Fixes so alerts are sent properly in s3_pkt.c

PR: 851 [backport from OpenSSL_0_9_7-stable branch / head]
remove extra whitespace; fix link
2005-05-03 23:03:26 +00:00 · 2005-04-25 21:40:03 +00:00 · 2005-03-24 00:14:07 +00:00 · 2005-03-19 11:52:15 +00:00 · 2005-03-11 09:00:18 +00:00 · 2004-11-14 15:10:37 +00:00
370 changed files with 5998 additions and 15771 deletions
--- a/168
+++ b/168
@@ -2,6 +2,162 @@
 OpenSSL CHANGES
 _______________
 Changes between 0.9.6m and 0.9.6n  [XX XXX XXXX]
  *) 
 Changes between 0.9.6l and 0.9.6m  [17 Mar 2004]
  *) Fix null-pointer assignment in do_change_cipher_spec() revealed
     by using the Codenomicon TLS Test Tool (CAN-2004-0079)
     [Joe Orton, Steve Henson]
 Changes between 0.9.6k and 0.9.6l  [04 Nov 2003]
  *) Fix additional bug revealed by the NISCC test suite:
     Stop bug triggering large recursion when presented with
     certain ASN.1 tags (CAN-2003-0851)
     [Steve Henson]
 Changes between 0.9.6j and 0.9.6k  [30 Sep 2003]
  *) Fix various bugs revealed by running the NISCC test suite:
     Stop out of bounds reads in the ASN1 code when presented with
     invalid tags (CAN-2003-0543 and CAN-2003-0544).
     If verify callback ignores invalid public key errors don't try to check
     certificate signature with the NULL public key.
     [Steve Henson]
  *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
     if the server requested one: as stated in TLS 1.0 and SSL 3.0
     specifications.
     [Steve Henson]
  *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
     extra data after the compression methods not only for TLS 1.0
     but also for SSL 3.0 (as required by the specification).
     [Bodo Moeller; problem pointed out by Matthias Loepfe]
  *) Change X509_certificate_type() to mark the key as exported/exportable
     when it's 512 *bits* long, not 512 bytes.
     [Richard Levitte]
 Changes between 0.9.6i and 0.9.6j  [10 Apr 2003]
  *) Countermeasure against the Klima-Pokorny-Rosa extension of
     Bleichbacher's attack on PKCS #1 v1.5 padding: treat
     a protocol version number mismatch like a decryption error
     in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
     [Bodo Moeller]
  *) Turn on RSA blinding by default in the default implementation
     to avoid a timing attack. Applications that don't want it can call
     RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
     They would be ill-advised to do so in most cases.
     [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller]
  *) Change RSA blinding code so that it works when the PRNG is not
     seeded (in this case, the secret RSA exponent is abused as
     an unpredictable seed -- if it is not unpredictable, there
     is no point in blinding anyway).  Make RSA blinding thread-safe
     by remembering the creator's thread ID in rsa->blinding and
     having all other threads use local one-time blinding factors
     (this requires more computation than sharing rsa->blinding, but
     avoids excessive locking; and if an RSA object is not shared
     between threads, blinding will still be very fast).
     [Bodo Moeller]
 Changes between 0.9.6h and 0.9.6i  [19 Feb 2003]
  *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
     via timing by performing a MAC computation even if incorrrect
     block cipher padding has been found.  This is a countermeasure
     against active attacks where the attacker has to distinguish
     between bad padding and a MAC verification error. (CAN-2003-0078)
     [Bodo Moeller; problem pointed out by Brice Canvel (EPFL),
     Alain Hiltgen (UBS), Serge Vaudenay (EPFL), and
     Martin Vuagnoux (EPFL, Ilion)]
 Changes between 0.9.6g and 0.9.6h  [5 Dec 2002]
  *) New function OPENSSL_cleanse(), which is used to cleanse a section of
     memory from it's contents.  This is done with a counter that will
     place alternating values in each byte.  This can be used to solve
     two issues: 1) the removal of calls to memset() by highly optimizing
     compilers, and 2) cleansing with other values than 0, since those can
     be read through on certain media, for example a swap space on disk.
     [Geoff Thorpe]
  *) Bugfix: client side session caching did not work with external caching,
     because the session->cipher setting was not restored when reloading
     from the external cache. This problem was masked, when
     SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set.
     (Found by Steve Haslam <steve@araqnid.ddts.net>.)
     [Lutz Jaenicke]
  *) Fix client_certificate (ssl/s2_clnt.c): The permissible total
     length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.
     [Zeev Lieber <zeev-l@yahoo.com>]
  *) Undo an undocumented change introduced in 0.9.6e which caused
     repeated calls to OpenSSL_add_all_ciphers() and 
     OpenSSL_add_all_digests() to be ignored, even after calling
     EVP_cleanup().
     [Richard Levitte]
  *) Change the default configuration reader to deal with last line not
     being properly terminated.
     [Richard Levitte]
  *) Change X509_NAME_cmp() so it applies the special rules on handling
     DN values that are of type PrintableString, as well as RDNs of type
     emailAddress where the value has the type ia5String.
     [stefank@valicert.com via Richard Levitte]
  *) Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half
     the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently
     doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be
     the bitwise-OR of the two for use by the majority of applications
     wanting this behaviour, and update the docs. The documented
     behaviour and actual behaviour were inconsistent and had been
     changing anyway, so this is more a bug-fix than a behavioural
     change.
     [Geoff Thorpe, diagnosed by Nadav Har'El]
  *) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
     (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).
     [Bodo Moeller]
  *) Fix initialization code race conditions in
        SSLv23_method(),  SSLv23_client_method(),   SSLv23_server_method(),
        SSLv2_method(),   SSLv2_client_method(),    SSLv2_server_method(),
        SSLv3_method(),   SSLv3_client_method(),    SSLv3_server_method(),
        TLSv1_method(),   TLSv1_client_method(),    TLSv1_server_method(),
        ssl2_get_cipher_by_char(),
        ssl3_get_cipher_by_char().
     [Patrick McCormick <patrick@tellme.com>, Bodo Moeller]
  *) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after
     the cached sessions are flushed, as the remove_cb() might use ex_data
     contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com>
     (see [openssl.org #212]).
     [Geoff Thorpe, Lutz Jaenicke]
  *) Fix typo in OBJ_txt2obj which incorrectly passed the content
     length, instead of the encoding length to d2i_ASN1_OBJECT.
     [Steve Henson]
 Changes between 0.9.6f and 0.9.6g  [9 Aug 2002]
  *) [In 0.9.6g-engine release:]
     Fix crypto/engine/vendor_defns/cswift.h for WIN32 (use '_stdcall').
     [Lynn Gazis <lgazis@rainbow.com>]
 Changes between 0.9.6e and 0.9.6f  [8 Aug 2002]
  *) Fix ASN1 checks. Check for overflow by comparing with LONG_MAX
@@ -17,6 +173,12 @@
 Changes between 0.9.6d and 0.9.6e  [30 Jul 2002]
  *) Add various sanity checks to asn1_get_length() to reject
     the ASN1 length bytes if they exceed sizeof(long), will appear
     negative or the content length exceeds the length of the
     supplied buffer.
     [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
  *) Fix cipher selection routines: ciphers without encryption had no flags
     for the cipher strength set and where therefore not handled correctly
     by the selection routines (PR #130).
@@ -48,7 +210,7 @@
  *) Add various sanity checks to asn1_get_length() to reject
     the ASN1 length bytes if they exceed sizeof(long), will appear
     negative or the content length exceeds the length of the
-     supplied buffer.
+     supplied buffer. (CAN-2002-0659)
     [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
  *) Assertions for various potential buffer overflows, not known to
@@ -153,8 +315,8 @@
     value is 0.
     [Richard Levitte]
-  *) [In 0.9.6c-engine release:]
+  *) [In 0.9.6d-engine release:]
-     Fix a crashbug and a logic bug in hwcrhk_load_pubkey()
+     Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
     [Toomas Kiisk <vix@cyber.ee> via Richard Levitte]
  *) Add the configuration target linux-s390x.
--- a/64
+++ b/64
@@ -10,7 +10,7 @@ use strict;
 # see INSTALL for instructions.
-my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [rsaref] [no-threads] [no-asm] [no-dso] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--test-sanity] os/compiler[:flags]\n";
+my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [rsaref] [no-threads] [no-asm] [no-dso] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--test-sanity] os/compiler[:flags]\n";
 # Options:
 #
@@ -23,12 +23,6 @@ my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-
 #               default).  This needn't be set in advance, you can
 #               just as well use "make INSTALL_PREFIX=/whatever install".
 #
 # no-hw-xxx     do not compile support for specific crypto hardware.
 #               Generic OpenSSL-style methods relating to this support
 #               are always compiled but return NULL if the hardware
 #               support isn't compiled.
 # no-hw         do not compile support for any crypto hardware.
 #
 # --test-sanity Make a number of sanity checks on the data in this file.
 #               This is a debugging tool for OpenSSL developers.
 #
@@ -37,10 +31,6 @@ my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-
 #               multithreaded applications (default is "threads" if we
 #               know how to do it)
 # [no-]shared	[don't] try to create shared libraries when supported.
 #               IT IS NOT RECOMMENDED TO USE "shared"!  Since this is a
 #               development branch, the positions of the ENGINE symbols
 #               in the transfer vector are constantly moving, so binary
 #               backward compatibility can't be guaranteed in any way.
 # no-asm        do not use assembler
 # no-dso        do not compile in any native shared-library methods. This
 #               will ensure that all methods just return NULL.
@@ -132,7 +122,7 @@ my %table=(
 "debug-bodo",	"gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -DBIO_PAIR_DEBUG -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 "debug-ulf",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 "debug-steve",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -O2 -m486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
-"debug-levitte-linux-elf","gcc:-DUSE_ALLOCATING_PRINT -DRL_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -pipe::-D_REENTRANT:-ldl:::::::::::dlfcn",
+"debug-levitte-linux-elf","gcc:-DUSE_ALLOCATING_PRINT -DRL_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wmissing-declarations -Wno-long-long -pipe::-D_REENTRANT:-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "dist",		"cc:-O::(unknown):::::",
 # Basic configs that should work on any (32 and less bit) box
@@ -354,7 +344,7 @@ my %table=(
 "linux-mips",   "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::BN_LLONG:::",
 "linux-ppc",	"gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-m68k",   "gcc:-DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::",
-"linux-s390",	"gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR),\$(SHLIB_MINOR)",
+"linux-s390",	"gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-s390x", "gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-ia64",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "NetBSD-sparc",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -376,7 +366,7 @@ my %table=(
 "qnx6",	"cc:-DL_ENDIAN -DTERMIOS::(unknown):-lsocket:${x86_gcc_des} ${x86_gcc_opts}:",
 # Linux on ARM
-"linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # UnixWare 2.0x fails destest with -O
 "unixware-2.0","cc:-DFILIO_H::-Kthread:-lsocket -lnsl -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
@@ -405,7 +395,7 @@ my %table=(
 "aix-cc",   "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown)::BN_LLONG RC4_CHAR:::",
 "aix-gcc",  "gcc:-O3 -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR:::",
 "aix43-cc",   "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown)::BN_LLONG RC4_CHAR::::::::::dlfcn:",
-"aix43-gcc",  "gcc:-O3 -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR::::::::::dlfcn:",
+"aix43-gcc",  "gcc:-O1 -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR::::::::::dlfcn:",
 #
 # Cray T90 and similar (SDSC)
@@ -487,7 +477,7 @@ my %table=(
 # Cygwin
 "Cygwin-pre1.3", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
-"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -m486 -Wall::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32:cygwin-shared:::.dll",
+"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -march=i486 -Wall::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32:cygwin-shared:::.dll",
 # Ultrix from Bernhard Simon <simon@zid.tuwien.ac.at>
 "ultrix-cc","cc:-std1 -O -Olimit 1000 -DL_ENDIAN::(unknown)::::::",
@@ -505,12 +495,18 @@ my %table=(
 "rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
 "darwin-ppc-cc","cc:-O3 -D_DARWIN -DB_ENDIAN -fno-common::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
 ##### A/UX
 "aux3-gcc","gcc:-O2 -DTERMIO::(unknown):-lbsd:RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
 ##### Sony NEWS-OS 4.x
 "newsos4-gcc","gcc:-O -DB_ENDIAN -DNEWS4::(unknown):-lmld -liberty:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::",
 ##### VxWorks for various targets
 "vxworks-ppc405","ccppc:-g -msoft-float -mlongcall -DVXWORKS -DCPU=PPC405 -I\$(WIND_BASE)/target/h:::-r:::::",
 ##### Compaq Non-Stop Kernel (Tandem)
 "tandem-c89","c89:-Ww -D__TANDEM -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -D_TANDEM_SOURCE -DB_ENDIAN::(unknown)::THIRTY_TWO_BIT:::",
 );
 my @WinTargets=qw(VC-NT VC-WIN32 VC-WIN16 VC-W31-16 VC-W31-32 VC-MSDOS BC-32
@@ -587,6 +583,7 @@ my $libs;
 my $target;
 my $options;
 my $symlink;
 my $make_depend=0;
 my @argvcopy=@ARGV;
 my $argvstring="";
@@ -621,18 +618,6 @@ PROCESS_ARGS:
 			$flags .= "-DNO_ASM ";
 			$openssl_other_defines .= "#define NO_ASM\n";
 			}
 		elsif (/^no-hw-(.+)$/)
 			{
 			my $hw=$1;
 			$hw =~ tr/[a-z]/[A-Z]/;
 			$flags .= "-DNO_HW_$hw ";
 			$openssl_other_defines .= "#define NO_HW_$hw\n";
 			}
 		elsif (/^no-hw$/)
 			{
 			$flags .= "-DNO_HW ";
 			$openssl_other_defines .= "#define NO_HW\n";
 			}
 		elsif (/^no-dso$/)
 			{ $no_dso=1; }
 		elsif (/^no-threads$/)
@@ -641,7 +626,7 @@ PROCESS_ARGS:
 			{ $threads=1; }
 		elsif (/^no-shared$/)
 			{ $no_shared=1; }
-		elsif (/^shared$/)
+		elsif (/^shared$/ || /^-shared$/ || /^--shared$/)
 			{ $no_shared=0; }
 		elsif (/^no-symlinks$/)
 			{ $symlink=0; }
@@ -1210,11 +1195,13 @@ if($IsWindows) {
 EOF
 	close(OUT);
 } else {
-	(system "make -f Makefile.ssl PERL=\'$perl\' links") == 0 or exit $?
+	my $make_command = "make -f Makefile.ssl PERL=\'$perl\'";
-		if $symlink;
+	my $make_targets = "";
-	### (system 'make depend') == 0 or exit $? if $depflags ne "";
+	$make_targets .= " links" if $symlink;
-	# Run "make depend" manually if you want to be able to delete
+	$make_targets .= " depend" if $depflags ne "" && $make_depend;
-	# the source code files of ciphers you left out.
+	$make_targets .= " gentests" if $symlink;
 	(system $make_command.$make_targets) == 0 or exit $?
 		if $make_targets ne "";
 	if ( $perl =~ m@^/@) {
 	    &dofile("tools/c_rehash",$perl,'^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";');
 	    &dofile("apps/der_chop",$perl,'^#!/', '#!%s');
@@ -1224,6 +1211,15 @@ EOF
 	    &dofile("tools/c_rehash",'/usr/local/bin/perl','^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";');
 	    &dofile("apps/der_chop",'/usr/local/bin/perl','^#!/', '#!%s');
 	    &dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s');
 	}
 	if ($depflags ne "" && !$make_depend) {
 		print <<EOF;
 Since you've disabled at least one algorithm, you need to do the following
 before building:
 	make depend
 EOF
 	}	    
 }
--- a/78
+++ b/78
@@ -9,6 +9,7 @@ OpenSSL  -  Frequently Asked Questions
 * Where can I get a compiled version of OpenSSL?
 * Why aren't tools like 'autoconf' and 'libtool' used?
 * What is an 'engine' version?
 * How do I check the authenticity of the OpenSSL distribution?
 [LEGAL] Legal questions
@@ -35,6 +36,7 @@ OpenSSL  -  Frequently Asked Questions
 * Why does the linker complain about undefined symbols?
 * Why does the OpenSSL test fail with "bc: command not found"?
 * Why does the OpenSSL test fail with "bc: 1 no implemented"?
 * Why does the OpenSSL test fail with "bc: stack empty"?
 * Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
 * Why does the OpenSSL compilation fail with "ar: command not found"?
 * Why does the OpenSSL compilation fail on Win32 with VC++?
@@ -61,7 +63,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.6f was released on 8 August 2002.
+OpenSSL 0.9.7d was released on March 17, 2004.
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
@@ -109,11 +111,14 @@ OpenSSL.  Information on the OpenSSL mailing lists is available from
 * Where can I get a compiled version of OpenSSL?
 You can finder pointers to binary distributions in
 http://www.openssl.org/related/binaries.html .
 Some applications that use OpenSSL are distributed in binary form.
 When using such an application, you don't need to install OpenSSL
 yourself; the application will include the required parts (e.g. DLLs).
-If you want to install OpenSSL on a Windows system and you don't have
+If you want to build OpenSSL on a Windows system and you don't have
 a C compiler, read the "Mingw32" section of INSTALL.W32 for information
 on how to obtain and install the free GNU C compiler.
@@ -132,6 +137,19 @@ hardware. This was realized in a special release '0.9.6-engine'. With
 version 0.9.7 (not yet released) the changes were merged into the main
 development line, so that the special release is no longer necessary.
 * How do I check the authenticity of the OpenSSL distribution?
 We provide MD5 digests and ASC signatures of each tarball.
 Use MD5 to check that a tarball from a mirror site is identical:
   md5sum TARBALL | awk '{print $1;}' | cmp - TARBALL.md5
 You can check authenticity using pgp or gpg. You need the OpenSSL team
 member public key used to sign it (download it from a key server). Then
 just do:
   pgp TARBALL.asc
 [LEGAL] =======================================================================
 * Do I need patent licenses to use OpenSSL?
@@ -169,18 +187,30 @@ for permission to use their software with OpenSSL.
 Cryptographic software needs a source of unpredictable data to work
 correctly.  Many open source operating systems provide a "randomness
-device" that serves this purpose.  On other systems, applications have
+device" (/dev/urandom or /dev/random) that serves this purpose.
-to call the RAND_add() or RAND_seed() function with appropriate data
+All OpenSSL versions try to use /dev/urandom by default; starting with
-before generating keys or performing public key encryption.
+version 0.9.7, OpenSSL also tries /dev/random if /dev/urandom is not
-(These functions initialize the pseudo-random number generator, PRNG.)
+available.
-Some broken applications do not do this.  As of version 0.9.5, the
+On other systems, applications have to call the RAND_add() or
-OpenSSL functions that need randomness report an error if the random
+RAND_seed() function with appropriate data before generating keys or
-number generator has not been seeded with at least 128 bits of
+performing public key encryption. (These functions initialize the
-randomness.  If this error occurs, please contact the author of the
+pseudo-random number generator, PRNG.)  Some broken applications do
-application you are using.  It is likely that it never worked
+not do this.  As of version 0.9.5, the OpenSSL functions that need
-correctly.  OpenSSL 0.9.5 and later make the error visible by refusing
+randomness report an error if the random number generator has not been
-to perform potentially insecure encryption.
+seeded with at least 128 bits of randomness.  If this error occurs and
 is not discussed in the documentation of the application you are
 using, please contact the author of that application; it is likely
 that it never worked correctly.  OpenSSL 0.9.5 and later make the
 error visible by refusing to perform potentially insecure encryption.
 If you are using Solaris 8, you can add /dev/urandom and /dev/random
 devices by installing patch 112438 (Sparc) or 112439 (x86), which are
 available via the Patchfinder at <URL: http://sunsolve.sun.com>
 (Solaris 9 includes these devices by default). For /dev/random support
 for earlier Solaris versions, see Sun's statement at
 <URL: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski>
 (the SUNWski package is available in patch 105710).
 On systems without /dev/urandom and /dev/random, it is a good idea to
 use the Entropy Gathering Demon (EGD); see the RAND_egd() manpage for
@@ -213,16 +243,6 @@ OpenSSL command line tools. Applications using the OpenSSL library
 provide their own configuration options to specify the entropy source,
 please check out the documentation coming the with application.
 For Solaris 2.6, Tim Nibbe <tnibbe@sprint.net> and others have suggested
 installing the SUNski package from Sun patch 105710-01 (Sparc) which
 adds a /dev/random device and make sure it gets used, usually through
 $RANDFILE.  There are probably similar patches for the other Solaris
 versions.  An official statement from Sun with respect to /dev/random
 support can be found at
  http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski
 However, be warned that /dev/random is usually a blocking device, which
 may have some effects on OpenSSL.
 * Why do I get an "unable to write 'random state'" error message?
@@ -392,6 +412,17 @@ and compile/install it.  GNU bc (see http://www.gnu.org/software/software.html
 for download instructions) can be safely used, for example.
 * Why does the OpenSSL test fail with "bc: stack empty"?
 On some DG/ux versions, bc seems to have a too small stack for calculations
 that the OpenSSL bntest throws at it.  This gets triggered when you run the
 test suite (using "make test").  The message returned is "bc: stack empty".
 The best way to deal with this is to find another implementation of bc
 and compile/install it.  GNU bc (see http://www.gnu.org/software/software.html
 for download instructions) can be safely used, for example.
 * Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
 On some Alpha installations running Tru64 Unix and Compaq C, the compilation
@@ -646,6 +677,7 @@ The general answer is to check the config.log file generated when running
 the OpenSSH configure script. It should contain the detailed information
 on why the OpenSSL library was not detected or considered incompatible.
 * Can I use OpenSSL's SSL library with non-blocking I/O?
 Yes; make sure to read the SSL_get_error(3) manual page!
--- a/23
+++ b/23
@@ -57,10 +57,7 @@
  shared        In addition to the usual static libraries, create shared
                libraries on platforms where it's supported.  See "Note on
-                shared libraries" below.  THIS IS NOT RECOMMENDED!  Since
+                shared libraries" below.
                this is a development branch, the positions of the ENGINE
                symbols in the transfer vector are constantly moving, so
                binary backward compatibility can't be guaranteed in any way.
  no-asm        Do not use assembler code.
@@ -132,8 +129,8 @@
     standard headers).  If it is a problem with OpenSSL itself, please
     report the problem to <openssl-bugs@openssl.org> (note that your
     message will be recorded in the request tracker publicly readable
-     via http://www.openssl.org/rt2.html and will be forwarded to a public
+     via http://www.openssl.org/support/rt2.html and will be forwarded to a
-     mailing list). Include the output of "make report" in your message.
+     public mailing list). Include the output of "make report" in your message.
     Please check out the request tracker. Maybe the bug was already
     reported or has already been fixed.
@@ -154,7 +151,7 @@
     in Makefile.ssl and run "make clean; make". Please send a bug
     report to <openssl-bugs@openssl.org>, including the output of
     "make report" in order to be added to the request tracker at
-     http://www.openssl.org/rt2.html.
+     http://www.openssl.org/support/rt2.html.
  4. If everything tests ok, install OpenSSL with
@@ -288,3 +285,15 @@
 targets for shared library creation, like linux-shared.  Those targets
 can currently be used on their own just as well, but this is expected
 to change in future versions of OpenSSL.
 Note on random number generation
 --------------------------------
 Availability of cryptographically secure random numbers is required for
 secret key generation. OpenSSL provides several options to seed the
 internal PRNG. If not properly seeded, the internal PRNG will refuse
 to deliver random bytes and a "PRNG not seeded error" will occur.
