Prepare for 1.1.0-pre1 release

Reviewed-by: Richard Levitte <levitte@openssl.org>
OpenSSL 1.1.0 is now in pre release
2015-12-10 14:23:10 +00:00 · 2015-12-10 14:21:59 +00:00 · 2015-12-10 14:21:59 +00:00 · 2015-12-10 15:03:52 +01:00 · 2015-12-10 13:10:32 +00:00 · 2015-12-10 12:44:07 +00:00
2583 changed files with 423724 additions and 388875 deletions
--- a/.cvsignore
+++ b/.cvsignore
@@ -1,20 +0,0 @@
 openssl.pc
 libcrypto.pc
 libssl.pc
 MINFO
 makefile.one
 outinc
 rehash.time
 testlog
 make.log
 maketest.log
 cctest
 cctest.c
 cctest.a
 *.flc
 semantic.cache
 Makefile
 *.dll*
 *.so*
 *.sl*
 *.dylib*
--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,128 @@
 # Object files
 *.o
 *.obj
 # editor artefacts
 *.swp
 .#*
 \#*#
 *~
 /.dir-locals.el
 # Top level excludes
 /Makefile.bak
 /Makefile
 /MINFO
 /TABLE
 /*.a
 /*.pc
 /rehash.time
 /inc.*
 /makefile.*
 /out.*
 /tmp.*
 /test/*.ss
 /test/*.srl
 /test/.rnd
 /test/test*.pem
 /test/newkey.pem
 /test/*.log
 # Certificate symbolic links
 *.0
 # Links under apps
 /apps/CA.pl
 /apps/md4.c
 # Auto generated headers
 /crypto/buildinf.h
 /crypto/opensslconf.h
 # Auto generated assembly language source files
 *.s
 !/crypto/*/asm/*.s
 /crypto/arm*.S
 /crypto/*/*.S
 *.asm
 !/crypto/*/asm/*.asm
 # Executables
 /apps/openssl
 /test/sha256t
 /test/sha512t
 /test/gost2814789t
 /test/*test
 /test/fips_aesavs
 /test/fips_desmovs
 /test/fips_dhvs
 /test/fips_drbgvs
 /test/fips_dssvs
 /test/fips_ecdhvs
 /test/fips_ecdsavs
 /test/fips_rngvs
 /test/fips_test_suite
 *.so*
 *.dylib*
 *.dll*
 *.exe
 # Exceptions
 !/test/bctest
 !/crypto/des/times/486-50.sol
 # Misc auto generated files
 include/openssl/opensslconf.h
 /tools/c_rehash
 lib
 Makefile.save
 *.bak
 tags
 TAGS
 cscope.out
 *.d
 # Windows
 /tmp32
 /tmp32.dbg
 /tmp32dll
 /tmp32dll.dbg
 /out32
 /out32.dbg
 /out32dll
 /out32dll.dbg
 /inc32
 /MINFO
 ms/bcb.mak
 ms/libeay32.def
 ms/nt.mak
 ms/ntdll.mak
 ms/ssleay32.def
 ms/version32.rc
 # Files created on other branches that are not held in git, and are not
 # needed on this branch
 include/openssl/asn1_mac.h
 include/openssl/des_old.h
 include/openssl/fips.h
 include/openssl/fips_rand.h
 include/openssl/krb5_asn.h
 include/openssl/kssl.h
 include/openssl/pq_compat.h
 include/openssl/ssl23.h
 include/openssl/tmdiff.h
 include/openssl/ui_compat.h
 test/fips_aesavs.c
 test/fips_desmovs.c
 test/fips_dsatest.c
 test/fips_dssvs.c
 test/fips_hmactest.c
 test/fips_randtest.c
 test/fips_rngvs.c
 test/fips_rsagtest.c
 test/fips_rsastest.c
 test/fips_rsavtest.c
 test/fips_shatest.c
 test/fips_test_suite.c
 test/shatest.c
--- a/.travis-create-release.sh
+++ b/.travis-create-release.sh
@@ -0,0 +1,10 @@
 #! /bin/sh
 # $1 is expected to be $TRAVIS_OS_NAME
 if [ "$1" == osx ]; then
    make -f Makefile.org \
 	 DISTTARVARS="NAME=_srcdist TAR_COMMAND='\$\$(TAR) \$\$(TARFLAGS) -s \"|^|\$\$(NAME)/|\" -T \$\$(TARFILE).list -cvf -' TARFLAGS='-n' TARFILE=_srcdist.tar" SHELL='sh -vx' dist
 else
    make -f Makefile.org DISTTARVARS='TARFILE=_srcdist.tar NAME=_srcdist' SHELL='sh -v' dist
 fi
--- a/.travis.yml
+++ b/.travis.yml
@@ -0,0 +1,96 @@
 language: c
 addons:
    apt:
        packages:
            - clang-3.6
            - gcc-5
            - binutils-mingw-w64
            - gcc-mingw-w64
            - wine
        sources:
            - llvm-toolchain-precise-3.6
            - ubuntu-toolchain-r-test
 os:
    - linux
    - osx
 compiler:
    - clang
    - clang-3.6
    - gcc
    - gcc-5
    - i686-w64-mingw32-gcc
    - x86_64-w64-mingw32-gcc
 env:
    - CONFIG_OPTS=""
    - CONFIG_OPTS="shared"
    - CONFIG_OPTS="no-asm"
    - CONFIG_OPTS="--debug --strict-warnings"
 matrix:
    include:
        - os: linux
          compiler: clang-3.6
          env: CONFIG_OPTS="-fsanitize=address"
        - os: linux
          compiler: clang-3.6
          env: CONFIG_OPTS="no-asm --debug --strict-warnings -fno-sanitize-recover -fsanitize=address -fsanitize=undefined"
        - os: linux
          compiler: gcc-5
          env: CONFIG_OPTS="-fsanitize=address"
        - os: linux
          compiler: gcc-5
          env: CONFIG_OPTS="no-asm --debug --strict-warnings -fno-sanitize-recover -fsanitize=address -fsanitize=undefined"
    exclude:
        - os: osx
          compiler: clang-3.6
        - os: osx
          compiler: gcc-5
        - os: osx
          compiler: i686-w64-mingw32-gcc
        - os: osx
          compiler: x86_64-w64-mingw32-gcc
        - compiler: i686-w64-mingw32-gcc
          env: CONFIG_OPTS="shared"
        - compiler: x86_64-w64-mingw32-gcc
          env: CONFIG_OPTS="shared"
        - compiler: i686-w64-mingw32-gcc
          env: CONFIG_OPTS="no-asm"
        - compiler: x86_64-w64-mingw32-gcc
          env: CONFIG_OPTS="no-asm"
    allow_failures:
        - compiler: i686-w64-mingw32-gcc
          env: CONFIG_OPTS="--debug --strict-warnings"
        - compiler: x86_64-w64-mingw32-gcc
          env: CONFIG_OPTS="--debug --strict-warnings"
 before_script:
    - sh .travis-create-release.sh $TRAVIS_OS_NAME
    - tar -xvzf _srcdist.tar.gz
    - cd _srcdist
    - if [ "$CC" == i686-w64-mingw32-gcc ]; then
          export CROSS_COMPILE=${CC%%gcc}; unset CC;
          ./Configure mingw $CONFIG_OPTS -Wno-pedantic-ms-format;
      elif [ "$CC" == x86_64-w64-mingw32-gcc ]; then
          export CROSS_COMPILE=${CC%%gcc}; unset CC;
          ./Configure mingw64 $CONFIG_OPTS -Wno-pedantic-ms-format;
      else
          ./config $CONFIG_OPTS;
      fi
    - cd ..
 script:
    - cd _srcdist
    - make
    - if [ -n "$CROSS_COMPILE" ]; then
          export EXE_SHELL="wine" WINEPREFIX=`pwd`;
      fi
    - make test
    - cd ..
 notifications:
    email:
        - openssl-commits@openssl.org
--- a/2
+++ b/2
@@ -0,0 +1,2 @@
 Please https://www.openssl.org/community/thanks.html for the current
 acknowledgements.
--- a/25
+++ b/25
@@ -1,25 +0,0 @@
 The OpenSSL project depends on volunteer efforts and financial support from
 the end user community. That support comes in the form of donations and paid
 sponsorships, software support contracts, paid consulting services
 and commissioned software development.
 Since all these activities support the continued development and improvement
 of OpenSSL we consider all these clients and customers as sponsors of the
 OpenSSL project.
 We would like to identify and thank the following such sponsors for their past
 or current significant support of the OpenSSL project:
 Very significant support:
 	OpenGear: www.opengear.com
 Significant support:
 	PSW Group: www.psw.net
 Please note that we ask permission to identify sponsors and that some sponsors
 we consider eligible for inclusion here have requested to remain anonymous.
 Additional sponsorship or financial support is always welcome: for more
 information please contact the OpenSSL Software Foundation.
--- a/1962
+++ b/1962
--- a/CHANGES.SSLeay
+++ b/CHANGES.SSLeay
@@ -1,968 +0,0 @@
 This file contains the changes for the SSLeay library up to version
 0.9.0b. For later changes, see the file "CHANGES".
  SSLeay CHANGES
  ______________
 Changes between 0.8.x and 0.9.0b
 10-Apr-1998
 I said the next version would go out at easter, and so it shall.
 I expect a 0.9.1 will follow with portability fixes in the next few weeks.
 This is a quick, meet the deadline.  Look to ssl-users for comments on what
 is new etc.
 eric (about to go bushwalking for the 4 day easter break :-)
 16-Mar-98
    - Patch for Cray T90 from Wayne Schroeder <schroede@SDSC.EDU>
    - Lots and lots of changes
 29-Jan-98
    - ASN1_BIT_STRING_set_bit()/ASN1_BIT_STRING_get_bit() from
      Goetz Babin-Ebell <babinebell@trustcenter.de>.
    - SSL_version() now returns SSL2_VERSION, SSL3_VERSION or
      TLS1_VERSION.
 7-Jan-98
    - Finally reworked the cipher string to ciphers again, so it
      works correctly
    - All the app_data stuff is now ex_data with funcion calls to access.
      The index is supplied by a function and 'methods' can be setup
      for the types that are called on XXX_new/XXX_free.  This lets
      applications get notified on creation and destruction.  Some of
      the RSA methods could be implemented this way and I may do so.
    - Oh yes, SSL under perl5 is working at the basic level.
 15-Dec-97
    - Warning - the gethostbyname cache is not fully thread safe,
      but it should work well enough.
    - Major internal reworking of the app_data stuff.  More functions
      but if you were accessing ->app_data directly, things will
      stop working.
    - The perlv5 stuff is working.  Currently on message digests,
      ciphers and the bignum library.
 9-Dec-97
    - Modified re-negotiation so that server initated re-neg
      will cause a SSL_read() to return -1 should retry.
      The danger otherwise was that the server and the
      client could end up both trying to read when using non-blocking
      sockets.
 4-Dec-97
    - Lots of small changes
    - Fix for binaray mode in Windows for the FILE BIO, thanks to
      Bob Denny <rdenny@dc3.com>
 17-Nov-97
    - Quite a few internal cleanups, (removal of errno, and using macros
      defined in e_os.h).
    - A bug in ca.c, pointed out by yasuyuki-ito@d-cruise.co.jp, where
      the automactic naming out output files was being stuffed up.
 29-Oct-97
    - The Cast5 cipher has been added.  MD5 and SHA-1 are now in assember
      for x86.
 21-Oct-97
    - Fixed a bug in the BIO_gethostbyname() cache.
 15-Oct-97
    - cbc mode for blowfish/des/3des is now in assember.  Blowfish asm
      has also been improved.  At this point in time, on the pentium,
      md5 is %80 faster, the unoptimesed sha-1 is %79 faster,
      des-cbc is %28 faster, des-ede3-cbc is %9 faster and blowfish-cbc
      is %62 faster.
 12-Oct-97
    - MEM_BUF_grow() has been fixed so that it always sets the buf->length
      to the value we are 'growing' to.  Think of MEM_BUF_grow() as the
      way to set the length value correctly.
 10-Oct-97
    - I now hash for certificate lookup on the raw DER encoded RDN (md5).
      This breaks things again :-(.  This is efficent since I cache
      the DER encoding of the RDN.
    - The text DN now puts in the numeric OID instead of UNKNOWN.
    - req can now process arbitary OIDs in the config file.
    - I've been implementing md5 in x86 asm, much faster :-).
    - Started sha1 in x86 asm, needs more work.
    - Quite a few speedups in the BN stuff.  RSA public operation
      has been made faster by caching the BN_MONT_CTX structure.
      The calulating of the Ai where A*Ai === 1 mod m was rather
      expensive.  Basically a 40-50% speedup on public operations.
      The RSA speedup is now 15% on pentiums and %20 on pentium
      pro.
 30-Sep-97
    - After doing some profiling, I added x86 adm for bn_add_words(),
      which just adds 2 arrays of longs together.  A %10 speedup
      for 512 and 1024 bit RSA on the pentium pro.
 29-Sep-97
    - Converted the x86 bignum assembler to us the perl scripts
      for generation.
 23-Sep-97
    - If SSL_set_session() is passed a NULL session, it now clears the
      current session-id.
 22-Sep-97
    - Added a '-ss_cert file' to apps/ca.c.  This will sign selfsigned
      certificates.
    - Bug in crypto/evp/encode.c where by decoding of 65 base64
      encoded lines, one line at a time (via a memory BIO) would report
      EOF after the first line was decoded.
    - Fix in X509_find_by_issuer_and_serial() from
      Dr Stephen Henson <shenson@bigfoot.com>
 19-Sep-97
    - NO_FP_API and NO_STDIO added.
    - Put in sh config command.  It auto runs Configure with the correct
      parameters.
 18-Sep-97
    - Fix x509.c so if a DSA cert has different parameters to its parent,
      they are left in place.  Not tested yet.
 16-Sep-97
    - ssl_create_cipher_list() had some bugs, fixes from
      Patrick Eisenacher <eisenach@stud.uni-frankfurt.de>
    - Fixed a bug in the Base64 BIO, where it would return 1 instead
      of -1 when end of input was encountered but should retry.
      Basically a Base64/Memory BIO interaction problem.
    - Added a HMAC set of functions in preporarion for TLS work.
 15-Sep-97
    - Top level makefile tweak - Cameron Simpson <cs@zip.com.au>
    - Prime generation spead up %25 (512 bit prime, pentium pro linux)
      by using montgomery multiplication in the prime number test.
 11-Sep-97
    - Ugly bug in ssl3_write_bytes().  Basically if application land
      does a SSL_write(ssl,buf,len) where len > 16k, the SSLv3 write code
      did not check the size and tried to copy the entire buffer.
      This would tend to cause memory overwrites since SSLv3 has
      a maximum packet size of 16k.  If your program uses
      buffers <= 16k, you would probably never see this problem.
    - Fixed a few errors that were cause by malloc() not returning
      0 initialised memory..
    - SSL_OP_NETSCAPE_CA_DN_BUG was being switched on when using
      SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL); which was a bad thing
      since this flags stops SSLeay being able to handle client
      cert requests correctly.
 08-Sep-97
    - SSL_SESS_CACHE_NO_INTERNAL_LOOKUP option added.  When switched
      on, the SSL server routines will not use a SSL_SESSION that is
      held in it's cache.  This in intended to be used with the session-id
      callbacks so that while the session-ids are still stored in the
      cache, the decision to use them and how to look them up can be
      done by the callbacks.  The are the 'new', 'get' and 'remove'
      callbacks.  This can be used to determine the session-id
      to use depending on information like which port/host the connection
      is coming from.  Since the are also SSL_SESSION_set_app_data() and
      SSL_SESSION_get_app_data() functions, the application can hold
      information against the session-id as well.
 03-Sep-97
    - Added lookup of CRLs to the by_dir method,
      X509_load_crl_file() also added.  Basically it means you can
      lookup CRLs via the same system used to lookup certificates.
    - Changed things so that the X509_NAME structure can contain
      ASN.1 BIT_STRINGS which is required for the unique
      identifier OID.
    - Fixed some problems with the auto flushing of the session-id
      cache.  It was not occuring on the server side.
 02-Sep-97
    - Added SSL_CTX_sess_cache_size(SSL_CTX *ctx,unsigned long size)
      which is the maximum number of entries allowed in the
      session-id cache.  This is enforced with a simple FIFO list.
      The default size is 20*1024 entries which is rather large :-).
      The Timeout code is still always operating.
 01-Sep-97
    - Added an argument to all the 'generate private key/prime`
      callbacks.  It is the last parameter so this should not
      break existing code but it is needed for C++.
    - Added the BIO_FLAGS_BASE64_NO_NL flag for the BIO_f_base64()
      BIO.  This lets the BIO read and write base64 encoded data
      without inserting or looking for '\n' characters.  The '-A'
      flag turns this on when using apps/enc.c.
    - RSA_NO_PADDING added to help BSAFE functionality.  This is a
      very dangerous thing to use, since RSA private key
      operations without random padding bytes (as PKCS#1 adds) can
      be attacked such that the private key can be revealed.
    - ASN.1 bug and rc2-40-cbc and rc4-40 added by
      Dr Stephen Henson <shenson@bigfoot.com>
 31-Aug-97 (stuff added while I was away)    
    - Linux pthreads by Tim Hudson (tjh@cryptsoft.com).
    - RSA_flags() added allowing bypass of pub/priv match check
      in ssl/ssl_rsa.c - Tim Hudson.
    - A few minor bugs.
 SSLeay 0.8.1 released.
 19-Jul-97
    - Server side initated dynamic renegotiation is broken.  I will fix
      it when I get back from holidays.
 15-Jul-97
    - Quite a few small changes.
    - INVALID_SOCKET usage cleanups from Alex Kiernan <alex@hisoft.co.uk>
 09-Jul-97
    - Added 2 new values to the SSL info callback.
      SSL_CB_START which is passed when the SSL protocol is started
      and SSL_CB_DONE when it has finished sucsessfully.
 08-Jul-97
    - Fixed a few bugs problems in apps/req.c and crypto/asn1/x_pkey.c
      that related to DSA public/private keys.
    - Added all the relevent PEM and normal IO functions to support
      reading and writing RSAPublic keys.
    - Changed makefiles to use ${AR} instead of 'ar r'
 07-Jul-97
    - Error in ERR_remove_state() that would leave a dangling reference
      to a free()ed location - thanks to Alex Kiernan <alex@hisoft.co.uk>
    - s_client now prints the X509_NAMEs passed from the server
      when requesting a client cert.
    - Added a ssl->type, which is one of SSL_ST_CONNECT or
      SSL_ST_ACCEPT.  I had to add it so I could tell if I was
      a connect or an accept after the handshake had finished.
    - SSL_get_client_CA_list(SSL *s) now returns the CA names
      passed by the server if called by a client side SSL.
 05-Jul-97
    - Bug in X509_NAME_get_text_by_OBJ(), looking starting at index
      0, not -1 :-(  Fix from Tim Hudson (tjh@cryptsoft.com).
 04-Jul-97
    - Fixed some things in X509_NAME_add_entry(), thanks to
      Matthew Donald <matthew@world.net>.
    - I had a look at the cipher section and though that it was a
      bit confused, so I've changed it.
    - I was not setting up the RC4-64-MD5 cipher correctly.  It is
      a MS special that appears in exported MS Money.
    - Error in all my DH ciphers.  Section 7.6.7.3 of the SSLv3
      spec.  I was missing the two byte length header for the
      ClientDiffieHellmanPublic value.  This is a packet sent from
      the client to the server.  The SSL_OP_SSLEAY_080_CLIENT_DH_BUG
      option will enable SSLeay server side SSLv3 accept either
      the correct or my 080 packet format.