 On systems without /dev/urandom (or similar) device, it may be necessary
 to install additional support software to obtain random seed.
 Please check out the manual pages for RAND_add(), RAND_bytes(), RAND_egd(),
 and the FAQ for more information.
--- a/INSTALL.W32
+++ b/INSTALL.W32
@@ -82,7 +82,8 @@
 There are various changes you can make to the Win32 compile environment. By
 default the library is not compiled with debugging symbols. If you add 'debug'
 to the mk1mf.pl lines in the do_* batch file then debugging symbols will be
- compiled in.
+ compiled in. Note that mk1mf.pl expects the platform to be the last argument
 on the command line, so 'debug' must appear before that, as all other options.
 The default Win32 environment is to leave out any Windows NT specific
 features.
@@ -215,7 +216,7 @@
 	$ md c:\openssl\lib
 	$ md c:\openssl\include
 	$ md c:\openssl\include\openssl
-	$ copy /b inc32\*               c:\openssl\include\openssl
+	$ copy /b inc32\openssl\*       c:\openssl\include\openssl
 	$ copy /b out32dll\ssleay32.lib c:\openssl\lib
 	$ copy /b out32dll\libeay32.lib c:\openssl\lib
 	$ copy /b out32dll\ssleay32.dll c:\openssl\bin
--- a/2
+++ b/2
@@ -12,7 +12,7 @@
  ---------------
 /* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2004 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
--- a/MacOS/GetHTTPS.src/MacSocket.cpp
+++ b/MacOS/GetHTTPS.src/MacSocket.cpp
@@ -1287,7 +1287,7 @@ EXITPOINT:
 //	Send some bytes
-int MacSocket_send(const int inSocketNum,void *inBuff,int inBuffLength)
+int MacSocket_send(const int inSocketNum,const void *inBuff,int inBuffLength)
 {
 OSErr			errCode = noErr;
 int				bytesSent = 0;
@@ -1604,4 +1604,4 @@ EPInfo* epi = (EPInfo*) context;
 		}
 	}
 }
-*/
+*/
--- a/MacOS/GetHTTPS.src/MacSocket.h
+++ b/MacOS/GetHTTPS.src/MacSocket.h
@@ -62,7 +62,7 @@ int MacSocket_recv(const int inSocketNum,void *outBuff,int outBuffLength,const B
 //	Call this to send data on a socket
-int MacSocket_send(const int inSocketNum,void *inBuff,int inBuffLength);
+int MacSocket_send(const int inSocketNum,const void *inBuff,int inBuffLength);
 //	If zero bytes were read in a call to MacSocket_recv(), it may be that the remote end has done a half-close
--- a/Makefile.org
+++ b/Makefile.org
@@ -162,7 +162,7 @@ SHLIBDIRS= crypto ssl
 SDIRS=  \
 	md2 md4 md5 sha mdc2 hmac ripemd \
 	des rc2 rc4 rc5 idea bf cast \
-	bn rsa dsa dh dso engine \
+	bn rsa dsa dh dso \
 	buffer bio stack lhash rand err objects \
 	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp
@@ -270,9 +270,7 @@ do_gnu-shared:
 	done
 DETECT_GNU_LD=${CC} -v 2>&1 | grep '^gcc' >/dev/null 2>&1 && \
-	collect2=`gcc -print-prog-name=collect2 2>&1` && \
+	my_ld=`${CC} -print-prog-name=ld 2>&1` && \
 	[ -n "$$collect2" ] && \
 	my_ld=`$$collect2 --help 2>&1 | grep Usage: | sed 's/^Usage: *\([^ ][^ ]*\).*/\1/'` && \
 	[ -n "$$my_ld" ] && \
 	$$my_ld -v 2>&1 | grep 'GNU ld' >/dev/null 2>&1
@@ -370,9 +368,10 @@ do_svr3-shared:
 		  find . -name "*.o" -print > allobjs ; \
 		  OBJS= ; export OBJS ; \
 		  for obj in `ar t lib$$i.a` ; do \
-		    OBJS="$${OBJS} `grep $$obj allobjs`" ; \
+		    OBJS="$${OBJS} `grep /$$obj allobjs`" ; \
 		  done ; \
-		  set -x; ${CC}  -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+		  set -x; ${CC} ${SHARED_LDFLAGS} \
 			-G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			$${OBJS} $$libs ${EX_LIBS} ) || exit 1; \
 		libs="$$libs -l$$i"; \
@@ -386,13 +385,15 @@ do_svr5-shared:
 	else \
 		libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
 		( PATH=/usr/ccs/bin:$$PATH ; export PATH; \
 		  SHARE_FLAG='-G'; \
 		  (${CC} -v 2>&1 | grep gcc) > /dev/null && SHARE_FLAG='-shared'; \
 		  find . -name "*.o" -print > allobjs ; \
 		  OBJS= ; export OBJS ; \
 		  for obj in `ar t lib$$i.a` ; do \
-		    OBJS="$${OBJS} `grep $$obj allobjs`" ; \
+		    OBJS="$${OBJS} `grep /$$obj allobjs`" ; \
 		  done ; \
 		  set -x; ${CC} ${SHARED_LDFLAGS} \
-			-G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+			$${SHARE_FLAG} -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			$${OBJS} $$libs ${EX_LIBS} ) || exit 1; \
 		libs="$$libs -l$$i"; \
@@ -529,6 +530,10 @@ links:
 	fi; \
 	done;
 gentests:
 	@(cd test && echo "generating dummy tests (if needed)..." && \
 	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on generate );
 dclean:
 	rm -f *.bak
 	@for i in $(DIRS) ;\
@@ -610,6 +615,9 @@ update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_
 # and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal
 # tar does not support the --files-from option.
 tar:
 	find . -type d -print | xargs chmod 755
 	find . -type f -print | xargs chmod a+r
 	find . -type f -perm -0100 -print | xargs chmod a+x
 	find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort > ../$(TARFILE).list; \
 	$(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list -cvf - | \
 	tardy --user_number=0  --user_name=openssl \
@@ -634,8 +642,7 @@ install: all install_docs
 		$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
-		$(INSTALL_PREFIX)$(OPENSSLDIR)/private \
+		$(INSTALL_PREFIX)$(OPENSSLDIR)/private
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/lib
 	@for i in $(EXHEADER) ;\
 	do \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
@@ -652,9 +659,10 @@ install: all install_docs
 	do \
 		if [ -f "$$i" ]; then \
 		(       echo installing $$i; \
-			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
+			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-			$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
+			$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
+			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
 			mv $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
 		fi; \
 	done
 	@if [ -n "$(SHARED_LIBS)" ]; then \
@@ -664,20 +672,24 @@ install: all install_docs
 			if [ -f "$$i" -o -f "$$i.a" ]; then \
 			(       echo installing $$i; \
 				if [ "$(PLATFORM)" != "Cygwin" ]; then \
-					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
+					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-					chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
+					chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
 					mv $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
 				else \
 					c=`echo $$i | sed 's/^lib/cyg/'`; \
-					cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
+					cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
-					chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
+					chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
-					cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
+					mv $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
-					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
+					cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \
 					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \
 					mv $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
 				fi ); \
 			fi; \
 		done; \
 		(	here="`pwd`"; \
 			cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
-			$(MAKE) -f $$here/Makefile link-shared ); \
+			set $(MAKE); \
 			$$1 -f $$here/Makefile link-shared ); \
 	fi
 install_docs:
@@ -686,23 +698,23 @@ install_docs:
 		$(INSTALL_PREFIX)$(MANDIR)/man3 \
 		$(INSTALL_PREFIX)$(MANDIR)/man5 \
 		$(INSTALL_PREFIX)$(MANDIR)/man7
-	@pod2man=`cd ../../util; ./pod2mantest ignore`; \
+	@pod2man="`cd util; ./pod2mantest $(PERL)`"; \
 	for i in doc/apps/*.pod; do \
 		fn=`basename $$i .pod`; \
 		if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \
 		echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
 		(cd `$(PERL) util/dirname.pl $$i`; \
-		sh -c "$(PERL) $$pod2man \
+		sh -c "$$pod2man \
 			--section=$$sec --center=OpenSSL \
 			--release=$(VERSION) `basename $$i`") \
 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
 	done; \
-	@for i in doc/crypto/*.pod doc/ssl/*.pod; do \
+	for i in doc/crypto/*.pod doc/ssl/*.pod; do \
 		fn=`basename $$i .pod`; \
 		if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \
 		echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
 		(cd `$(PERL) util/dirname.pl $$i`; \
-		sh -c "$(PERL) $$pod2man \
+		sh -c "$$pod2man \
 			--section=$$sec --center=OpenSSL \
 			--release=$(VERSION) `basename $$i`") \
 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
--- a/42
+++ b/42
@@ -5,6 +5,48 @@
  This file gives a brief overview of the major changes between each OpenSSL
  release. For more details please read the CHANGES file.
  Major changes between OpenSSL 0.9.6l and OpenSSL 0.9.6m:
      o Security: fix null-pointer bug leading to crash
  Major changes between OpenSSL 0.9.6k and OpenSSL 0.9.6l:
      o Security: fix ASN1 bug leading to large recursion
  Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k:
      o Security: fix various ASN1 parsing bugs.
      o SSL/TLS protocol fix for unrequested client certificates.
  Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j:
      o Security: counter the Klima-Pokorny-Rosa extension of
        Bleichbacher's attack 
      o Security: make RSA blinding default.
      o Build: shared library support fixes.
  Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i:
      o Important security related bugfixes.
  Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h:
      o New configuration targets for Tandem OSS and A/UX.
      o New OIDs for Microsoft attributes.
      o Better handling of SSL session caching.
      o Better comparison of distinguished names.
      o Better handling of shared libraries in a mixed GNU/non-GNU environment.
      o Support assembler code with Borland C.
      o Fixes for length problems.
      o Fixes for uninitialised variables.
      o Fixes for memory leaks, some unusual crashes and some race conditions.
      o Fixes for smaller building problems.
      o Updates of manuals, FAQ and other instructive documents.
  Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g:
      o Important building fixes on Unix.
  Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f:
      o Various important bugfixes.
--- a/16
+++ b/16
@@ -40,3 +40,19 @@ scripts use the same name for output and input files, which means different
 will interfere with each other and lead to test failure.
 The solution is simple for now: don't run parallell make when testing.
 * Bugs in gcc 3.0 triggered
 According to a problem report, there are bugs in gcc 3.0 that are
 triggered by some of the code in OpenSSL, more specifically in
 PEM_get_EVP_CIPHER_INFO().  The triggering code is the following:
 	header+=11;
 	if (*header != '4') return(0); header++;
 	if (*header != ',') return(0); header++;
 What happens is that gcc might optimize a little too agressively, and
 you end up with an extra incrementation when *header != '4'.
 We recommend that you upgrade gcc to as high a 3.x version as you can.
--- a/45
+++ b/45
@@ -1,7 +1,7 @@
- OpenSSL 0.9.6f [engine] 8 August 2002
+ OpenSSL 0.9.6m 17 Mar 2004
- Copyright (c) 1998-2002 The OpenSSL Project
+ Copyright (c) 1998-2004 The OpenSSL Project
 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
 All rights reserved.
@@ -14,13 +14,13 @@
 protocols as well as a full-strength general purpose cryptography library.
 The project is managed by a worldwide community of volunteers that use the
 Internet to communicate, plan, and develop the OpenSSL toolkit and its
- related documentation. 
+ related documentation.
 OpenSSL is based on the excellent SSLeay library developed from Eric A. Young
 and Tim J. Hudson.  The OpenSSL toolkit is licensed under a dual-license (the
 OpenSSL license plus the SSLeay license) situation, which basically means
 that you are free to get and use it for commercial and non-commercial
- purposes as long as you fulfill the conditions of both licenses. 
+ purposes as long as you fulfill the conditions of both licenses.
 OVERVIEW
 --------
@@ -53,11 +53,11 @@
        MDC2 message digest. A DES based hash that is popular on smart cards.
     Public Key
-        RSA encryption/decryption/generation.  
+        RSA encryption/decryption/generation.
            There is no limit on the number of bits.
-        DSA encryption/decryption/generation.   
+        DSA encryption/decryption/generation.
            There is no limit on the number of bits.
-        Diffie-Hellman key-exchange/key generation.  
+        Diffie-Hellman key-exchange/key generation.
            There is no limit on the number of bits.
     X.509v3 certificates
@@ -80,16 +80,16 @@
        A simple stack.
        A Configuration loader that uses a format similar to MS .ini files.
- openssl: 
+ openssl:
     A command line tool that can be used for:
        Creation of RSA, DH and DSA key parameters
-        Creation of X.509 certificates, CSRs and CRLs 
+        Creation of X.509 certificates, CSRs and CRLs
        Calculation of Message Digests
        Encryption and Decryption with Ciphers
        SSL/TLS Client and Server Tests
        Handling of S/MIME signed or encrypted mail
-        
+
 PATENTS
 -------
@@ -104,13 +104,15 @@
 licensing conditions. Their web page is http://www.rsasecurity.com/.
 RC4 is a trademark of RSA Security, so use of this label should perhaps
- only be used with RSA Security's permission. 
+ only be used with RSA Security's permission.
 The IDEA algorithm is patented by Ascom in Austria, France, Germany, Italy,
 Japan, the Netherlands, Spain, Sweden, Switzerland, UK and the USA.  They
 should be contacted if that algorithm is to be used; their web page is
 http://www.ascom.ch/.
 The MDC2 algorithm is patented by IBM.
 INSTALLATION
 ------------
@@ -129,7 +131,7 @@
 or application author.  We try to collect those in doc/PROBLEMS, with current
 thoughts on how they should be solved in a future of OpenSSL.
- SUPPORT 
+ SUPPORT
 -------
 If you have any problems with OpenSSL then please take the following steps
@@ -138,7 +140,7 @@
    - Download the current snapshot from ftp://ftp.openssl.org/snapshot/
      to see if the problem has already been addressed
    - Remove ASM versions of libraries
-    - Remove compiler optimisation flags 
+    - Remove compiler optimisation flags
 If you wish to report a bug then please include the following information in
 any bug report:
@@ -154,7 +156,7 @@
    - Stack Traceback (if the application dumps core)
 Report the bug to the OpenSSL project via the Request Tracker
- (http://www.openssl.org/rt2.html) by mail to:
+ (http://www.openssl.org/support/rt2.html) by mail to:
    openssl-bugs@openssl.org
@@ -173,11 +175,17 @@
 textual explanation of what your patch does.
 Note: For legal reasons, contributions from the US can be accepted only
- if a TSA notification and a copy of the patch is sent to crypt@bis.doc.gov;
+ if a TSU notification and a copy of the patch are sent to crypt@bis.doc.gov
- see http://www.bis.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html [sic]
+ (formerly BXA) with a copy to the ENC Encryption Request Coordinator;
- and http://w3.access.gpo.gov/bis/ear/pdf/740.pdf (EAR Section 740.13(e)).
+ please take some time to look at
    http://www.bis.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html [sic]
 and
    http://w3.access.gpo.gov/bis/ear/pdf/740.pdf (EAR Section 740.13(e))
 for the details. If "your encryption source code is too large to serve as
 an email attachment", they are glad to receive it by fax instead; hope you
 have a cheap long-distance plan.
- The preferred format for changes is "diff -u" output. You might
+ Our preferred format for changes is "diff -u" output. You might
 generate it like this:
 # cd openssl-work
@@ -185,3 +193,4 @@
 # ./Configure dist; make clean
 # cd ..
 # diff -ur openssl-orig openssl-work > mydiffs.patch
--- a/18
+++ b/18
@@ -1,10 +1,22 @@
  OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 2002/08/08 21:44:07 $
+  ______________                           $Date: 2004/03/17 11:40:42 $
  DEVELOPMENT STATE
-    o  OpenSSL 0.9.7:  Under development...
+    o  OpenSSL 0.9.8:  Under development...
    o  OpenSSL 0.9.7d: Released on March     17th, 2004
    o  OpenSSL 0.9.7c: Released on September 30th, 2003
    o  OpenSSL 0.9.7b: Released on April     10th, 2003
    o  OpenSSL 0.9.7a: Released on February  19th, 2003
    o  OpenSSL 0.9.7:  Released on December  31st, 2002
    o  OpenSSL 0.9.6m: Released on March     17th, 2004
    o  OpenSSL 0.9.6l: Released on November   4th, 2003
    o  OpenSSL 0.9.6k: Released on September 30th, 2003
    o  OpenSSL 0.9.6j: Released on April     10th, 2003
    o  OpenSSL 0.9.6i: Released on February  19th, 2003
    o  OpenSSL 0.9.6h: Released on December   5th, 2002
    o  OpenSSL 0.9.6g: Released on August     9th, 2002
    o  OpenSSL 0.9.6f: Released on August     8th, 2002
    o  OpenSSL 0.9.6e: Released on July      30th, 2002
    o  OpenSSL 0.9.6d: Released on May        9th, 2002
@@ -22,6 +34,8 @@
  RELEASE SHOWSTOPPERS
    o none
  AVAILABLE PATCHES
    o 
--- a/62
+++ b/62
@@ -71,7 +71,7 @@ $ranlib       =
 *** Cygwin
 $cc           = gcc
-$cflags       = -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -m486 -Wall
+$cflags       = -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -march=i486 -Wall
 $unistd       = 
 $thread_cflag = 
 $lflags       = 
@@ -853,7 +853,7 @@ $ranlib       =
 *** aix43-gcc
 $cc           = gcc
-$cflags       = -O3 -DAIX -DB_ENDIAN
+$cflags       = -O1 -DAIX -DB_ENDIAN
 $unistd       = 
 $thread_cflag = (unknown)
 $lflags       = 
@@ -989,6 +989,29 @@ $shared_ldflag =
 $shared_extension = .so
 $ranlib       = 
 *** aux3-gcc
 $cc           = gcc
 $cflags       = -O2 -DTERMIO
 $unistd       = 
 $thread_cflag = (unknown)
 $lflags       = -lbsd
 $bn_ops       = RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR
 $bn_obj       = 
 $des_obj      = 
 $bf_obj       = 
 $md5_obj      = 
 $sha1_obj     = 
 $cast_obj     = 
 $rc4_obj      = 
 $rmd160_obj   = 
 $rc5_obj      = 
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
 $shared_ldflag = 
 $shared_extension = 
 $ranlib       = 
 *** bsdi-elf-gcc
 $cc           = gcc
 $cflags       = -DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall
@@ -1244,11 +1267,11 @@ $ranlib       =
 *** debug-levitte-linux-elf
 $cc           = gcc
-$cflags       = -DUSE_ALLOCATING_PRINT -DRL_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -pipe
+$cflags       = -DUSE_ALLOCATING_PRINT -DRL_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wmissing-declarations -Wno-long-long -pipe
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $lflags       = -ldl
-$bn_ops       = 
+$bn_ops       = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
 $bn_obj       = 
 $des_obj      = 
 $bf_obj       = 
@@ -1259,10 +1282,10 @@ $rc4_obj      =
 $rmd160_obj   = 
 $rc5_obj      = 
 $dso_scheme   = dlfcn
-$shared_target= 
+$shared_target= linux-shared
-$shared_cflag = 
+$shared_cflag = -fPIC
 $shared_ldflag = 
-$shared_extension = 
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 *** debug-linux-elf
@@ -2435,7 +2458,7 @@ $dso_scheme   = dlfcn
 $shared_target= linux-shared
 $shared_cflag = -fPIC
 $shared_ldflag = 
-$shared_extension = .so.$(SHLIB_MAJOR),$(SHLIB_MINOR)
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 *** linux-s390x
@@ -3151,6 +3174,29 @@ $shared_ldflag =
 $shared_extension = 
 $ranlib       = 
 *** tandem-c89
 $cc           = c89
 $cflags       = -Ww -D__TANDEM -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -D_TANDEM_SOURCE -DB_ENDIAN
 $unistd       = 
 $thread_cflag = (unknown)
 $lflags       = 
 $bn_ops       = THIRTY_TWO_BIT
 $bn_obj       = 
 $des_obj      = 
 $bf_obj       = 
 $md5_obj      = 
 $sha1_obj     = 
 $cast_obj     = 
 $rc4_obj      = 
 $rmd160_obj   = 
 $rc5_obj      = 
 $dso_scheme   = 
 $shared_target= 
 $shared_cflag = 
 $shared_ldflag = 
 $shared_extension = 
 $ranlib       = 
 *** ultrix-cc
 $cc           = cc
 $cflags       = -std1 -O -Olimit 1000 -DL_ENDIAN
--- a/apps/Makefile.ssl
+++ b/apps/Makefile.ssl
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -170,8 +170,6 @@ int str2fmt(char *s)
 		|| (strcmp(s,"PKCS12") == 0) || (strcmp(s,"pkcs12") == 0)
 		|| (strcmp(s,"P12") == 0) || (strcmp(s,"p12") == 0))
 		return(FORMAT_PKCS12);
 	else if ((*s == 'E') || (*s == 'e'))
 		return(FORMAT_ENGINE);
 	else
 		return(FORMAT_UNDEF);
 	}
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -59,7 +59,11 @@
 #ifndef HEADER_APPS_H
 #define HEADER_APPS_H
-#include "openssl/e_os.h"
+#ifdef FLAT_INC
 #include "e_os.h"
 #else
 #include "../e_os.h"
 #endif
 #include <openssl/buffer.h>
 #include <openssl/bio.h>
@@ -92,8 +96,10 @@ int WIN32_rename(char *oldname,char *newname);
 #define MAIN(a,v)	main(a,v)
 #ifndef NON_MAIN
 LHASH *config=NULL;
 BIO *bio_err=NULL;
 #else
 extern LHASH *config;
 extern BIO *bio_err;
 #endif
@@ -162,8 +168,6 @@ STACK_OF(X509) *load_certs(BIO *err, char *file, int format);
 #define FORMAT_NETSCAPE 4
 #define FORMAT_PKCS12   5
 #define FORMAT_SMIME    6
 /* Since this is currently inofficial, let's give it a high number */
 #define FORMAT_ENGINE   127
 #define NETSCAPE_CERT_HDR	"certificate"
--- a/apps/asn1pars.c
+++ b/apps/asn1pars.c
@@ -301,7 +301,15 @@ bad:
 		num=tmplen;
 		}
-	if (length == 0) length=(unsigned int)num;
+	if (offset >= num)
 		{
 		BIO_printf(bio_err, "Error: offset too large\n");
 		goto end;
 		}
 	num -= offset;
 	if ((length == 0) || ((long)length > num)) length=(unsigned int)num;
 	if(derout) {
 		if(BIO_write(derout, str + offset, length) != (int)length) {
 			BIO_printf(bio_err, "Error writing output\n");
@@ -328,6 +336,6 @@ end:
 	if (at != NULL) ASN1_TYPE_free(at);
 	if (osk != NULL) sk_free(osk);
 	OBJ_cleanup();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -74,7 +74,6 @@
 #include <openssl/x509v3.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 #ifndef W_OK
 #  ifdef VMS
@@ -168,7 +167,6 @@ static char *ca_usage[]={
 " -revoke file    - Revoke a certificate (given in file)\n",
 " -extensions ..  - Extension section (override value in config file)\n",
 " -crlexts ..     - CRL extension section (override value in config file)\n",
 " -engine e       - use engine e, possibly a hardware device.\n",
 NULL
 };
@@ -218,7 +216,6 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 	char *key=NULL,*passargin=NULL;
 	int total=0;
 	int total_done=0;
@@ -271,7 +268,6 @@ int MAIN(int argc, char **argv)
 #define BSIZE 256
 	MS_STATIC char buf[3][BSIZE];
 	char *randfile=NULL;
 	char *engine = NULL;
 #ifdef EFENCE
 EF_PROTECT_FREE=1;
@@ -423,11 +419,6 @@ EF_ALIGNMENT=0;
 			if (--argc < 1) goto bad;
 			crl_ext= *(++argv);
 			}
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 		else
 			{
 bad:
@@ -448,24 +439,6 @@ bad:
 	ERR_load_crypto_strings();
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto err;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto err;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	/*****************************************************************/
 	if (configfile == NULL) configfile = getenv("OPENSSL_CONF");
 	if (configfile == NULL) configfile = getenv("SSLEAY_CONF");
@@ -570,7 +543,7 @@ bad:
 		goto err;
 		}
 		pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,key);
-		if(key) memset(key,0,strlen(key));
+		if(key) OPENSSL_cleanse(key,strlen(key));
 	if (pkey == NULL)
 		{
 		BIO_printf(bio_err,"unable to load CA private key\n");
@@ -633,12 +606,14 @@ bad:
 	       that to access().  However, time's too short to do that just
 	       now.
            */
 #ifndef VXWORKS
 		if (access(outdir,R_OK|W_OK|X_OK) != 0)
 			{
 			BIO_printf(bio_err,"I am unable to access the %s directory\n",outdir);
 			perror(outdir);
 			goto err;
 			}
 #endif
 		if (stat(outdir,&sb) != 0)
 			{
@@ -856,9 +831,14 @@ bad:
 			}
 		if (verbose)
 			{
-			if ((f=BN_bn2hex(serial)) == NULL) goto err;
+			if (BN_is_zero(serial))
-			BIO_printf(bio_err,"next serial number is %s\n",f);
+				BIO_printf(bio_err,"next serial number is 00\n");
-			OPENSSL_free(f);
+			else
 				{
 				if ((f=BN_bn2hex(serial)) == NULL) goto err;
 				BIO_printf(bio_err,"next serial number is %s\n",f);
 				OPENSSL_free(f);
 				}
 			}
 		if ((attribs=CONF_get_section(conf,policy)) == NULL)
@@ -1302,7 +1282,7 @@ err:
 	X509_CRL_free(crl);
 	CONF_free(conf);
 	OBJ_cleanup();
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 static void lookup_fail(char *name, char *tag)
@@ -1367,7 +1347,7 @@ static BIGNUM *load_serial(char *serialfile)
 	ret=ASN1_INTEGER_to_BN(ai,NULL);
 	if (ret == NULL)
 		{
-		BIO_printf(bio_err,"error converting number from bin to BIGNUM");
+		BIO_printf(bio_err,"error converting number from bin to BIGNUM\n");
 		goto err;
 		}
 err:
@@ -1755,7 +1735,10 @@ again2:
 		BIO_printf(bio_err,"The subject name appears to be ok, checking data base for clashes\n");
 	row[DB_name]=X509_NAME_oneline(subject,NULL,0);
-	row[DB_serial]=BN_bn2hex(serial);
+	if (BN_is_zero(serial))
 		row[DB_serial]=BUF_strdup("00");
 	else
 		row[DB_serial]=BN_bn2hex(serial);
 	if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
 		{
 		BIO_printf(bio_err,"Memory allocation failure\n");
@@ -2169,7 +2152,10 @@ static int do_revoke(X509 *x509, TXT_DB *db)
 		row[i]=NULL;
 	row[DB_name]=X509_NAME_oneline(X509_get_subject_name(x509),NULL,0);
 	bn = ASN1_INTEGER_to_BN(X509_get_serialNumber(x509),NULL);
-	row[DB_serial]=BN_bn2hex(bn);
+	if (BN_is_zero(bn))
 		row[DB_serial]=BUF_strdup("00");
 	else
 		row[DB_serial]=BN_bn2hex(bn);
 	BN_free(bn);
 	if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
 		{
--- a/apps/ciphers.c
+++ b/apps/ciphers.c
@@ -202,6 +202,6 @@ end:
 	if (ctx != NULL) SSL_CTX_free(ctx);
 	if (ssl != NULL) SSL_free(ssl);
 	if (STDout != NULL) BIO_free_all(STDout);
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -364,7 +364,7 @@ end:
 		X509_STORE_CTX_cleanup(&ctx);
 		X509_STORE_free(store);
 	}
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 static X509_CRL *load_crl(char *infile, int format)
--- a/apps/crl2p7.c
+++ b/apps/crl2p7.c
@@ -166,7 +166,7 @@ bad:
 		BIO_printf(bio_err," -certfile arg  certificates file of chain to a trusted CA\n");
 		BIO_printf(bio_err,"                (can be used more than once)\n");
 		BIO_printf(bio_err," -nocrl         no crl to load, just certs from '-certfile'\n");
-		EXIT(1);
+		OPENSSL_EXIT(1);
 		}
 	ERR_load_crypto_strings();
@@ -278,7 +278,7 @@ end:
 	if (p7 != NULL) PKCS7_free(p7);
 	if (crl != NULL) X509_CRL_free(crl);
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 /*
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -66,7 +66,6 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 #undef BUFSIZE
 #define BUFSIZE	1024*8
@@ -81,7 +80,6 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 	unsigned char *buf=NULL;
 	int i,err=0;
 	const EVP_MD *md=NULL,*m;
@@ -99,7 +97,6 @@ int MAIN(int argc, char **argv)
 	EVP_PKEY *sigkey = NULL;
 	unsigned char *sigbuf = NULL;
 	int siglen = 0;
 	char *engine=NULL;
 	apps_startup();
@@ -157,11 +154,6 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) break;
 			sigfile=*(++argv);
 			}
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) break;
 			engine= *(++argv);
 			}
 		else if (strcmp(*argv,"-hex") == 0)
 			out_bin = 0;
 		else if (strcmp(*argv,"-binary") == 0)
@@ -198,7 +190,6 @@ int MAIN(int argc, char **argv)
 		BIO_printf(bio_err,"-prverify file  verify a signature using private key in file\n");
 		BIO_printf(bio_err,"-signature file signature to verify\n");
 		BIO_printf(bio_err,"-binary         output in binary form\n");
 		BIO_printf(bio_err,"-engine e       use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err,"-%3s to use the %s message digest algorithm (default)\n",
 			LN_md5,LN_md5);
@@ -218,24 +209,6 @@ int MAIN(int argc, char **argv)
 		goto end;
 		}
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto end;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	in=BIO_new(BIO_s_file());
 	bmd=BIO_new(BIO_f_md());
 	if (debug)
@@ -354,7 +327,7 @@ int MAIN(int argc, char **argv)
 end:
 	if (buf != NULL)
 		{
-		memset(buf,0,BUFSIZE);
+		OPENSSL_cleanse(buf,BUFSIZE);
 		OPENSSL_free(buf);
 		}
 	if (in != NULL) BIO_free(in);
@@ -362,7 +335,7 @@ end:
 	EVP_PKEY_free(sigkey);
 	if(sigbuf) OPENSSL_free(sigbuf);
 	if (bmd != NULL) BIO_free(bmd);
-	EXIT(err);
+	OPENSSL_EXIT(err);
 	}
 void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
--- a/apps/dh.c
+++ b/apps/dh.c
@@ -69,7 +69,6 @@
 #include <openssl/dh.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 #undef PROG
 #define PROG	dh_main
@@ -88,12 +87,11 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 	DH *dh=NULL;
 	int i,badops=0,text=0;
 	BIO *in=NULL,*out=NULL;
 	int informat,outformat,check=0,noout=0,C=0,ret=1;
-	char *infile,*outfile,*prog,*engine;
+	char *infile,*outfile,*prog;
 	apps_startup();
@@ -101,7 +99,6 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	engine=NULL;
 	infile=NULL;
 	outfile=NULL;
 	informat=FORMAT_PEM;
@@ -132,11 +129,6 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 		else if (strcmp(*argv,"-check") == 0)
 			check=1;
 		else if (strcmp(*argv,"-text") == 0)
@@ -168,30 +160,11 @@ bad:
 		BIO_printf(bio_err," -text         print a text form of the DH parameters\n");
 		BIO_printf(bio_err," -C            Output C code\n");
 		BIO_printf(bio_err," -noout        no output\n");
 		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
 		goto end;
 		}
 	ERR_load_crypto_strings();
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto end;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	in=BIO_new(BIO_s_file());
 	out=BIO_new(BIO_s_file());
 	if ((in == NULL) || (out == NULL))
@@ -346,6 +319,6 @@ end:
 	if (in != NULL) BIO_free(in);
 	if (out != NULL) BIO_free_all(out);
 	if (dh != NULL) DH_free(dh);
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 #endif
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -121,7 +121,6 @@
 #include <openssl/dh.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 #ifndef NO_DSA
 #include <openssl/dsa.h>
@@ -149,7 +148,6 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 	DH *dh=NULL;
 	int i,badops=0,text=0;
 #ifndef NO_DSA
@@ -158,7 +156,7 @@ int MAIN(int argc, char **argv)
 	BIO *in=NULL,*out=NULL;
 	int informat,outformat,check=0,noout=0,C=0,ret=1;
 	char *infile,*outfile,*prog;
-	char *inrand=NULL,*engine=NULL;
+	char *inrand=NULL;
 	int num = 0, g = 0;
 	apps_startup();
@@ -197,11 +195,6 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 		else if (strcmp(*argv,"-check") == 0)
 			check=1;
 		else if (strcmp(*argv,"-text") == 0)
@@ -247,7 +240,6 @@ bad:
 		BIO_printf(bio_err," -2            generate parameters using  2 as the generator value\n");
 		BIO_printf(bio_err," -5            generate parameters using  5 as the generator value\n");
 		BIO_printf(bio_err," numbits       number of bits in to generate (default 512)\n");
 		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,"               - load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,"               the random number generator\n");
@@ -257,24 +249,6 @@ bad:
 	ERR_load_crypto_strings();
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto end;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	if (g && !num)
 		num = DEFBITS;
@@ -532,7 +506,7 @@ end:
 	if (in != NULL) BIO_free(in);
 	if (out != NULL) BIO_free_all(out);
 	if (dh != NULL) DH_free(dh);
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 /* dh_cb is identical to dsa_cb in apps/dsaparam.c */
--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -68,7 +68,6 @@
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 #undef PROG
 #define PROG	dsa_main
@@ -88,7 +87,6 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 	int ret=1;
 	DSA *dsa=NULL;
 	int i,badops=0;
@@ -96,7 +94,7 @@ int MAIN(int argc, char **argv)
 	BIO *in=NULL,*out=NULL;
 	int informat,outformat,text=0,noout=0;
 	int pubin = 0, pubout = 0;
-	char *infile,*outfile,*prog,*engine;
+	char *infile,*outfile,*prog;
 	char *passargin = NULL, *passargout = NULL;
 	char *passin = NULL, *passout = NULL;
 	int modulus=0;
@@ -107,7 +105,6 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	engine=NULL;
 	infile=NULL;
 	outfile=NULL;
 	informat=FORMAT_PEM;
@@ -148,11 +145,6 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 			}
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 		else if (strcmp(*argv,"-noout") == 0)
 			noout=1;
 		else if (strcmp(*argv,"-text") == 0)
@@ -184,7 +176,6 @@ bad:
 		BIO_printf(bio_err," -passin arg     input file pass phrase source\n");
 		BIO_printf(bio_err," -out arg        output file\n");
 		BIO_printf(bio_err," -passout arg    output file pass phrase source\n");
 		BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err," -des            encrypt PEM output with cbc des\n");
 		BIO_printf(bio_err," -des3           encrypt PEM output with ede cbc des using 168 bit key\n");
 #ifndef NO_IDEA
@@ -198,24 +189,6 @@ bad:
 	ERR_load_crypto_strings();
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto end;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
 		BIO_printf(bio_err, "Error getting passwords\n");
 		goto end;
@@ -320,6 +293,6 @@ end:
 	if(dsa != NULL) DSA_free(dsa);
 	if(passin) OPENSSL_free(passin);
 	if(passout) OPENSSL_free(passout);
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 #endif
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -357,7 +357,7 @@ end:
 	if (in != NULL) BIO_free(in);
 	if (out != NULL) BIO_free_all(out);
 	if (dsa != NULL) DSA_free(dsa);
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 static void MS_CALLBACK dsa_cb(int p, int n, void *arg)
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -70,7 +70,6 @@
 #include <openssl/md5.h>
 #endif
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 int set_hex(char *in,unsigned char *out,int size);
 #undef SIZE
@@ -85,7 +84,6 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 	static const char magic[]="Salted__";
 	char mbuf[8];	/* should be 1 smaller than magic */
 	char *strbuf=NULL;
@@ -103,7 +101,6 @@ int MAIN(int argc, char **argv)
 	BIO *in=NULL,*out=NULL,*b64=NULL,*benc=NULL,*rbio=NULL,*wbio=NULL;
 #define PROG_NAME_SIZE  39
 	char pname[PROG_NAME_SIZE+1];
 	char *engine = NULL;
 	apps_startup();
@@ -144,11 +141,6 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			passarg= *(++argv);
 			}
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 		else if	(strcmp(*argv,"-d") == 0)
 			enc=0;
 		else if	(strcmp(*argv,"-p") == 0)
@@ -249,7 +241,6 @@ bad:
 			BIO_printf(bio_err,"%-14s key/iv in hex is the next argument\n","-K/-iv");
 			BIO_printf(bio_err,"%-14s print the iv/key (then exit if -P)\n","-[pP]");
 			BIO_printf(bio_err,"%-14s buffer size\n","-bufsize <n>");
 			BIO_printf(bio_err,"%-14s use engine e, possibly a hardware device.\n","-engine e");
 			BIO_printf(bio_err,"Cipher Types\n");
 			BIO_printf(bio_err,"des     : 56 bit key DES encryption\n");
@@ -323,24 +314,6 @@ bad:
 		argv++;
 		}
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto end;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	if (bufsize != NULL)
 		{
 		unsigned long n;
@@ -533,9 +506,9 @@ bad:
 			 * bug picked up by
 			 * Larry J. Hughes Jr. <hughes@indiana.edu> */
 			if (str == strbuf)
-				memset(str,0,SIZE);
+				OPENSSL_cleanse(str,SIZE);
 			else
-				memset(str,0,strlen(str));
+				OPENSSL_cleanse(str,strlen(str));
 			}
 		if ((hiv != NULL) && !set_hex(hiv,iv,8))
 			{
@@ -631,7 +604,7 @@ end:
 	if (benc != NULL) BIO_free(benc);
 	if (b64 != NULL) BIO_free(b64);
 	if(pass) OPENSSL_free(pass);
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 int set_hex(char *in, unsigned char *out, int size)
--- a/apps/errstr.c
+++ b/apps/errstr.c
@@ -121,5 +121,5 @@ int MAIN(int argc, char **argv)
 			ret++;
 			}
 		}
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
--- a/apps/gendh.c
+++ b/apps/gendh.c
@@ -70,7 +70,6 @@
 #include <openssl/dh.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 #define DEFBITS	512
 #undef PROG
@@ -82,13 +81,11 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 	DH *dh=NULL;
 	int ret=1,num=DEFBITS;
 	int g=2;
 	char *outfile=NULL;
 	char *inrand=NULL;
 	char *engine=NULL;
 	BIO *out=NULL;
 	apps_startup();
@@ -113,11 +110,6 @@ int MAIN(int argc, char **argv)
 			g=3; */
 		else if (strcmp(*argv,"-5") == 0)
 			g=5;
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -133,34 +125,15 @@ int MAIN(int argc, char **argv)
 bad:
 		BIO_printf(bio_err,"usage: gendh [args] [numbits]\n");
 		BIO_printf(bio_err," -out file - output the key to 'file\n");
-		BIO_printf(bio_err," -2        - use 2 as the generator value\n");
+		BIO_printf(bio_err," -2    use 2 as the generator value\n");
-	/*	BIO_printf(bio_err," -3        - use 3 as the generator value\n"); */
+	/*	BIO_printf(bio_err," -3    use 3 as the generator value\n"); */
-		BIO_printf(bio_err," -5        - use 5 as the generator value\n");
+		BIO_printf(bio_err," -5    use 5 as the generator value\n");
 		BIO_printf(bio_err," -engine e - use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,"           - load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,"             the random number generator\n");
 		goto end;
 		}
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto end;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	out=BIO_new(BIO_s_file());
 	if (out == NULL)
 		{
@@ -211,7 +184,7 @@ end:
 		ERR_print_errors(bio_err);
 	if (out != NULL) BIO_free_all(out);
 	if (dh != NULL) DH_free(dh);
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 static void MS_CALLBACK dh_cb(int p, int n, void *arg)
--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -68,7 +68,6 @@
 #include <openssl/dsa.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 #define DEFBITS	512
 #undef PROG
@@ -78,7 +77,6 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 	DSA *dsa=NULL;
 	int ret=1;
 	char *outfile=NULL;
@@ -86,7 +84,6 @@ int MAIN(int argc, char **argv)
 	char *passargout = NULL, *passout = NULL;
 	BIO *out=NULL,*in=NULL;
 	EVP_CIPHER *enc=NULL;
 	char *engine=NULL;
 	apps_startup();
@@ -109,11 +106,6 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 			}
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -153,7 +145,6 @@ bad:
 #ifndef NO_IDEA
 		BIO_printf(bio_err," -idea     - encrypt the generated key with IDEA in cbc mode\n");
 #endif
 		BIO_printf(bio_err," -engine e - use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,"           - load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,"             the random number generator\n");
@@ -162,24 +153,6 @@ bad:
 		goto end;
 		}
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto end;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	if(!app_passwd(bio_err, NULL, passargout, NULL, &passout)) {
 		BIO_printf(bio_err, "Error getting password\n");
 		goto end;
@@ -247,6 +220,6 @@ end:
 	if (out != NULL) BIO_free_all(out);
 	if (dsa != NULL) DSA_free(dsa);
 	if(passout) OPENSSL_free(passout);
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 #endif
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -69,7 +69,6 @@
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 #define DEFBITS	512
 #undef PROG
@@ -81,7 +80,6 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 	int ret=1;
 	RSA *rsa=NULL;
 	int i,num=DEFBITS;
@@ -90,7 +88,6 @@ int MAIN(int argc, char **argv)
 	unsigned long f4=RSA_F4;
 	char *outfile=NULL;
 	char *passargout = NULL, *passout = NULL;
 	char *engine=NULL;
 	char *inrand=NULL;
 	BIO *out=NULL;
@@ -119,11 +116,6 @@ int MAIN(int argc, char **argv)
 			f4=3;
 		else if (strcmp(*argv,"-F4") == 0 || strcmp(*argv,"-f4") == 0)
 			f4=RSA_F4;
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -162,7 +154,6 @@ bad:
 		BIO_printf(bio_err," -passout arg    output file pass phrase source\n");
 		BIO_printf(bio_err," -f4             use F4 (0x10001) for the E value\n");
 		BIO_printf(bio_err," -3              use 3 for the E value\n");
 		BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,"                 load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,"                 the random number generator\n");
@@ -176,24 +167,6 @@ bad:
 		goto err;
 	}
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto err;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto err;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	if (outfile == NULL)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
@@ -213,8 +186,7 @@ bad:
 			}
 		}
-	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
+	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL)
 		&& !RAND_status())
 		{
 		BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
 		}
@@ -252,7 +224,7 @@ err:
 	if(passout) OPENSSL_free(passout);
 	if (ret != 0)
 		ERR_print_errors(bio_err);
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 static void MS_CALLBACK genrsa_cb(int p, int n, void *arg)
--- a/apps/makeapps.com
+++ b/apps/makeapps.com
@@ -805,7 +805,7 @@ $ ENDIF
 $!
 $! Set Up Initial CC Definitions, Possibly With User Ones
 $!
-$ CCDEFS = "VMS=1,MONOLITH"
+$ CCDEFS = "VMS=1,MONOLITH,THREADS"
 $ IF F$TRNLNM("OPENSSL_NO_ASM") THEN CCDEFS = CCDEFS + ",NO_ASM"
 $ IF F$TRNLNM("OPENSSL_NO_RSA") THEN CCDEFS = CCDEFS + ",NO_RSA"
 $ IF F$TRNLNM("OPENSSL_NO_DSA") THEN CCDEFS = CCDEFS + ",NO_DSA"
@@ -1077,7 +1077,7 @@ $ CC = CC + "/DEFINE=(" + CCDEFS + ")" + CCDISABLEWARNINGS
 $!
 $! Show user the result
 $!
-$ WRITE SYS$OUTPUT "Main Compiling Command: ",CC
+$ WRITE/SYMBOL SYS$OUTPUT "Main Compiling Command: ",CC
 $!
 $! Special Threads For OpenVMS v7.1 Or Later
 $!