    - Fixed a few typos in crypto/pem.org.
 02-Jul-97
    - Alias mapping for EVP_get_(digest|cipher)byname is now
      performed before a lookup for actual cipher.  This means
      that an alias can be used to 're-direct' a cipher or a
      digest.
    - ASN1_read_bio() had a bug that only showed up when using a
      memory BIO.  When EOF is reached in the memory BIO, it is
      reported as a -1 with BIO_should_retry() set to true.
 01-Jul-97
    - Fixed an error in X509_verify_cert() caused by my
      miss-understanding how 'do { contine } while(0);' works.
      Thanks to Emil Sit <sit@mit.edu> for educating me :-)
 30-Jun-97
    - Base64 decoding error.  If the last data line did not end with
      a '=', sometimes extra data would be returned.
    - Another 'cut and paste' bug in x509.c related to setting up the
      STDout BIO.
 27-Jun-97
    - apps/ciphers.c was not printing due to an editing error.
    - Alex Kiernan <alex@hisoft.co.uk> send in a nice fix for
      a library build error in util/mk1mf.pl
 26-Jun-97
    - Still did not have the auto 'experimental' code removal
      script correct.
    - A few header tweaks for Watcom 11.0 under Win32 from
      Rolf Lindemann <Lindemann@maz-hh.de>
    - 0 length OCTET_STRING bug in asn1_parse
    - A minor fix with an non-existent function in the MS .def files.
    - A few changes to the PKCS7 stuff.
 25-Jun-97
    SSLeay 0.8.0 finally it gets released.
 24-Jun-97
    Added a SSL_OP_EPHEMERAL_RSA option which causes all SSLv3 RSA keys to
    use a temporary RSA key.  This is experimental and needs some more work.
    Fixed a few Win16 build problems.
 23-Jun-97
    SSLv3 bug. I was not doing the 'lookup' of the CERT structure
    correctly. I was taking the SSL->ctx->default_cert when I should
    have been using SSL->cert. The bug was in ssl/s3_srvr.c
 20-Jun-97
    X509_ATTRIBUTES were being encoded wrongly by apps/reg.c and the
    rest of the library. Even though I had the code required to do
    it correctly, apps/req.c was doing the wrong thing.  I have fixed
    and tested everything.
    Missing a few #ifdef FIONBIO sections in crypto/bio/bss_acpt.c.
 19-Jun-97
    Fixed a bug in the SSLv2 server side first packet handling. When
    using the non-blocking test BIO, the ssl->s2->first_packet flag
    was being reset when a would-block failure occurred when reading
    the first 5 bytes of the first packet. This caused the checking
    logic to run at the wrong time and cause an error.
    Fixed a problem with specifying cipher. If RC4-MD5 were used,
    only the SSLv3 version would be picked up.  Now this will pick
    up both SSLv2 and SSLv3 versions. This required changing the
    SSL_CIPHER->mask values so that they only mask the ciphers,
    digests, authentication, export type and key-exchange algorithms.
    I found that when a SSLv23 session is established, a reused
    session, of type SSLv3 was attempting to write the SSLv2 
    ciphers, which were invalid. The SSL_METHOD->put_cipher_by_char 
    method has been modified so it will only write out cipher which
    that method knows about.  
 Changes between 0.8.0 and 0.8.1
  *) Mostly bug fixes. 
     There is an Ephemeral DH cipher problem which is fixed.
 SSLeay 0.8.0
 This version of SSLeay has quite a lot of things different from the
 previous version.
 Basically check all callback parameters, I will be producing documentation
 about how to use things in th future.  Currently I'm just getting 080 out
 the door.  Please not that there are several ways to do everything, and
 most of the applications in the apps directory are hybrids, some using old
 methods and some using new methods.
 Have a look in demos/bio for some very simple programs and
 apps/s_client.c and apps/s_server.c for some more advanced versions.
 Notes are definitly needed but they are a week or so away.
 Anyway, some quick nots from Tim Hudson (tjh@cryptsoft.com)
 ---
 Quick porting notes for moving from SSLeay-0.6.x to SSLeay-0.8.x to
 get those people that want to move to using the new code base off to
 a quick start.
 Note that Eric has tidied up a lot of the areas of the API that were
 less than desirable and renamed quite a few things (as he had to break
 the API in lots of places anyrate). There are a whole pile of additional
 functions for making dealing with (and creating) certificates a lot
 cleaner.
 01-Jul-97
 Tim Hudson
 tjh@cryptsoft.com
 ---8<---
 To maintain code that uses both SSLeay-0.6.x and SSLeay-0.8.x you could
 use something like the following (assuming you #include "crypto.h" which
 is something that you really should be doing).
 #if SSLEAY_VERSION_NUMBER >= 0x0800
 #define SSLEAY8
 #endif
 buffer.h -> splits into buffer.h and bio.h so you need to include bio.h
            too if you are working with BIO internal stuff (as distinct
        from simply using the interface in an opaque manner)
 #include "bio.h"    - required along with "buffer.h" if you write
              your own BIO routines as the buffer and bio
              stuff that was intermixed has been separated
              out 
 envelope.h -> evp.h  (which should have been done ages ago)
 Initialisation ... don't forget these or you end up with code that
 is missing the bits required to do useful things (like ciphers):
 SSLeay_add_ssl_algorithms()
 (probably also want SSL_load_error_strings() too but you should have
 already had that call in place)
 SSL_CTX_new()   - requires an extra method parameter
              SSL_CTX_new(SSLv23_method()) 
              SSL_CTX_new(SSLv2_method()) 
              SSL_CTX_new(SSLv3_method()) 
          OR to only have the server or the client code
              SSL_CTX_new(SSLv23_server_method()) 
              SSL_CTX_new(SSLv2_server_method()) 
              SSL_CTX_new(SSLv3_server_method()) 
          or  
              SSL_CTX_new(SSLv23_client_method()) 
              SSL_CTX_new(SSLv2_client_method()) 
              SSL_CTX_new(SSLv3_client_method()) 
 SSL_set_default_verify_paths() ... renamed to the more appropriate
 SSL_CTX_set_default_verify_paths()
 If you want to use client certificates then you have to add in a bit
 of extra stuff in that a SSLv3 server sends a list of those CAs that
 it will accept certificates from ... so you have to provide a list to
 SSLeay otherwise certain browsers will not send client certs.
 SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(s_cert_file));
 X509_NAME_oneline(X)    -> X509_NAME_oneline(X,NULL,0)  
               or provide a buffer and size to copy the
               result into
 X509_add_cert ->  X509_STORE_add_cert (and you might want to read the
          notes on X509_NAME structure changes too)
 VERIFICATION CODE
 =================
 The codes have all be renamed from VERIFY_ERR_* to X509_V_ERR_* to
 more accurately reflect things.
 The verification callback args are now packaged differently so that
 extra fields for verification can be added easily in future without
 having to break things by adding extra parameters each release :-)
 X509_cert_verify_error_string -> X509_verify_cert_error_string
 BIO INTERNALS
 =============
 Eric has fixed things so that extra flags can be introduced in
 the BIO layer in future without having to play with all the BIO
 modules by adding in some macros.
 The ugly stuff using 
    b->flags ~= (BIO_FLAGS_RW|BIO_FLAGS_SHOULD_RETRY)
 becomes
    BIO_clear_retry_flags(b)
    b->flags |= (BIO_FLAGS_READ|BIO_FLAGS_SHOULD_RETRY)
 becomes
    BIO_set_retry_read(b)
 Also ... BIO_get_retry_flags(b), BIO_set_flags(b)
 OTHER THINGS
 ============
 X509_NAME has been altered so that it isn't just a STACK ... the STACK
 is now in the "entries" field ... and there are a pile of nice functions
 for getting at the details in a much cleaner manner.
 SSL_CTX has been altered ... "cert" is no longer a direct member of this
 structure ... things are now down under "cert_store" (see x509_vfy.h) and
 things are no longer in a CERTIFICATE_CTX but instead in a X509_STORE.
 If your code "knows" about this level of detail then it will need some 
 surgery.
 If you depending on the incorrect spelling of a number of the error codes
 then you will have to change your code as these have been fixed.
 ENV_CIPHER "type" got renamed to "nid" and as that is what it actually
 has been all along so this makes things clearer.
 ify_cert_error_string(ctx->error));
 SSL_R_NO_CIPHER_WE_TRUST -> SSL_R_NO_CIPHER_LIST
            and SSL_R_REUSE_CIPHER_LIST_NOT_ZERO
 Changes between 0.7.x and 0.8.0
  *) There have been lots of changes, mostly the addition of SSLv3.
     There have been many additions from people and amongst
     others, C2Net has assisted greatly.
 Changes between 0.7.x and 0.7.x
  *) Internal development version only
 SSLeay 0.6.6 13-Jan-1997
 The main additions are
 - assember for x86 DES improvments.
  From 191,000 per second on a pentium 100, I now get 281,000.  The inner
  loop and the IP/FP modifications are from
  Svend Olaf Mikkelsen <svolaf@inet.uni-c.dk>.  Many thanks for his
  contribution.
 - The 'DES macros' introduced in 0.6.5 now have 3 types.
  DES_PTR1, DES_PTR2 and 'normal'.  As per before, des_opts reports which
  is best and there is a summery of mine in crypto/des/options.txt
 - A few bug fixes.
 - Added blowfish.  It is not used by SSL but all the other stuff that
  deals with ciphers can use it in either ecb, cbc, cfb64 or ofb64 modes.
  There are 3 options for optimising Blowfish.  BF_PTR, BF_PTR2 and 'normal'.
  BF_PTR2 is pentium/x86 specific.  The correct option is setup in
  the 'Configure' script.
 - There is now a 'get client certificate' callback which can be
  'non-blocking'.  If more details are required, let me know.  It will
  documented more in SSLv3 when I finish it.
 - Bug fixes from 0.6.5 including the infamous 'ca' bug.  The 'make test'
  now tests the ca program.
 - Lots of little things modified and tweaked.
 SSLeay 0.6.5
 After quite some time (3 months), the new release.  I have been very busy
 for the last few months and so this is mostly bug fixes and improvments.
 The main additions are
 - assember for x86 DES.  For all those gcc based systems, this is a big
  improvement.  From 117,000 DES operation a second on a pentium 100,
  I now get 191,000.  I have also reworked the C version so it
  now gives 148,000 DESs per second.  
 - As mentioned above, the inner DES macros now have some more variant that
  sometimes help, sometimes hinder performance.  There are now 3 options
  DES_PTR (ptr vs array lookup), DES_UNROLL (full vs partial loop unrolling)
  and DES_RISC (a more register intensive version of the inner macro).
  The crypto/des/des_opts.c program, when compiled and run, will give
  an indication of the correct options to use.
 - The BIO stuff has been improved.  Read doc/bio.doc.  There are now
  modules for encryption and base64 encoding and a BIO_printf() function.
 - The CA program will accept simple one line X509v3 extensions in the
  ssleay.cnf file.  Have a look at the example.  Currently this just
  puts the text into the certificate as an OCTET_STRING so currently
  the more advanced X509v3 data types are not handled but this is enough
  for the netscape extensions.
 - There is the start of a nicer higher level interface to the X509
  strucutre.
 - Quite a lot of bug fixes.
 - CRYPTO_malloc_init()  (or CRYPTO_set_mem_functions()) can be used
  to define the malloc(), free() and realloc() routines to use
  (look in crypto/crypto.h).  This is mostly needed for Windows NT/95 when
  using DLLs and mixing CRT libraries.
 In general, read the 'VERSION' file for changes and be aware that some of
 the new stuff may not have been tested quite enough yet, so don't just plonk
 in SSLeay 0.6.5 when 0.6.4 used to work and expect nothing to break.
 SSLeay 0.6.4 30/08/96 eay
 I've just finished some test builds on Windows NT, Windows 3.1, Solaris 2.3,
 Solaris 2.5, Linux, IRIX, HPUX 10 and everthing seems to work :-).
 The main changes in this release
 - Thread safe.  have a read of doc/threads.doc and play in the mt directory.
  For anyone using 0.6.3 with threads, I found 2 major errors so consider
  moving to 0.6.4.  I have a test program that builds under NT and
  solaris.
 - The get session-id callback has changed.  Have a read of doc/callback.doc.
 - The X509_cert_verify callback (the SSL_verify callback) now
  has another argument.  Have a read of doc/callback.doc
 - 'ca -preserve', sign without re-ordering the DN.  Not tested much.
 - VMS support.
 - Compile time memory leak detection can now be built into SSLeay.
  Read doc/memory.doc
 - CONF routines now understand '\', '\n', '\r' etc.  What this means is that
  the  SPKAC object mentioned in doc/ns-ca.doc can be on multiple lines.
 - 'ssleay ciphers' added, lists the default cipher list for SSLeay.
 - RC2 key setup is now compatable with Netscape.
 - Modifed server side of SSL implementation, big performance difference when
      using session-id reuse.
 0.6.3
 Bug fixes and the addition of some nice stuff to the 'ca' program.
 Have a read of doc/ns-ca.doc for how hit has been modified so
 it can be driven from a CGI script.  The CGI script is not provided,
 but that is just being left as an excersize for the reader :-).
 0.6.2
 This is most bug fixes and functionality improvements.
 Additions are
 - More thread debugging patches, the thread stuff is still being
  tested, but for those keep to play with stuff, have a look in
  crypto/cryptlib.c.  The application needs to define 1 (or optionaly
  a second) callback that is used to implement locking.  Compiling
  with LOCK_DEBUG spits out lots of locking crud :-).
  This is what I'm currently working on.
 - SSL_CTX_set_default_passwd_cb() can be used to define the callback
  function used in the SSL*_file() functions used to load keys.  I was
  always of the opinion that people should call
  PEM_read_RSAPrivateKey() and pass the callback they want to use, but
  it appears they just want to use the SSL_*_file() function() :-(.
 - 'enc' now has a -kfile so a key can be read from a file.  This is
  mostly used so that the passwd does not appear when using 'ps',
  which appears imposible to stop under solaris.
 - X509v3 certificates now work correctly.  I even have more examples
  in my tests :-).  There is now a X509_EXTENSION type that is used in
  X509v3 certificates and CRLv2.
 - Fixed that signature type error :-(
 - Fixed quite a few potential memory leaks and problems when reusing
  X509, CRL and REQ structures.
 - EVP_set_pw_prompt() now sets the library wide default password
  prompt.
 - The 'pkcs7' command will now, given the -print_certs flag, output in
  pem format, all certificates and CRL contained within.  This is more
  of a pre-emtive thing for the new verisign distribution method.  I
  should also note, that this also gives and example in code, of how
  to do this :-), or for that matter, what is involved in going the
  other way (list of certs and crl -> pkcs7).
 - Added RSA's DESX to the DES library.  It is also available via the
  EVP_desx_cbc() method and via 'enc desx'. 
 SSLeay 0.6.1
 The main functional changes since 0.6.0 are as follows
 - Bad news, the Microsoft 060 DLL's are not compatable, but the good news is
  that from now on, I'll keep the .def numbers the same so they will be.
 - RSA private key operations are about 2 times faster that 0.6.0
 - The SSL_CTX now has more fields so default values can be put against
  it.  When an SSL structure is created, these default values are used
  but can be overwritten.  There are defaults for cipher, certificate,
  private key, verify mode and callback.  This means SSL session
  creation can now be
  ssl=SSL_new()
  SSL_set_fd(ssl,sock);
  SSL_accept(ssl)
  ....
  All the other uglyness with having to keep a global copy of the
  private key and certificate/verify mode in the server is now gone.
 - ssl/ssltest.c - one process talking SSL to its self for testing.
 - Storage of Session-id's can be controled via a session_cache_mode
  flag.  There is also now an automatic default flushing of 
  old session-id's.
 - The X509_cert_verify() function now has another parameter, this
  should not effect most people but it now means that the reason for
  the failure to verify is now available via SSL_get_verify_result(ssl).
  You don't have to use a global variable.
 - SSL_get_app_data() and SSL_set_app_data() can be used to keep some
  application data against the SSL structure.  It is upto the application
  to free the data.  I don't use it, but it is available.
 - SSL_CTX_set_cert_verify_callback() can be used to specify a
  verify callback function that completly replaces my certificate
  verification code.  Xcert should be able to use this :-).
  The callback is of the form int app_verify_callback(arg,ssl,cert).
  This needs to be documented more.
 - I have started playing with shared library builds, have a look in
  the shlib directory.  It is very simple.  If you need a numbered
  list of functions, have a look at misc/crypto.num and misc/ssl.num.
 - There is some stuff to do locking to make the library thread safe.
  I have only started this stuff and have not finished.  If anyone is
  keen to do so, please send me the patches when finished.
 So I have finally made most of the additions to the SSL interface that
 I thought were needed.
 There will probably be a pause before I make any non-bug/documentation
 related changes to SSLeay since I'm feeling like a bit of a break.
 eric - 12 Jul 1996
 I saw recently a comment by some-one that we now seem to be entering
 the age of perpetual Beta software.
 Pioneered by packages like linux but refined to an art form by
 netscape.
 I too wish to join this trend with the anouncement of SSLeay 0.6.0 :-).
 There are quite a large number of sections that are 'works in
 progress' in this package.  I will also list the major changes and
 what files you should read.
 BIO - this is the new IO structure being used everywhere in SSLeay.  I
 started out developing this because of microsoft, I wanted a mechanism
 to callback to the application for all IO, so Windows 3.1 DLL
 perversion could be hidden from me and the 15 different ways to write
 to a file under NT would also not be dictated by me at library build
 time.  What the 'package' is is an API for a data structure containing
 functions.  IO interfaces can be written to conform to the
 specification.  This in not intended to hide the underlying data type
 from the application, but to hide it from SSLeay :-).
 I have only really finished testing the FILE * and socket/fd modules.
 There are also 'filter' BIO's.  Currently I have only implemented
 message digests, and it is in use in the dgst application.  This
 functionality will allow base64/encrypto/buffering modules to be
 'push' into a BIO without it affecting the semantics.  I'm also
 working on an SSL BIO which will hide the SSL_accept()/SLL_connet()
 from an event loop which uses the interface.
 It is also possible to 'attach' callbacks to a BIO so they get called
 before and after each operation, alowing extensive debug output
 to be generated (try running dgst with -d).
 Unfortunaly in the conversion from 0.5.x to 0.6.0, quite a few
 functions that used to take FILE *, now take BIO *.
 The wrappers are easy to write
 function_fp(fp,x)
 FILE *fp;
    {
    BIO *b;
    int ret;
    if ((b=BIO_new(BIO_s_file())) == NULL) error.....
    BIO_set_fp(b,fp,BIO_NOCLOSE);
    ret=function_bio(b,x);
    BIO_free(b);
    return(ret);
    }
 Remember, there are no functions that take FILE * in SSLeay when
 compiled for Windows 3.1 DLL's.
 --
 I have added a general EVP_PKEY type that can hold a public/private
 key.  This is now what is used by the EVP_ functions and is passed
 around internally.  I still have not done the PKCS#8 stuff, but
 X509_PKEY is defined and waiting :-)
 --
 For a full function name listings, have a look at ms/crypt32.def and
 ms/ssl32.def.  These are auto-generated but are complete.
 Things like ASN1_INTEGER_get() have been added and are in here if you
 look.  I have renamed a few things, again, have a look through the
 function list and you will probably find what you are after.  I intend
 to at least put a one line descrition for each one.....
 --
 Microsoft - thats what this release is about, read the MICROSOFT file.