--- a/apps/nseq.c
+++ b/apps/nseq.c
@@ -102,7 +102,7 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-in file  input file\n");
 		BIO_printf (bio_err, "-out file output file\n");
 		BIO_printf (bio_err, "-toseq    output NS Sequence file\n");
-		EXIT(1);
+		OPENSSL_EXIT(1);
 	}
 	if (infile) {
@@ -162,6 +162,6 @@ end:
 	BIO_free_all(out);
 	NETSCAPE_CERT_SEQUENCE_free(seq);
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 }
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -77,11 +77,11 @@ static unsigned long MS_CALLBACK hash(FUNCTION *a);
 static int MS_CALLBACK cmp(FUNCTION *a,FUNCTION *b);
 static LHASH *prog_init(void );
 static int do_cmd(LHASH *prog,int argc,char *argv[]);
 LHASH *config=NULL;
 char *default_config_file=NULL;
 /* Make sure there is only one when MONOLITH is defined */
 #ifdef MONOLITH
 LHASH *config=NULL;
 BIO *bio_err=NULL;
 #endif
@@ -215,7 +215,7 @@ end:
 		BIO_free(bio_err);
 		bio_err=NULL;
 		}
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 #define LIST_STANDARD_COMMANDS "list-standard-commands"
--- a/apps/passwd.c
+++ b/apps/passwd.c
@@ -284,7 +284,7 @@ err:
 		BIO_free(in);
 	if (out)
 		BIO_free_all(out);
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
@@ -498,6 +498,6 @@ err:
 int MAIN(int argc, char **argv)
 	{
 	fputs("Program not available.\n", stderr)
-	EXIT(1);
+	OPENSSL_EXIT(1);
 	}
 #endif
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -66,7 +66,6 @@
 #include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/pkcs12.h>
 #include <openssl/engine.h>
 #define PROG pkcs12_main
@@ -93,7 +92,6 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 {
    ENGINE *e = NULL;
    char *infile=NULL, *outfile=NULL, *keyname = NULL;	
    char *certfile=NULL;
    BIO *in=NULL, *out = NULL, *inkey = NULL, *certsin = NULL;
@@ -120,7 +118,6 @@ int MAIN(int argc, char **argv)
    char *passin = NULL, *passout = NULL;
    char *inrand = NULL;
    char *CApath = NULL, *CAfile = NULL;
    char *engine=NULL;
    apps_startup();
@@ -239,11 +236,6 @@ int MAIN(int argc, char **argv)
 			args++;	
 			CAfile = *args;
 		    } else badarg = 1;
 		} else if (!strcmp(*args,"-engine")) {
 		    if (args[1]) {
 			args++;	
 			engine = *args;
 		    } else badarg = 1;
 		} else badarg = 1;
 	} else badarg = 1;
@@ -287,27 +279,12 @@ int MAIN(int argc, char **argv)
 	BIO_printf (bio_err, "-password p   set import/export password source\n");
 	BIO_printf (bio_err, "-passin p     input file pass phrase source\n");
 	BIO_printf (bio_err, "-passout p    output file pass phrase source\n");
 	BIO_printf (bio_err, "-engine e     use engine e, possibly a hardware device.\n");
 	BIO_printf(bio_err,  "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 	BIO_printf(bio_err,  "              load the file (or the files in the directory) into\n");
 	BIO_printf(bio_err,  "              the random number generator\n");
    	goto end;
    }
    if (engine != NULL) {
 	if((e = ENGINE_by_id(engine)) == NULL) {
 	    BIO_printf(bio_err,"invalid engine \"%s\"\n", engine);
 	    goto end;
 	}
 	if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
 	    BIO_printf(bio_err,"can't use that engine\n");
 	    goto end;
 	}
 	BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 	/* Free our "structural" reference. */
 	ENGINE_free(e);
    }
    if(passarg) {
 	if(export_cert) passargout = passarg;
 	else passargin = passarg;
@@ -503,9 +480,10 @@ int MAIN(int argc, char **argv)
 		    /* Exclude verified certificate */
 		    for (i = 1; i < sk_X509_num (chain2) ; i++) 
 			sk_X509_push(certs, sk_X509_value (chain2, i));
-		}
+		    /* Free first certificate */
-		sk_X509_free(chain2);
+		    X509_free(sk_X509_value(chain2, 0));
-		if (vret) {
+		    sk_X509_free(chain2);
 		} else {
 			BIO_printf (bio_err, "Error %s getting chain.\n",
 					X509_verify_cert_error_string(vret));
 			goto export_end;
@@ -532,8 +510,6 @@ int MAIN(int argc, char **argv)
 	}
 	sk_X509_pop_free(certs, X509_free);
 	certs = NULL;
 	/* ucert is part of certs so it is already freed */
 	ucert = NULL;
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
@@ -621,7 +597,6 @@ int MAIN(int argc, char **argv)
 	if (certs) sk_X509_pop_free(certs, X509_free);
 	if (safes) sk_PKCS7_pop_free(safes, PKCS7_free);
 	if (bags) sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
 	if (ucert) X509_free(ucert);
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
@@ -691,7 +666,7 @@ int MAIN(int argc, char **argv)
    if (canames) sk_free(canames);
    if(passin) OPENSSL_free(passin);
    if(passout) OPENSSL_free(passout);
-    EXIT(ret);
+    OPENSSL_EXIT(ret);
 }
 int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass,
--- a/apps/pkcs7.c
+++ b/apps/pkcs7.c
@@ -67,7 +67,6 @@
 #include <openssl/x509.h>
 #include <openssl/pkcs7.h>
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 #undef PROG
 #define PROG	pkcs7_main
@@ -83,7 +82,6 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 	PKCS7 *p7=NULL;
 	int i,badops=0;
 	BIO *in=NULL,*out=NULL;
@@ -91,7 +89,6 @@ int MAIN(int argc, char **argv)
 	char *infile,*outfile,*prog;
 	int print_certs=0,text=0,noout=0;
 	int ret=1;
 	char *engine=NULL;
 	apps_startup();
@@ -135,11 +132,6 @@ int MAIN(int argc, char **argv)
 			text=1;
 		else if (strcmp(*argv,"-print_certs") == 0)
 			print_certs=1;
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
@@ -162,30 +154,11 @@ bad:
 		BIO_printf(bio_err," -print_certs  print any certs or crl in the input\n");
 		BIO_printf(bio_err," -text         print full details of certificates\n");
 		BIO_printf(bio_err," -noout        don't output encoded data\n");
-		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
+		OPENSSL_EXIT(1);
 		EXIT(1);
 		}
 	ERR_load_crypto_strings();
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto end;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	in=BIO_new(BIO_s_file());
 	out=BIO_new(BIO_s_file());
 	if ((in == NULL) || (out == NULL))
@@ -316,5 +289,5 @@ end:
 	if (p7 != NULL) PKCS7_free(p7);
 	if (in != NULL) BIO_free(in);
 	if (out != NULL) BIO_free_all(out);
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@@ -62,7 +62,6 @@
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/pkcs12.h>
 #include <openssl/engine.h>
 #include "apps.h"
 #define PROG pkcs8_main
@@ -71,7 +70,6 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 {
 	ENGINE *e = NULL;
 	char **args, *infile = NULL, *outfile = NULL;
 	char *passargin = NULL, *passargout = NULL;
 	BIO *in = NULL, *out = NULL;
@@ -87,13 +85,9 @@ int MAIN(int argc, char **argv)
 	EVP_PKEY *pkey;
 	char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL;
 	int badarg = 0;
 	char *engine=NULL;
 	if (bio_err == NULL) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
 	informat=FORMAT_PEM;
 	outformat=FORMAT_PEM;
 	ERR_load_crypto_strings();
 	OpenSSL_add_all_algorithms();
 	args = argv + 1;
@@ -144,11 +138,6 @@ int MAIN(int argc, char **argv)
 			if (!args[1]) goto bad;
 			passargout= *(++args);
 			}
 		else if (strcmp(*args,"-engine") == 0)
 			{
 			if (!args[1]) goto bad;
 			engine= *(++args);
 			}
 		else if (!strcmp (*args, "-in")) {
 			if (args[1]) {
 				args++;
@@ -181,28 +170,9 @@ int MAIN(int argc, char **argv)
 		BIO_printf(bio_err, "-nocrypt        use or expect unencrypted private key\n");
 		BIO_printf(bio_err, "-v2 alg         use PKCS#5 v2.0 and cipher \"alg\"\n");
 		BIO_printf(bio_err, "-v1 obj         use PKCS#5 v1.5 and cipher \"alg\"\n");
 		BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
 		return (1);
 	}
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			return (1);
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			return (1);
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
 		BIO_printf(bio_err, "Error getting passwords\n");
 		return (1);
@@ -249,7 +219,7 @@ int MAIN(int argc, char **argv)
 		}
 		BIO_free(in);
 		if (!(p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken))) {
-			BIO_printf(bio_err, "Error converting key\n", outfile);
+			BIO_printf(bio_err, "Error converting key\n");
 			ERR_print_errors(bio_err);
 			return (1);
 		}
@@ -266,14 +236,14 @@ int MAIN(int argc, char **argv)
 			if(passout) p8pass = passout;
 			else {
 				p8pass = pass;
-				EVP_read_pw_string(pass, 50, "Enter Encryption Password:", 1);
+				if (EVP_read_pw_string(pass, 50, "Enter Encryption Password:", 1))
 					return (1);
 			}
 			app_RAND_load_file(NULL, bio_err, 0);
 			if (!(p8 = PKCS8_encrypt(pbe_nid, cipher,
 					p8pass, strlen(p8pass),
 					NULL, 0, iter, p8inf))) {
-				BIO_printf(bio_err, "Error encrypting key\n",
+				BIO_printf(bio_err, "Error encrypting key\n");
 								 outfile);
 				ERR_print_errors(bio_err);
 				return (1);
 			}
@@ -316,7 +286,7 @@ int MAIN(int argc, char **argv)
 		}
 		if (!p8) {
-			BIO_printf (bio_err, "Error reading key\n", outfile);
+			BIO_printf (bio_err, "Error reading key\n");
 			ERR_print_errors(bio_err);
 			return (1);
 		}
@@ -330,13 +300,13 @@ int MAIN(int argc, char **argv)
 	}
 	if (!p8inf) {
-		BIO_printf(bio_err, "Error decrypting key\n", outfile);
+		BIO_printf(bio_err, "Error decrypting key\n");
 		ERR_print_errors(bio_err);
 		return (1);
 	}
 	if (!(pkey = EVP_PKCS82PKEY(p8inf))) {
-		BIO_printf(bio_err, "Error converting key\n", outfile);
+		BIO_printf(bio_err, "Error converting key\n");
 		ERR_print_errors(bio_err);
 		return (1);
 	}
--- a/apps/rand.c
+++ b/apps/rand.c
@@ -9,7 +9,6 @@
 #include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/rand.h>
 #include <openssl/engine.h>
 #undef PROG
 #define PROG rand_main
@@ -24,7 +23,6 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 	int i, r, ret = 1;
 	int badopt;
 	char *outfile = NULL;
@@ -32,7 +30,6 @@ int MAIN(int argc, char **argv)
 	int base64 = 0;
 	BIO *out = NULL;
 	int num = -1;
 	char *engine=NULL;
 	apps_startup();
@@ -51,13 +48,6 @@ int MAIN(int argc, char **argv)
 			else
 				badopt = 1;
 			}
 		if (strcmp(argv[i], "-engine") == 0)
 			{
 			if ((argv[i+1] != NULL) && (engine == NULL))
 				engine = argv[++i];
 			else
 				badopt = 1;
 			}
 		else if (strcmp(argv[i], "-rand") == 0)
 			{
 			if ((argv[i+1] != NULL) && (inrand == NULL))
@@ -94,31 +84,12 @@ int MAIN(int argc, char **argv)
 		{
 		BIO_printf(bio_err, "Usage: rand [options] num\n");
 		BIO_printf(bio_err, "where options are\n");
-		BIO_printf(bio_err, "-out file             - write to file\n");
+		BIO_printf(bio_err, "-out file            - write to file\n");
-		BIO_printf(bio_err," -engine e             - use engine e, possibly a hardware device.\n");
+		BIO_printf(bio_err, "-rand file%cfile%c...  - seed PRNG from files\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
-		BIO_printf(bio_err, "-rand file%cfile%c... - seed PRNG from files\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
+		BIO_printf(bio_err, "-base64              - encode output\n");
 		BIO_printf(bio_err, "-base64               - encode output\n");
 		goto err;
 		}
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto err;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto err;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	app_RAND_load_file(NULL, bio_err, (inrand != NULL));
 	if (inrand != NULL)
 		BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
@@ -173,5 +144,5 @@ err:
 	ERR_print_errors(bio_err);
 	if (out)
 		BIO_free_all(out);
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
--- a/apps/req.c
+++ b/apps/req.c
@@ -73,7 +73,6 @@
 #include <openssl/x509v3.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 #define SECTION		"req"
@@ -141,7 +140,6 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 #ifndef NO_DSA
 	DSA *dsa_params=NULL;
 #endif
@@ -154,7 +152,6 @@ int MAIN(int argc, char **argv)
 	int informat,outformat,verify=0,noout=0,text=0,keyform=FORMAT_PEM;
 	int nodes=0,kludge=0,newhdr=0;
 	char *infile,*outfile,*prog,*keyfile=NULL,*template=NULL,*keyout=NULL;
 	char *engine=NULL;
 	char *extensions = NULL;
 	char *req_exts = NULL;
 	EVP_CIPHER *cipher=NULL;
@@ -198,11 +195,6 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			outformat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 		else if (strcmp(*argv,"-key") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -383,7 +375,6 @@ bad:
 		BIO_printf(bio_err," -verify        verify signature on REQ\n");
 		BIO_printf(bio_err," -modulus       RSA modulus\n");
 		BIO_printf(bio_err," -nodes         don't encrypt the output key\n");
 		BIO_printf(bio_err," -engine e      use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err," -key file	use the private key contained in file\n");
 		BIO_printf(bio_err," -keyform arg   key file format\n");
 		BIO_printf(bio_err," -keyout arg    file to send the key to\n");
@@ -431,7 +422,7 @@ bad:
 	if (template != NULL)
 		{
-		long errline;
+		long errline = -1;
 		BIO_printf(bio_err,"Using configuration from %s\n",template);
 		req_conf=CONF_load(NULL,template,&errline);
@@ -530,55 +521,24 @@ bad:
 	if ((in == NULL) || (out == NULL))
 		goto end;
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto end;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	if (keyfile != NULL)
 		{
-		if (keyform == FORMAT_ENGINE)
+		if (BIO_read_filename(in,keyfile) <= 0)
 			{
-			if (!e)
+			perror(keyfile);
-				{
+			goto end;
-				BIO_printf(bio_err,"no engine specified\n");
+			}
-				goto end;
+
-				}
+		if (keyform == FORMAT_ASN1)
-			pkey = ENGINE_load_private_key(e, keyfile, NULL);
+			pkey=d2i_PrivateKey_bio(in,NULL);
 		else if (keyform == FORMAT_PEM)
 			{
 			pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,passin);
 			}
 		else
 			{
-			if (BIO_read_filename(in,keyfile) <= 0)
+			BIO_printf(bio_err,"bad input format specified for X509 request\n");
-				{
+			goto end;
 				perror(keyfile);
 				goto end;
 				}
 			if (keyform == FORMAT_ASN1)
 				pkey=d2i_PrivateKey_bio(in,NULL);
 			else if (keyform == FORMAT_PEM)
 				{
 				pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,
 					passin);
 				}
 			else
 				{
 				BIO_printf(bio_err,"bad input format specified for X509 request\n");
 				goto end;
 				}
 			}
 		if (pkey == NULL)
@@ -949,7 +909,7 @@ end:
 #ifndef NO_DSA
 	if (dsa_params != NULL) DSA_free(dsa_params);
 #endif
-	EXIT(ex);
+	OPENSSL_EXIT(ex);
 	}
 static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, int attribs)
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -68,7 +68,6 @@
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 #undef PROG
 #define PROG	rsa_main
@@ -91,7 +90,6 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *eng = NULL;
 	int ret=1;
 	RSA *rsa=NULL;
 	int i,badops=0, sgckey=0;
@@ -102,7 +100,6 @@ int MAIN(int argc, char **argv)
 	char *infile,*outfile,*prog;
 	char *passargin = NULL, *passargout = NULL;
 	char *passin = NULL, *passout = NULL;
 	char *engine=NULL;
 	int modulus=0;
 	apps_startup();
@@ -151,11 +148,6 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 			}
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 		else if (strcmp(*argv,"-sgckey") == 0)
 			sgckey=1;
 		else if (strcmp(*argv,"-pubin") == 0)
@@ -203,30 +195,11 @@ bad:
 		BIO_printf(bio_err," -check          verify key consistency\n");
 		BIO_printf(bio_err," -pubin          expect a public key in input file\n");
 		BIO_printf(bio_err," -pubout         output a public key\n");
 		BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
 		goto end;
 		}
 	ERR_load_crypto_strings();
 	if (engine != NULL)
 		{
 		if((eng = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto end;
 			}
 		if(!ENGINE_set_default(eng, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(eng);
 		}
 	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
 		BIO_printf(bio_err, "Error getting passwords\n");
 		goto end;
@@ -416,7 +389,7 @@ end:
 	if(rsa != NULL) RSA_free(rsa);
 	if(passin) OPENSSL_free(passin);
 	if(passout) OPENSSL_free(passout);
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 #else /* !NO_RSA */
--- a/apps/rsautl.c
+++ b/apps/rsautl.c
@@ -62,7 +62,6 @@
 #include <string.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 #define RSA_SIGN 	1
 #define RSA_VERIFY 	2
@@ -83,7 +82,6 @@ int MAIN(int argc, char **);
 int MAIN(int argc, char **argv)
 {
 	ENGINE *e = NULL;
 	BIO *in = NULL, *out = NULL;
 	char *infile = NULL, *outfile = NULL;
 	char *keyfile = NULL;
@@ -97,7 +95,6 @@ int MAIN(int argc, char **argv)
 	unsigned char *rsa_in = NULL, *rsa_out = NULL, pad;
 	int rsa_inlen, rsa_outlen = 0;
 	int keysize;
 	char *engine=NULL;
 	int ret = 1;
@@ -120,9 +117,6 @@ int MAIN(int argc, char **argv)
 		} else if(!strcmp(*argv, "-inkey")) {
 			if (--argc < 1) badarg = 1;
 			keyfile = *(++argv);
 		} else if(!strcmp(*argv, "-engine")) {
 			if (--argc < 1) badarg = 1;
 			engine = *(++argv);
 		} else if(!strcmp(*argv, "-pubin")) {
 			key_type = KEY_PUBKEY;
 		} else if(!strcmp(*argv, "-certin")) {
@@ -157,24 +151,6 @@ int MAIN(int argc, char **argv)
 		goto end;
 	}
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto end;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 /* FIXME: seed PRNG only if needed */
 	app_RAND_load_file(NULL, bio_err, 0);
@@ -304,7 +280,6 @@ static void usage()
 	BIO_printf(bio_err, "-inkey file     input key\n");
 	BIO_printf(bio_err, "-pubin          input is an RSA public\n");
 	BIO_printf(bio_err, "-certin         input is a certificate carrying an RSA public key\n");
 	BIO_printf(bio_err, "-engine e       use engine e, possibly a hardware device.\n");
 	BIO_printf(bio_err, "-ssl            use SSL v2 padding\n");
 	BIO_printf(bio_err, "-raw            use no padding\n");
 	BIO_printf(bio_err, "-pkcs           use PKCS#1 v1.5 padding (default)\n");
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -80,7 +80,6 @@ typedef unsigned int u_int;
 #include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/rand.h>
 #include <openssl/engine.h>
 #include "s_apps.h"
 #ifdef WINDOWS
@@ -155,7 +154,7 @@ static void sc_usage(void)
 	BIO_printf(bio_err," -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
 	BIO_printf(bio_err,"                 command to see what is available\n");
 	BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
-	BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
+
 	}
 int MAIN(int, char **);
@@ -183,8 +182,6 @@ int MAIN(int argc, char **argv)
 	SSL_METHOD *meth=NULL;
 	BIO *sbio;
 	char *inrand=NULL;
 	char *engine_id=NULL;
 	ENGINE *e=NULL;
 #ifdef WINDOWS
 	struct timeval tv;
 #endif
@@ -327,11 +324,6 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			inrand= *(++argv);
 			}
 		else if	(strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine_id = *(++argv);
 			}
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
@@ -372,30 +364,6 @@ bad:
 	OpenSSL_add_ssl_algorithms();
 	SSL_load_error_strings();
 	if (engine_id != NULL)
 		{
 		if((e = ENGINE_by_id(engine_id)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine\n");
 			ERR_print_errors(bio_err);
 			goto end;
 			}
 		if (c_debug)
 			{
 			ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM,
 				0, bio_err, 0);
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			ERR_print_errors(bio_err);
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine_id);
 		ENGINE_free(e);
 		}
 	ctx=SSL_CTX_new(meth);
 	if (ctx == NULL)
 		{
@@ -800,14 +768,14 @@ end:
 	if (con != NULL) SSL_free(con);
 	if (con2 != NULL) SSL_free(con2);
 	if (ctx != NULL) SSL_CTX_free(ctx);
-	if (cbuf != NULL) { memset(cbuf,0,BUFSIZZ); OPENSSL_free(cbuf); }
+	if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
-	if (sbuf != NULL) { memset(sbuf,0,BUFSIZZ); OPENSSL_free(sbuf); }
+	if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
 	if (bio_c_out != NULL)
 		{
 		BIO_free(bio_c_out);
 		bio_c_out=NULL;
 		}
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -84,7 +84,6 @@ typedef unsigned int u_int;
 #include <openssl/x509.h>
 #include <openssl/ssl.h>
 #include <openssl/rand.h>
 #include <openssl/engine.h>
 #include "s_apps.h"
 #ifdef WINDOWS
@@ -178,7 +177,6 @@ static int s_debug=0;
 static int s_quiet=0;
 static int hack=0;
 static char *engine_id=NULL;
 #ifdef MONOLITH
 static void s_server_init(void)
@@ -201,7 +199,6 @@ static void s_server_init(void)
 	s_debug=0;
 	s_quiet=0;
 	hack=0;
 	engine_id=NULL;
 	}
 #endif
@@ -247,7 +244,6 @@ static void sv_usage(void)
 	BIO_printf(bio_err," -www          - Respond to a 'GET /' with a status page\n");
 	BIO_printf(bio_err," -WWW          - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
 	BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 	BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
 	}
 static int local_argc=0;
@@ -257,10 +253,10 @@ static char **local_argv;
 static int ebcdic_new(BIO *bi);
 static int ebcdic_free(BIO *a);
 static int ebcdic_read(BIO *b, char *out, int outl);
-static int ebcdic_write(BIO *b, char *in, int inl);
+static int ebcdic_write(BIO *b, const char *in, int inl);
-static long ebcdic_ctrl(BIO *b, int cmd, long num, char *ptr);
+static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr);
 static int ebcdic_gets(BIO *bp, char *buf, int size);
-static int ebcdic_puts(BIO *bp, char *str);
+static int ebcdic_puts(BIO *bp, const char *str);
 #define BIO_TYPE_EBCDIC_FILTER	(18|0x0200)
 static BIO_METHOD methods_ebcdic=
@@ -325,7 +321,7 @@ static int ebcdic_read(BIO *b, char *out, int outl)
 	return(ret);
 }
-static int ebcdic_write(BIO *b, char *in, int inl)
+static int ebcdic_write(BIO *b, const char *in, int inl)
 {
 	EBCDIC_OUTBUFF *wbuf;
 	int ret=0;
@@ -358,7 +354,7 @@ static int ebcdic_write(BIO *b, char *in, int inl)
 	return(ret);
 }
-static long ebcdic_ctrl(BIO *b, int cmd, long num, char *ptr)
+static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr)
 {
 	long ret;
@@ -377,7 +373,7 @@ static long ebcdic_ctrl(BIO *b, int cmd, long num, char *ptr)
 static int ebcdic_gets(BIO *bp, char *buf, int size)
 {
-	int i, ret;
+	int i, ret=0;
 	if (bp->next_bio == NULL) return(0);
 /*	return(BIO_gets(bp->next_bio,buf,size));*/
 	for (i=0; i<size-1; ++i)
@@ -396,7 +392,7 @@ static int ebcdic_gets(BIO *bp, char *buf, int size)
 	return (ret < 0 && i == 0) ? ret : i;
 }
-static int ebcdic_puts(BIO *bp, char *str)
+static int ebcdic_puts(BIO *bp, const char *str)
 {
 	if (bp->next_bio == NULL) return(0);
 	return ebcdic_write(bp, str, strlen(str));
@@ -418,8 +414,6 @@ int MAIN(int argc, char *argv[])
 	int state=0;
 	SSL_METHOD *meth=NULL;
 	char *inrand=NULL;
 	char *engine=NULL;
 	ENGINE *e=NULL;
 #ifndef NO_DH
 	DH *dh=NULL;
 #endif
@@ -579,11 +573,6 @@ int MAIN(int argc, char *argv[])
 			if (--argc < 1) goto bad;
 			inrand= *(++argv);
 			}
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine = *(++argv);
 			}
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
@@ -635,29 +624,6 @@ bad:
 	SSL_load_error_strings();
 	OpenSSL_add_ssl_algorithms();
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine\n");
 			ERR_print_errors(bio_err);
 			goto end;
 			}
 		if (s_debug)
 			{
 			ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM,
 				0, bio_err, 0);
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			ERR_print_errors(bio_err);
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		ENGINE_free(e);
 		}
 	ctx=SSL_CTX_new(meth);
 	if (ctx == NULL)
 		{
@@ -775,7 +741,7 @@ end:
 		BIO_free(bio_s_out);
 		bio_s_out=NULL;
 		}
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 static void print_stats(BIO *bio, SSL_CTX *ssl_ctx)
@@ -1077,7 +1043,7 @@ err:
 	BIO_printf(bio_s_out,"CONNECTION CLOSED\n");
 	if (buf != NULL)
 		{
-		memset(buf,0,bufsize);
+		OPENSSL_cleanse(buf,bufsize);
 		OPENSSL_free(buf);
 		}
 	if (ret >= 0)
@@ -1284,7 +1250,7 @@ static int www_body(char *hostname, int s, unsigned char *context)
 			else
 				{
 				BIO_printf(bio_s_out,"read R BLOCK\n");
-#ifndef MSDOS
+#if !defined(MSDOS) && !defined(VXWORKS)
 				sleep(1);
 #endif
 				continue;
--- a/apps/s_time.c
+++ b/apps/s_time.c
@@ -116,6 +116,11 @@
 #include <sys/param.h>
 #endif
 #ifdef VXWORKS
 #include <tickLib.h>
 #undef SIGALRM
 #endif
 /* The following if from times(3) man page.  It may need to be changed
 */
 #ifndef HZ
@@ -461,7 +466,7 @@ int MAIN(int argc, char **argv)
 	if (tm_cipher == NULL ) {
 		fprintf( stderr, "No CIPHER specified\n" );
-/*		EXIT(1); */
+/*		OPENSSL_EXIT(1); */
 	}
 	if (!(perform & 1)) goto next;
@@ -628,7 +633,7 @@ end:
 		SSL_CTX_free(tm_ctx);
 		tm_ctx=NULL;
 		}
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 /***********************************************************************
--- a/apps/sess_id.c
+++ b/apps/sess_id.c
@@ -272,7 +272,7 @@ bad:
 end:
 	if (out != NULL) BIO_free_all(out);
 	if (x != NULL) SSL_SESSION_free(x);
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 static SSL_SESSION *load_sess_id(char *infile, int format)
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -64,7 +64,6 @@
 #include <openssl/crypto.h>
 #include <openssl/pem.h>
 #include <openssl/err.h>
 #include <openssl/engine.h>
 #undef PROG
 #define PROG smime_main
@@ -82,7 +81,6 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 {
 	ENGINE *e = NULL;
 	int operation = 0;
 	int ret = 0;
 	char **args;
@@ -105,9 +103,8 @@ int MAIN(int argc, char **argv)
 	char *inrand = NULL;
 	int need_rand = 0;
 	int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
 	char *engine=NULL;
 	args = argv + 1;
 	ret = 1;
 	while (!badarg && *args && *args[0] == '-') {
@@ -156,11 +153,6 @@ int MAIN(int argc, char **argv)
 				inrand = *args;
 			} else badarg = 1;
 			need_rand = 1;
 		} else if (!strcmp(*args,"-engine")) {
 			if (args[1]) {
 				args++;
 				engine = *args;
 			} else badarg = 1;
 		} else if (!strcmp(*args,"-passin")) {
 			if (args[1]) {
 				args++;
@@ -298,7 +290,6 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-text          include or delete text MIME headers\n");
 		BIO_printf (bio_err, "-CApath dir    trusted certificates directory\n");
 		BIO_printf (bio_err, "-CAfile file   trusted certificates file\n");
 		BIO_printf (bio_err, "-engine e      use engine e, possibly a hardware device.\n");
 		BIO_printf (bio_err, "-passin arg    input file pass phrase source\n");
 		BIO_printf(bio_err,  "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,  "               load the file (or the files in the directory) into\n");
@@ -307,24 +298,6 @@ int MAIN(int argc, char **argv)
 		goto end;
 	}
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto end;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
 		BIO_printf(bio_err, "Error getting password\n");
 		goto end;
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -81,7 +81,6 @@
 #include <openssl/crypto.h>
 #include <openssl/rand.h>
 #include <openssl/err.h>
 #include <openssl/engine.h>
 #if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__) || defined(_DARWIN)
 # define USE_TOD
@@ -192,7 +191,11 @@
 #endif
 #undef BUFSIZE
-#define BUFSIZE	((long)1024*8+1)
+/* BUFSIZE needs to be one cipherblock larger than the largest number in the
   lengths array (see below), to make space for padding when doing EVP tests.
   1024 extra bytes may seem much, but hey, it doesn't hurt!
 							-- Richard Levitte */
 #define BUFSIZE	((long)1024*9+1)
 int run=0;
 static double Time_F(int s, int usertime);
@@ -328,7 +331,6 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e;
 	unsigned char *buf=NULL,*buf2=NULL;
 	int mret=1;
 #define ALGOR_NUM	15
@@ -491,37 +493,6 @@ int MAIN(int argc, char **argv)
 		{
 		if	((argc > 0) && (strcmp(*argv,"-elapsed") == 0))
 			usertime = 0;
 		else
 		if	((argc > 0) && (strcmp(*argv,"-engine") == 0))
 			{
 			argc--;
 			argv++;
 			if(argc == 0)
 				{
 				BIO_printf(bio_err,"no engine given\n");
 				goto end;
 				}
 			if((e = ENGINE_by_id(*argv)) == NULL)
 				{
 				BIO_printf(bio_err,"invalid engine \"%s\"\n",
 					*argv);
 				goto end;
 				}
 			if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 				{
 				BIO_printf(bio_err,"can't use that engine\n");
 				goto end;
 				}
 			BIO_printf(bio_err,"engine \"%s\" set.\n", *argv);
 			/* Free our "structural" reference. */
 			ENGINE_free(e);
 			/* It will be increased again further down.  We just
 			   don't want speed to confuse an engine with an
 			   algorithm, especially when none is given (which
 			   means all of them should be run) */
 			j--;
 			}
 		else
 #ifndef NO_MD2
 		if	(strcmp(*argv,"md2") == 0) doit[D_MD2]=1;
 		else
@@ -569,7 +540,7 @@ int MAIN(int argc, char **argv)
 #ifdef RSAref
 			if (strcmp(*argv,"rsaref") == 0) 
 			{
-			RSA_set_default_openssl_method(RSA_PKCS1_RSAref());
+			RSA_set_default_method(RSA_PKCS1_RSAref());
 			j--;
 			}
 		else
@@ -577,7 +548,7 @@ int MAIN(int argc, char **argv)
 #ifndef RSA_NULL
 			if (strcmp(*argv,"openssl") == 0) 
 			{
-			RSA_set_default_openssl_method(RSA_PKCS1_SSLeay());
+			RSA_set_default_method(RSA_PKCS1_SSLeay());
 			j--;
 			}
 		else
@@ -722,12 +693,11 @@ int MAIN(int argc, char **argv)
 			BIO_printf(bio_err,"\n");
 #endif
 #if defined(TIMES) || defined(USE_TOD)
 			BIO_printf(bio_err,"\n");
 			BIO_printf(bio_err,"Available options:\n");
 #ifdef TIMES
 			BIO_printf(bio_err,"-elapsed        measure time in real time instead of CPU user time.\n");
 #endif
 			BIO_printf(bio_err,"-engine e       use engine e, possibly a hardware device.\n");
 			goto end;
 			}
 		argc--;
@@ -1434,7 +1404,6 @@ int MAIN(int argc, char **argv)
 #endif
 	mret=0;
 end:
 	ERR_print_errors(bio_err);
 	if (buf != NULL) OPENSSL_free(buf);
 	if (buf2 != NULL) OPENSSL_free(buf2);
 #ifndef NO_RSA
@@ -1447,7 +1416,7 @@ end:
 		if (dsa_key[i] != NULL)
 			DSA_free(dsa_key[i]);
 #endif
-	EXIT(mret);
+	OPENSSL_EXIT(mret);
 	}
 static void print_message(char *s, long num, int length)
--- a/apps/spkac.c
+++ b/apps/spkac.c
@@ -69,7 +69,6 @@
 #include <openssl/lhash.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 #undef PROG
 #define PROG	spkac_main
@@ -82,7 +81,6 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 	int i,badops=0, ret = 1;
 	BIO *in = NULL,*out = NULL, *key = NULL;
 	int verify=0,noout=0,pubkey=0;
@@ -93,7 +91,6 @@ int MAIN(int argc, char **argv)
 	LHASH *conf = NULL;
 	NETSCAPE_SPKI *spki = NULL;
 	EVP_PKEY *pkey = NULL;
 	char *engine=NULL;
 	apps_startup();
@@ -139,11 +136,6 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			spksect= *(++argv);
 			}
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 		else if (strcmp(*argv,"-noout") == 0)
 			noout=1;
 		else if (strcmp(*argv,"-pubkey") == 0)
@@ -169,7 +161,6 @@ bad:
 		BIO_printf(bio_err," -noout         don't print SPKAC\n");
 		BIO_printf(bio_err," -pubkey        output public key\n");
 		BIO_printf(bio_err," -verify        verify SPKAC signature\n");
 		BIO_printf(bio_err," -engine e      use engine e, possibly a hardware device.\n");
 		goto end;
 		}
@@ -179,24 +170,6 @@ bad:
 		goto end;
 	}
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto end;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	if(keyfile) {
 		if(strcmp(keyfile, "-")) key = BIO_new_file(keyfile, "r");
 		else key = BIO_new_fp(stdin, BIO_NOCLOSE);
@@ -315,5 +288,5 @@ end:
 	BIO_free(key);
 	EVP_PKEY_free(pkey);
 	if(passin) OPENSSL_free(passin);
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -65,7 +65,6 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 #undef PROG
 #define PROG	verify_main
@@ -79,7 +78,6 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 	int i,ret=1;
 	int purpose = -1;
 	char *CApath=NULL,*CAfile=NULL;
@@ -87,7 +85,6 @@ int MAIN(int argc, char **argv)
 	STACK_OF(X509) *untrusted = NULL, *trusted = NULL;
 	X509_STORE *cert_ctx=NULL;
 	X509_LOOKUP *lookup=NULL;
 	char *engine=NULL;
 	cert_ctx=X509_STORE_new();
 	if (cert_ctx == NULL) goto end;
@@ -140,11 +137,6 @@ int MAIN(int argc, char **argv)
 				if (argc-- < 1) goto end;
 				trustfile= *(++argv);
 				}
 			else if (strcmp(*argv,"-engine") == 0)
 				{
 				if (--argc < 1) goto end;
 				engine= *(++argv);
 				}
 			else if (strcmp(*argv,"-help") == 0)
 				goto end;
 			else if (strcmp(*argv,"-issuer_checks") == 0)
@@ -162,24 +154,6 @@ int MAIN(int argc, char **argv)
 			break;
 		}
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto end;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	lookup=X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_file());
 	if (lookup == NULL) abort();
 	if (CAfile) {
@@ -227,7 +201,7 @@ int MAIN(int argc, char **argv)
 	ret=0;
 end:
 	if (ret == 1) {
-		BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-engine e] cert1 cert2 ...\n");
+		BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] cert1 cert2 ...\n");
 		BIO_printf(bio_err,"recognized usages:\n");
 		for(i = 0; i < X509_PURPOSE_get_count(); i++) {
 			X509_PURPOSE *ptmp;
@@ -239,7 +213,7 @@ end:
 	if (cert_ctx != NULL) X509_STORE_free(cert_ctx);
 	sk_X509_pop_free(untrusted, X509_free);
 	sk_X509_pop_free(trusted, X509_free);
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, int purpose)
--- a/apps/version.c
+++ b/apps/version.c
@@ -128,5 +128,5 @@ int MAIN(int argc, char **argv)
 		}
 	if (cflags)  printf("%s\n",SSLeay_version(SSLEAY_CFLAGS));
 end:
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -73,7 +73,6 @@
 #include <openssl/x509v3.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 #undef PROG
 #define PROG x509_main
@@ -122,7 +121,7 @@ static char *x509_usage[]={
 " -CAkey arg      - set the CA key, must be PEM format\n",
 "                   missing, it is assumed to be in the CA file.\n",
 " -CAcreateserial - create serial number file if it does not exist\n",
-" -CAserial       - serial file\n",
+" -CAserial arg   - serial file\n",
 " -text           - print the certificate in text form\n",
 " -C              - print out C code forms\n",
 " -md2/-md5/-sha1/-mdc2 - digest to use\n",
@@ -130,7 +129,6 @@ static char *x509_usage[]={
 " -extensions     - section from config file with X509V3 extensions to add\n",
 " -clrext         - delete extensions before signing and input certificate\n",
 " -nameopt arg    - various certificate name options\n",
 " -engine e       - use engine e, possibly a hardware device.\n",
 NULL
 };
@@ -147,7 +145,6 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 	int ret=1;
 	X509_REQ *req=NULL;
 	X509 *x=NULL,*xca=NULL;
@@ -178,7 +175,6 @@ int MAIN(int argc, char **argv)
 	int need_rand = 0;
 	int checkend=0,checkoffset=0;
 	unsigned long nmflag = 0;
 	char *engine=NULL;
 	reqfile=0;
@@ -341,11 +337,6 @@ int MAIN(int argc, char **argv)
 			alias= *(++argv);
 			trustout = 1;
 			}
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 		else if (strcmp(*argv,"-C") == 0)
 			C= ++num;
 		else if (strcmp(*argv,"-email") == 0)
@@ -429,24 +420,6 @@ bad:
 		goto end;
 		}
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto end;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	if (need_rand)
 		app_RAND_load_file(NULL, bio_err, 0);
@@ -474,7 +447,7 @@ bad:
 	if (extfile)
 		{
-		long errorline;
+		long errorline = -1;
 		X509V3_CTX ctx2;
 		if (!(extconf=CONF_load(NULL,extfile,&errorline)))
 			{
@@ -988,7 +961,7 @@ end:
 	sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free);
 	sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free);
 	if (passin) OPENSSL_free(passin);
-	EXIT(ret);
+	OPENSSL_EXIT(ret);
 	}
 static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
@@ -1090,7 +1063,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
 	BIO_free(io);
 	io=NULL;
-	if (!X509_STORE_add_cert(ctx,x)) goto end;
+	/*if (!X509_STORE_add_cert(ctx,x)) goto end;*/
 	/* NOTE: this certificate can/should be self signed, unless it was
 	 * a certificate request in which case it is not. */
--- a/bugs/SSLv3
+++ b/bugs/SSLv3
@@ -29,7 +29,7 @@ RC4-MD5, but a re-connect tries to use DES-CBC-SHA.  So netscape, when
 doing a re-connect, always takes the first cipher in the cipher list.
 If we accept a netscape connection, demand a client cert, have a
-non-self-sighed CA which does not have it's CA in netscape, and the
+non-self-signed CA which does not have it's CA in netscape, and the
 browser has a cert, it will crash/hang.  Works for 3.x and 4.xbeta
 Netscape browsers do not really notice the server sending a
--- a/certs/expired/vsign3.pem
+++ b/certs/expired/vsign3.pem
@@ -0,0 +1,18 @@
 subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 notBefore=Jan 29 00:00:00 1996 GMT
 notAfter=Jan  7 23:59:59 2004 GMT
 -----BEGIN CERTIFICATE-----
 MIICPTCCAaYCEQDknv3zOugOz6URPhmkJAIyMA0GCSqGSIb3DQEBAgUAMF8xCzAJ
 BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xh
 c3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05
 NjAxMjkwMDAwMDBaFw0wNDAxMDcyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYD
 VQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMgUHJp
 bWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOB
 jQAwgYkCgYEAyVxZnvIbigEUtBDfBEDb41evakVAj4QMC9Ez2dkRz+4CWB8l9yqo
 RAWq7AMfeH+ek7maAKojfdashaJjRcdyJ8z0TMZ1cdI5709C8HXfCpDGjiBvmA/4
 rCNfcCk2pMmG57GaIMtTpYXnPb59mv4kRTPcdhXtD6JxZExlLoFoRacCAwEAATAN
 BgkqhkiG9w0BAQIFAAOBgQBhcOwvP579K+ZoVCGwZ3kIDCCWMYoNer62Jt95LCJp
 STbjl3diYaIy13pUITa6Ask05yXaRDWw0lyAXbOU+Pms7qRgdSoflUkjsUp89LNH
 ciFbfperVKxi513srpvSybIk+4Kt6WcVS7qqpvCXoPawl1cAyAw8CaCCBLpB2veZ
 pA==
 -----END CERTIFICATE-----
--- a/certs/vsign3.pem
+++ b/certs/vsign3.pem
@@ -1,18 +1,17 @@
 subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 notBefore=Jan 29 00:00:00 1996 GMT
-notAfter=Jan  7 23:59:59 2004 GMT
+notAfter=Aug  1 23:59:59 2028 GMT
 -----BEGIN CERTIFICATE-----
-MIICPTCCAaYCEQDknv3zOugOz6URPhmkJAIyMA0GCSqGSIb3DQEBAgUAMF8xCzAJ
+MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
-BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xh
+A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
-c3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05
+cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
-NjAxMjkwMDAwMDBaFw0wNDAxMDcyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYD
+MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
-VQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMgUHJp
+BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
-bWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOB
+YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
-jQAwgYkCgYEAyVxZnvIbigEUtBDfBEDb41evakVAj4QMC9Ez2dkRz+4CWB8l9yqo
+ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
-RAWq7AMfeH+ek7maAKojfdashaJjRcdyJ8z0TMZ1cdI5709C8HXfCpDGjiBvmA/4
+BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
-rCNfcCk2pMmG57GaIMtTpYXnPb59mv4kRTPcdhXtD6JxZExlLoFoRacCAwEAATAN
+I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
-BgkqhkiG9w0BAQIFAAOBgQBhcOwvP579K+ZoVCGwZ3kIDCCWMYoNer62Jt95LCJp
+CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
-STbjl3diYaIy13pUITa6Ask05yXaRDWw0lyAXbOU+Pms7qRgdSoflUkjsUp89LNH
+lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
-ciFbfperVKxi513srpvSybIk+4Kt6WcVS7qqpvCXoPawl1cAyAw8CaCCBLpB2veZ
+AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
 pA==
 -----END CERTIFICATE-----
--- a/41
+++ b/41
@@ -317,6 +317,10 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
    *CRAY*)
       echo "j90-cray-unicos"; exit 0;
       ;;
    NONSTOP_KERNEL*)
       echo "nsr-tandem-nsk"; exit 0;
       ;;
 esac
 #
@@ -384,6 +388,9 @@ done
 GCCVER=`(gcc -dumpversion) 2>/dev/null`
 if [ "$GCCVER" != "" ]; then
  CC=gcc
  # then strip off whatever prefix egcs prepends the number with...
  # Hopefully, this will work for any future prefixes as well.
  GCCVER=`echo $GCCVER | sed 's/^[a-zA-Z]*\-//'`
  # Since gcc 3.1 gcc --version behaviour has changed.  gcc -dumpversion
  # does give us what we want though, so we use that.  We just just the
  # major and minor version numbers.
@@ -470,7 +477,8 @@ case "$GUESSOS" in
 	echo "WARNING! If you wish to build 64-bit library, then you have to"
 	echo "         invoke './Configure irix64-mips4-$CC' *manually*."
 	echo "         Type return if you want to continue, Ctrl-C to abort."
-	read waste < /dev/tty
+	# Do not stop if /dev/tty is unavailable
 	(read waste < /dev/tty) || true
        CPU=`(hinv -t cpu) 2>/dev/null | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
        CPU=${CPU:-0}
        if [ $CPU -ge 5000 ]; then
@@ -525,7 +533,8 @@ EOF
 	#echo "WARNING! If you wish to build 64-bit library, then you have to"
 	#echo "         invoke './Configure linux64-sparcv9' *manually*."
 	#echo "         Type return if you want to continue, Ctrl-C to abort."
-	#read waste < /dev/tty
+	# Do not stop if /dev/tty is unavailable
 	#(read waste < /dev/tty) || true
 	OUT="linux-sparcv9" ;;
  sparc-*-linux2)
 	KARCH=`awk '/^type/{print$3}' /proc/cpuinfo`
@@ -566,7 +575,8 @@ EOF
 		echo "WARNING! If you wish to build 64-bit library, then you have to"
 		echo "         invoke './Configure solaris64-sparcv9-cc' *manually*."
 		echo "         Type return if you want to continue, Ctrl-C to abort."