 --
 Multi-threading support.  I have started hunting through the code and
 flaging where things need to be done.  In a state of work but high on
 the list.
 --
 For random numbers, edit e_os.h and set DEVRANDOM (it's near the top)
 be be you random data device, otherwise 'RFILE' in e_os.h
 will be used, in your home directory.  It will be updated
 periodically.  The environment variable RANDFILE will override this
 choice and read/write to that file instead.  DEVRANDOM is used in
 conjunction to the RFILE/RANDFILE.  If you wish to 'seed' the random
 number generator, pick on one of these files.
 --
 The list of things to read and do
 dgst -d
 s_client -state (this uses a callback placed in the SSL state loop and
        will be used else-where to help debug/monitor what
        is happening.)
 doc/why.doc
 doc/bio.doc <- hmmm, needs lots of work.
 doc/bss_file.doc <- one that is working :-)
 doc/session.doc <- it has changed
 doc/speed.doc
 also play with ssleay version -a.  I have now added a SSLeay()
 function that returns a version number, eg 0600 for this release
 which is primarily to be used to check DLL version against the
 application.
 util/*  Quite a few will not interest people, but some may, like
 mk1mf.pl, mkdef.pl,
 util/do_ms.sh
 try
 cc -Iinclude -Icrypto -c crypto/crypto.c
 cc -Iinclude -Issl -c ssl/ssl.c
 You have just built the SSLeay libraries as 2 object files :-)
 Have a general rummage around in the bin stall directory and look at
 what is in there, like CA.sh and c_rehash
 There are lots more things but it is 12:30am on a Friday night and I'm
 heading home :-).
 eric 22-Jun-1996
 This version has quite a few major bug fixes and improvements.  It DOES NOT
 do SSLv3 yet.
 The main things changed
 - A Few days ago I added the s_mult application to ssleay which is
  a demo of an SSL server running in an event loop type thing.
  It supports non-blocking IO, I have finally gotten it right, SSL_accept()
  can operate in non-blocking IO mode, look at the code to see how :-).
  Have a read of doc/s_mult as well.  This program leaks memory and
  file descriptors everywhere but I have not cleaned it up yet.
  This is a demo of how to do non-blocking IO.
 - The SSL session management has been 'worked over' and there is now
  quite an expansive set of functions to manipulate them.  Have a read of
  doc/session.doc for some-things I quickly whipped up about how it now works.
  This assume you know the SSLv2 protocol :-)
 - I can now read/write the netscape certificate format, use the
  -inform/-outform  'net' options to the x509 command.  I have not put support
  for this type in the other demo programs, but it would be easy to add.
 - asn1parse and 'enc' have been modified so that when reading base64
  encoded files (pem format), they do not require '-----BEGIN' header lines.
  The 'enc' program had a buffering bug fixed, it can be used as a general
  base64 -> binary -> base64 filter by doing 'enc -a -e' and 'enc -a -d'
  respecivly.  Leaving out the '-a' flag in this case makes the 'enc' command
  into a form of 'cat'.
 - The 'x509' and 'req' programs have been fixed and modified a little so
  that they generate self-signed certificates correctly.  The test
  script actually generates a 'CA' certificate and then 'signs' a
  'user' certificate.  Have a look at this shell script (test/sstest)
  to see how things work, it tests most possible combinations of what can
  be done.
 - The 'SSL_set_pref_cipher()' function has been 'fixed' and the prefered name
  of SSL_set_cipher_list() is now the correct API (stops confusion :-).
  If this function is used in the client, only the specified ciphers can
  be used, with preference given to the order the ciphers were listed.
  For the server, if this is used, only the specified ciphers will be used
  to accept connections.  If this 'option' is not used, a default set of
  ciphers will be used.  The SSL_CTX_set_cipher_list(SSL_CTX *ctx) sets this
  list for all ciphers started against the SSL_CTX.  So the order is
  SSL cipher_list, if not present, SSL_CTX cipher list, if not
  present, then the library default.
  What this means is that normally ciphers like
  NULL-MD5 will never be used.  The only way this cipher can be used
  for both ends to specify to use it.
  To enable or disable ciphers in the library at build time, modify the
  first field for the cipher in the ssl_ciphers array in ssl/ssl_lib.c.
  This file also contains the 'pref_cipher' list which is the default
  cipher preference order.
 - I'm not currently sure if the 'rsa -inform net' and the 'rsa -outform net'
  options work.  They should, and they enable loading and writing the
  netscape rsa private key format.  I will be re-working this section of
  SSLeay for the next version.  What is currently in place is a quick and
  dirty hack.
 - I've re-written parts of the bignum library.  This gives speedups
  for all platforms.  I now provide assembler for use under Windows NT.
  I have not tested the Windows 3.1 assembler but it is quite simple code.
  This gives RSAprivate_key operation encryption times of 0.047s (512bit key)
  and 0.230s (1024bit key) on a pentium 100 which I consider reasonable.
  Basically the times available under linux/solaris x86 can be achieve under
  Windows NT.  I still don't know how these times compare to RSA's BSAFE
  library but I have been emailing with people and with their help, I should
  be able to get my library's quite a bit faster still (more algorithm changes).
  The object file crypto/bn/asm/x86-32.obj should be used when linking
  under NT.
 - 'make makefile.one' in the top directory will generate a single makefile
  called 'makefile.one'  This makefile contains no perl references and
  will build the SSLeay library into the 'tmp' and 'out' directories.
  util/mk1mf.pl >makefile.one is how this makefile is
  generated.  The mk1mf.pl command take several option to generate the
  makefile for use with cc, gcc, Visual C++ and Borland C++.  This is
  still under development.  I have only build .lib's for NT and MSDOS
  I will be working on this more.  I still need to play with the
  correct compiler setups for these compilers and add some more stuff but
  basically if you just want to compile the library
  on a 'non-unix' platform, this is a very very good file to start with :-).
  Have a look in the 'microsoft' directory for my current makefiles.
  I have not yet modified things to link with sockets under Windows NT.
  You guys should be able to do this since this is actually outside of the
  SSLeay scope :-).  I will be doing it for myself soon.
  util/mk1mf.pl takes quite a few options including no-rc, rsaref  and no-sock
  to build without RC2/RC4, to require RSAref for linking, and to
  build with no socket code.
 - Oh yes, the cipher that was reported to be compatible with RSA's RC2 cipher
  that was posted to sci.crypt has been added to the library and SSL.
  I take the view that if RC2 is going to be included in a standard,
  I'll include the cipher to make my package complete.
  There are NO_RC2, NO_RC4 and NO_IDEA macros to remove these ciphers
  at compile time.  I have not tested this recently but it should all work
  and if you are in the USA and don't want RSA threatening to sue you,
  you could probably remove the RC4/RC2 code inside these sections.
  I may in the future include a perl script that does this code
  removal automatically for those in the USA :-).
 - I have removed all references to sed in the makefiles.  So basically,
  the development environment requires perl and sh.  The build environment
  does not (use the makefile.one makefile).
  The Configure script still requires perl, this will probably stay that way
  since I have perl for Windows NT :-).
 eric (03-May-1996)
 PS Have a look in the VERSION file for more details on the changes and
   bug fixes.
 I have fixed a few bugs, added alpha and x86 assembler and generally cleaned
 things up.  This version will be quite stable, mostly because I'm on
 holidays until 10-March-1996.  For any problems in the interum, send email
 to Tim Hudson <tjh@mincom.oz.au>.
 SSLeay 0.5.0
 12-12-95
 This is going out before it should really be released.
 I leave for 11 weeks holidays on the 22-12-95 and so I either sit on
 this for 11 weeks or get things out.  It is still going to change a
 lot in the next week so if you do grab this version, please test and
 give me feed back ASAP, inculuding questions on how to do things with
 the library.  This will prompt me to write documentation so I don't
 have to answer the same question again :-).
 This 'pre' release version is for people who are interested in the
 library.  The applications will have to be changed to use
 the new version of the SSL interface.  I intend to finish more
 documentation before I leave but until then, look at the programs in
 the apps directory.  As far as code goes, it is much much nicer than
 the old version.
 The current library works, has no memory leaks (as far as I can tell)
 and is far more bug free that 0.4.5d.  There are no global variable of
 consequence (I believe) and I will produce some documentation that
 tell where to look for those people that do want to do multi-threaded
 stuff.
 There should be more documentation.  Have a look in the
 doc directory.  I'll be adding more before I leave, it is a start
 by mostly documents the crypto library.  Tim Hudson will update
 the web page ASAP.  The spelling and grammar are crap but
 it is better than nothing :-)
 Reasons to start playing with version 0.5.0
 - All the programs in the apps directory build into one ssleay binary.
 - There is a new version of the 'req' program that generates certificate
  requests, there is even documentation for this one :-)
 - There is a demo certification authorithy program.  Currently it will
  look at the simple database and update it.  It will generate CRL from
  the data base.  You need to edit the database by hand to revoke a
  certificate, it is my aim to use perl5/Tk but I don't have time to do
  this right now.  It will generate the certificates but the management
  scripts still need to be written.  This is not a hard task.
 - Things have been cleaned up alot.
 - Have a look at the enc and dgst programs in the apps directory.
 - It supports v3 of x509 certiticates.
 Major things missing.
 - I have been working on (and thinging about) the distributed x509
  hierachy problem.  I have not had time to put my solution in place.
  It will have to wait until I come back.
 - I have not put in CRL checking in the certificate verification but
  it would not be hard to do.  I was waiting until I could generate my
  own CRL (which has only been in the last week) and I don't have time
  to put it in correctly.
 - Montgomery multiplication need to be implemented.  I know the
  algorithm, just ran out of time.
 - PKCS#7.  I can load and write the DER version.  I need to re-work
  things to support BER (if that means nothing, read the ASN1 spec :-).
 - Testing of the higher level digital envelope routines.  I have not
  played with the *_seal() and *_open() type functions.  They are
  written but need testing.  The *_sign() and *_verify() functions are
  rock solid. 
 - PEM.  Doing this and PKCS#7 have been dependant on the distributed
  x509 heirachy problem.  I started implementing my ideas, got
  distracted writing a CA program and then ran out of time.  I provide
  the functionality of RSAref at least.
 - Re work the asm. code for the x86.  I've changed by low level bignum
  interface again, so I really need to tweak the x86 stuff.  gcc is
  good enough for the other boxes.
--- a/38
+++ b/38
@@ -0,0 +1,38 @@
 HOW TO CONTRIBUTE TO OpenSSL
 ----------------------------
 Development is coordinated on the openssl-dev mailing list (see
 http://www.openssl.org for information on subscribing). If you
 would like to submit a patch, send it to rt@openssl.org with
 the string "[PATCH]" in the subject. Please be sure to include a
 textual explanation of what your patch does.
 You can also make GitHub pull requests. If you do this, please also send
 mail to rt@openssl.org with a brief description and a link to the PR so
 that we can more easily keep track of it.
 If you are unsure as to whether a feature will be useful for the general
 OpenSSL community please discuss it on the openssl-dev mailing list first.
 Someone may be already working on the same thing or there may be a good
 reason as to why that feature isn't implemented.
 Patches should be as up to date as possible, preferably relative to the
 current Git or the last snapshot. They should follow our coding style
 (see https://www.openssl.org/policies/codingstyle.html) and compile without
 warnings using the --strict-warnings flag.  OpenSSL compiles on many varied
 platforms: try to ensure you only use portable features.
 Our preferred format for patch files is "git format-patch" output. For example
 to provide a patch file containing the last commit in your local git repository
 use the following command:
 # git format-patch --stdout HEAD^ >mydiffs.patch
 Another method of creating an acceptable patch file without using git is as
 follows:
 # cd openssl-work
 # [your changes]
 # ./Configure dist; make clean
 # cd ..
 # diff -ur openssl-orig openssl-work > mydiffs.patch
--- a/Configurations/10-main.conf
+++ b/Configurations/10-main.conf
--- a/Configurations/90-team.conf
+++ b/Configurations/90-team.conf
@@ -0,0 +1,123 @@
 ## -*- mode: perl; -*-
 ## Build configuration targets for openssl-team members
 ##
 ## If you edit this file, run this command before committing
 ##	make -f Makefile.org TABLE
 ## This file is interpolated by the Configure script.
 %targets = (
    "purify" => {
        cc               => "purify gcc",
        cflags           => "-g -DPURIFY -Wall",
        thread_cflag     => "(unknown)",
        lflags           => "-lsocket -lnsl",
    },
    "debug" => {
        cc               => "gcc",
        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror",
        thread_cflag     => "(unknown)",
        lflags           => "-lefence",
    },
    "debug-erbridge" => {
        inherit_from     => [ "x86_64_asm" ],
        cc               => "gcc",
        cflags           => "$gcc_devteam_warn -DBN_DEBUG -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -DTERMIO -g",
        thread_cflag     => "-D_REENTRANT",
        lflags           => "-ldl",
        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
        shared_ldflag    => "-m64",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
        multilib         => "64",
    },
    "debug-linux-pentium" => {
        inherit_from     => [ "x86_elf_asm" ],
        cc               => "gcc",
        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -g -mcpu=pentium -Wall",
        thread_cflag     => "-D_REENTRANT",
        lflags           => "-ldl",
        bn_ops           => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}",
        dso_scheme       => "dlfcn",
    },
    "debug-linux-ppro" => {
        inherit_from     => [ "x86_elf_asm" ],
        cc               => "gcc",
        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -g -mcpu=pentiumpro -Wall",
        thread_cflag     => "-D_REENTRANT",
        lflags           => "-ldl",
        bn_ops           => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}",
        dso_scheme       => "dlfcn",
    },
    "debug-linux-elf-noefence" => {
        inherit_from     => [ "x86_elf_asm" ],
        cc               => "gcc",
        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -g -march=i486 -Wall",
        thread_cflag     => "-D_REENTRANT",
        lflags           => "-ldl",
        bn_ops           => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
    "debug-linux-ia32-aes" => {
        cc               => "gcc",
        cflags           => "-DAES_EXPERIMENTAL -DL_ENDIAN -O3 -fomit-frame-pointer -Wall",
        thread_cflag     => "-D_REENTRANT",
        lflags           => "-ldl",
        bn_ops           => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}",
        cpuid_obj        => "x86cpuid.o",
        bn_obj           => "bn-586.o co-586.o x86-mont.o",
        des_obj          => "des-586.o crypt586.o",
        aes_obj          => "aes_x86core.o aes_cbc.o aesni-x86.o",
        bf_obj           => "bf-586.o",
        md5_obj          => "md5-586.o",
        sha1_obj         => "sha1-586.o sha256-586.o sha512-586.o",
        cast_obj         => "cast-586.o",
        rc4_obj          => "rc4-586.o",
        rmd160_obj       => "rmd-586.o",
        rc5_obj          => "rc5-586.o",
        wp_obj           => "wp_block.o wp-mmx.o",
        modes_obj        => "ghash-x86.o",
        engines_obj      => "e_padlock-x86.o",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
    "dist" => {
        cc               => "cc",
        cflags           => "-O",
        thread_cflag     => "(unknown)",
    },
    "debug-test-64-clang" => {
        inherit_from     => [ "x86_64_asm" ],
        cc               => "clang",
        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
        thread_cflag     => "${BSDthreads}",
        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "bsd-gcc-shared",
        shared_cflag     => "-fPIC",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
    "darwin64-debug-test-64-clang" => {
        inherit_from     => [ "x86_64_asm" ],
        cc               => "clang",
        cflags           => "-arch x86_64 -DL_ENDIAN $gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
        thread_cflag     => "${BSDthreads}",
        sys_id           => "MACOSX",
        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
        perlasm_scheme   => "macosx",
        dso_scheme       => "dlfcn",
        shared_target    => "darwin-shared",
        shared_cflag     => "-fPIC -fno-common",
        shared_ldflag    => "-arch x86_64 -dynamiclib",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
    },
 );
--- a/Configurations/99-personal-ben.conf
+++ b/Configurations/99-personal-ben.conf
@@ -0,0 +1,95 @@
 ## -*- mode: perl; -*-
 ## Personal configuration targets
 ##
 ## If you edit this file, run this command before committing
 ##	make -f Makefile.org TABLE
 ## This file is interpolated by the Configure script.
 %targets = (
    "debug-ben" => {
        cc               => "gcc",
        cflags           => "$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DDEBUG_SAFESTACK -O2 -pipe",
        thread_cflag     => "(unknown)",
    },
    "debug-ben-openbsd" => {
        cc               => "gcc",
        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe",
        thread_cflag     => "(unknown)",
    },
    "debug-ben-openbsd-debug" => {
        cc               => "gcc",
        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe",
        thread_cflag     => "(unknown)",
    },
    "debug-ben-debug" => {
        cc               => "gcc",
        cflags           => "$gcc_devteam_warn -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DOPENSSL_NO_HW_PADLOCK -g3 -O2 -pipe",
        thread_cflag     => "(unknown)",
    },
    "debug-ben-debug-64" => {
        inherit_from     => [ "x86_64_asm" ],
        cc               => "gcc",
        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
        thread_cflag     => "${BSDthreads}",
        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "bsd-gcc-shared",
        shared_cflag     => "-fPIC",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
    "debug-ben-debug-64-clang" => {
        inherit_from     => [ "x86_64_asm" ],
        cc               => "clang",
        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
        thread_cflag     => "${BSDthreads}",
        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "bsd-gcc-shared",
        shared_cflag     => "-fPIC",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
    "debug-ben-debug-64-noopt" => {
        inherit_from     => [ "x86_64_asm" ],
        cc               => "gcc",
        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -pipe",
        thread_cflag     => "${BSDthreads}",
        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "bsd-gcc-shared",
        shared_cflag     => "-fPIC",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
    "debug-ben-macos" => {
        cc               => "cc",
        cflags           => "$gcc_devteam_warn -DOPENSSL_NO_ASM -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch i386 -O3 -DL_ENDIAN -g3 -pipe",
        thread_cflag     => "(unknown)",
    },
    "debug-ben-no-opt" => {
        cc               => "gcc",
        cflags           => " -Wall -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG -Werror -DL_ENDIAN -Wall -g3",
        thread_cflag     => "(unknown)",
    },
    "debug-ben-strict" => {
        cc               => "gcc",
        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe",
        thread_cflag     => "(unknown)",
    },
    "debug-ben-darwin64" => {
        inherit_from     => [ "x86_64_asm" ],
        cc               => "cc",
        cflags           => "$gcc_devteam_warn -Wno-language-extension-token -Wno-extended-offsetof -arch x86_64 -O3 -DL_ENDIAN -DMD32_REG_T=int -Wall",
        thread_cflag     => "-D_REENTRANT",
        sys_id           => "MACOSX",
        lflags           => "-Wl,-search_paths_first%",
        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
        perlasm_scheme   => "macosx",
        dso_scheme       => "dlfcn",
        shared_target    => "darwin-shared",
        shared_cflag     => "-fPIC -fno-common",
        shared_ldflag    => "-arch x86_64 -dynamiclib",
        shared_extension => ".\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
    },
 );