-		read waste < /dev/tty
+		# Do not stop if /dev/tty is unavailable
 		(read waste < /dev/tty) || true
 	fi
 	OUT="solaris-sparcv9-$CC" ;;
  sun4m-*-solaris2)	OUT="solaris-sparcv8-$CC" ;;
@@ -627,30 +637,15 @@ EOF
  *-*-cygwin) OUT="Cygwin" ;;
  t3e-cray-unicosmk) OUT="cray-t3e" ;;
  j90-cray-unicos) OUT="cray-j90" ;;
  nsr-tandem-nsk) OUT="tandem-c89" ;;
  *) OUT=`echo $GUESSOS | awk -F- '{print $3}'`;;
 esac
 # NB: This atalla support has been superceded by the ENGINE support
 # That contains its own header and definitions anyway. Support can
 # be enabled or disabled on any supported platform without external
 # headers, eg. by adding the "hw-atalla" switch to ./config or
 # perl Configure
 #
 # See whether we can compile Atalla support
-#if [ -f /usr/include/atasi.h ]
+if [ -f /usr/include/atasi.h ]
-#then
+then
-#  options="$options -DATALLA"
+  options="$options -DATALLA"
-#fi
+fi
 #get some basic shared lib support (behnke@trustcenter.de)
 case "$OUT" in
   solaris-*-gcc)
 	if  [ "$SHARED" = "true" ] 
 	 then
 	  options="$options -DPIC -fPIC"
        fi
     ;;
 esac
 # gcc < 2.8 does not support -mcpu=ultrasparc
 if [ "$OUT" = solaris-sparcv9-gcc -a $GCCVER -lt 28 ]
--- a/crypto/Makefile.ssl
+++ b/crypto/Makefile.ssl
@@ -27,15 +27,15 @@ LIBS=
 SDIRS=	md2 md5 sha mdc2 hmac ripemd \
 	des rc2 rc4 rc5 idea bf cast \
-	bn rsa dsa dh dso engine \
+	bn rsa dsa dh dso \
 	buffer bio stack lhash rand err objects \
 	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp
 GENERAL=Makefile README crypto-lib.com install.com
 LIB= $(TOP)/libcrypto.a
-LIBSRC=	cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c
+LIBSRC=	cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c
-LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o
+LIBOBJ= cryptlib.o mem.o mem_clr.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o
 SRC= $(LIBSRC)
@@ -129,7 +129,7 @@ lint:
 depend:
 	if [ ! -f buildinf.h ]; then touch buildinf.h; fi # fake buildinf.h if it does not exist
-	$(MAKEDEPEND) $(INCLUDE) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) -- $(INCLUDE) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 	if [ ! -s buildinf.h ]; then rm buildinf.h; fi
 	@for i in $(SDIRS) ;\
 	do \
@@ -160,44 +160,45 @@ cpt_err.o: ../include/openssl/bio.h ../include/openssl/crypto.h
 cpt_err.o: ../include/openssl/err.h ../include/openssl/lhash.h
 cpt_err.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
 cpt_err.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-cryptlib.o: ../include/openssl/bio.h ../include/openssl/buffer.h
+cryptlib.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
-cryptlib.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
+cryptlib.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
-cryptlib.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+cryptlib.o: ../include/openssl/err.h ../include/openssl/lhash.h
-cryptlib.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
+cryptlib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-cryptlib.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
+cryptlib.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-cryptlib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
+cryptlib.o: ../include/openssl/symhacks.h cryptlib.h
-cversion.o: ../include/openssl/bio.h ../include/openssl/buffer.h
+cversion.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
-cversion.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
+cversion.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
-cversion.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+cversion.o: ../include/openssl/err.h ../include/openssl/lhash.h
-cversion.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
+cversion.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-cversion.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
+cversion.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-cversion.o: ../include/openssl/stack.h ../include/openssl/symhacks.h buildinf.h
+cversion.o: ../include/openssl/symhacks.h buildinf.h cryptlib.h
-cversion.o: cryptlib.h
+ex_data.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
-ex_data.o: ../include/openssl/bio.h ../include/openssl/buffer.h
+ex_data.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
-ex_data.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
+ex_data.o: ../include/openssl/err.h ../include/openssl/lhash.h
-ex_data.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ex_data.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-ex_data.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
+ex_data.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-ex_data.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
+ex_data.o: ../include/openssl/symhacks.h cryptlib.h
-ex_data.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
+mem.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
-mem.o: ../include/openssl/bio.h ../include/openssl/buffer.h
+mem.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
-mem.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
+mem.o: ../include/openssl/err.h ../include/openssl/lhash.h
-mem.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+mem.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-mem.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
+mem.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-mem.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
+mem.o: ../include/openssl/symhacks.h cryptlib.h
-mem.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
+mem_clr.o: ../include/openssl/crypto.h ../include/openssl/opensslv.h
-mem_dbg.o: ../include/openssl/bio.h ../include/openssl/buffer.h
+mem_clr.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-mem_dbg.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
+mem_clr.o: ../include/openssl/symhacks.h
-mem_dbg.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+mem_dbg.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
-mem_dbg.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
+mem_dbg.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
-mem_dbg.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
+mem_dbg.o: ../include/openssl/err.h ../include/openssl/lhash.h
-mem_dbg.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
+mem_dbg.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-tmdiff.o: ../include/openssl/bio.h ../include/openssl/buffer.h
+mem_dbg.o: ../include/openssl/safestack.h ../include/openssl/stack.h
-tmdiff.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
+mem_dbg.o: ../include/openssl/symhacks.h cryptlib.h
-tmdiff.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+tmdiff.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
-tmdiff.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
+tmdiff.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
-tmdiff.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
+tmdiff.o: ../include/openssl/err.h ../include/openssl/lhash.h
-tmdiff.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+tmdiff.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-tmdiff.o: ../include/openssl/tmdiff.h cryptlib.h
+tmdiff.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 tmdiff.o: ../include/openssl/symhacks.h ../include/openssl/tmdiff.h cryptlib.h
 uid.o: ../include/openssl/crypto.h ../include/openssl/opensslv.h
 uid.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 uid.o: ../include/openssl/symhacks.h
--- a/crypto/asn1/Makefile.ssl
+++ b/crypto/asn1/Makefile.ssl
--- a/crypto/asn1/a_bytes.c
+++ b/crypto/asn1/a_bytes.c
@@ -201,7 +201,10 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, unsigned char **pp, long length,
 		c.pp=pp;
 		c.p=p;
 		c.inf=inf;
-		c.slen=len;
+		if (inf & 1)
 			c.slen = length - (p - *pp);
 		else
 			c.slen=len;
 		c.tag=Ptag;
 		c.xclass=Pclass;
 		c.max=(length == 0)?0:(p+length);
@@ -279,8 +282,7 @@ static int asn1_collate_primitive(ASN1_STRING *a, ASN1_CTX *c)
 		{
 		if (c->inf & 1)
 			{
-			c->eos=ASN1_check_infinite_end(&c->p,
+			c->eos=ASN1_check_infinite_end(&c->p, c->slen);
 				(long)(c->max-c->p));
 			if (c->eos) break;
 			}
 		else
@@ -289,7 +291,7 @@ static int asn1_collate_primitive(ASN1_STRING *a, ASN1_CTX *c)
 			}
 		c->q=c->p;
-		if (d2i_ASN1_bytes(&os,&c->p,c->max-c->p,c->tag,c->xclass)
+		if (d2i_ASN1_bytes(&os,&c->p,c->slen,c->tag,c->xclass)
 			== NULL)
 			{
 			c->error=ERR_R_ASN1_LIB;
@@ -302,8 +304,7 @@ static int asn1_collate_primitive(ASN1_STRING *a, ASN1_CTX *c)
 			goto err;
 			}
 		memcpy(&(b.data[num]),os->data,os->length);
-		if (!(c->inf & 1))
+		c->slen-=(c->p-c->q);
 			c->slen-=(c->p-c->q);
 		num+=os->length;
 		}
--- a/crypto/asn1/a_sign.c
+++ b/crypto/asn1/a_sign.c
@@ -199,10 +199,10 @@ int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
 	signature->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07);
 	signature->flags|=ASN1_STRING_FLAG_BITS_LEFT;
 err:
-	memset(&ctx,0,sizeof(ctx));
+	OPENSSL_cleanse(&ctx,sizeof(ctx));
 	if (buf_in != NULL)
-		{ memset((char *)buf_in,0,(unsigned int)inl); OPENSSL_free(buf_in); }
+		{ OPENSSL_cleanse((char *)buf_in,(unsigned int)inl); OPENSSL_free(buf_in); }
 	if (buf_out != NULL)
-		{ memset((char *)buf_out,0,outll); OPENSSL_free(buf_out); }
+		{ OPENSSL_cleanse((char *)buf_out,outll); OPENSSL_free(buf_out); }
 	return(outl);
 	}
--- a/crypto/asn1/a_strex.c
+++ b/crypto/asn1/a_strex.c
@@ -78,7 +78,8 @@
 * and a FILE pointer.
 */
-int send_mem_chars(void *arg, const void *buf, int len)
+#if 0 /* Not used */
 static int send_mem_chars(void *arg, const void *buf, int len)
 {
 	unsigned char **out = arg;
 	if(!out) return 1;
@@ -86,15 +87,16 @@ int send_mem_chars(void *arg, const void *buf, int len)
 	*out += len;
 	return 1;
 }
 #endif
-int send_bio_chars(void *arg, const void *buf, int len)
+static int send_bio_chars(void *arg, const void *buf, int len)
 {
 	if(!arg) return 1;
 	if(BIO_write(arg, buf, len) != len) return 0;
 	return 1;
 }
-int send_fp_chars(void *arg, const void *buf, int len)
+static int send_fp_chars(void *arg, const void *buf, int len)
 {
 	if(!arg) return 1;
 	if(fwrite(buf, 1, len, arg) != (unsigned int)len) return 0;
@@ -240,7 +242,8 @@ static int do_hex_dump(char_io *io_ch, void *arg, unsigned char *buf, int buflen
 * #01234 format.
 */
-int do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING *str)
+static int do_dump(unsigned long lflags, char_io *io_ch, void *arg,
 		   ASN1_STRING *str)
 {
 	/* Placing the ASN1_STRING in a temp ASN1_TYPE allows
 	 * the DER encoding to readily obtained
@@ -274,7 +277,7 @@ int do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING *str)
 * otherwise it is the number of bytes per character
 */
-const static char tag2nbyte[] = {
+const static signed char tag2nbyte[] = {
 	-1, -1, -1, -1, -1,	/* 0-4 */
 	-1, -1, -1, -1, -1,	/* 5-9 */
 	-1, -1, 0, -1,		/* 10-13 */
@@ -519,7 +522,7 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
 {
 	ASN1_STRING stmp, *str = &stmp;
 	int mbflag, type, ret;
-	if(!*out || !in) return -1;
+	if(!in) return -1;
 	type = in->type;
 	if((type < 0) || (type > 30)) return -1;
 	mbflag = tag2nbyte[type];
@@ -528,6 +531,6 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
 	stmp.data = NULL;
 	ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING);
 	if(ret < 0) return ret;
-	if(out) *out = stmp.data;
+	*out = stmp.data;
 	return stmp.length;
 }
--- a/crypto/asn1/a_utctm.c
+++ b/crypto/asn1/a_utctm.c
@@ -246,6 +246,8 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t)
 		ts=(struct tm *)localtime(&t);
 		}
 #endif
 	if (ts == NULL)
 		return(NULL);
 	p=(char *)s->data;
 	if ((p == NULL) || (s->length < 14))
 		{
--- a/crypto/asn1/a_verify.c
+++ b/crypto/asn1/a_verify.c
@@ -100,7 +100,7 @@ int ASN1_verify(int (*i2d)(), X509_ALGOR *a, ASN1_BIT_STRING *signature,
 	EVP_VerifyInit(&ctx,type);
 	EVP_VerifyUpdate(&ctx,(unsigned char *)buf_in,inl);
-	memset(buf_in,0,(unsigned int)inl);
+	OPENSSL_cleanse(buf_in,(unsigned int)inl);
 	OPENSSL_free(buf_in);
 	if (EVP_VerifyFinal(&ctx,(unsigned char *)signature->data,
--- a/crypto/asn1/asn1.h
+++ b/crypto/asn1/asn1.h
@@ -123,7 +123,7 @@ extern "C" {
 #define B_ASN1_NUMERICSTRING	0x0001
 #define B_ASN1_PRINTABLESTRING	0x0002
 #define B_ASN1_T61STRING	0x0004
-#define B_ASN1_TELETEXSTRING	0x0008
+#define B_ASN1_TELETEXSTRING	0x0004
 #define B_ASN1_VIDEOTEXSTRING	0x0008
 #define B_ASN1_IA5STRING	0x0010
 #define B_ASN1_GRAPHICSTRING	0x0020
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@@ -104,10 +104,12 @@ int ASN1_get_object(unsigned char **pp, long *plength, int *ptag, int *pclass,
 			l<<=7L;
 			l|= *(p++)&0x7f;
 			if (--max == 0) goto err;
 			if (l > (INT_MAX >> 7L)) goto err;
 			}
 		l<<=7L;
 		l|= *(p++)&0x7f;
 		tag=(int)l;
 		if (--max == 0) goto err;
 		}
 	else
 		{ 
--- a/crypto/asn1/n_pkey.c
+++ b/crypto/asn1/n_pkey.c
@@ -181,7 +181,7 @@ int i2d_RSA_NET(RSA *a, unsigned char **pp, int (*cb)(), int sgckey)
 	}
 	EVP_BytesToKey(EVP_rc4(),EVP_md5(),NULL,buf,i,1,key,NULL);
-	memset(buf,0,256);
+	OPENSSL_cleanse(buf,256);
 	EVP_CIPHER_CTX_init(&ctx);
 	EVP_EncryptInit(&ctx,EVP_rc4(),key,NULL);
@@ -292,7 +292,7 @@ RSA *d2i_RSA_NET_2(RSA **a, unsigned char **pp, long length,
 	}
 	EVP_BytesToKey(EVP_rc4(),EVP_md5(),NULL,buf,i,1,key,NULL);
-	memset(buf,0,256);
+	OPENSSL_cleanse(buf,256);
 	EVP_CIPHER_CTX_init(&ctx);
 	EVP_DecryptInit(&ctx,EVP_rc4(),key,NULL);
--- a/crypto/asn1/p8_pkey.c
+++ b/crypto/asn1/p8_pkey.c
@@ -119,8 +119,8 @@ void PKCS8_PRIV_KEY_INFO_free (PKCS8_PRIV_KEY_INFO *a)
 	X509_ALGOR_free(a->pkeyalg);
 	/* Clear sensitive data */
 	if (a->pkey->value.octet_string)
-		memset (a->pkey->value.octet_string->data,
+		OPENSSL_cleanse(a->pkey->value.octet_string->data,
-				 0, a->pkey->value.octet_string->length);
+				a->pkey->value.octet_string->length);
 	ASN1_TYPE_free (a->pkey);
 	sk_X509_ATTRIBUTE_pop_free (a->attributes, X509_ATTRIBUTE_free);
 	OPENSSL_free (a);
--- a/crypto/bf/Makefile.ssl
+++ b/crypto/bf/Makefile.ssl
@@ -96,7 +96,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 depend:
-	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
--- a/crypto/bf/bftest.c
+++ b/crypto/bf/bftest.c
@@ -63,6 +63,12 @@
 #include <string.h>
 #include <stdlib.h>
 #ifdef FLAT_INC
 #include "e_os.h"
 #else
 #include "../e_os.h"
 #endif
 #ifdef NO_BF
 int main(int argc, char *argv[])
 {
@@ -275,7 +281,7 @@ int main(int argc, char *argv[])
 	else
 		ret=test();
-	exit(ret);
+	EXIT(ret);
 	return(0);
 	}
--- a/crypto/bio/Makefile.ssl
+++ b/crypto/bio/Makefile.ssl
@@ -78,7 +78,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 depend:
-	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -89,33 +89,33 @@ clean:
 # DO NOT DELETE THIS LINE -- make depend depends on it.
-b_dump.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+b_dump.o: ../../e_os.h ../../include/openssl/bio.h
-b_dump.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+b_dump.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 b_dump.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 b_dump.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 b_dump.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 b_dump.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 b_dump.o: ../cryptlib.h
-b_print.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+b_print.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 b_print.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-b_print.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+b_print.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-b_print.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+b_print.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-b_print.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+b_print.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-b_print.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+b_print.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-b_print.o: ../../include/openssl/symhacks.h ../cryptlib.h
+b_print.o: ../cryptlib.h
-b_sock.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+b_sock.o: ../../e_os.h ../../include/openssl/bio.h
-b_sock.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+b_sock.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 b_sock.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 b_sock.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 b_sock.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 b_sock.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 b_sock.o: ../cryptlib.h
-bf_buff.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+bf_buff.o: ../../e_os.h ../../include/openssl/asn1.h
-bf_buff.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+bf_buff.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-bf_buff.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+bf_buff.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-bf_buff.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+bf_buff.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-bf_buff.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+bf_buff.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-bf_buff.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bf_buff.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 bf_buff.o: ../../include/openssl/err.h ../../include/openssl/evp.h
 bf_buff.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
 bf_buff.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
@@ -127,12 +127,12 @@ bf_buff.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 bf_buff.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 bf_buff.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 bf_buff.o: ../../include/openssl/symhacks.h ../cryptlib.h
-bf_nbio.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+bf_nbio.o: ../../e_os.h ../../include/openssl/asn1.h
-bf_nbio.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+bf_nbio.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-bf_nbio.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+bf_nbio.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-bf_nbio.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+bf_nbio.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-bf_nbio.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+bf_nbio.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-bf_nbio.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bf_nbio.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 bf_nbio.o: ../../include/openssl/err.h ../../include/openssl/evp.h
 bf_nbio.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
 bf_nbio.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
@@ -145,12 +145,12 @@ bf_nbio.o: ../../include/openssl/ripemd.h ../../include/openssl/rsa.h
 bf_nbio.o: ../../include/openssl/safestack.h ../../include/openssl/sha.h
 bf_nbio.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 bf_nbio.o: ../cryptlib.h
-bf_null.o: ../../include/openssl/asn1.h ../../include/openssl/bio.h
+bf_null.o: ../../e_os.h ../../include/openssl/asn1.h
-bf_null.o: ../../include/openssl/blowfish.h ../../include/openssl/bn.h
+bf_null.o: ../../include/openssl/bio.h ../../include/openssl/blowfish.h
-bf_null.o: ../../include/openssl/buffer.h ../../include/openssl/cast.h
+bf_null.o: ../../include/openssl/bn.h ../../include/openssl/buffer.h
-bf_null.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+bf_null.o: ../../include/openssl/cast.h ../../include/openssl/crypto.h
-bf_null.o: ../../include/openssl/dh.h ../../include/openssl/dsa.h
+bf_null.o: ../../include/openssl/des.h ../../include/openssl/dh.h
-bf_null.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bf_null.o: ../../include/openssl/dsa.h ../../include/openssl/e_os2.h
 bf_null.o: ../../include/openssl/err.h ../../include/openssl/evp.h
 bf_null.o: ../../include/openssl/idea.h ../../include/openssl/lhash.h
 bf_null.o: ../../include/openssl/md2.h ../../include/openssl/md4.h
@@ -162,8 +162,8 @@ bf_null.o: ../../include/openssl/rc5.h ../../include/openssl/ripemd.h
 bf_null.o: ../../include/openssl/rsa.h ../../include/openssl/safestack.h
 bf_null.o: ../../include/openssl/sha.h ../../include/openssl/stack.h
 bf_null.o: ../../include/openssl/symhacks.h ../cryptlib.h
-bio_cb.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bio_cb.o: ../../e_os.h ../../include/openssl/bio.h
-bio_cb.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bio_cb.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bio_cb.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bio_cb.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bio_cb.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
@@ -173,15 +173,15 @@ bio_err.o: ../../include/openssl/bio.h ../../include/openssl/crypto.h
 bio_err.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 bio_err.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 bio_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bio_lib.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bio_lib.o: ../../e_os.h ../../include/openssl/bio.h
-bio_lib.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bio_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bio_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bio_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bio_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 bio_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 bio_lib.o: ../cryptlib.h
-bss_acpt.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bss_acpt.o: ../../e_os.h ../../include/openssl/bio.h
-bss_acpt.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bss_acpt.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bss_acpt.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_acpt.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bss_acpt.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
@@ -193,50 +193,50 @@ bss_bio.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 bss_bio.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 bss_bio.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 bss_bio.o: ../../include/openssl/symhacks.h
-bss_conn.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bss_conn.o: ../../e_os.h ../../include/openssl/bio.h
-bss_conn.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bss_conn.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bss_conn.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_conn.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bss_conn.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 bss_conn.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 bss_conn.o: ../cryptlib.h
-bss_fd.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bss_fd.o: ../../e_os.h ../../include/openssl/bio.h
-bss_fd.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bss_fd.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bss_fd.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_fd.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bss_fd.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 bss_fd.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 bss_fd.o: ../cryptlib.h bss_sock.c
-bss_file.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bss_file.o: ../../e_os.h ../../include/openssl/bio.h
-bss_file.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bss_file.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bss_file.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_file.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bss_file.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 bss_file.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 bss_file.o: ../cryptlib.h
-bss_log.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bss_log.o: ../../e_os.h ../../include/openssl/bio.h
-bss_log.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bss_log.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bss_log.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_log.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bss_log.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 bss_log.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 bss_log.o: ../cryptlib.h
-bss_mem.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bss_mem.o: ../../e_os.h ../../include/openssl/bio.h
-bss_mem.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bss_mem.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bss_mem.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_mem.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bss_mem.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 bss_mem.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 bss_mem.o: ../cryptlib.h
-bss_null.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bss_null.o: ../../e_os.h ../../include/openssl/bio.h
-bss_null.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bss_null.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bss_null.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_null.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bss_null.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 bss_null.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 bss_null.o: ../cryptlib.h
-bss_sock.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+bss_sock.o: ../../e_os.h ../../include/openssl/bio.h
-bss_sock.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+bss_sock.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bss_sock.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_sock.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bss_sock.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
--- a/crypto/bio/b_print.c
+++ b/crypto/bio/b_print.c
@@ -565,12 +565,12 @@ abs_val(LDOUBLE value)
 }
 static LDOUBLE
-pow10(int exp)
+pow10(int in_exp)
 {
    LDOUBLE result = 1;
-    while (exp) {
+    while (in_exp) {
        result *= 10;
-        exp--;
+        in_exp--;
    }
    return result;
 }
@@ -630,7 +630,7 @@ fmtfp(
       multiplying by a factor of 10 */
    fracpart = roundv((pow10(max)) * (ufvalue - intpart));
-    if (fracpart >= pow10(max)) {
+    if (fracpart >= (long)pow10(max)) {
        intpart++;
        fracpart -= (long)pow10(max);
    }
@@ -825,5 +825,5 @@ int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args)
 		 * had the buffer been large enough.) */
 		return -1;
 	else
-		return (retlen <= INT_MAX) ? retlen : -1;
+		return (retlen <= INT_MAX) ? (int)retlen : -1;
 	}
--- a/crypto/bio/bf_buff.c
+++ b/crypto/bio/bf_buff.c
@@ -495,6 +495,7 @@ static int buffer_gets(BIO *b, char *buf, int size)
 			if (i <= 0)
 				{
 				BIO_copy_next_retry(b);
 				*buf='\0';
 				if (i < 0) return((num > 0)?num:i);
 				if (i == 0) return(num);
 				}
--- a/crypto/bio/bio.h
+++ b/crypto/bio/bio.h
@@ -241,7 +241,7 @@ typedef struct bio_method_st
 	long (_far *ctrl)();
 	int (_far *create)();
 	int (_far *destroy)();
-	long (_fat *callback_ctrl)();
+	long (_far *callback_ctrl)();
 	} BIO_METHOD;
 #endif
--- a/crypto/bio/bss_bio.c
+++ b/crypto/bio/bss_bio.c
@@ -1,4 +1,57 @@
 /* crypto/bio/bss_bio.c  -*- Mode: C; c-file-style: "eay" -*- */
 /* ====================================================================
 * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
 /* Special method for a BIO where the other endpoint is also a BIO
 * of this kind, handled by the same thread (i.e. the "peer" is actually
@@ -503,7 +556,7 @@ static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr)
 		break;
 	case BIO_C_DESTROY_BIO_PAIR:
-		/* Effects both BIOs in the pair -- call just once!
+		/* Affects both BIOs in the pair -- call just once!