--- a/Configurations/99-personal-bodo.conf
+++ b/Configurations/99-personal-bodo.conf
@@ -0,0 +1,24 @@
 ## -*- mode: perl; -*-
 ## Personal configuration targets
 ##
 ## If you edit this file, run this command before committing
 ##	make -f Makefile.org TABLE
 ## This file is interpolated by the Configure script.
 %targets = (
    "debug-bodo" => {
        inherit_from     => [ "x86_64_asm" ],
        cc               => "gcc",
        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -DBIO_PAIR_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int",
        thread_cflag     => "-D_REENTRANT",
        lflags           => "-ldl",
        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
        shared_ldflag    => "-m64",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
        multilib         => "64",
    },
 );
--- a/Configurations/99-personal-geoff.conf
+++ b/Configurations/99-personal-geoff.conf
@@ -0,0 +1,33 @@
 ## -*- mode: perl; -*-
 ## Personal configuration targets
 ##
 ## If you edit this file, run this command before committing
 ##	make -f Makefile.org TABLE
 ## This file is interpolated by the Configure script.
 %targets = (
    "debug-geoff32" => {
        inherit_from     => [ "no_asm_filler" ],
        cc               => "gcc",
        cflags           => "-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DPURIFY -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long",
        thread_cflag     => "-D_REENTRANT",
        lflags           => "-ldl",
        bn_ops           => "BN_LLONG",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
    "debug-geoff64" => {
        inherit_from     => [ "no_asm_filler" ],
        cc               => "gcc",
        cflags           => "-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DPURIFY -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long",
        thread_cflag     => "-D_REENTRANT",
        lflags           => "-ldl",
        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
 );
--- a/Configurations/99-personal-levitte.conf
+++ b/Configurations/99-personal-levitte.conf
@@ -0,0 +1,60 @@
 ## -*- mode: perl; -*-
 ## Personal configuration targets
 ##
 ## If you edit this file, run this command before committing
 ##	make -f Makefile.org TABLE
 ## This file is interpolated by the Configure script.
 %targets = (
    "levitte-linux-elf" => {
        inherit_from     => [ "x86_elf_asm" ],
        cc               => "gcc",
        cflags           => "-DL_ENDIAN -Wall",
        debug_cflags     => "-DLEVITTE_DEBUG -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG-ggdb -g3",
        thread_cflag     => "-D_REENTRANT",
        lflags           => "-ldl",
        bn_ops           => "BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
    "debug-levitte-linux-noasm" => {
        inherit_from     => [ "no_asm_filler" ],
        cc               => "gcc",
        cflags           => "-DLEVITTE_DEBUG -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -ggdb -g3 -Wall",
        thread_cflag     => "-D_REENTRANT",
        lflags           => "-ldl",
        bn_ops           => "BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
    "debug-levitte-linux-elf-extreme" => {
        inherit_from     => [ "x86_elf_asm" ],
        cc               => "gcc",
        cflags           => "-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DPEDANTIC -ggdb -g3 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe",
        thread_cflag     => "-D_REENTRANT",
        lflags           => "-ldl",
        bn_ops           => "BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
    "debug-levitte-linux-noasm-extreme" => {
        inherit_from     => [ "no_asm_filler" ],
        cc               => "gcc",
        cflags           => "-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DPEDANTIC -ggdb -g3 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe",
        thread_cflag     => "-D_REENTRANT",
        lflags           => "-ldl",
        bn_ops           => "BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT",
        perlasm_scheme   => "void",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
 );
--- a/Configurations/99-personal-rse.conf
+++ b/Configurations/99-personal-rse.conf
@@ -0,0 +1,16 @@
 ## -*- mode: perl; -*-
 ## Personal configuration targets
 ##
 ## If you edit this file, run this command before committing
 ##	make -f Makefile.org TABLE
 ## This file is interpolated by the Configure script.
 %targets = (
    "debug-rse" => {
        inherit_from     => [ "x86_elf_asm" ],
        cc               => "cc",
        cflags           => "-DL_ENDIAN -pipe -O -g -ggdb3 -Wall",
        thread_cflag     => "(unknown)",
        bn_ops           => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}",
    },
 );
--- a/Configurations/99-personal-steve.conf
+++ b/Configurations/99-personal-steve.conf
@@ -0,0 +1,50 @@
 ## -*- mode: perl; -*-
 ## Personal configuration targets
 ##
 ## If you edit this file, run this command before committing
 ##	make -f Makefile.org TABLE
 ## This file is interpolated by the Configure script.
 %targets = (
    "debug-steve64" => {
        inherit_from     => [ "x86_64_asm" ],
        cc               => "gcc",
        cflags           => "$gcc_devteam_warn -pthread -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -g",
        thread_cflag     => "-D_REENTRANT",
        lflags           => "-ldl",
        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
        shared_ldflag    => "-m64",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
    "debug-steve32" => {
        inherit_from     => [ "x86_elf_asm" ],
        cc               => "gcc",
        cflags           => "$gcc_devteam_warn -pthread -m32 -DL_ENDIAN -DCONF_DEBUG -g",
        thread_cflag     => "-D_REENTRANT",
        lflags           => "-rdynamic -ldl",
        bn_ops           => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
        shared_ldflag    => "-m32",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
    "debug-steve-opt" => {
        inherit_from     => [ "x86_64_asm" ],
        cc               => "gcc",
        cflags           => "$gcc_devteam_warn -pthread -m64 -O3 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -g",
        thread_cflag     => "-D_REENTRANT",
        lflags           => "-ldl",
        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
        shared_ldflag    => "-m64",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
 );
--- a/1930
+++ b/1930
--- a/1027
+++ b/1027
--- a/10
+++ b/10
@@ -0,0 +1,10 @@
 #!/bin/sh
 BRANCH=`git rev-parse --abbrev-ref HEAD`
 ./Configure $@
 make files
 util/mk1mf.pl OUT=out.$BRANCH TMP=tmp.$BRANCH INC=inc.$BRANCH copy > makefile.$BRANCH
 MAKE=make
 which bsdmake > /dev/null && MAKE=bsdmake
 $MAKE -f makefile.$BRANCH init
--- a/7
+++ b/7
@@ -0,0 +1,7 @@
 #!/bin/sh
 BRANCH=`git rev-parse --abbrev-ref HEAD`
 MAKE=make
 which bsdmake > /dev/null && MAKE=bsdmake
 $MAKE -f makefile.$BRANCH $@
--- a/64
+++ b/64
@@ -12,7 +12,7 @@
 To install OpenSSL, you will need:
  * make
-  * Perl 5
+  * Perl 5 with core modules (see 'Note on Perl' further down)
  * an ANSI C compiler
  * a development environment in form of development libraries and C
    header files
@@ -79,7 +79,7 @@
                compiler flags for any other CPU specific configuration,
                e.g. "-m32" to build x86 code on an x64 system.
-  no-sse2	Exclude SSE2 code pathes. Normally SSE2 extention is
+  no-sse2	Exclude SSE2 code pathes. Normally SSE2 extension is
 		detected at run-time, but the decision whether or not the
 		machine code will be executed is taken solely on CPU
 		capability vector. This means that if you happen to run OS
@@ -173,14 +173,38 @@
       $ make test
-     If a test fails, look at the output.  There may be reasons for
+     If some tests fail, look at the output.  There may be reasons for
-     the failure that isn't a problem in OpenSSL itself (like a missing
+     the failure that isn't a problem in OpenSSL itself (like a
-     or malfunctioning bc).  If it is a problem with OpenSSL itself,
+     malfunction with Perl).  You may want increased verbosity, that
-     try removing any compiler optimization flags from the CFLAG line
+     can be accomplished like this:
-     in Makefile.ssl and run "make clean; make". Please send a bug
+
-     report to <openssl-bugs@openssl.org>, including the output of
+       $ HARNESS_VERBOSE=yes make test
-     "make report" in order to be added to the request tracker at
+
-     http://www.openssl.org/support/rt.html.
+     Also, you will find logs for all commands the tests have executed
     in logs, test/test_*.log, one for each individual test.
     If you want to run just one or a few specific tests, you can use
     the make variable TESTS to specify them, like this:
       $ make TESTS='test_rsa test_dsa' test
     And of course, you can combine:
       $ HARNESS_VERBOSE=yes make TESTS='test_rsa test_dsa' test
     You can find the list of available tests like this:
       $ make list-tests
     If you find a problem with OpenSSL itself, try removing any
     compiler optimization flags from the CFLAG line in Makefile and
     run "make clean; make".
     Please send a bug report to <openssl-bugs@openssl.org>, and when
     you do, please run the following and include the output in your
     report:
       $ make report
  4. If everything tests ok, install OpenSSL with
@@ -286,6 +310,26 @@
     with names of the form <foo.h>.
 Note on Perl
 ------------
 For our scripts, we rely quite a bit on Perl, and increasingly on
 some core Perl modules.  These Perl modules are part of the Perl
 source, so if you build Perl on your own, you should be set.
 However, if you install Perl as binary packages, the outcome might
 differ, and you may have to check that you do get the core modules
 installed properly.  We do not claim to know them all, but experience
 has told us the following:
 - on Linux distributions based on Debian, the package 'perl' will
   install the core Perl modules as well, so you will be fine.
 - on Linux distributions based on RPMs, you will need to install
   'perl-core' rather than just 'perl'.
 It is highly recommended that you have at least Perl version 5.12
 installed.
 Note on multi-threading
 -----------------------
--- a/INSTALL.MacOS
+++ b/INSTALL.MacOS
@@ -1,72 +0,0 @@
 OpenSSL - Port To The Macintosh OS 9 or Earlier
 ===============================================
 Thanks to Roy Wood <roy@centricsystems.ca> initial support for Mac OS (pre
 X) is now provided. "Initial" means that unlike other platforms where you
 get an SDK and a "swiss army" openssl application, on Macintosh you only
 get one sample application which fetches a page over HTTPS(*) and dumps it
 in a window. We don't even build the test applications so that we can't
 guarantee that all algorithms are operational.
 Required software:
 - StuffIt Expander 5.5 or later, alternatively MacGzip and SUNtar;
 - Scriptable Finder;
 - CodeWarrior Pro 5;
 Installation procedure:
 - fetch the source at ftp://ftp.openssl.org/ (well, you probably already
  did, huh?)
 - unpack the .tar.gz file:
 	- if you have StuffIt Expander then just drag it over it;
 	- otherwise uncompress it with MacGzip and then unpack with SUNtar;
 - locate MacOS folder in OpenSSL source tree and open it;
 - unbinhex mklinks.as.hqx and OpenSSL.mcp.hqx if present (**), do it
  "in-place", i.e. unpacked files should end-up in the very same folder;
 - execute mklinks.as;
 - open OpenSSL.mcp(***) and build 'GetHTTPS PPC' target(****);
 - that's it for now;
 (*)	URL is hardcoded into ./MacOS/GetHTTPS.src/GetHTTPS.cpp, lines 40
        to 42, change appropriately.
 (**)	If you use SUNtar, then it might have already unbinhexed the files
 	in question.
 (***)	The project file was saved with CW Pro 5.3. If you have an earlier
 	version and it refuses to open it, then download
 	http://www.openssl.org/~appro/OpenSSL.mcp.xml and import it
 	overwriting the original OpenSSL.mcp.
 (****)	Other targets are works in progress. If you feel like giving 'em a
 	shot, then you should know that OpenSSL* and Lib* targets are
 	supposed to be built with the GUSI, MacOS library which mimics
 	BSD sockets and some other POSIX APIs. The GUSI distribution is
 	expected to be found in the same directory as the openssl source tree,
 	i.e., in the parent directory to the one where this very file,
 	namely INSTALL.MacOS, resides. For more information about GUSI, see
 	http://www.iis.ee.ethz.ch/~neeri/macintosh/gusi-qa.html
 Finally some essential comments from our generous contributor:-)
 "I've gotten OpenSSL working on the Macintosh. It's probably a bit of a
 hack, but it works for what I'm doing. If you don't like the way I've done
 it, then feel free to change what I've done. I freely admit that I've done
 some less-than-ideal things in my port, and if you don't like the way I've
 done something, then feel free to change it-- I won't be offended!
 ... I've tweaked "bss_sock.c" a little to call routines in a "MacSocket"
 library I wrote. My MacSocket library is a wrapper around OpenTransport,
 handling stuff like endpoint creation, reading, writing, etc. It is not
 designed as a high-performance package such as you'd use in a webserver,
 but is fine for lots of other applications. MacSocket also uses some other
 code libraries I've written to deal with string manipulations and error
 handling. Feel free to use these things in your own code, but give me
 credit and/or send me free stuff in appreciation! :-)
 ...
 If you have any questions, feel free to email me as the following:
 roy@centricsystems.ca
 -Roy Wood"
--- a/INSTALL.NW
+++ b/INSTALL.NW
@@ -378,7 +378,7 @@ The openssl program has numerous options and can be used for many different
 things.  Many of the options operate in an interactive mode requiring the
 user to enter data.  Because of this, a default screen is created for the
 program.  However, when running the test script it is not desirable to
-have a seperate screen.  Therefore, the build also creates openssl2.nlm.
+have a separate screen.  Therefore, the build also creates openssl2.nlm.
 Openssl2.nlm is functionally identical but uses the console screen.
 Openssl2 can be used when a non-interactive mode is desired.
--- a/INSTALL.VMS
+++ b/INSTALL.VMS
@@ -25,6 +25,8 @@ Requirements:
 To build and install OpenSSL, you will need:
 * Perl 5 with core modules.  If you don't want to build it yourself,
   we suggest you look here: http://sourceforge.net/projects/vmsperlkit/files/
 * DEC C or some other ANSI C compiler.  VAX C is *not* supported.
   [Note: OpenSSL has only been tested with DEC C.  Compiling with 
    a different ANSI C compiler may require some work]
@@ -83,7 +85,6 @@ directory.  The syntax is the following:
      RSAREF    Just build the "[.xxx.EXE.RSAREF]LIBRSAGLUE.OLB" library.
      CRYPTO    Just build the "[.xxx.EXE.CRYPTO]LIBCRYPTO.OLB" library.
      SSL       Just build the "[.xxx.EXE.SSL]LIBSSL.OLB" library.
      SSL_TASK  Just build the "[.xxx.EXE.SSL]SSL_TASK.EXE" program.
      TEST      Just build the "[.xxx.EXE.TEST]" test programs for OpenSSL.
      APPS      Just build the "[.xxx.EXE.APPS]" application programs for OpenSSL.
@@ -130,15 +131,23 @@ Currently, the logical names supported are:
      OPENSSL_NO_ASM    with value YES, the assembler parts of OpenSSL will
                        not be used.  Instead, plain C implementations are
                        used.  This is good to try if something doesn't work.
-      OPENSSL_NO_'alg'  with value YES, the corresponding crypto algorithm
+      OPENSSL_NO_'alg'  with value YES, the corresponding crypto algorithm,
-                        will not be implemented.  Supported algorithms to
+                        protocol or other routine will not be implemented if
-                        do this with are: RSA, DSA, DH, MD2, MD4, MD5, RIPEMD,
+                        disabling it is supported.  Supported algorithms to
-                        SHA, DES, MDC2, CR2, RC4, RC5, IDEA, BF, CAST, HMAC,
+                        do this with are: AES, BF, CAMELLIA, CAST, CMS, COMP,
-                        SSL2.  So, for example, having the logical name
+                        DES, DGRAM, DH, DSA, EC, EC2M, ECDH, ECDSA, ENGINE,
-                        OPENSSL_NO_RSA with the value YES means that the
+                        ERR, GOST, HEARTBEATS, HMAC, IDEA, MD2, MD4,
-                        LIBCRYPTO.OLB library will not contain an RSA
+                        MD5, OCB, OCSP, PSK, RC2, RC4, RC5, RMD160, RSA, SCTP,
-                        implementation.
+                        SEED, SOCK, SRP, SRTP, WHIRLPOOL.  So, for
-
+                        example, having the logical name OPENSSL_NO_RSA with
                        the value YES means that the LIBCRYPTO.OLB library
                        will not contain an RSA implementation.
      OPENSSL_EXPERIMENTAL_'alg'
                        with value YES, the corresponding experimental
                        algorithm is enabled.  Note that is also requires
                        the application using this to define the C macro
                        OPENSSL_EXPERIMENTAL_'alg'.  Supported algorithms
                        to do this with are: JPAKE, STORE.
 Test:
 =====
--- a/INSTALL.W32
+++ b/INSTALL.W32
@@ -29,7 +29,7 @@
  is required if you intend to utilize assembler modules. Note that NASM
  is now the only supported assembler.
- If you are compiling from a tarball or a CVS snapshot then the Win32 files
+ If you are compiling from a tarball or a Git snapshot then the Win32 files
 may well be not up to date. This may mean that some "tweaking" is required to
 get it all to work. See the trouble shooting section later on for if (when?)
 it goes wrong.
@@ -257,7 +257,7 @@
 then ms\do_XXX should not give a warning any more. However the numbers that
 get assigned by this technique may not match those that eventually get
- assigned in the CVS tree: so anything linked against this version of the
+ assigned in the Git tree: so anything linked against this version of the
 library may need to be recompiled.
 If you get errors about unresolved symbols there are several possible
--- a/Makefile.fips
+++ b/Makefile.fips
@@ -1,638 +0,0 @@
 ##
 ## Makefile for OpenSSL: fipscanister.o only
 ##
 VERSION=fips-2.0-test
 MAJOR=
 MINOR=
 SHLIB_VERSION_NUMBER=
 SHLIB_VERSION_HISTORY=
 SHLIB_MAJOR=
 SHLIB_MINOR=
 SHLIB_EXT=
 PLATFORM=dist
 OPTIONS=
 CONFIGURE_ARGS=
 SHLIB_TARGET=
 # HERE indicates where this Makefile lives.  This can be used to indicate
 # where sub-Makefiles are expected to be.  Currently has very limited usage,
 # and should probably not be bothered with at all.
 HERE=.