 		 * Or let BIO_free(bio1); BIO_free(bio2); do the job. */
 		bio_destroy_pair(bio);
 		ret = 1;
--- a/crypto/bn/Makefile.ssl
+++ b/crypto/bn/Makefile.ssl
@@ -159,7 +159,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 depend:
-	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -170,146 +170,141 @@ clean:
 # DO NOT DELETE THIS LINE -- make depend depends on it.
-bn_add.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_add.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_add.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_add.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_add.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-bn_add.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+bn_add.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_add.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bn_add.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_add.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_add.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_add.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h
+bn_add.o: ../cryptlib.h bn_lcl.h
-bn_asm.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_asm.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_asm.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_asm.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_asm.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-bn_asm.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+bn_asm.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_asm.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bn_asm.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_asm.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_asm.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_asm.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h
+bn_asm.o: ../cryptlib.h bn_lcl.h
-bn_blind.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_blind.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_blind.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_blind.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_blind.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-bn_blind.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+bn_blind.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bn_blind.o: ../../include/openssl/opensslconf.h
 bn_blind.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 bn_blind.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 bn_blind.o: ../cryptlib.h bn_lcl.h
-bn_ctx.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_ctx.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_ctx.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_ctx.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_ctx.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-bn_ctx.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+bn_ctx.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_ctx.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bn_ctx.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_ctx.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_ctx.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_ctx.o: ../../include/openssl/symhacks.h ../cryptlib.h
+bn_ctx.o: ../cryptlib.h
-bn_div.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_div.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_div.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_div.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_div.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-bn_div.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+bn_div.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_div.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bn_div.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_div.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_div.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_div.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h
+bn_div.o: ../cryptlib.h bn_lcl.h
 bn_err.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_err.o: ../../include/openssl/crypto.h ../../include/openssl/err.h
 bn_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bn_err.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 bn_err.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_exp.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_exp.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_exp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_exp.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_exp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-bn_exp.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+bn_exp.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_exp.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bn_exp.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_exp.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_exp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_exp.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h
+bn_exp.o: ../cryptlib.h bn_lcl.h
-bn_exp2.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_exp2.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_exp2.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_exp2.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_exp2.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-bn_exp2.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+bn_exp2.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_exp2.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bn_exp2.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_exp2.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_exp2.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_exp2.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h
+bn_exp2.o: ../cryptlib.h bn_lcl.h
-bn_gcd.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_gcd.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_gcd.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_gcd.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_gcd.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-bn_gcd.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+bn_gcd.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_gcd.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bn_gcd.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_gcd.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_gcd.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_gcd.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h
+bn_gcd.o: ../cryptlib.h bn_lcl.h
-bn_lib.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_lib.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_lib.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_lib.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_lib.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-bn_lib.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+bn_lib.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_lib.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bn_lib.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_lib.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_lib.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_lib.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h
+bn_lib.o: ../cryptlib.h bn_lcl.h
-bn_mont.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_mont.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_mont.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_mont.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_mont.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-bn_mont.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+bn_mont.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_mont.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bn_mont.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_mont.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_mont.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_mont.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h
+bn_mont.o: ../cryptlib.h bn_lcl.h
-bn_mpi.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_mpi.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_mpi.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_mpi.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_mpi.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-bn_mpi.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+bn_mpi.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_mpi.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bn_mpi.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_mpi.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_mpi.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_mpi.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h
+bn_mpi.o: ../cryptlib.h bn_lcl.h
-bn_mul.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_mul.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_mul.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_mul.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_mul.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-bn_mul.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+bn_mul.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_mul.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bn_mul.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_mul.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_mul.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_mul.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h
+bn_mul.o: ../cryptlib.h bn_lcl.h
-bn_prime.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_prime.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_prime.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_prime.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_prime.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-bn_prime.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+bn_prime.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bn_prime.o: ../../include/openssl/opensslconf.h
 bn_prime.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
 bn_prime.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 bn_prime.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h bn_prime.h
-bn_print.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_print.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_print.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_print.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_print.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-bn_print.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+bn_print.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bn_print.o: ../../include/openssl/opensslconf.h
 bn_print.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 bn_print.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 bn_print.o: ../cryptlib.h bn_lcl.h
-bn_rand.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_rand.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_rand.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_rand.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_rand.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-bn_rand.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+bn_rand.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_rand.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bn_rand.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
-bn_rand.o: ../../include/openssl/rand.h ../../include/openssl/safestack.h
+bn_rand.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-bn_rand.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
+bn_rand.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h
-bn_rand.o: ../cryptlib.h bn_lcl.h
+bn_recp.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_recp.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_recp.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_recp.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_recp.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-bn_recp.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+bn_recp.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_recp.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bn_recp.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_recp.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_recp.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_recp.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h
+bn_recp.o: ../cryptlib.h bn_lcl.h
-bn_shift.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_shift.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_shift.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_shift.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_shift.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-bn_shift.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+bn_shift.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bn_shift.o: ../../include/openssl/opensslconf.h
 bn_shift.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 bn_shift.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 bn_shift.o: ../cryptlib.h bn_lcl.h
-bn_sqr.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_sqr.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_sqr.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_sqr.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_sqr.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-bn_sqr.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+bn_sqr.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_sqr.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bn_sqr.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_sqr.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_sqr.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_sqr.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h
+bn_sqr.o: ../cryptlib.h bn_lcl.h
-bn_word.o: ../../include/openssl/bio.h ../../include/openssl/bn.h
+bn_word.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 bn_word.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-bn_word.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+bn_word.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
-bn_word.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
+bn_word.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
-bn_word.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
+bn_word.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-bn_word.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
+bn_word.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-bn_word.o: ../../include/openssl/symhacks.h ../cryptlib.h bn_lcl.h
+bn_word.o: ../cryptlib.h bn_lcl.h
--- a/crypto/bn/bn.h
+++ b/crypto/bn/bn.h
@@ -155,7 +155,7 @@ extern "C" {
 #define BN_BYTES	4
 #define BN_BITS2	32
 #define BN_BITS4	16
-#ifdef _MSC_VER
+#if defined(_MSC_VER) || defined(__BORLANDC__)
 /* VC++ doesn't like the LL suffix */
 #define BN_MASK		(0xffffffffffffffffL)
 #else
@@ -259,6 +259,8 @@ typedef struct bn_blinding_st
 	BIGNUM *A;
 	BIGNUM *Ai;
 	BIGNUM *mod; /* just a reference */
 	unsigned long thread_id; /* added in OpenSSL 0.9.6j and 0.9.7b;
 				  * used only by crypto/rsa/rsa_eay.c, rsa_lib.c */
 	} BN_BLINDING;
 /* Used for montgomery multiplication */
@@ -413,7 +415,7 @@ int BN_mod_mul_montgomery(BIGNUM *r,BIGNUM *a,BIGNUM *b,BN_MONT_CTX *mont,
 			  BN_CTX *ctx);
 int BN_from_montgomery(BIGNUM *r,BIGNUM *a,BN_MONT_CTX *mont,BN_CTX *ctx);
 void BN_MONT_CTX_free(BN_MONT_CTX *mont);
-int BN_MONT_CTX_set(BN_MONT_CTX *mont,const BIGNUM *modulus,BN_CTX *ctx);
+int BN_MONT_CTX_set(BN_MONT_CTX *mont,const BIGNUM *mod,BN_CTX *ctx);
 BN_MONT_CTX *BN_MONT_CTX_copy(BN_MONT_CTX *to,BN_MONT_CTX *from);
 BN_BLINDING *BN_BLINDING_new(BIGNUM *A,BIGNUM *Ai,BIGNUM *mod);
--- a/crypto/bn/bn_exp.c
+++ b/crypto/bn/bn_exp.c
@@ -113,6 +113,13 @@
 #include <stdio.h>
 #include "cryptlib.h"
 #include "bn_lcl.h"
 #ifdef ATALLA
 # include <alloca.h>
 # include <atasi.h>
 # include <assert.h>
 # include <dlfcn.h>
 #endif
 #define TABLE_SIZE	32
@@ -176,6 +183,174 @@ err:
 	}
 #ifdef ATALLA
 /*
 * This routine will dynamically check for the existance of an Atalla AXL-200
 * SSL accelerator module.  If one is found, the variable
 * asi_accelerator_present is set to 1 and the function pointers
 * ptr_ASI_xxxxxx above will be initialized to corresponding ASI API calls.
 */
 typedef int tfnASI_GetPerformanceStatistics(int reset_flag,
 					    unsigned int *ret_buf);
 typedef int tfnASI_GetHardwareConfig(long card_num, unsigned int *ret_buf);
 typedef int tfnASI_RSAPrivateKeyOpFn(RSAPrivateKey * rsaKey,
 				     unsigned char *output,
 				     unsigned char *input,
 				     unsigned int modulus_len);
 static tfnASI_GetHardwareConfig *ptr_ASI_GetHardwareConfig;
 static tfnASI_RSAPrivateKeyOpFn *ptr_ASI_RSAPrivateKeyOpFn;
 static tfnASI_GetPerformanceStatistics *ptr_ASI_GetPerformanceStatistics;
 static int asi_accelerator_present;
 static int tried_atalla;
 void atalla_initialize_accelerator_handle(void)
 	{
 	void *dl_handle;
 	int status;
 	unsigned int config_buf[1024]; 
 	static int tested;
 	if(tested)
 		return;
 	tested=1;
 	bzero((void *)config_buf, 1024);
 	/*
 	 * Check to see if the library is present on the system
 	 */
 	dl_handle = dlopen("atasi.so", RTLD_NOW);
 	if (dl_handle == (void *) NULL)
 		{
 /*		printf("atasi.so library is not present on the system\n");
 		printf("No HW acceleration available\n");*/
 		return;
 	        }
 	/*
 	 * The library is present.  Now we'll check to insure that the
 	 * LDM is up and running. First we'll get the address of the
 	 * function in the atasi library that we need to see if the
 	 * LDM is operating.
 	 */
 	ptr_ASI_GetHardwareConfig =
 	  (tfnASI_GetHardwareConfig *)dlsym(dl_handle,"ASI_GetHardwareConfig");
 	if (ptr_ASI_GetHardwareConfig)
 		{
 		/*
 		 * We found the call, now we'll get our config
 		 * status.  If we get a non 0 result, the LDM is not
 		 * running and we cannot use the Atalla ASI *
 		 * library.
 		 */
 		status = (*ptr_ASI_GetHardwareConfig)(0L, config_buf);
 		if (status != 0)
 			{
 			printf("atasi.so library is present but not initialized\n");
 			printf("No HW acceleration available\n");
 			return;
 			}    
 	        }
 	else
 		{
 /*		printf("We found the library, but not the function. Very Strange!\n");*/
 		return ;
 	      	}
 	/* 
 	 * It looks like we have acceleration capabilities.  Load up the
 	 * pointers to our ASI API calls.
 	 */
 	ptr_ASI_RSAPrivateKeyOpFn=
 	  (tfnASI_RSAPrivateKeyOpFn *)dlsym(dl_handle, "ASI_RSAPrivateKeyOpFn");
 	if (ptr_ASI_RSAPrivateKeyOpFn == NULL)
 		{
 /*		printf("We found the library, but no RSA function. Very Strange!\n");*/
 		return;
 	        }
 	ptr_ASI_GetPerformanceStatistics =
 	  (tfnASI_GetPerformanceStatistics *)dlsym(dl_handle, "ASI_GetPerformanceStatistics");
 	if (ptr_ASI_GetPerformanceStatistics == NULL)
 		{
 /*		printf("We found the library, but no stat function. Very Strange!\n");*/
 		return;
 	      }
 	/*
 	 * Indicate that acceleration is available
 	 */
 	asi_accelerator_present = 1;
 /*	printf("This system has acceleration!\n");*/
 	return;
 	}
 /* make sure this only gets called once when bn_mod_exp calls bn_mod_exp_mont */
 int BN_mod_exp_atalla(BIGNUM *r, BIGNUM *a, const BIGNUM *p, const BIGNUM *m)
 	{
 	unsigned char *abin;
 	unsigned char *pbin;
 	unsigned char *mbin;
 	unsigned char *rbin;
 	int an,pn,mn,ret;
 	RSAPrivateKey keydata;
 	atalla_initialize_accelerator_handle();
 	if(!asi_accelerator_present)
 		return 0;
 /* We should be able to run without size testing */
 # define ASIZE	128
 	an=BN_num_bytes(a);
 	pn=BN_num_bytes(p);
 	mn=BN_num_bytes(m);
 	if(an <= ASIZE && pn <= ASIZE && mn <= ASIZE)
 	    {
 	    int size=mn;
 	    assert(an <= mn);
 	    abin=alloca(size);
 	    memset(abin,'\0',mn);
 	    BN_bn2bin(a,abin+size-an);
 	    pbin=alloca(pn);
 	    BN_bn2bin(p,pbin);
 	    mbin=alloca(size);
 	    memset(mbin,'\0',mn);
 	    BN_bn2bin(m,mbin+size-mn);
 	    rbin=alloca(size);
 	    memset(&keydata,'\0',sizeof keydata);
 	    keydata.privateExponent.data=pbin;
 	    keydata.privateExponent.len=pn;
 	    keydata.modulus.data=mbin;
 	    keydata.modulus.len=size;
 	    ret=(*ptr_ASI_RSAPrivateKeyOpFn)(&keydata,rbin,abin,keydata.modulus.len);
 /*fprintf(stderr,"!%s\n",BN_bn2hex(a));*/
 	    if(!ret)
 	        {
 		BN_bin2bn(rbin,keydata.modulus.len,r);
 /*fprintf(stderr,"?%s\n",BN_bn2hex(r));*/
 		return 1;
 	        }
 	    }
 	return 0;
        }
 #endif /* def ATALLA */
 int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 	       BN_CTX *ctx)
 	{
@@ -185,6 +360,13 @@ int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 	bn_check_top(p);
 	bn_check_top(m);
 #ifdef ATALLA
 	if(BN_mod_exp_atalla(r,a,p,m))
 	    return 1;
 /* If it fails, try the other methods (but don't try atalla again) */
 	tried_atalla=1;
 #endif
 #ifdef MONT_MUL_MOD
 	/* I have finally been able to take out this pre-condition of
 	 * the top bit being set.  It was caused by an error in BN_div
@@ -210,6 +392,10 @@ int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p, const BIGNUM *m,
 		{ ret=BN_mod_exp_simple(r,a,p,m,ctx); }
 #endif
 #ifdef ATALLA
 	tried_atalla=0;
 #endif
 	return(ret);
 	}
@@ -339,6 +525,12 @@ int BN_mod_exp_mont(BIGNUM *rr, BIGNUM *a, const BIGNUM *p,
 	bn_check_top(p);
 	bn_check_top(m);
 #ifdef ATALLA
 	if(!tried_atalla && BN_mod_exp_atalla(rr,a,p,m))
 	    return 1;
 /* If it fails, try the other methods */
 #endif
 	if (!(m->d[0] & 1))
 		{
 		BNerr(BN_F_BN_MOD_EXP_MONT,BN_R_CALLED_WITH_EVEN_MODULUS);
@@ -501,6 +693,19 @@ int BN_mod_exp_mont_word(BIGNUM *rr, BN_ULONG a, const BIGNUM *p,
 	t = BN_CTX_get(ctx);
 	if (d == NULL || r == NULL || t == NULL) goto err;
 #ifdef ATALLA
 	if (!tried_atalla)
 		{
 		BN_set_word(t, a);
 		if (BN_mod_exp_atalla(rr, t, p, m))
 			{
 			BN_CTX_end(ctx);
 			return 1;
 			}
 		}
 /* If it fails, try the other methods */
 #endif
 	if (in_mont != NULL)
 		mont=in_mont;
 	else
--- a/crypto/bn/bn_lib.c
+++ b/crypto/bn/bn_lib.c
@@ -263,12 +263,12 @@ void BN_clear_free(BIGNUM *a)
 	if (a == NULL) return;
 	if (a->d != NULL)
 		{
-		memset(a->d,0,a->dmax*sizeof(a->d[0]));
+		OPENSSL_cleanse(a->d,a->dmax*sizeof(a->d[0]));
 		if (!(BN_get_flags(a,BN_FLG_STATIC_DATA)))
 			OPENSSL_free(a->d);
 		}
 	i=BN_get_flags(a,BN_FLG_MALLOCED);
-	memset(a,0,sizeof(BIGNUM));
+	OPENSSL_cleanse(a,sizeof(BIGNUM));
 	if (i)
 		OPENSSL_free(a);
 	}
--- a/crypto/bn/bn_mul.c
+++ b/crypto/bn/bn_mul.c
@@ -224,7 +224,7 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn,
 	     int n, BN_ULONG *t)
 	{
 	int i,j,n2=n*2;
-	unsigned int c1,c2,neg,zero;
+	int c1,c2,neg,zero;
 	BN_ULONG ln,lo,*p;
 # ifdef BN_COUNT
@@ -376,7 +376,7 @@ void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn,
 		/* The overflow will stop before we over write
 		 * words we should not overwrite */
-		if (ln < c1)
+		if (ln < (BN_ULONG)c1)
 			{
 			do	{
 				p++;
--- a/crypto/bn/bn_rand.c
+++ b/crypto/bn/bn_rand.c
@@ -201,7 +201,7 @@ static int bnrand(int pseudorand, BIGNUM *rnd, int bits, int top, int bottom)
 err:
 	if (buf != NULL)
 		{
-		memset(buf,0,bytes);
+		OPENSSL_cleanse(buf,bytes);
 		OPENSSL_free(buf);
 		}
 	return(ret);
--- a/crypto/bn/bn_word.c
+++ b/crypto/bn/bn_word.c
@@ -123,7 +123,10 @@ int BN_add_word(BIGNUM *a, BN_ULONG w)
 	i=0;
 	for (;;)
 		{
-		l=(a->d[i]+(BN_ULONG)w)&BN_MASK2;
+		if (i >= a->top)
 			l=w;
 		else
 			l=(a->d[i]+(BN_ULONG)w)&BN_MASK2;
 		a->d[i]=l;
 		if (w > l)
 			w=1;
--- a/crypto/bn/bntest.c
+++ b/crypto/bn/bntest.c
@@ -139,10 +139,10 @@ int main(int argc, char *argv[])
 	ctx=BN_CTX_new();
-	if (ctx == NULL) exit(1);
+	if (ctx == NULL) EXIT(1);
 	out=BIO_new(BIO_s_file());
-	if (out == NULL) exit(1);
+	if (out == NULL) EXIT(1);
 	if (outfile == NULL)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
@@ -152,7 +152,7 @@ int main(int argc, char *argv[])
 		if (!BIO_write_filename(out,outfile))
 			{
 			perror(outfile);
-			exit(1);
+			EXIT(1);
 			}
 		}
@@ -228,14 +228,14 @@ int main(int argc, char *argv[])
 	BIO_free(out);
 /**/
-	exit(0);
+	EXIT(0);
 err:
 	BIO_puts(out,"1\n"); /* make sure the Perl script fed by bc notices
 	                      * the failure, see test_bn in test/Makefile.ssl*/
 	BIO_flush(out);
 	ERR_load_crypto_strings();
 	ERR_print_errors_fp(stderr);
-	exit(1);
+	EXIT(1);
 	return(1);
 	}
@@ -746,7 +746,7 @@ int test_mod_mul(BIO *bp, BN_CTX *ctx)
 			while ((l=ERR_get_error()))
 				fprintf(stderr,"ERROR:%s\n",
 					ERR_error_string(l,NULL));
-			exit(1);
+			EXIT(1);
 			}
 		if (bp != NULL)
 			{
--- a/crypto/bn/exptest.c
+++ b/crypto/bn/exptest.c
@@ -59,6 +59,9 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include "../e_os.h"
 #include <openssl/bio.h>
 #include <openssl/bn.h>
 #include <openssl/rand.h>
@@ -86,7 +89,7 @@ int main(int argc, char *argv[])
 	ERR_load_BN_strings();
 	ctx=BN_CTX_new();
-	if (ctx == NULL) exit(1);
+	if (ctx == NULL) EXIT(1);
 	r_mont=BN_new();
 	r_recp=BN_new();
 	r_simple=BN_new();
@@ -99,7 +102,7 @@ int main(int argc, char *argv[])
 	out=BIO_new(BIO_s_file());
-	if (out == NULL) exit(1);
+	if (out == NULL) EXIT(1);
 	BIO_set_fp(out,stdout,BIO_NOCLOSE);
 	for (i=0; i<200; i++)
@@ -124,7 +127,7 @@ int main(int argc, char *argv[])
 			{
 			printf("BN_mod_exp_mont() problems\n");
 			ERR_print_errors(out);
-			exit(1);
+			EXIT(1);
 			}
 		ret=BN_mod_exp_recp(r_recp,a,b,m,ctx);
@@ -132,7 +135,7 @@ int main(int argc, char *argv[])
 			{
 			printf("BN_mod_exp_recp() problems\n");
 			ERR_print_errors(out);
-			exit(1);
+			EXIT(1);
 			}
 		ret=BN_mod_exp_simple(r_simple,a,b,m,ctx);
@@ -140,7 +143,7 @@ int main(int argc, char *argv[])
 			{
 			printf("BN_mod_exp_simple() problems\n");
 			ERR_print_errors(out);
-			exit(1);
+			EXIT(1);
 			}
 		if (BN_cmp(r_simple, r_mont) == 0
@@ -163,7 +166,7 @@ int main(int argc, char *argv[])
 			printf("\nrecp     =");	BN_print(out,r_recp);
 			printf("\nmont     ="); BN_print(out,r_mont);
 			printf("\n");
-			exit(1);
+			EXIT(1);
 			}
 		}
 	BN_free(r_mont);
@@ -177,11 +180,11 @@ int main(int argc, char *argv[])
 	CRYPTO_mem_leaks(out);
 	BIO_free(out);
 	printf(" done\n");
-	exit(0);
+	EXIT(0);
 err:
 	ERR_load_crypto_strings();
 	ERR_print_errors(out);
-	exit(1);
+	EXIT(1);
 	return(1);
 	}
--- a/crypto/buffer/Makefile.ssl
+++ b/crypto/buffer/Makefile.ssl
@@ -68,7 +68,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 depend:
-	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -84,8 +84,8 @@ buf_err.o: ../../include/openssl/crypto.h ../../include/openssl/err.h
 buf_err.o: ../../include/openssl/lhash.h ../../include/openssl/opensslv.h
 buf_err.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
 buf_err.o: ../../include/openssl/symhacks.h
-buffer.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+buffer.o: ../../e_os.h ../../include/openssl/bio.h
-buffer.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+buffer.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 buffer.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 buffer.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 buffer.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
--- a/crypto/cast/Makefile.ssl
+++ b/crypto/cast/Makefile.ssl
@@ -97,7 +97,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 depend:
-	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
--- a/crypto/cast/casttest.c
+++ b/crypto/cast/casttest.c
@@ -60,6 +60,8 @@
 #include <string.h>
 #include <stdlib.h>
 #include "../e_os.h"
 #ifdef NO_CAST
 int main(int argc, char *argv[])
 {
@@ -224,7 +226,7 @@ int main(int argc, char *argv[])
      }
 #endif
-    exit(err);
+    EXIT(err);
    return(err);
    }
 #endif
--- a/crypto/comp/Makefile.ssl
+++ b/crypto/comp/Makefile.ssl
@@ -71,7 +71,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 depend:
-	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+	$(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(LIBSRC)
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
--- a/crypto/conf/Makefile.ssl
+++ b/crypto/conf/Makefile.ssl
@@ -69,7 +69,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 depend:
-	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(LIBSRC)
+	$(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(LIBSRC)
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -86,9 +86,9 @@ conf_api.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
 conf_api.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 conf_api.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 conf_api.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-conf_def.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+conf_def.o: ../../e_os.h ../../include/openssl/bio.h
-conf_def.o: ../../include/openssl/conf.h ../../include/openssl/conf_api.h
+conf_def.o: ../../include/openssl/buffer.h ../../include/openssl/conf.h
-conf_def.o: ../../include/openssl/crypto.h ../../include/openssl/e_os.h
+conf_def.o: ../../include/openssl/conf_api.h ../../include/openssl/crypto.h
 conf_def.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 conf_def.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 conf_def.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
--- a/crypto/conf/conf_def.c
+++ b/crypto/conf/conf_def.c
@@ -224,9 +224,9 @@ static int def_load(CONF *conf, BIO *in, long *line)
 	section_sk=(STACK_OF(CONF_VALUE) *)sv->value;
 	bufnum=0;
 	again=0;
 	for (;;)
 		{
 		again=0;
 		if (!BUF_MEM_grow(buff,bufnum+BUFSIZE))
 			{
 			CONFerr(CONF_F_CONF_LOAD_BIO,ERR_R_BUF_LIB);
@@ -237,7 +237,8 @@ static int def_load(CONF *conf, BIO *in, long *line)
 		BIO_gets(in, p, BUFSIZE-1);
 		p[BUFSIZE-1]='\0';
 		ii=i=strlen(p);
-		if (i == 0) break;
+		if (i == 0 && !again) break;
 		again=0;
 		while (i > 0)
 			{
 			if ((p[i-1] != '\r') && (p[i-1] != '\n'))
@@ -247,7 +248,7 @@ static int def_load(CONF *conf, BIO *in, long *line)
 			}
 		/* we removed some trailing stuff so there is a new
 		 * line on the end. */
-		if (i == ii)
+		if (ii && i == ii)
 			again=1; /* long line */
 		else
 			{
@@ -598,6 +599,11 @@ static int str_copy(CONF *conf, char *section, char **pto, char *from)
 			BUF_MEM_grow(buf,(strlen(p)+len-(e-from)));
 			while (*p)
 				buf->data[to++]= *(p++);
 			/* Since we change the pointer 'from', we also have
 			   to change the perceived length of the string it
 			   points at.  /RL */
 			len -= e-from;
 			from=e;
 			}
 		else
--- a/crypto/cryptlib.c
+++ b/crypto/cryptlib.c
@@ -58,6 +58,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <assert.h>
 #include "cryptlib.h"
 #include <openssl/crypto.h>
 #include <openssl/safestack.h>
@@ -89,6 +90,7 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] =
 	"ssl_session",
 	"ssl_sess_cert",
 	"ssl",
 	/* "ssl_method", */
 	"rand",
 	"rand2",
 	"debug_malloc",
@@ -101,8 +103,7 @@ static const char* lock_names[CRYPTO_NUM_LOCKS] =
 	"debug_malloc2",
 	"dso",
 	"dynlock",
-	"engine",
+#if CRYPTO_NUM_LOCKS != 29
 #if CRYPTO_NUM_LOCKS != 30
 # error "Inconsistency between crypto.h and cryptlib.c"
 #endif
 	};
@@ -205,10 +206,18 @@ int CRYPTO_get_new_dynlockid(void)
 	i=sk_CRYPTO_dynlock_find(dyn_locks,NULL);
 	/* If there was none, push, thereby creating a new one */
 	if (i == -1)
-		i=sk_CRYPTO_dynlock_push(dyn_locks,pointer);
+		/* Since sk_push() returns the number of items on the
 		   stack, not the location of the pushed item, we need
 		   to transform the returned number into a position,
 		   by decreasing it.  */
 		i=sk_CRYPTO_dynlock_push(dyn_locks,pointer) - 1;
 	else
 		/* If we found a place with a NULL pointer, put our pointer
 		   in it.  */
 		sk_CRYPTO_dynlock_set(dyn_locks,i,pointer);
 	CRYPTO_w_unlock(CRYPTO_LOCK_DYNLOCK);
-	if (!i)
+	if (i == -1)
 		{
 		dynlock_destroy_callback(pointer->data,__FILE__,__LINE__);
 		OPENSSL_free(pointer);
@@ -231,7 +240,7 @@ void CRYPTO_destroy_dynlockid(int i)
 	if (dyn_locks == NULL || i >= sk_CRYPTO_dynlock_num(dyn_locks))
 		{
 		CRYPTO_w_unlock(CRYPTO_LOCK_DYNLOCK);
- 		return;
+		return;
 		}
 	pointer = sk_CRYPTO_dynlock_value(dyn_locks, i);
 	if (pointer != NULL)
@@ -400,15 +409,17 @@ void CRYPTO_lock(int mode, int type, const char *file, int line)
 #endif
 	if (type < 0)
 		{
-		struct CRYPTO_dynlock_value *pointer
+		if (dynlock_lock_callback != NULL)
 			= CRYPTO_get_dynlock_value(type);
 		if (pointer && dynlock_lock_callback)
 			{
-			dynlock_lock_callback(mode, pointer, file, line);
+			struct CRYPTO_dynlock_value *pointer
-			}
+				= CRYPTO_get_dynlock_value(type);
-		CRYPTO_destroy_dynlockid(type);
+			assert(pointer != NULL);
 			dynlock_lock_callback(mode, pointer, file, line);
 			CRYPTO_destroy_dynlockid(type);
 			}
 		}
 	else
 		if (locking_callback != NULL)
@@ -459,7 +470,7 @@ const char *CRYPTO_get_lock_name(int type)
 		return("dynamic");
 	else if (type < CRYPTO_NUM_LOCKS)
 		return(lock_names[type]);
-	else if (type-CRYPTO_NUM_LOCKS >= sk_num(app_locks))
+	else if (type-CRYPTO_NUM_LOCKS > sk_num(app_locks))
 		return("ERROR");
 	else
 		return(sk_value(app_locks,type-CRYPTO_NUM_LOCKS));
@@ -491,11 +502,3 @@ BOOL WINAPI DLLEntryPoint(HINSTANCE hinstDLL, DWORD fdwReason,
 #endif
 #endif
 void OpenSSLDie(const char *file,int line,const char *assertion)
    {
    fprintf(stderr,"%s(%d): OpenSSL internal error, assertion failed: %s\n",
 	    file,line,assertion);
    abort();
    }
--- a/crypto/cryptlib.h
+++ b/crypto/cryptlib.h
@@ -62,7 +62,11 @@
 #include <stdlib.h>
 #include <string.h>
-#include "openssl/e_os.h"
+#ifdef FLAT_INC
 #include "e_os.h"
 #else
 #include "../e_os.h"
 #endif
 #include <openssl/crypto.h>
 #include <openssl/buffer.h> 
--- a/crypto/crypto-lib.com
+++ b/crypto/crypto-lib.com
@@ -88,7 +88,7 @@ $! Define The Different Encryption Types.