 # INSTALL_PREFIX is for package builders so that they can configure
 # for, say, /usr/ and yet have everything installed to /tmp/somedir/usr/.
 # Normally it is left empty.
 INSTALL_PREFIX=
 INSTALLTOP=/usr/local/ssl
 # Do not edit this manually. Use Configure --openssldir=DIR do change this!
 OPENSSLDIR=/usr/local/ssl
 # NO_IDEA - Define to build without the IDEA algorithm
 # NO_RC4  - Define to build without the RC4 algorithm
 # NO_RC2  - Define to build without the RC2 algorithm
 # THREADS - Define when building with threads, you will probably also need any
 #           system defines as well, i.e. _REENTERANT for Solaris 2.[34]
 # TERMIO  - Define the termio terminal subsystem, needed if sgtty is missing.
 # TERMIOS - Define the termios terminal subsystem, Silicon Graphics.
 # LONGCRYPT - Define to use HPUX 10.x's long password modification to crypt(3).
 # DEVRANDOM - Give this the value of the 'random device' if your OS supports
 #           one.  32 bytes will be read from this when the random
 #           number generator is initalised.
 # SSL_FORBID_ENULL - define if you want the server to be not able to use the
 #           NULL encryption ciphers.
 #
 # LOCK_DEBUG - turns on lots of lock debug output :-)
 # REF_CHECK - turn on some xyz_free() assertions.
 # REF_PRINT - prints some stuff on structure free.
 # CRYPTO_MDEBUG - turns on my 'memory leak' detecting stuff
 # MFUNC - Make all Malloc/Free/Realloc calls call
 #       CRYPTO_malloc/CRYPTO_free/CRYPTO_realloc which can be setup to
 #       call application defined callbacks via CRYPTO_set_mem_functions()
 # MD5_ASM needs to be defined to use the x86 assembler for MD5
 # SHA1_ASM needs to be defined to use the x86 assembler for SHA1
 # RMD160_ASM needs to be defined to use the x86 assembler for RIPEMD160
 # Do not define B_ENDIAN or L_ENDIAN if 'unsigned long' == 8.  It must
 # equal 4.
 # PKCS1_CHECK - pkcs1 tests.
 CC= cc
 CFLAG= -O
 DEPFLAG= 
 PEX_LIBS= 
 EX_LIBS= 
 EXE_EXT= 
 ARFLAGS=
 AR=ar $(ARFLAGS) r
 RANLIB= ranlib
 NM= nm
 PERL= perl
 TAR= tar
 TARFLAGS= --no-recursion
 MAKEDEPPROG=makedepend
 LIBDIR=lib
 # We let the C compiler driver to take care of .s files. This is done in
 # order to be excused from maintaining a separate set of architecture
 # dependent assembler flags. E.g. if you throw -mcpu=ultrasparc at SPARC
 # gcc, then the driver will automatically translate it to -xarch=v8plus
 # and pass it down to assembler.
 #AS=$(CC) -c
 ASFLAG=$(CFLAG)
 # For x86 assembler: Set PROCESSOR to 386 if you want to support
 # the 80386.
 PROCESSOR=
 # CPUID module collects small commonly used assembler snippets
 CPUID_OBJ= 
 BN_ASM= bn_asm.o
 DES_ENC= des_enc.o fcrypt_b.o
 AES_ENC= aes_core.o aes_cbc.o
 BF_ENC= bf_enc.o
 CAST_ENC= c_enc.o
 RC4_ENC= rc4_enc.o
 RC5_ENC= rc5_enc.o
 MD5_ASM_OBJ= 
 SHA1_ASM_OBJ= 
 RMD160_ASM_OBJ= 
 WP_ASM_OBJ=
 CMLL_ENC=
 MODES_ASM_OBJ=
 PERLASM_SCHEME=
 # KRB5 stuff
 KRB5_INCLUDES=
 LIBKRB5=
 # Zlib stuff
 ZLIB_INCLUDE=
 LIBZLIB=
 # This is the location of fipscanister.o and friends.
 # The FIPS module build will place it $(INSTALLTOP)/lib
 # but since $(INSTALLTOP) can only take the default value
 # when the module is built it will be in /usr/local/ssl/lib
 # $(INSTALLTOP) for this build may be different so hard
 # code the path.
 FIPSLIBDIR=/usr/local/ssl/$(LIBDIR)/
 # This is set to "y" if fipscanister.o is compiled internally as
 # opposed to coming from an external validated location.
 FIPSCANISTERINTERNAL=n
 # This is set if we only build fipscanister.o
 FIPSCANISTERONLY=y
 # The location of the library which contains fipscanister.o
 # normally it will be libcrypto unless fipsdso is set in which
 # case it will be libfips. If not compiling in FIPS mode at all
 # this is empty making it a useful test for a FIPS compile.
 FIPSCANLIB=
 # Shared library base address. Currently only used on Windows.
 #
 BASEADDR=
 DIRS=   crypto fips test 
 ENGDIRS= ccgost
 SHLIBDIRS= crypto 
 # dirs in crypto to build
 SDIRS=  \
 	sha hmac des aes modes \
 	bn ec rsa dsa ecdsa dh \
 	buffer evp ecdh cmac
 # keep in mind that the above list is adjusted by ./Configure
 # according to no-xxx arguments...
 LINKDIRS=  \
 	objects sha hmac des aes modes \
 	bn ec rsa dsa ecdh cmac ecdsa dh engine \
 	buffer bio stack lhash rand err \
 	evp asn1 ui
 # tests to perform.  "alltests" is a special word indicating that all tests
 # should be performed.
 TESTS = alltests
 MAKEFILE= Makefile
 MANDIR=$(OPENSSLDIR)/man
 MAN1=1
 MAN3=3
 MANSUFFIX=
 HTMLSUFFIX=html
 HTMLDIR=$(OPENSSLDIR)/html
 SHELL=/bin/sh
 TOP=    .
 ONEDIRS=out tmp
 EDIRS=  times doc bugs util include certs ms shlib mt demos perl sf dep VMS
 WDIRS=  windows
 LIBS=   
 SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
 SHARED_SSL=libssl$(SHLIB_EXT)
 SHARED_LIBS=
 SHARED_LIBS_LINK_EXTS=
 SHARED_LDFLAGS=
 GENERAL=        Makefile
 BASENAME=       openssl
 NAME=           $(BASENAME)-$(VERSION)
 TARFILE=        openssl-fips-2.0-test.tar
 WTARFILE=       $(NAME)-win.tar
 EXHEADER=       e_os2.h
 HEADER=         e_os.h
 all: Makefile build_all openssl.pc libssl.pc libcrypto.pc
 # as we stick to -e, CLEARENV ensures that local variables in lower
 # Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn
 # shell, which [annoyingly enough] terminates unset with error if VAR
 # is not present:-( TOP= && unset TOP is tribute to HP-UX /bin/sh,
 # which terminates unset with error if no variable was present:-(
 CLEARENV=	TOP= && unset TOP $${LIB+LIB} $${LIBS+LIBS}	\
 		$${INCLUDE+INCLUDE} $${INCLUDES+INCLUDES}	\
 		$${DIR+DIR} $${DIRS+DIRS} $${SRC+SRC}		\
 		$${LIBSRC+LIBSRC} $${LIBOBJ+LIBOBJ} $${ALL+ALL}	\
 		$${EXHEADER+EXHEADER} $${HEADER+HEADER}		\
 		$${GENERAL+GENERAL} $${CFLAGS+CFLAGS}		\
 		$${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS}		\
 		$${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS}		\
 		$${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS}	\
 		$${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS}
 BUILDENV=	PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)' \
 		CC='$(CC)' CFLAG='$(CFLAG)' 			\
 		ASFLAG='$(CFLAG) -c'			\
 		AR='$(AR)' NM='$(NM)' RANLIB='$(RANLIB)'	\
 		CROSS_COMPILE='$(CROSS_COMPILE)'	\
 		PERL='$(PERL)' ENGDIRS='$(ENGDIRS)'		\
 		SDIRS='$(SDIRS)' LIBRPATH='$(INSTALLTOP)/$(LIBDIR)'	\
 		INSTALL_PREFIX='$(INSTALL_PREFIX)'		\
 		INSTALLTOP='$(INSTALLTOP)' OPENSSLDIR='$(OPENSSLDIR)'	\
 		LIBDIR='$(LIBDIR)'				\
 		MAKEDEPEND='$$$${TOP}/util/domd $$$${TOP} -MD $(MAKEDEPPROG)' \
 		DEPFLAG='-DOPENSSL_NO_DEPRECATED $(DEPFLAG)'	\
 		MAKEDEPPROG='$(MAKEDEPPROG)'			\
 		SHARED_LDFLAGS='$(SHARED_LDFLAGS)'		\
 		KRB5_INCLUDES='$(KRB5_INCLUDES)' LIBKRB5='$(LIBKRB5)'	\
 		ZLIB_INCLUDE='$(ZLIB_INCLUDE)' LIBZLIB='$(LIBZLIB)'	\
 		EXE_EXT='$(EXE_EXT)' SHARED_LIBS='$(SHARED_LIBS)'	\
 		SHLIB_EXT='$(SHLIB_EXT)' SHLIB_TARGET='$(SHLIB_TARGET)'	\
 		PEX_LIBS='$(PEX_LIBS)' EX_LIBS='$(EX_LIBS)'	\
 		CPUID_OBJ='$(CPUID_OBJ)'			\
 		BN_ASM='$(BN_ASM)' DES_ENC='$(DES_ENC)' 	\
 		AES_ENC='$(AES_ENC)' CMLL_ENC='$(CMLL_ENC)'	\
 		BF_ENC='$(BF_ENC)' CAST_ENC='$(CAST_ENC)'	\
 		RC4_ENC='$(RC4_ENC)' RC5_ENC='$(RC5_ENC)'	\
 		SHA1_ASM_OBJ='$(SHA1_ASM_OBJ)'			\
 		MD5_ASM_OBJ='$(MD5_ASM_OBJ)'			\
 		RMD160_ASM_OBJ='$(RMD160_ASM_OBJ)'		\
 		WP_ASM_OBJ='$(WP_ASM_OBJ)'			\
 		MODES_ASM_OBJ='$(MODES_ASM_OBJ)'		\
 		PERLASM_SCHEME='$(PERLASM_SCHEME)'		\
 		FIPSLIBDIR='${FIPSLIBDIR}'			\
 		FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}"	\
 		FIPSCANISTERINTERNAL='${FIPSCANISTERINTERNAL}'	\
 		FIPSCANISTERONLY='${FIPSCANISTERONLY}'	\
 		FIPS_EX_OBJ='${FIPS_EX_OBJ}'	\
 		THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
 # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
 # which in turn eliminates ambiguities in variable treatment with -e.
 # BUILD_CMD is a generic macro to build a given target in a given
 # subdirectory.  The target must be given through the shell variable
 # `target' and the subdirectory to build in must be given through `dir'.
 # This macro shouldn't be used directly, use RECURSIVE_BUILD_CMD or
 # BUILD_ONE_CMD instead.
 #
 # BUILD_ONE_CMD is a macro to build a given target in a given
 # subdirectory if that subdirectory is part of $(DIRS).  It requires
 # exactly the same shell variables as BUILD_CMD.
 #
 # RECURSIVE_BUILD_CMD is a macro to build a given target in all
 # subdirectories defined in $(DIRS).  It requires that the target
 # is given through the shell variable `target'.
 BUILD_CMD=  if [ -d "$$dir" ]; then \
 	    (	cd $$dir && echo "making $$target in $$dir..." && \
 		$(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. DIR=$$dir $$target \
 	    ) || exit 1; \
 	    fi
 RECURSIVE_BUILD_CMD=for dir in $(DIRS); do $(BUILD_CMD); done
 BUILD_ONE_CMD=\
 	if expr " $(DIRS) " : ".* $$dir " >/dev/null 2>&1; then \
 		$(BUILD_CMD); \
 	fi
 reflect:
 	@[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV)
 FIPS_EX_OBJ= ../crypto/aes/aes_cfb.o \
 	../crypto/aes/aes_ecb.o \
 	../crypto/aes/aes_ofb.o \
 	../crypto/bn/bn_add.o \
 	../crypto/bn/bn_blind.o \
 	../crypto/bn/bn_ctx.o \
 	../crypto/bn/bn_div.o \
 	../crypto/bn/bn_exp2.o \
 	../crypto/bn/bn_exp.o \
 	../crypto/bn/bn_gcd.o \
 	../crypto/bn/bn_gf2m.o \
 	../crypto/bn/bn_lib.o \
 	../crypto/bn/bn_mod.o \
 	../crypto/bn/bn_mont.o \
 	../crypto/bn/bn_mul.o \
 	../crypto/bn/bn_nist.o \
 	../crypto/bn/bn_prime.o \
 	../crypto/bn/bn_rand.o \
 	../crypto/bn/bn_recp.o \
 	../crypto/bn/bn_shift.o \
 	../crypto/bn/bn_sqr.o \
 	../crypto/bn/bn_word.o \
 	../crypto/bn/bn_x931p.o \
 	../crypto/buffer/buf_str.o \
 	../crypto/cmac/cmac.o \
 	../crypto/cryptlib.o \
 	../crypto/des/cfb64ede.o \
 	../crypto/des/cfb64enc.o \
 	../crypto/des/cfb_enc.o \
 	../crypto/des/ecb3_enc.o \
 	../crypto/des/ofb64ede.o \
 	../crypto/des/fcrypt.o \
 	../crypto/des/set_key.o \
 	../crypto/dh/dh_check.o \
 	../crypto/dh/dh_gen.o \
 	../crypto/dh/dh_key.o \
 	../crypto/dsa/dsa_gen.o \
 	../crypto/dsa/dsa_key.o \
 	../crypto/dsa/dsa_ossl.o \
 	../crypto/ec/ec_curve.o \
 	../crypto/ec/ec_cvt.o \
 	../crypto/ec/ec_key.o \
 	../crypto/ec/ec_lib.o \
 	../crypto/ec/ecp_mont.o \
 	../crypto/ec/ec_mult.o \
 	../crypto/ec/ecp_nist.o \
 	../crypto/ec/ecp_smpl.o \
 	../crypto/ec/ec2_mult.o \
 	../crypto/ec/ec2_smpl.o \
 	../crypto/ecdh/ech_key.o \
 	../crypto/ecdh/ech_ossl.o \
 	../crypto/ecdsa/ecs_ossl.o \
 	../crypto/evp/e_aes.o \
 	../crypto/evp/e_des3.o \
 	../crypto/evp/e_null.o \
 	../crypto/evp/m_sha1.o \
 	../crypto/evp/m_dss1.o \
 	../crypto/evp/m_dss.o \
 	../crypto/evp/m_ecdsa.o \
 	../crypto/hmac/hmac.o \
 	../crypto/modes/cbc128.o \
 	../crypto/modes/ccm128.o \
 	../crypto/modes/cfb128.o \
 	../crypto/modes/ctr128.o \
 	../crypto/modes/gcm128.o \
 	../crypto/modes/ofb128.o \
 	../crypto/modes/xts128.o \
 	../crypto/rsa/rsa_eay.o \
 	../crypto/rsa/rsa_gen.o \
 	../crypto/rsa/rsa_crpt.o \
 	../crypto/rsa/rsa_none.o \
 	../crypto/rsa/rsa_oaep.o \
 	../crypto/rsa/rsa_pk1.o \
 	../crypto/rsa/rsa_pss.o \
 	../crypto/rsa/rsa_ssl.o \
 	../crypto/rsa/rsa_x931.o \
 	../crypto/rsa/rsa_x931g.o \
 	../crypto/sha/sha1dgst.o \
 	../crypto/sha/sha256.o \
 	../crypto/sha/sha512.o \
 	../crypto/thr_id.o \
 	../crypto/uid.o
 sub_all: build_all
 build_all: build_libs
 build_libs: build_crypto build_fips
 build_fips:
 	@dir=fips; target=all; [ -z "$(FIPSCANLIB)" ] || $(BUILD_ONE_CMD)
 build_crypto:
 	if [ -n "$(FIPSCANLIB)" ]; then \
 		EXCL_OBJ='$(AES_ENC) $(BN_ASM) $(DES_ENC) $(CPUID_OBJ) $(SHA1_ASM_OBJ) $(MODES_ASM_OBJ) $(FIPS_EX_OBJ)' ; export EXCL_OBJ ; \
 		ARX='$(PERL) $${TOP}/util/arx.pl $(AR)' ; \
 	else \
 		ARX='${AR}' ; \
 	fi ; export ARX ; \
 	if [ $(FIPSCANISTERINTERNAL) = "y" ]; then \
 		AS='$(PERL) $${TOP}/util/fipsas.pl $${TOP} $${<} $(CC)' ; \
 	else \
 		AS='$(CC) -c' ; \
 	fi ; export AS ; \
 		dir=crypto; target=fips; $(BUILD_ONE_CMD)
 build_ssl:
 	@dir=ssl; target=all; $(BUILD_ONE_CMD)
 build_engines:
 	@dir=engines; target=all; $(BUILD_ONE_CMD)
 build_apps:
 	@dir=apps; target=all; $(BUILD_ONE_CMD)
 build_tests:
 	@dir=test; target=fipsexe; $(BUILD_ONE_CMD)
 build_tools:
 	@dir=tools; target=all; $(BUILD_ONE_CMD)
 all_testapps: build_libs build_testapps
 build_testapps:
 	@dir=crypto; target=testapps; $(BUILD_ONE_CMD)
 libcrypto$(SHLIB_EXT): libcrypto.a build_fips
 	@if [ "$(SHLIB_TARGET)" != "" ]; then \
 		if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
 			FIPSLD_CC="$(CC)"; CC=fips/fipsld; \
 			export CC FIPSLD_CC; \
 		fi; \
 		$(MAKE) SHLIBDIRS=crypto build-shared; \
 	else \
 		echo "There's no support for shared libraries on this platform" >&2; \
 		exit 1; \
 	fi
 libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a
 	@if [ "$(SHLIB_TARGET)" != "" ]; then \
 		$(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-lcrypto' build-shared; \
 	else \
 		echo "There's no support for shared libraries on this platform" >&2; \
 		exit 1; \
 	fi
 clean-shared:
 	@set -e; for i in $(SHLIBDIRS); do \
 		if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \
 			tmp="$(SHARED_LIBS_LINK_EXTS)"; \
 			for j in $${tmp:-x}; do \
 				( set -x; rm -f lib$$i$$j ); \
 			done; \
 		fi; \
 		( set -x; rm -f lib$$i$(SHLIB_EXT) ); \
 		if [ "$(PLATFORM)" = "Cygwin" ]; then \
 			( set -x; rm -f cyg$$i$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \
 		fi; \
 	done
 link-shared:
 	@ set -e; for i in $(SHLIBDIRS); do \
 		$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
 			LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
 			LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
 			symlink.$(SHLIB_TARGET); \
 		libs="$$libs -l$$i"; \
 	done
 build-shared: do_$(SHLIB_TARGET) link-shared
 do_$(SHLIB_TARGET):
 	@ set -e; libs='-L. $(SHLIBDEPS)'; for i in $(SHLIBDIRS); do \
 		if [ "$$i" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 			libs="$(LIBKRB5) $$libs"; \
 		fi; \
 		$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
 			LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
 			LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
 			LIBDEPS="$$libs $(EX_LIBS)" \
 			link_a.$(SHLIB_TARGET); \
 		libs="-l$$i $$libs"; \
 	done
 libcrypto.pc: Makefile
 	@ ( echo 'prefix=$(INSTALLTOP)'; \
 	    echo 'exec_prefix=$${prefix}'; \
 	    echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
 	    echo 'includedir=$${prefix}/include'; \
 	    echo ''; \
 	    echo 'Name: OpenSSL-libcrypto'; \
 	    echo 'Description: OpenSSL cryptography library'; \
 	    echo 'Version: '$(VERSION); \
 	    echo 'Requires: '; \
 	    echo 'Libs: -L$${libdir} -lcrypto $(EX_LIBS)'; \
 	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
 libssl.pc: Makefile
 	@ ( echo 'prefix=$(INSTALLTOP)'; \
 	    echo 'exec_prefix=$${prefix}'; \
 	    echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
 	    echo 'includedir=$${prefix}/include'; \
 	    echo ''; \
 	    echo 'Name: OpenSSL'; \
 	    echo 'Description: Secure Sockets Layer and cryptography libraries'; \
 	    echo 'Version: '$(VERSION); \
 	    echo 'Requires: '; \
 	    echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
 	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
 openssl.pc: Makefile
 	@ ( echo 'prefix=$(INSTALLTOP)'; \
 	    echo 'exec_prefix=$${prefix}'; \
 	    echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
 	    echo 'includedir=$${prefix}/include'; \
 	    echo ''; \
 	    echo 'Name: OpenSSL'; \
 	    echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
 	    echo 'Version: '$(VERSION); \
 	    echo 'Requires: '; \
 	    echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
 	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
 Makefile: Makefile.fips Configure config
 	@echo "Makefile is older than Makefile.org, Configure or config."
 	@echo "Reconfigure the source tree (via './config' or 'perl Configure'), please."