 $!
 $ ENCRYPT_TYPES = "Basic,MD2,MD4,MD5,SHA,MDC2,HMAC,RIPEMD,"+ -
 		  "DES,RC2,RC4,RC5,IDEA,BF,CAST,"+ -
-		  "BN,RSA,DSA,DH,DSO,ENGINE,"+ -
+		  "BN,RSA,DSA,DH,DSO,"+ -
 		  "BUFFER,BIO,STACK,LHASH,RAND,ERR,OBJECTS,"+ -
 		  "EVP,EVP_2,ASN1,ASN1_2,PEM,X509,X509V3,"+ -
 		  "CONF,TXT_DB,PKCS7,PKCS12,COMP"
@@ -174,7 +174,7 @@ $!
 $ APPS_DES = "DES/DES,CBC3_ENC"
 $ APPS_PKCS7 = "ENC/ENC;DEC/DEC;SIGN/SIGN;VERIFY/VERIFY,EXAMPLE"
 $
-$ LIB_ = "cryptlib,mem,mem_dbg,cversion,ex_data,tmdiff,cpt_err,ebcdic,uid"
+$ LIB_ = "cryptlib,mem,mem_clr,mem_dbg,cversion,ex_data,tmdiff,cpt_err,ebcdic,uid"
 $ LIB_MD2 = "md2_dgst,md2_one"
 $ LIB_MD4 = "md4_dgst,md4_one"
 $ LIB_MD5 = "md5_dgst,md5_one"
@@ -206,9 +206,6 @@ $ LIB_DSA = "dsa_gen,dsa_key,dsa_lib,dsa_asn1,dsa_vrf,dsa_sign,dsa_err,dsa_ossl"
 $ LIB_DH = "dh_gen,dh_key,dh_lib,dh_check,dh_err"
 $ LIB_DSO = "dso_dl,dso_dlfcn,dso_err,dso_lib,dso_null,"+ -
 	"dso_openssl,dso_win32,dso_vms"
 $ LIB_ENGINE = "engine_err,engine_lib,engine_list,engine_openssl,"+ -
 	"hw_atalla,hw_cswift,hw_ncipher,hw_aep,hw_sureware,"+ -
 	"hw_ubsec,hw_keyclient"
 $ LIB_BUFFER = "buffer,buf_err"
 $ LIB_BIO = "bio_lib,bio_cb,bio_err,"+ -
 	"bss_mem,bss_null,bss_fd,"+ -
@@ -874,8 +871,8 @@ $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "The Option ",P1," Is Invalid.  The Valid Options Are:"
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT "    ALL      :  Just Build Everything."
-$     WRITE SYS$OUTPUT "    LIBRARY  :  To Compile Just The [.xxx.EXE.SSL]LIBCRYPTO.OLB Library."
+$     WRITE SYS$OUTPUT "    LIBRARY  :  To Compile Just The [.xxx.EXE.CRYPTO]LIBCRYPTO.OLB Library."
-$     WRITE SYS$OUTPUT "    APPS     :  To Compile Just The [.xxx.EXE.SSL]*.EXE Programs."
+$     WRITE SYS$OUTPUT "    APPS     :  To Compile Just The [.xxx.EXE.CRYPTO]*.EXE Programs."
 $     WRITE SYS$OUTPUT ""
 $     WRITE SYS$OUTPUT " Where 'xxx' Stands For:"
 $     WRITE SYS$OUTPUT ""
@@ -1142,7 +1139,7 @@ $ ENDIF
 $!
 $! Set Up Initial CC Definitions, Possibly With User Ones
 $!
-$ CCDEFS = "VMS=1,TCPIP_TYPE_''P5',DSO_VMS"
+$ CCDEFS = "VMS=1,TCPIP_TYPE_''P5',DSO_VMS,THREADS"
 $ IF F$TRNLNM("OPENSSL_NO_ASM") THEN CCDEFS = CCDEFS + ",NO_ASM"
 $ IF F$TRNLNM("OPENSSL_NO_RSA") THEN CCDEFS = CCDEFS + ",NO_RSA"
 $ IF F$TRNLNM("OPENSSL_NO_DSA") THEN CCDEFS = CCDEFS + ",NO_DSA"
@@ -1198,9 +1195,7 @@ $     CC = "CC"
 $     IF ARCH.EQS."VAX" .AND. F$TRNLNM("DECC$CC_DEFAULT").NES."/DECC" -
 	 THEN CC = "CC/DECC"
 $     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/STANDARD=ANSI89" + -
-           "/NOLIST/PREFIX=ALL" + -
+           "/NOLIST/PREFIX=ALL/INCLUDE=SYS$DISK:[]" + CCEXTRAFLAGS
 	   "/INCLUDE=(SYS$DISK:[],SYS$DISK:[.ENGINE.VENDOR_DEFNS])" + -
 	   CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
 $!
@@ -1232,8 +1227,7 @@ $	WRITE SYS$OUTPUT "There is no VAX C on Alpha!"
 $	EXIT
 $     ENDIF
 $     IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC/VAXC"
-$     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
+$     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/NOLIST/INCLUDE=SYS$DISK:[]" + -
 	   "/INCLUDE=(SYS$DISK:[],SYS$DISK:[.ENGINE.VENDOR_DEFNS])" + -
 	   CCEXTRAFLAGS
 $     CCDEFS = """VAXC""," + CCDEFS
 $!
@@ -1265,8 +1259,7 @@ $!
 $!    Use GNU C...
 $!
 $     CC = "GCC/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
-	   "/INCLUDE=(SYS$DISK:[],SYS$DISK:[.ENGINE.VENDOR_DEFNS])" + -
+	   "/INCLUDE=SYS$DISK:[]" + CCEXTRAFLAGS
 	   CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
 $!
@@ -1333,7 +1326,7 @@ $   CC4 = CC - CCDISABLEWARNINGS + CC4DISABLEWARNINGS
 $!
 $!  Show user the result
 $!
-$   WRITE SYS$OUTPUT "Main C Compiling Command: ",CC
+$   WRITE/SYMBOL SYS$OUTPUT "Main C Compiling Command: ",CC
 $!
 $!  Else The User Entered An Invalid Arguement.
 $!
@@ -1364,7 +1357,7 @@ $ IF ARCH .EQS. "AXP" THEN MACRO = "MACRO/MIGRATION/''DEBUGGER'/''MACRO_OPTIMIZE
 $!
 $!  Show user the result
 $!
-$   WRITE SYS$OUTPUT "Main MACRO Compiling Command: ",MACRO
+$   WRITE/SYMBOL SYS$OUTPUT "Main MACRO Compiling Command: ",MACRO
 $!
 $! Time to check the contents, and to make sure we get the correct library.
 $!
--- a/crypto/crypto.h
+++ b/crypto/crypto.h
@@ -95,36 +95,38 @@ extern "C" {
 * names in cryptlib.c
 */
-#define	CRYPTO_LOCK_ERR			1
+#define CRYPTO_LOCK_ERR			1
-#define	CRYPTO_LOCK_ERR_HASH		2
+#define CRYPTO_LOCK_ERR_HASH		2
-#define	CRYPTO_LOCK_X509		3
+#define CRYPTO_LOCK_X509		3
-#define	CRYPTO_LOCK_X509_INFO		4
+#define CRYPTO_LOCK_X509_INFO		4
-#define	CRYPTO_LOCK_X509_PKEY		5
+#define CRYPTO_LOCK_X509_PKEY		5
 #define CRYPTO_LOCK_X509_CRL		6
 #define CRYPTO_LOCK_X509_REQ		7
 #define CRYPTO_LOCK_DSA			8
 #define CRYPTO_LOCK_RSA			9
 #define CRYPTO_LOCK_EVP_PKEY		10
-#define	CRYPTO_LOCK_X509_STORE		11
+#define CRYPTO_LOCK_X509_STORE		11
-#define	CRYPTO_LOCK_SSL_CTX		12
+#define CRYPTO_LOCK_SSL_CTX		12
-#define	CRYPTO_LOCK_SSL_CERT		13
+#define CRYPTO_LOCK_SSL_CERT		13
-#define	CRYPTO_LOCK_SSL_SESSION		14
+#define CRYPTO_LOCK_SSL_SESSION		14
-#define	CRYPTO_LOCK_SSL_SESS_CERT	15
+#define CRYPTO_LOCK_SSL_SESS_CERT	15
-#define	CRYPTO_LOCK_SSL			16
+#define CRYPTO_LOCK_SSL			16
-#define	CRYPTO_LOCK_RAND		17
+/* for binary compatibility between 0.9.6 minor versions,
-#define	CRYPTO_LOCK_RAND2		18
+ * reuse an existing lock (later version use a new one): */
-#define	CRYPTO_LOCK_MALLOC		19
+# define CRYPTO_LOCK_SSL_METHOD		CRYPTO_LOCK_SSL_CTX
-#define	CRYPTO_LOCK_BIO			20
+#define CRYPTO_LOCK_RAND		17
-#define	CRYPTO_LOCK_GETHOSTBYNAME	21
+#define CRYPTO_LOCK_RAND2		18
-#define	CRYPTO_LOCK_GETSERVBYNAME	22
+#define CRYPTO_LOCK_MALLOC		19
-#define	CRYPTO_LOCK_READDIR		23
+#define CRYPTO_LOCK_BIO			20
-#define	CRYPTO_LOCK_RSA_BLINDING	24
+#define CRYPTO_LOCK_GETHOSTBYNAME	21
-#define	CRYPTO_LOCK_DH			25
+#define CRYPTO_LOCK_GETSERVBYNAME	22
-#define	CRYPTO_LOCK_MALLOC2		26
+#define CRYPTO_LOCK_READDIR		23
-#define	CRYPTO_LOCK_DSO			27
+#define CRYPTO_LOCK_RSA_BLINDING	24
-#define	CRYPTO_LOCK_DYNLOCK		28
+#define CRYPTO_LOCK_DH			25
-#define	CRYPTO_LOCK_ENGINE		29
+#define CRYPTO_LOCK_MALLOC2		26
-#define	CRYPTO_NUM_LOCKS		30
+#define CRYPTO_LOCK_DSO			27
 #define CRYPTO_LOCK_DYNLOCK		28
 #define CRYPTO_NUM_LOCKS		29
 #define CRYPTO_LOCK		1
 #define CRYPTO_UNLOCK		2
@@ -146,7 +148,7 @@ extern "C" {
 #endif
 #else
 #define CRYPTO_w_lock(a)
-#define	CRYPTO_w_unlock(a)
+#define CRYPTO_w_unlock(a)
 #define CRYPTO_r_lock(a)
 #define CRYPTO_r_unlock(a)
 #define CRYPTO_add(a,b,c)	((*(a))+=(b))
@@ -343,6 +345,8 @@ void CRYPTO_free(void *);
 void *CRYPTO_realloc(void *addr,int num, const char *file, int line);
 void *CRYPTO_remalloc(void *addr,int num, const char *file, int line);
 void OPENSSL_cleanse(void *ptr, size_t len);
 void CRYPTO_set_mem_debug_options(long bits);
 long CRYPTO_get_mem_debug_options(void);
--- a/crypto/des/FILES0
+++ b/crypto/des/FILES0
--- a/crypto/des/Makefile.ssl
+++ b/crypto/des/Makefile.ssl
@@ -130,7 +130,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 depend:
-	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(LIBSRC)
+	$(MAKEDEPEND) -- $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -149,8 +149,9 @@ cfb64ede.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
 cfb64ede.o: ../../include/openssl/opensslconf.h des_locl.h
 cfb64enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
 cfb64enc.o: ../../include/openssl/opensslconf.h des_locl.h
-cfb_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+cfb_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os.h
-cfb_enc.o: ../../include/openssl/opensslconf.h des_locl.h
+cfb_enc.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
 cfb_enc.o: des_locl.h
 des_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
 des_enc.o: ../../include/openssl/opensslconf.h des_locl.h des_locl.h ncbc_enc.c
 ecb3_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
@@ -160,17 +161,17 @@ ecb_enc.o: ../../include/openssl/opensslconf.h ../../include/openssl/opensslv.h
 ecb_enc.o: des_locl.h spr.h
 ede_cbcm_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
 ede_cbcm_enc.o: ../../include/openssl/opensslconf.h des_locl.h
-enc_read.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+enc_read.o: ../../e_os.h ../../include/openssl/bio.h
-enc_read.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+enc_read.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-enc_read.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+enc_read.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
 enc_read.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 enc_read.o: ../../include/openssl/opensslconf.h
 enc_read.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 enc_read.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 enc_read.o: ../cryptlib.h des_locl.h
-enc_writ.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+enc_writ.o: ../../e_os.h ../../include/openssl/bio.h
-enc_writ.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+enc_writ.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
-enc_writ.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+enc_writ.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
 enc_writ.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 enc_writ.o: ../../include/openssl/opensslconf.h
 enc_writ.o: ../../include/openssl/opensslv.h ../../include/openssl/rand.h
@@ -192,11 +193,14 @@ qud_cksm.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
 qud_cksm.o: ../../include/openssl/opensslconf.h des_locl.h
 rand_key.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
 rand_key.o: ../../include/openssl/opensslconf.h ../../include/openssl/rand.h
-read2pwd.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+read2pwd.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-read2pwd.o: ../../include/openssl/opensslconf.h des_locl.h
+read2pwd.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
-read_pwd.o: ../../include/openssl/bio.h ../../include/openssl/buffer.h
+read2pwd.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
-read_pwd.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
+read2pwd.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
-read_pwd.o: ../../include/openssl/e_os.h ../../include/openssl/e_os2.h
+read2pwd.o: des_locl.h
 read_pwd.o: ../../e_os.h ../../include/openssl/bio.h
 read_pwd.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 read_pwd.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
 read_pwd.o: ../../include/openssl/err.h ../../include/openssl/lhash.h
 read_pwd.o: ../../include/openssl/opensslconf.h
 read_pwd.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
@@ -206,7 +210,10 @@ rpc_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
 rpc_enc.o: ../../include/openssl/opensslconf.h des_locl.h des_ver.h rpc_des.h
 set_key.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
 set_key.o: ../../include/openssl/opensslconf.h des_locl.h
-str2key.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
+str2key.o: ../../include/openssl/crypto.h ../../include/openssl/des.h
-str2key.o: ../../include/openssl/opensslconf.h des_locl.h
+str2key.o: ../../include/openssl/e_os2.h ../../include/openssl/opensslconf.h
 str2key.o: ../../include/openssl/opensslv.h ../../include/openssl/safestack.h
 str2key.o: ../../include/openssl/stack.h ../../include/openssl/symhacks.h
 str2key.o: des_locl.h
 xcbc_enc.o: ../../include/openssl/des.h ../../include/openssl/e_os2.h
 xcbc_enc.o: ../../include/openssl/opensslconf.h des_locl.h
--- a/crypto/des/cfb64ede.c
+++ b/crypto/des/cfb64ede.c
@@ -57,6 +57,7 @@
 */
 #include "des_locl.h"
 #include "e_os.h"
 /* The input and output encrypted as though 64bit cfb mode is being
 * used.  The extra state information to record how much of the
--- a/crypto/des/cfb_enc.c
+++ b/crypto/des/cfb_enc.c
@@ -56,6 +56,7 @@
 * [including the GNU Public Licence.]
 */
 #include "openssl/e_os.h"
 #include "des_locl.h"
 /* The input and output are loaded in multiples of 8 bits.
--- a/crypto/des/des.c
+++ b/crypto/des/des.c
@@ -86,6 +86,7 @@
 #endif
 #include <sys/stat.h>
 #endif
 #include <openssl/crypto.h>
 #include <openssl/des.h>
 #include <openssl/rand.h>
@@ -423,7 +424,7 @@ void doencryption(void)
 				k2[i-8]=k;
 			}
 		des_set_key_unchecked(&k2,ks2);
-		memset(k2,0,sizeof(k2));
+		OPENSSL_cleanse(k2,sizeof(k2));
 		}
 	else if (longk || flag3)
 		{
@@ -431,7 +432,7 @@ void doencryption(void)
 			{
 			des_string_to_2keys(key,&kk,&k2);
 			des_set_key_unchecked(&k2,ks2);
-			memset(k2,0,sizeof(k2));
+			OPENSSL_cleanse(k2,sizeof(k2));
 			}
 		else
 			des_string_to_key(key,&kk);
@@ -453,8 +454,8 @@ void doencryption(void)
 			}
 	des_set_key_unchecked(&kk,ks);
-	memset(key,0,sizeof(key));
+	OPENSSL_cleanse(key,sizeof(key));
-	memset(kk,0,sizeof(kk));
+	OPENSSL_cleanse(kk,sizeof(kk));
 	/* woops - A bug that does not showup under unix :-( */
 	memset(iv,0,sizeof(iv));
 	memset(iv2,0,sizeof(iv2));
@@ -662,18 +663,18 @@ void doencryption(void)
 		if (l) fclose(CKSUM_OUT);
 		}
 problems:
-	memset(buf,0,sizeof(buf));
+	OPENSSL_cleanse(buf,sizeof(buf));
-	memset(obuf,0,sizeof(obuf));
+	OPENSSL_cleanse(obuf,sizeof(obuf));
-	memset(ks,0,sizeof(ks));
+	OPENSSL_cleanse(ks,sizeof(ks));
-	memset(ks2,0,sizeof(ks2));
+	OPENSSL_cleanse(ks2,sizeof(ks2));
-	memset(iv,0,sizeof(iv));
+	OPENSSL_cleanse(iv,sizeof(iv));
-	memset(iv2,0,sizeof(iv2));
+	OPENSSL_cleanse(iv2,sizeof(iv2));
-	memset(kk,0,sizeof(kk));
+	OPENSSL_cleanse(kk,sizeof(kk));
-	memset(k2,0,sizeof(k2));
+	OPENSSL_cleanse(k2,sizeof(k2));
-	memset(uubuf,0,sizeof(uubuf));
+	OPENSSL_cleanse(uubuf,sizeof(uubuf));
-	memset(b,0,sizeof(b));
+	OPENSSL_cleanse(b,sizeof(b));
-	memset(bb,0,sizeof(bb));
+	OPENSSL_cleanse(bb,sizeof(bb));
-	memset(cksum,0,sizeof(cksum));
+	OPENSSL_cleanse(cksum,sizeof(cksum));
 	if (Exit) EXIT(Exit);
 	}
--- a/crypto/des/read2pwd.c
+++ b/crypto/des/read2pwd.c
@@ -57,6 +57,7 @@
 */
 #include "des_locl.h"
 #include <openssl/crypto.h>
 int des_read_password(des_cblock *key, const char *prompt, int verify)
 	{
@@ -65,8 +66,8 @@ int des_read_password(des_cblock *key, const char *prompt, int verify)
 	if ((ok=des_read_pw(buf,buff,BUFSIZ,prompt,verify)) == 0)
 		des_string_to_key(buf,key);
-	memset(buf,0,BUFSIZ);
+	OPENSSL_cleanse(buf,BUFSIZ);
-	memset(buff,0,BUFSIZ);
+	OPENSSL_cleanse(buff,BUFSIZ);
 	return(ok);
 	}
@@ -78,7 +79,7 @@ int des_read_2passwords(des_cblock *key1, des_cblock *key2, const char *prompt,
 	if ((ok=des_read_pw(buf,buff,BUFSIZ,prompt,verify)) == 0)
 		des_string_to_2keys(buf,key1,key2);
-	memset(buf,0,BUFSIZ);
+	OPENSSL_cleanse(buf,BUFSIZ);
-	memset(buff,0,BUFSIZ);
+	OPENSSL_cleanse(buff,BUFSIZ);
 	return(ok);
 	}
--- a/Show More
+++ b/Show More