 	@false
 libclean:
 	rm -f *.map *.so *.so.* *.dll engines/*.so engines/*.dll *.a engines/*.a */lib */*/lib
 clean:	libclean
 	rm -f shlib/*.o *.o core a.out fluff testlog make.log cctest cctest.c
 	@set -e; target=clean; $(RECURSIVE_BUILD_CMD)
 	rm -f $(LIBS)
 	rm -f openssl.pc libssl.pc libcrypto.pc
 	rm -f speed.* .pure
 	rm -f $(TARFILE)
 	@set -e; for i in $(ONEDIRS) ;\
 	do \
 	rm -fr $$i/*; \
 	done
 makefile.one: files
 	$(PERL) util/mk1mf.pl >makefile.one; \
 	sh util/do_ms.sh
 files:
 	$(PERL) $(TOP)/util/files.pl Makefile > $(TOP)/MINFO
 	@set -e; target=files; $(RECURSIVE_BUILD_CMD)
 links:
 	@$(PERL) $(TOP)/util/mkdir-p.pl include/openssl
 	@$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER)
 	@set -e; dir=fips target=links; $(RECURSIVE_BUILD_CMD)
 	@(cd crypto ; SDIRS='$(LINKDIRS)' $(MAKE) -e links)
 gentests:
 	@(cd test && echo "generating dummy tests (if needed)..." && \
 	$(CLEARENV) && $(MAKE) -e $(BUILDENV) TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on generate );
 dclean:
 	rm -rf *.bak include/openssl certs/.0
 	@set -e; target=dclean; $(RECURSIVE_BUILD_CMD)
 test:   tests
 tests:
 	@(cd test && echo "testing..." && \
 	$(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on OPENSSL_CONF=../apps/openssl.cnf tests );
 	OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a
 report:
 	@$(PERL) util/selftest.pl
 depend:
 	@echo make depend not supported ; false
 lint:
 	@set -e; target=lint; $(RECURSIVE_BUILD_CMD)
 tags:
 	rm -f TAGS
 	find . -name '[^.]*.[ch]' | xargs etags -a
 errors:
 	$(PERL) util/mkerr.pl -recurse -write
 	(cd engines; $(MAKE) PERL=$(PERL) errors)
 	$(PERL) util/ck_errf.pl -strict */*.c */*/*.c
 stacks:
 	$(PERL) util/mkstack.pl -write
 util/libeay.num::
 	$(PERL) util/mkdef.pl crypto update
 util/ssleay.num::
 	$(PERL) util/mkdef.pl ssl update
 crypto/objects/obj_dat.h: crypto/objects/obj_dat.pl crypto/objects/obj_mac.h
 	$(PERL) crypto/objects/obj_dat.pl crypto/objects/obj_mac.h crypto/objects/obj_dat.h
 crypto/objects/obj_mac.h: crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num
 	$(PERL) crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num crypto/objects/obj_mac.h
 crypto/objects/obj_xref.h: crypto/objects/objxref.pl crypto/objects/obj_xref.txt crypto/objects/obj_mac.num
 	$(PERL) crypto/objects/objxref.pl crypto/objects/obj_mac.num crypto/objects/obj_xref.txt >crypto/objects/obj_xref.h
 apps/openssl-vms.cnf: apps/openssl.cnf
 	$(PERL) VMS/VMSify-conf.pl < apps/openssl.cnf > apps/openssl-vms.cnf
 crypto/bn/bn_prime.h: crypto/bn/bn_prime.pl
 	$(PERL) crypto/bn/bn_prime.pl >crypto/bn/bn_prime.h
 TABLE: Configure
 	(echo 'Output of `Configure TABLE'"':"; \
 	$(PERL) Configure TABLE) > TABLE
 update: errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h crypto/objects/obj_xref.h apps/openssl-vms.cnf crypto/bn/bn_prime.h TABLE depend
 # Build distribution tar-file. As the list of files returned by "find" is
 # pretty long, on several platforms a "too many arguments" error or similar
 # would occur. Therefore the list of files is temporarily stored into a file
 # and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal
 # tar does not support the --files-from option.
 tar:
 	find . -type d -print | xargs chmod 755
 	find . -type f -print | xargs chmod a+r
 	find . -type f -perm -0100 -print | xargs chmod a+x
 	find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | $(BUILDENV) LINKDIRS='$(LINKDIRS)' $(PERL) util/fipsdist.pl | sort > ../$(TARFILE).list; \
 	$(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list -cvf - | \
 	tardy --user_number=0  --user_name=openssl \
 	      --group_number=0 --group_name=openssl \
 	      --prefix=openssl-$(VERSION) - |\
 	gzip --best >../$(TARFILE).gz; \
 	rm -f ../$(TARFILE).list; \
 	ls -l ../$(TARFILE).gz
 tar-snap:
 	@$(TAR) $(TARFLAGS) -cvf - \
 		`find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \! -name '*.so' \! -name '*.so.*'  \! -name 'openssl' \! -name '*test' \! -name '.#*' \! -name '*~' | sort` |\
 	tardy --user_number=0  --user_name=openssl \
 	      --group_number=0 --group_name=openssl \
 	      --prefix=openssl-$(VERSION) - > ../$(TARFILE);\
 	ls -l ../$(TARFILE)
 dist:   
 	$(PERL) Configure dist fipscanisteronly
 	@$(MAKE) dist_pem_h
 	@$(MAKE) SDIRS='$(SDIRS)' clean
 	@$(MAKE) -f Makefile.fips TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' tar
 dist_pem_h:
 	(cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean)
 install: all install_sw
 install_sw:
 	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl
 	@set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\
 	do \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
 	done;
 	@set -e; target=install; $(RECURSIVE_BUILD_CMD)
 # DO NOT DELETE THIS LINE -- make depend depends on it.
--- a/Makefile.org
+++ b/Makefile.org
@@ -26,14 +26,14 @@ HERE=.
 INSTALL_PREFIX=
 INSTALLTOP=/usr/local/ssl
-# Do not edit this manually. Use Configure --openssldir=DIR do change this!
+# Do not edit this manually. Use Configure --openssldir=DIR to change this!
 OPENSSLDIR=/usr/local/ssl
 # NO_IDEA - Define to build without the IDEA algorithm
 # NO_RC4  - Define to build without the RC4 algorithm
 # NO_RC2  - Define to build without the RC2 algorithm
 # THREADS - Define when building with threads, you will probably also need any
-#           system defines as well, i.e. _REENTERANT for Solaris 2.[34]
+#           system defines as well, i.e. _REENTRANT for Solaris 2.[34]
 # TERMIO  - Define the termio terminal subsystem, needed if sgtty is missing.
 # TERMIOS - Define the termios terminal subsystem, Silicon Graphics.
 # LONGCRYPT - Define to use HPUX 10.x's long password modification to crypt(3).
@@ -68,6 +68,8 @@ AR=ar $(ARFLAGS) r
 RANLIB= ranlib
 NM= nm
 PERL= perl
 #RM= echo --
 RM= rm -f
 TAR= tar
 TARFLAGS= --no-recursion
 MAKEDEPPROG=makedepend
@@ -78,7 +80,7 @@ LIBDIR=lib
 # dependent assembler flags. E.g. if you throw -mcpu=ultrasparc at SPARC
 # gcc, then the driver will automatically translate it to -xarch=v8plus
 # and pass it down to assembler.
-#AS=$(CC) -c
+AS=$(CC) -c
 ASFLAG=$(CFLAG)
 # For x86 assembler: Set PROCESSOR to 386 if you want to support
@@ -88,6 +90,7 @@ PROCESSOR=
 # CPUID module collects small commonly used assembler snippets
 CPUID_OBJ= 
 BN_ASM= bn_asm.o
 EC_ASM=
 DES_ENC= des_enc.o fcrypt_b.o
 AES_ENC= aes_core.o aes_cbc.o
 BF_ENC= bf_enc.o
@@ -103,10 +106,6 @@ MODES_ASM_OBJ=
 ENGINES_ASM_OBJ=
 PERLASM_SCHEME=
 # KRB5 stuff
 KRB5_INCLUDES=
 LIBKRB5=
 # Zlib stuff
 ZLIB_INCLUDE=
 LIBZLIB=
@@ -120,15 +119,9 @@ LIBZLIB=
 FIPSLIBDIR=/usr/local/ssl/$(LIBDIR)/
 # This is set to "y" if fipscanister.o is compiled internally as
 # opposed to coming from an external validated location.
 FIPSCANISTERINTERNAL=n
 # The location of the library which contains fipscanister.o
-# normally it will be libcrypto unless fipsdso is set in which
+# normally it will be libcrypto. If not compiling in FIPS mode
-# case it will be libfips. If not compiling in FIPS mode at all
+# at all this is empty making it a useful test for a FIPS compile.
 # this is empty making it a useful test for a FIPS compile.
 FIPSCANLIB=
@@ -137,19 +130,20 @@ FIPSCANLIB=
 BASEADDR=
-DIRS=   crypto fips ssl engines apps test tools
+DIRS=   crypto ssl engines apps test tools
 ENGDIRS= ccgost
 SHLIBDIRS= crypto ssl
 INSTALL_SUBS= engines apps tools
 # dirs in crypto to build
 SDIRS=  \
 	objects \
-	md2 md4 md5 sha mdc2 hmac ripemd whrlpool \
+	md2 md4 md5 sha mdc2 hmac ripemd whrlpool poly1305 \
-	des aes rc2 rc4 rc5 idea bf cast camellia seed modes \
+	des aes rc2 rc4 rc5 idea bf cast camellia seed chacha modes \
-	bn ec rsa dsa ecdsa dh ecdh dso engine \
+	bn ec rsa dsa dh dso engine \
 	buffer bio stack lhash rand err \
-	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \
+	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui \
-	cms pqueue ts jpake srp store cmac
+	cms pqueue ts jpake srp store cmac ct async
 # keep in mind that the above list is adjusted by ./Configure
 # according to no-xxx arguments...
@@ -168,9 +162,6 @@ HTMLDIR=$(OPENSSLDIR)/html
 SHELL=/bin/sh
 TOP=    .
 ONEDIRS=out tmp
 EDIRS=  times doc bugs util include certs ms shlib mt demos perl sf dep VMS
 WDIRS=  windows
 LIBS=   libcrypto.a libssl.a
 SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
 SHARED_SSL=libssl$(SHLIB_EXT)
@@ -181,12 +172,21 @@ SHARED_LDFLAGS=
 GENERAL=        Makefile
 BASENAME=       openssl
 NAME=           $(BASENAME)-$(VERSION)
-TARFILE=        $(NAME).tar
+TARFILE=        ../$(NAME).tar
 WTARFILE=       $(NAME)-win.tar
 EXHEADER=       e_os2.h
 HEADER=         e_os.h
-all: Makefile build_all openssl.pc libssl.pc libcrypto.pc
+# Directories created on install if they don't exist.
 INSTALLDIRS=	\
 		$(INSTALL_PREFIX)$(INSTALLTOP)/bin \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/private
 all: Makefile build_all
 # as we stick to -e, CLEARENV ensures that local variables in lower
 # Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn
@@ -197,16 +197,18 @@ CLEARENV=	TOP= && unset TOP $${LIB+LIB} $${LIBS+LIBS}	\
 		$${INCLUDE+INCLUDE} $${INCLUDES+INCLUDES}	\
 		$${DIR+DIR} $${DIRS+DIRS} $${SRC+SRC}		\
 		$${LIBSRC+LIBSRC} $${LIBOBJ+LIBOBJ} $${ALL+ALL}	\
-		$${EXHEADER+EXHEADER} $${HEADER+HEADER}		\
+		$${HEADER+HEADER}				\
 		$${GENERAL+GENERAL} $${CFLAGS+CFLAGS}		\
 		$${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS}		\
-		$${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS}		\
+		$${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS} $${SCRIPTS+SCRIPTS}	\
 		$${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS}	\
 		$${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS}
-BUILDENV=	PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)' \
+# LC_ALL=C ensures that error [and other] messages are delivered in
 # same language for uniform treatment.
 BUILDENV=	LC_ALL=C PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)'\
 		CC='$(CC)' CFLAG='$(CFLAG)' 			\
-		ASFLAG='$(CFLAG) -c'			\
+		AS='$(CC)' ASFLAG='$(CFLAG) -c'			\
 		AR='$(AR)' NM='$(NM)' RANLIB='$(RANLIB)'	\
 		CROSS_COMPILE='$(CROSS_COMPILE)'	\
 		PERL='$(PERL)' ENGDIRS='$(ENGDIRS)'		\
@@ -215,16 +217,15 @@ BUILDENV=	PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)' \
 		INSTALLTOP='$(INSTALLTOP)' OPENSSLDIR='$(OPENSSLDIR)'	\
 		LIBDIR='$(LIBDIR)'				\
 		MAKEDEPEND='$$$${TOP}/util/domd $$$${TOP} -MD $(MAKEDEPPROG)' \
-		DEPFLAG='-DOPENSSL_NO_DEPRECATED $(DEPFLAG)'	\
+		DEPFLAG='$(DEPFLAG)'                    	\
 		MAKEDEPPROG='$(MAKEDEPPROG)'			\
 		SHARED_LDFLAGS='$(SHARED_LDFLAGS)'		\
 		KRB5_INCLUDES='$(KRB5_INCLUDES)' LIBKRB5='$(LIBKRB5)'	\
 		ZLIB_INCLUDE='$(ZLIB_INCLUDE)' LIBZLIB='$(LIBZLIB)'	\
 		EXE_EXT='$(EXE_EXT)' SHARED_LIBS='$(SHARED_LIBS)'	\
 		SHLIB_EXT='$(SHLIB_EXT)' SHLIB_TARGET='$(SHLIB_TARGET)'	\
 		PEX_LIBS='$(PEX_LIBS)' EX_LIBS='$(EX_LIBS)'	\
-		CPUID_OBJ='$(CPUID_OBJ)'			\
+		CPUID_OBJ='$(CPUID_OBJ)' BN_ASM='$(BN_ASM)'	\
-		BN_ASM='$(BN_ASM)' DES_ENC='$(DES_ENC)' 	\
+		EC_ASM='$(EC_ASM)' DES_ENC='$(DES_ENC)'		\
 		AES_ENC='$(AES_ENC)' CMLL_ENC='$(CMLL_ENC)'	\
 		BF_ENC='$(BF_ENC)' CAST_ENC='$(CAST_ENC)'	\
 		RC4_ENC='$(RC4_ENC)' RC5_ENC='$(RC5_ENC)'	\
@@ -237,8 +238,6 @@ BUILDENV=	PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)' \
 		PERLASM_SCHEME='$(PERLASM_SCHEME)'		\
 		FIPSLIBDIR='${FIPSLIBDIR}'			\
 		FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}"	\
 		FIPSCANISTERINTERNAL='${FIPSCANISTERINTERNAL}'	\
 		FIPS_EX_OBJ='${FIPS_EX_OBJ}'	\
 		THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
 # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
 # which in turn eliminates ambiguities in variable treatment with -e.
@@ -249,13 +248,13 @@ BUILDENV=	PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)' \
 # This macro shouldn't be used directly, use RECURSIVE_BUILD_CMD or
 # BUILD_ONE_CMD instead.
 #
 # BUILD_ONE_CMD is a macro to build a given target in a given
 # subdirectory if that subdirectory is part of $(DIRS).  It requires
 # exactly the same shell variables as BUILD_CMD.
 #
 # RECURSIVE_BUILD_CMD is a macro to build a given target in all
 # subdirectories defined in $(DIRS).  It requires that the target
 # is given through the shell variable `target'.
 #
 # BUILD_ONE_CMD is a macro to build a given target in a given
 # subdirectory if that subdirectory is part of $(DIRS).  It requires
 # exactly the same shell variables as BUILD_CMD.
 BUILD_CMD=  if [ -d "$$dir" ]; then \
 	    (	cd $$dir && echo "making $$target in $$dir..." && \
 		$(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. DIR=$$dir $$target \
@@ -270,132 +269,40 @@ BUILD_ONE_CMD=\
 reflect:
 	@[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV)
 FIPS_EX_OBJ= ../crypto/aes/aes_cfb.o \
 	../crypto/aes/aes_ecb.o \
 	../crypto/aes/aes_ofb.o \
 	../crypto/bn/bn_add.o \
 	../crypto/bn/bn_blind.o \
 	../crypto/bn/bn_ctx.o \
 	../crypto/bn/bn_div.o \
 	../crypto/bn/bn_exp2.o \
 	../crypto/bn/bn_exp.o \
 	../crypto/bn/bn_gcd.o \
 	../crypto/bn/bn_gf2m.o \
 	../crypto/bn/bn_lib.o \
 	../crypto/bn/bn_mod.o \
 	../crypto/bn/bn_mont.o \
 	../crypto/bn/bn_mul.o \
 	../crypto/bn/bn_nist.o \
 	../crypto/bn/bn_prime.o \
 	../crypto/bn/bn_rand.o \
 	../crypto/bn/bn_recp.o \
 	../crypto/bn/bn_shift.o \
 	../crypto/bn/bn_sqr.o \
 	../crypto/bn/bn_word.o \
 	../crypto/bn/bn_x931p.o \
 	../crypto/buffer/buf_str.o \
 	../crypto/cmac/cmac.o \
 	../crypto/cryptlib.o \
 	../crypto/des/cfb64ede.o \
 	../crypto/des/cfb64enc.o \
 	../crypto/des/cfb_enc.o \
 	../crypto/des/ecb3_enc.o \
 	../crypto/des/ofb64ede.o \
 	../crypto/des/fcrypt.o \
 	../crypto/des/set_key.o \
 	../crypto/dh/dh_check.o \
 	../crypto/dh/dh_gen.o \
 	../crypto/dh/dh_key.o \
 	../crypto/dsa/dsa_gen.o \
 	../crypto/dsa/dsa_key.o \
 	../crypto/dsa/dsa_ossl.o \
 	../crypto/ec/ec_curve.o \
 	../crypto/ec/ec_cvt.o \
 	../crypto/ec/ec_key.o \
 	../crypto/ec/ec_lib.o \
 	../crypto/ec/ecp_mont.o \
 	../crypto/ec/ec_mult.o \
 	../crypto/ec/ecp_nist.o \
 	../crypto/ec/ecp_smpl.o \
 	../crypto/ec/ec2_mult.o \
 	../crypto/ec/ec2_smpl.o \
 	../crypto/ecdh/ech_key.o \
 	../crypto/ecdh/ech_ossl.o \
 	../crypto/ecdsa/ecs_ossl.o \
 	../crypto/evp/e_aes.o \
 	../crypto/evp/e_des3.o \
 	../crypto/evp/e_null.o \
 	../crypto/evp/m_sha1.o \
 	../crypto/evp/m_dss1.o \
 	../crypto/evp/m_dss.o \
 	../crypto/evp/m_ecdsa.o \
 	../crypto/hmac/hmac.o \
 	../crypto/modes/cbc128.o \
 	../crypto/modes/ccm128.o \
 	../crypto/modes/cfb128.o \
 	../crypto/modes/ctr128.o \
 	../crypto/modes/gcm128.o \
 	../crypto/modes/ofb128.o \
 	../crypto/modes/xts128.o \
 	../crypto/rsa/rsa_eay.o \
 	../crypto/rsa/rsa_gen.o \
 	../crypto/rsa/rsa_crpt.o \
 	../crypto/rsa/rsa_none.o \
 	../crypto/rsa/rsa_oaep.o \
 	../crypto/rsa/rsa_pk1.o \
 	../crypto/rsa/rsa_pss.o \
 	../crypto/rsa/rsa_ssl.o \
 	../crypto/rsa/rsa_x931.o \
 	../crypto/rsa/rsa_x931g.o \
 	../crypto/sha/sha1dgst.o \
 	../crypto/sha/sha256.o \
 	../crypto/sha/sha512.o \
 	../crypto/thr_id.o \
 	../crypto/uid.o
 sub_all: build_all
 build_all: build_libs build_apps build_tests build_tools
-build_libs: build_crypto build_fips build_ssl build_engines
+build_libs: build_libcrypto build_libssl openssl.pc
-build_fips:
+build_libcrypto: build_crypto build_engines libcrypto.pc
-	@dir=fips; target=all; [ -z "$(FIPSCANLIB)" ] || $(BUILD_ONE_CMD)
+build_libssl: build_ssl libssl.pc
 build_crypto:
-	if [ -n "$(FIPSCANLIB)" ]; then \
+	@dir=crypto; target=all; $(BUILD_ONE_CMD)
-		EXCL_OBJ='$(AES_ENC) $(BN_ASM) $(DES_ENC) $(CPUID_OBJ) $(SHA1_ASM_OBJ) $(MODES_ASM_OBJ) $(FIPS_EX_OBJ)' ; export EXCL_OBJ ; \
+build_ssl: build_crypto
 		ARX='$(PERL) $${TOP}/util/arx.pl $(AR)' ; \
 	else \
 		ARX='${AR}' ; \
 	fi ; export ARX ; \
 	if [ $(FIPSCANISTERINTERNAL) = "y" ]; then \
 		AS='$(PERL) $${TOP}/util/fipsas.pl $${TOP} $${<} $(CC) -c' ; \
 	else \
 		AS='$(CC) -c' ; \
 	fi ; export AS ; \
 		dir=crypto; target=all; $(BUILD_ONE_CMD)
 build_ssl:
 	@dir=ssl; target=all; $(BUILD_ONE_CMD)
-build_engines:
+build_engines: build_crypto
 	@dir=engines; target=all; AS='$(CC) -c'; export AS; $(BUILD_ONE_CMD)
-build_apps:
+
 build_apps: build_libs
 	@dir=apps; target=all; $(BUILD_ONE_CMD)
-build_tests:
+build_tests: build_libs
 	@dir=test; target=all; $(BUILD_ONE_CMD)
-build_tools:
+build_tools: build_libs
 	@dir=tools; target=all; $(BUILD_ONE_CMD)
 all_testapps: build_libs build_testapps
 build_testapps:
 	@dir=crypto; target=testapps; $(BUILD_ONE_CMD)
-libcrypto$(SHLIB_EXT): libcrypto.a build_fips
+libcrypto$(SHLIB_EXT): libcrypto.a
 	@if [ "$(SHLIB_TARGET)" != "" ]; then \
 		if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
 			FIPSLD_CC="$(CC)"; CC=fips/fipsld; \
 			export CC FIPSLD_CC; \
 		fi; \
-		$(MAKE) -e SHLIBDIRS=crypto build-shared; \
+		$(MAKE) -e SHLIBDIRS=crypto CC="$${CC:-$(CC)}" build-shared; \
 	else \
 		echo "There's no support for shared libraries on this platform" >&2; \
 		exit 1; \
@@ -418,7 +325,7 @@ clean-shared:
 			done; \
 		fi; \
 		( set -x; rm -f lib$$i$(SHLIB_EXT) ); \
-		if [ "$(PLATFORM)" = "Cygwin" ]; then \
+		if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
 			( set -x; rm -f cyg$$i$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \
 		fi; \
 	done
@@ -436,9 +343,6 @@ build-shared: do_$(SHLIB_TARGET) link-shared
 do_$(SHLIB_TARGET):
 	@ set -e; libs='-L. $(SHLIBDEPS)'; for i in $(SHLIBDIRS); do \
 		if [ "$$i" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 			libs="$(LIBKRB5) $$libs"; \
 		fi; \
 		$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
 			LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
 			LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
@@ -457,8 +361,9 @@ libcrypto.pc: Makefile
 	    echo 'Description: OpenSSL cryptography library'; \
 	    echo 'Version: '$(VERSION); \
 	    echo 'Requires: '; \
-	    echo 'Libs: -L$${libdir} -lcrypto $(EX_LIBS)'; \
+	    echo 'Libs: -L$${libdir} -lcrypto'; \
-	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
+	    echo 'Libs.private: $(EX_LIBS)'; \
 	    echo 'Cflags: -I$${includedir}' ) > libcrypto.pc
 libssl.pc: Makefile
 	@ ( echo 'prefix=$(INSTALLTOP)'; \
@@ -466,12 +371,13 @@ libssl.pc: Makefile
 	    echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
 	    echo 'includedir=$${prefix}/include'; \
 	    echo ''; \
-	    echo 'Name: OpenSSL'; \
+	    echo 'Name: OpenSSL-libssl'; \
 	    echo 'Description: Secure Sockets Layer and cryptography libraries'; \
 	    echo 'Version: '$(VERSION); \
-	    echo 'Requires: '; \
+	    echo 'Requires.private: libcrypto'; \
-	    echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
+	    echo 'Libs: -L$${libdir} -lssl'; \
-	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
+	    echo 'Libs.private: $(EX_LIBS)'; \
 	    echo 'Cflags: -I$${includedir}' ) > libssl.pc
 openssl.pc: Makefile
 	@ ( echo 'prefix=$(INSTALLTOP)'; \
@@ -482,9 +388,7 @@ openssl.pc: Makefile
 	    echo 'Name: OpenSSL'; \
 	    echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
 	    echo 'Version: '$(VERSION); \
-	    echo 'Requires: '; \
+	    echo 'Requires: libssl libcrypto' ) > openssl.pc
 	    echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
 	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
 Makefile: Makefile.org Configure config
 	@echo "Makefile is older than Makefile.org, Configure or config."
@@ -492,19 +396,16 @@ Makefile: Makefile.org Configure config
 	@false
 libclean:
-	rm -f *.map *.so *.so.* *.dll engines/*.so engines/*.dll *.a engines/*.a */lib */*/lib
+	rm -f *.map *.so *.so.* *.dylib *.dll engines/*.so engines/*.dll engines/*.dylib *.a engines/*.a */lib */*/lib
 clean:	libclean
-	rm -f shlib/*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c
+	rm -f */*/*.o */*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c
 	rm -rf *.bak certs/.0
 	@set -e; target=clean; $(RECURSIVE_BUILD_CMD)
-	rm -f $(LIBS)
+	rm -f $(LIBS) tags TAGS
 	rm -f openssl.pc libssl.pc libcrypto.pc
 	rm -f speed.* .pure
 	rm -f $(TARFILE)
 	@set -e; for i in $(ONEDIRS) ;\
 	do \
 	rm -fr $$i/*; \
 	done
 makefile.one: files
 	$(PERL) util/mk1mf.pl >makefile.one; \
@@ -514,20 +415,11 @@ files:
 	$(PERL) $(TOP)/util/files.pl Makefile > $(TOP)/MINFO
 	@set -e; target=files; $(RECURSIVE_BUILD_CMD)
 links:
 	@$(PERL) $(TOP)/util/mkdir-p.pl include/openssl
 	@$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER)
 	@set -e; target=links; $(RECURSIVE_BUILD_CMD)
 	@if [ -z "$(FIPSCANLIB)" ]; then \
 		set -e; target=links; dir=fips ; $(BUILD_CMD) ; \
 	fi
 gentests:
 	@(cd test && echo "generating dummy tests (if needed)..." && \
 	$(CLEARENV) && $(MAKE) -e $(BUILDENV) TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on generate );
 dclean:
 	rm -rf *.bak include/openssl certs/.0
 	@set -e; target=dclean; $(RECURSIVE_BUILD_CMD)
 rehash: rehash.time
@@ -535,36 +427,52 @@ rehash.time: certs apps
 	@if [ -z "$(CROSS_COMPILE)" ]; then \
 		(OPENSSL="`pwd`/util/opensslwrap.sh"; \
 		[ -x "apps/openssl.exe" ] && OPENSSL="apps/openssl.exe" || :; \
-		OPENSSL_DEBUG_MEMORY=on; \
+		OPENSSL_DEBUG_MEMORY=on; OPENSSL_CONF=/dev/null ; \
-		export OPENSSL OPENSSL_DEBUG_MEMORY; \
+		export OPENSSL OPENSSL_DEBUG_MEMORY OPENSSL_CONF; \
-		$(PERL) tools/c_rehash certs) && \
+		$$OPENSSL rehash certs/demo) && \
 		touch rehash.time; \
 	else :; fi
 test:   tests
 test_ordinals:
 	TOP=$(TOP) PERL=$(PERL) $(PERL) test/run_tests.pl test_ordinals
 tests: rehash
 	@(cd test && echo "testing..." && \
 	$(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on OPENSSL_CONF=../apps/openssl.cnf tests );
-	OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a
+	@if [ -z "$(CROSS_COMPILE)" ]; then \
 		OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a; \
 	fi
 list-tests:
 	@(cd test && \
 	        $(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. list-tests)
 report:
 	@$(PERL) util/selftest.pl
 update: errors stacks util/libeay.num util/ssleay.num TABLE test_ordinals
 	@set -e; target=update; $(RECURSIVE_BUILD_CMD)
 depend:
 	@set -e; target=depend; $(RECURSIVE_BUILD_CMD)
 lint:
 	@set -e; target=lint; $(RECURSIVE_BUILD_CMD)
-tags:
+tags TAGS: FORCE
-	rm -f TAGS
+	rm -f TAGS tags
-	find . -name '[^.]*.[ch]' | xargs etags -a
+	-ctags -R .
 	-etags -R .
 FORCE:
 errors:
 	$(PERL) util/ck_errf.pl -strict */*.c */*/*.c
 	$(PERL) util/mkerr.pl -recurse -write
 	(cd engines; $(MAKE) PERL=$(PERL) errors)
-	$(PERL) util/ck_errf.pl -strict */*.c */*/*.c
+	(cd crypto/ct; $(MAKE) PERL=$(PERL) errors)
 stacks:
 	$(PERL) util/mkstack.pl -write
@@ -575,78 +483,55 @@ util/libeay.num::
 util/ssleay.num::
 	$(PERL) util/mkdef.pl ssl update
-crypto/objects/obj_dat.h: crypto/objects/obj_dat.pl crypto/objects/obj_mac.h
+TABLE: Configure Configurations/*.conf
 	$(PERL) crypto/objects/obj_dat.pl crypto/objects/obj_mac.h crypto/objects/obj_dat.h
 crypto/objects/obj_mac.h: crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num
 	$(PERL) crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num crypto/objects/obj_mac.h
 crypto/objects/obj_xref.h: crypto/objects/objxref.pl crypto/objects/obj_xref.txt crypto/objects/obj_mac.num
 	$(PERL) crypto/objects/objxref.pl crypto/objects/obj_mac.num crypto/objects/obj_xref.txt >crypto/objects/obj_xref.h
 apps/openssl-vms.cnf: apps/openssl.cnf
 	$(PERL) VMS/VMSify-conf.pl < apps/openssl.cnf > apps/openssl-vms.cnf
 crypto/bn/bn_prime.h: crypto/bn/bn_prime.pl
 	$(PERL) crypto/bn/bn_prime.pl >crypto/bn/bn_prime.h
 TABLE: Configure
 	(echo 'Output of `Configure TABLE'"':"; \
 	$(PERL) Configure TABLE) > TABLE
 update: errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h crypto/objects/obj_xref.h apps/openssl-vms.cnf crypto/bn/bn_prime.h TABLE depend
 # Build distribution tar-file. As the list of files returned by "find" is
 # pretty long, on several platforms a "too many arguments" error or similar
 # would occur. Therefore the list of files is temporarily stored into a file
 # and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal
 # tar does not support the --files-from option.
-tar:
+TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from $(TARFILE).list \
 	                       --owner 0 --group 0 \
 			       --transform 's|^|$(NAME)/|' \
 			       -cvf -
 $(TARFILE).list:
 	find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \
 	       \! -name '*.so' \! -name '*.so.*'  \! -name 'openssl' \
 	       \! -name '*test' \! -name '.#*' \! -name '*~' \!	-type l \
 	    | sort > $(TARFILE).list
 tar: $(TARFILE).list
 	find . -type d -print | xargs chmod 755
 	find . -type f -print | xargs chmod a+r
 	find . -type f -perm -0100 -print | xargs chmod a+x
-	find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort > ../$(TARFILE).list; \
+	$(TAR_COMMAND) | gzip --best > $(TARFILE).gz
-	$(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list -cvf - | \
+	rm -f $(TARFILE).list
-	tardy --user_number=0  --user_name=openssl \
+	ls -l $(TARFILE).gz
 	      --group_number=0 --group_name=openssl \
 	      --prefix=openssl-$(VERSION) - |\
 	gzip --best >../$(TARFILE).gz; \
 	rm -f ../$(TARFILE).list; \
 	ls -l ../$(TARFILE).gz
-tar-snap:
+tar-snap: $(TARFILE).list
-	@$(TAR) $(TARFLAGS) -cvf - \
+	$(TAR_COMMAND) > $(TARFILE)
-		`find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \! -name '*.so' \! -name '*.so.*'  \! -name 'openssl' \! -name '*test' \! -name '.#*' \! -name '*~' | sort` |\
+	rm -f $(TARFILE).list
-	tardy --user_number=0  --user_name=openssl \
+	ls -l $(TARFILE)
 	      --group_number=0 --group_name=openssl \
 	      --prefix=openssl-$(VERSION) - > ../$(TARFILE);\
 	ls -l ../$(TARFILE)
 dist:   
 	$(PERL) Configure dist
 	@$(MAKE) dist_pem_h
 	@$(MAKE) SDIRS='$(SDIRS)' clean
-	@$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' tar
+	@$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
 dist_pem_h:
 	(cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean)
 install: all install_docs install_sw
 uninstall: uninstall_sw uninstall_docs
 install_sw:
-	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
+	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALLDIRS)
-		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
+	@set -e; for i in include/openssl/*.h; do \
-		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
+	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$$i; \
-		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig \
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$$i ); \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/private
 	@set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\
 	do \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
 	done;
-	@set -e; target=install; $(RECURSIVE_BUILD_CMD)
+	@set -e; target=install; for dir in $(INSTALL_SUBS); do $(BUILD_CMD); done
 	@set -e; liblist="$(LIBS)"; for i in $$liblist ;\
 	do \
 		if [ -f "$$i" ]; then \
@@ -663,11 +548,7 @@ install_sw:
 		do \
 			if [ -f "$$i" -o -f "$$i.a" ]; then \
 			(       echo installing $$i; \
-				if [ "$(PLATFORM)" != "Cygwin" ]; then \
+				if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
 					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
 					chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
 					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 				else \
 					c=`echo $$i | sed 's/^lib\(.*\)\.dll\.a/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
 					cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
 					chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
@@ -675,6 +556,10 @@ install_sw:
 					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
 					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
 					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 				else \
 					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
 					chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
 					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 				fi ); \
 				if expr $(PLATFORM) : 'mingw' > /dev/null; then \
 				(	case $$i in \
@@ -694,8 +579,6 @@ install_sw:
 		if [ "$(INSTALLTOP)" != "/usr" ]; then \
 			echo 'OpenSSL shared libraries have been installed in:'; \
 			echo '  $(INSTALLTOP)'; \
 			echo ''; \
 			sed -e '1,/^$$/d' doc/openssl-shared.txt; \
 		fi; \
 	fi
 	cp libcrypto.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
@@ -705,16 +588,59 @@ install_sw:
 	cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc
 uninstall_sw:
 	cd include/openssl && files=* && cd $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl && $(RM) $$files
 	@for i in $(LIBS) ;\
 	do \
 		test -f "$$i" && \
 		echo $(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i && \
 		$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 	done;
 	@if [ -n "$(SHARED_LIBS)" ]; then \
 		tmp="$(SHARED_LIBS)"; \
 		for i in $${tmp:-x}; \
 		do \
 			if [ -f "$$i" -o -f "$$i.a" ]; then \
 				if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
 					c=`echo $$i | sed 's/^lib\(.*\)\.dll\.a/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
 					echo $(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
 					$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
 					echo $(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 					$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 				else \
 					echo $(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 					$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 				fi; \
 				if expr $(PLATFORM) : 'mingw' > /dev/null; then \
 					case $$i in \
 						*crypto*) i=libeay32.dll;; \
 						*ssl*)    i=ssleay32.dll;; \
 					esac; \
 					echo $(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
 					$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
 				fi; \
 			fi; \
 		done; \
 	fi
 	$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc
 	$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc
 	$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc
 	@target=uninstall; $(RECURSIVE_BUILD_CMD)
 install_html_docs:
 	here="`pwd`"; \
 	filecase=; \
 	case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \
 		filecase=-i; \
 	esac; \
 	for subdir in apps crypto ssl; do \
-		mkdir -p $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir; \
+		$(PERL) $(TOP)/util/mkdir-p $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir; \
 		for i in doc/$$subdir/*.pod; do \
 			fn=`basename $$i .pod`; \
 			echo "installing html/$$fn.$(HTMLSUFFIX)"; \
 			cat $$i \
 			| sed -r 's/L<([^)]*)(\([0-9]\))?\|([^)]*)(\([0-9]\))?>/L<\1|\3>/g' \
-			| pod2html --podroot=doc --htmlroot=.. --podpath=apps:crypto:ssl \
+			| pod2html --podroot=doc --htmlroot=.. --podpath=$$subdir:apps:crypto:ssl \
 			| sed -r 's/<!DOCTYPE.*//g' \
 			> $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir/$$fn.$(HTMLSUFFIX); \
 			$(PERL) util/extract-names.pl < $$i | \
@@ -726,26 +652,43 @@ install_html_docs:
 		done; \
 	done
 uninstall_html_docs:
 	here="`pwd`"; \
 	filecase=; \
 	case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \
 		filecase=-i; \
 	esac; \
 	for subdir in apps crypto ssl; do \
 		for i in doc/$$subdir/*.pod; do \
 			fn=`basename $$i .pod`; \
 			$(RM) $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir/$$fn.$(HTMLSUFFIX); \
 			$(PERL) util/extract-names.pl < $$i | \
 				grep -v $$filecase "^$$fn\$$" | \
 				while read n; do \
 					$(RM) $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir/"$$n".$(HTMLSUFFIX); \
 				done; \
 		done; \
 	done
 install_docs:
 	@$(PERL) $(TOP)/util/mkdir-p.pl \
 		$(INSTALL_PREFIX)$(MANDIR)/man1 \
 		$(INSTALL_PREFIX)$(MANDIR)/man3 \
 		$(INSTALL_PREFIX)$(MANDIR)/man5 \
 		$(INSTALL_PREFIX)$(MANDIR)/man7
 	@pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \
 	here="`pwd`"; \
 	filecase=; \
-	if [ "$(PLATFORM)" = "DJGPP" -o "$(PLATFORM)" = "Cygwin" -o "$(PLATFORM)" = "mingw" ]; then \
+	case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \
 		filecase=-i; \
-	fi; \
+	esac; \
 	set -e; for i in doc/apps/*.pod; do \
 		fn=`basename $$i .pod`; \
 		sec=`$(PERL) util/extract-section.pl 1 < $$i`; \
 		echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
 		(cd `$(PERL) util/dirname.pl $$i`; \
-		sh -c "$$pod2man \
+		pod2man \
 			--section=$$sec --center=OpenSSL \
-			--release=$(VERSION) `basename $$i`") \
+			--release=$(VERSION) `basename $$i`) \
 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
 			(grep -v $$filecase "^$$fn\$$"; true) | \
@@ -760,9 +703,9 @@ install_docs:
 		sec=`$(PERL) util/extract-section.pl 3 < $$i`; \
 		echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
 		(cd `$(PERL) util/dirname.pl $$i`; \
-		sh -c "$$pod2man \
+		pod2man \
 			--section=$$sec --center=OpenSSL \
-			--release=$(VERSION) `basename $$i`") \
+			--release=$(VERSION) `basename $$i`) \
 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
 			(grep -v $$filecase "^$$fn\$$"; true) | \
@@ -773,4 +716,37 @@ install_docs:
 			 done); \
 	done
 uninstall_docs:
 	@here="`pwd`"; \
 	filecase=; \
 	case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*) \
 		filecase=-i; \
 	esac; \
 	for i in doc/apps/*.pod; do \
 		fn=`basename $$i .pod`; \
 		sec=`$(PERL) util/extract-section.pl 1 < $$i`; \
 		echo $(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
 			(grep -v $$filecase "^$$fn\$$"; true) | \
 			(grep -v "[	]"; true) | \
 			while read n; do \
 				echo $(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/"$$n".$${sec}$(MANSUFFIX); \
 				$(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/"$$n".$${sec}$(MANSUFFIX); \
 			done; \
 	done; \
 	for i in doc/crypto/*.pod doc/ssl/*.pod; do \
 		fn=`basename $$i .pod`; \
 		sec=`$(PERL) util/extract-section.pl 3 < $$i`; \
 		echo $(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
 			(grep -v $$filecase "^$$fn\$$"; true) | \
 			(grep -v "[	]"; true) | \
 			while read n; do \
 				echo $(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/"$$n".$${sec}$(MANSUFFIX); \
 				$(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/"$$n".$${sec}$(MANSUFFIX); \
 			done; \
 	done
 # DO NOT DELETE THIS LINE -- make depend depends on it.
--- a/Makefile.shared
+++ b/Makefile.shared
@@ -170,17 +170,6 @@ link_a.gnu:
 link_app.gnu:
 	@ $(DO_GNU_APP); $(LINK_APP)
 DO_BEOS_SO=	SHLIB=lib$(LIBNAME).so; \
 	SHLIB_SUFFIX=; \
 	ALLSYMSFLAGS='-Wl,--whole-archive'; \
 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
 	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SUFFIX"
 link_o.beos:
 	@ $(DO_BEOS_SO); $(LINK_SO_O)
 link_a.beos:
 	@ $(DO_BEOS_SO); $(LINK_SO_A)
 link_o.bsd:
 	@if $(DETECT_GNU_LD); then $(DO_GNU_SO); else \
 	$(CALC_VERSIONS); \
@@ -555,28 +544,10 @@ link_app.aix:
 	LDFLAGS="$(CFLAGS) -Wl,-brtl,-blibpath:$(LIBRPATH):$${LIBPATH:-/usr/lib:/lib}"; \
 	$(LINK_APP)
 link_o.reliantunix:
 	@ $(CALC_VERSIONS); \
 	SHLIB=lib$(LIBNAME).so; \
 	SHLIB_SUFFIX=; \
 	ALLSYMSFLAGS=; \
 	NOALLSYMSFLAGS=''; \
 	SHAREDFLAGS='$(CFLAGS) -G'; \
 	$(LINK_SO_O)
 link_a.reliantunix:
 	@ $(CALC_VERSIONS); \
 	SHLIB=lib$(LIBNAME).so; \
 	SHLIB_SUFFIX=; \
 	ALLSYMSFLAGS=; \
 	NOALLSYMSFLAGS=''; \
 	SHAREDFLAGS='$(CFLAGS) -G'; \
 	$(LINK_SO_A_UNPACKED)
 link_app.reliantunix:
 	$(LINK_APP)
 # Targets to build symbolic links when needed
 symlink.gnu symlink.solaris symlink.svr3 symlink.svr5 symlink.irix \
-symlink.aix symlink.reliantunix:
+symlink.aix:
 	@ $(CALC_VERSIONS); \
 	SHLIB=lib$(LIBNAME).so; \
 	$(SYMLINK_SO)
@@ -591,7 +562,7 @@ symlink.hpux:
 	expr $(PLATFORM) : '.*ia64' > /dev/null && SHLIB=lib$(LIBNAME).so; \
 	$(SYMLINK_SO)
 # The following lines means those specific architectures do no symlinks
-symlink.cygwin symlink.alpha-osf1 symlink.tru64 symlink.tru64-rpath symlink.beos:
+symlink.cygwin symlink.alpha-osf1 symlink.tru64 symlink.tru64-rpath:
 # Compatibility targets
 link_o.bsd-gcc-shared link_o.linux-shared link_o.gnu-shared: link_o.gnu
@@ -645,11 +616,3 @@ link_o.aix-shared: link_o.aix
 link_a.aix-shared: link_a.aix
 link_app.aix-shared: link_app.aix
 symlink.aix-shared: symlink.aix
 link_o.reliantunix-shared: link_o.reliantunix
 link_a.reliantunix-shared: link_a.reliantunix
 link_app.reliantunix-shared: link_app.reliantunix
 symlink.reliantunix-shared: symlink.reliantunix
 link_o.beos-shared: link_o.beos
 link_a.beos-shared: link_a.beos
 link_app.beos-shared: link_app.gnu
 symlink.beos-shared: symlink.beos
--- a/319
+++ b/319
@@ -5,11 +5,207 @@
  This file gives a brief overview of the major changes between each OpenSSL
  release. For more details please read the CHANGES file.
-  Major changes between OpenSSL 1.0.0c and OpenSSL 1.0.0d:
+  Major changes between OpenSSL 1.0.2e and OpenSSL 1.1.0 [in pre-release]
      o Support for ChaCha20 and Poly1305 added to libcrypto and libssl
      o Support for extended master secret
      o CCM ciphersuites
      o Reworked test suite, now based on perl, Test::Harness and Test::More
      o Varous libcrypto structures made opaque including: BIGNUM, EVP_MD,
        EVP_MD_CTX and HMAC_CTX.
      o libssl internal structures made opaque
      o SSLv2 support removed
      o Kerberos ciphersuite support removed
      o RC4 removed from DEFAULT ciphersuites in libssl
      o 40 and 56 bit cipher support removed from libssl
      o All public header files moved to include/openssl, no more symlinking
      o SSL/TLS state machine, version negotiation and record layer rewritten
      o EC revision: now operations use new EC_KEY_METHOD.
      o Support for OCB mode added to libcrypto
      o Support for asynchronous crypto operations added to libcrypto and libssl
  Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015]
      o BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
      o Certificate verify crash with missing PSS parameter (CVE-2015-3194)
      o X509_ATTRIBUTE memory leak (CVE-2015-3195)
      o Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs
      o In DSA_generate_parameters_ex, if the provided seed is too short,
        return an error
  Major changes between OpenSSL 1.0.2c and OpenSSL 1.0.2d [9 Jul 2015]
      o Alternate chains certificate forgery (CVE-2015-1793)
      o Race condition handling PSK identify hint (CVE-2015-3196)
  Major changes between OpenSSL 1.0.2b and OpenSSL 1.0.2c [12 Jun 2015]
      o Fix HMAC ABI incompatibility
  Major changes between OpenSSL 1.0.2a and OpenSSL 1.0.2b [11 Jun 2015]
      o Malformed ECParameters causes infinite loop (CVE-2015-1788)
      o Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
      o PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
      o CMS verify infinite loop with unknown hash function (CVE-2015-1792)
      o Race condition handling NewSessionTicket (CVE-2015-1791)
  Major changes between OpenSSL 1.0.2 and OpenSSL 1.0.2a [19 Mar 2015]
      o OpenSSL 1.0.2 ClientHello sigalgs DoS fix (CVE-2015-0291)
      o Multiblock corrupted pointer fix (CVE-2015-0290)
      o Segmentation fault in DTLSv1_listen fix (CVE-2015-0207)
      o Segmentation fault in ASN1_TYPE_cmp fix (CVE-2015-0286)
      o Segmentation fault for invalid PSS parameters fix (CVE-2015-0208)
      o ASN.1 structure reuse memory corruption fix (CVE-2015-0287)
      o PKCS7 NULL pointer dereferences fix (CVE-2015-0289)
      o DoS via reachable assert in SSLv2 servers fix (CVE-2015-0293)
      o Empty CKE with client auth and DHE fix (CVE-2015-1787)
      o Handshake with unseeded PRNG fix (CVE-2015-0285)
      o Use After Free following d2i_ECPrivatekey error fix (CVE-2015-0209)
      o X509_to_X509_REQ NULL pointer deref fix (CVE-2015-0288)
      o Removed the export ciphers from the DEFAULT ciphers
  Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.2 [22 Jan 2015]:
      o Suite B support for TLS 1.2 and DTLS 1.2
      o Support for DTLS 1.2
      o TLS automatic EC curve selection.
      o API to set TLS supported signature algorithms and curves
      o SSL_CONF configuration API.
      o TLS Brainpool support.
      o ALPN support.
      o CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.
  Major changes between OpenSSL 1.0.1k and OpenSSL 1.0.1l [15 Jan 2015]
      o Build fixes for the Windows and OpenVMS platforms
  Major changes between OpenSSL 1.0.1j and OpenSSL 1.0.1k [8 Jan 2015]
      o Fix for CVE-2014-3571
      o Fix for CVE-2015-0206
      o Fix for CVE-2014-3569
      o Fix for CVE-2014-3572
      o Fix for CVE-2015-0204
      o Fix for CVE-2015-0205
      o Fix for CVE-2014-8275
      o Fix for CVE-2014-3570
  Major changes between OpenSSL 1.0.1i and OpenSSL 1.0.1j [15 Oct 2014]
      o Fix for CVE-2014-3513
      o Fix for CVE-2014-3567
      o Mitigation for CVE-2014-3566 (SSL protocol vulnerability)
      o Fix for CVE-2014-3568
  Major changes between OpenSSL 1.0.1h and OpenSSL 1.0.1i [6 Aug 2014]
      o Fix for CVE-2014-3512
      o Fix for CVE-2014-3511
      o Fix for CVE-2014-3510
      o Fix for CVE-2014-3507
      o Fix for CVE-2014-3506
      o Fix for CVE-2014-3505
      o Fix for CVE-2014-3509
      o Fix for CVE-2014-5139
      o Fix for CVE-2014-3508
  Major changes between OpenSSL 1.0.1g and OpenSSL 1.0.1h [5 Jun 2014]
      o Fix for CVE-2014-0224
      o Fix for CVE-2014-0221
      o Fix for CVE-2014-0198
      o Fix for CVE-2014-0195
      o Fix for CVE-2014-3470
      o Fix for CVE-2010-5298
  Major changes between OpenSSL 1.0.1f and OpenSSL 1.0.1g [7 Apr 2014]
      o Fix for CVE-2014-0160
      o Add TLS padding extension workaround for broken servers.
      o Fix for CVE-2014-0076
  Major changes between OpenSSL 1.0.1e and OpenSSL 1.0.1f [6 Jan 2014]
      o Don't include gmt_unix_time in TLS server and client random values
      o Fix for TLS record tampering bug CVE-2013-4353
      o Fix for TLS version checking bug CVE-2013-6449
      o Fix for DTLS retransmission bug CVE-2013-6450
  Major changes between OpenSSL 1.0.1d and OpenSSL 1.0.1e [11 Feb 2013]:
      o Corrected fix for CVE-2013-0169
  Major changes between OpenSSL 1.0.1c and OpenSSL 1.0.1d [4 Feb 2013]:
      o Fix renegotiation in TLS 1.1, 1.2 by using the correct TLS version.
      o Include the fips configuration module.
      o Fix OCSP bad key DoS attack CVE-2013-0166
      o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
      o Fix for TLS AESNI record handling flaw CVE-2012-2686
  Major changes between OpenSSL 1.0.1b and OpenSSL 1.0.1c [10 May 2012]:
      o Fix TLS/DTLS record length checking bug CVE-2012-2333
      o Don't attempt to use non-FIPS composite ciphers in FIPS mode.
  Major changes between OpenSSL 1.0.1a and OpenSSL 1.0.1b [26 Apr 2012]:
      o Fix compilation error on non-x86 platforms.
      o Make FIPS capable OpenSSL ciphers work in non-FIPS mode.
      o Fix SSL_OP_NO_TLSv1_1 clash with SSL_OP_ALL in OpenSSL 1.0.0
  Major changes between OpenSSL 1.0.1 and OpenSSL 1.0.1a [19 Apr 2012]:
      o Fix for ASN1 overflow bug CVE-2012-2110
      o Workarounds for some servers that hang on long client hellos.
      o Fix SEGV in AES code.
  Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1 [14 Mar 2012]:
      o TLS/DTLS heartbeat support.
      o SCTP support.
      o RFC 5705 TLS key material exporter.
      o RFC 5764 DTLS-SRTP negotiation.
      o Next Protocol Negotiation.
      o PSS signatures in certificates, requests and CRLs.
      o Support for password based recipient info for CMS.
      o Support TLS v1.2 and TLS v1.1.
      o Preliminary FIPS capability for unvalidated 2.0 FIPS module.
      o SRP support.
  Major changes between OpenSSL 1.0.0g and OpenSSL 1.0.0h [12 Mar 2012]:
      o Fix for CMS/PKCS#7 MMA CVE-2012-0884
      o Corrected fix for CVE-2011-4619
      o Various DTLS fixes.
  Major changes between OpenSSL 1.0.0f and OpenSSL 1.0.0g [18 Jan 2012]:
      o Fix for DTLS DoS issue CVE-2012-0050
  Major changes between OpenSSL 1.0.0e and OpenSSL 1.0.0f [4 Jan 2012]:
      o Fix for DTLS plaintext recovery attack CVE-2011-4108
      o Clear block padding bytes of SSL 3.0 records CVE-2011-4576
      o Only allow one SGC handshake restart for SSL/TLS CVE-2011-4619
      o Check parameters are not NULL in GOST ENGINE CVE-2012-0027
      o Check for malformed RFC3779 data CVE-2011-4577
  Major changes between OpenSSL 1.0.0d and OpenSSL 1.0.0e [6 Sep 2011]:
      o Fix for CRL vulnerability issue CVE-2011-3207
      o Fix for ECDH crashes CVE-2011-3210
      o Protection against EC timing attacks.
      o Support ECDH ciphersuites for certificates using SHA2 algorithms.
      o Various DTLS fixes.
  Major changes between OpenSSL 1.0.0c and OpenSSL 1.0.0d [8 Feb 2011]:
      o Fix for security issue CVE-2011-0014
-  Major changes between OpenSSL 1.0.0b and OpenSSL 1.0.0c:
+  Major changes between OpenSSL 1.0.0b and OpenSSL 1.0.0c [2 Dec 2010]:
      o Fix for security issue CVE-2010-4180
      o Fix for CVE-2010-4252
@@ -17,18 +213,18 @@
      o Fix various platform compilation issues.
      o Corrected fix for security issue CVE-2010-3864.
-  Major changes between OpenSSL 1.0.0a and OpenSSL 1.0.0b:
+  Major changes between OpenSSL 1.0.0a and OpenSSL 1.0.0b [16 Nov 2010]:
      o Fix for security issue CVE-2010-3864.
      o Fix for CVE-2010-2939
      o Fix WIN32 build system for GOST ENGINE.
-  Major changes between OpenSSL 1.0.0 and OpenSSL 1.0.0a:
+  Major changes between OpenSSL 1.0.0 and OpenSSL 1.0.0a [1 Jun 2010]:
      o Fix for security issue CVE-2010-1633.
      o GOST MAC and CFB fixes.
-  Major changes between OpenSSL 0.9.8n and OpenSSL 1.0.0:
+  Major changes between OpenSSL 0.9.8n and OpenSSL 1.0.0 [29 Mar 2010]:
      o RFC3280 path validation: sufficient to process PKITS tests.
      o Integrated support for PVK files and keyblobs.
@@ -51,33 +247,12 @@
      o Opaque PRF Input TLS extension support.
      o Updated time routines to avoid OS limitations.
-  Major changes between OpenSSL 0.9.8q and OpenSSL 0.9.8r:
+  Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n [24 Mar 2010]:
      o Fix for security issue CVE-2011-0014
  Major changes between OpenSSL 0.9.8p and OpenSSL 0.9.8q:
      o Fix for security issue CVE-2010-4180
      o Fix for CVE-2010-4252
  Major changes between OpenSSL 0.9.8o and OpenSSL 0.9.8p:
      o Fix for security issue CVE-2010-3864.
  Major changes between OpenSSL 0.9.8n and OpenSSL 0.9.8o:
      o Fix for security issue CVE-2010-0742.
      o Various DTLS fixes.
      o Recognise SHA2 certificates if only SSL algorithms added.
      o Fix for no-rc4 compilation.
      o Chil ENGINE unload workaround.
  Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n:
      o CFB cipher definition fixes.
      o Fix security issues CVE-2010-0740 and CVE-2010-0433.
-  Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m:
+  Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m [25 Feb 2010]:
      o Cipher definition fixes.
      o Workaround for slow RAND_poll() on some WIN32 versions.
@@ -89,33 +264,33 @@
      o Ticket and SNI coexistence fixes.
      o Many fixes to DTLS handling. 
-  Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l:
+  Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l [5 Nov 2009]:
      o Temporary work around for CVE-2009-3555: disable renegotiation.
-  Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k:
+  Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k [25 Mar 2009]:
      o Fix various build issues.
      o Fix security issues (CVE-2009-0590, CVE-2009-0591, CVE-2009-0789)
-  Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j:
+  Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j [7 Jan 2009]:
      o Fix security issue (CVE-2008-5077)
      o Merge FIPS 140-2 branch code.
-  Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h:
+  Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h [28 May 2008]:
      o CryptoAPI ENGINE support.
      o Various precautionary measures.
      o Fix for bugs affecting certificate request creation.
      o Support for local machine keyset attribute in PKCS#12 files.
-  Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g:
+  Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g [19 Oct 2007]:
      o Backport of CMS functionality to 0.9.8.
      o Fixes for bugs introduced with 0.9.8f.
-  Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f:
+  Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f [11 Oct 2007]:
      o Add gcc 4.2 support.
      o Add support for AES and SSE2 assembly lanugauge optimization
@@ -126,23 +301,23 @@
      o RFC4507bis support.
      o TLS Extensions support.
-  Major changes between OpenSSL 0.9.8d and OpenSSL 0.9.8e:
+  Major changes between OpenSSL 0.9.8d and OpenSSL 0.9.8e [23 Feb 2007]:
      o Various ciphersuite selection fixes.
      o RFC3779 support.
-  Major changes between OpenSSL 0.9.8c and OpenSSL 0.9.8d:
+  Major changes between OpenSSL 0.9.8c and OpenSSL 0.9.8d [28 Sep 2006]:
      o Introduce limits to prevent malicious key DoS  (CVE-2006-2940)
      o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343)
      o Changes to ciphersuite selection algorithm
-  Major changes between OpenSSL 0.9.8b and OpenSSL 0.9.8c:
+  Major changes between OpenSSL 0.9.8b and OpenSSL 0.9.8c [5 Sep 2006]:
      o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339
      o New cipher Camellia
-  Major changes between OpenSSL 0.9.8a and OpenSSL 0.9.8b:
+  Major changes between OpenSSL 0.9.8a and OpenSSL 0.9.8b [4 May 2006]:
      o Cipher string fixes.
      o Fixes for VC++ 2005.
@@ -152,12 +327,12 @@
      o Built in dynamic engine compilation support on Win32.
      o Fixes auto dynamic engine loading in Win32.
-  Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a:
+  Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a [11 Oct 2005]:
      o Fix potential SSL 2.0 rollback, CVE-2005-2969
      o Extended Windows CE support
-  Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8:
+  Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8 [5 Jul 2005]:
      o Major work on the BIGNUM library for higher efficiency and to
        make operations more streamlined and less contradictory.  This
@@ -231,36 +406,36 @@
      o Added initial support for Win64.
      o Added alternate pkg-config files.
-  Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m:
+  Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m [23 Feb 2007]:
      o FIPS 1.1.1 module linking.
      o Various ciphersuite selection fixes.
-  Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l:
+  Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l [28 Sep 2006]:
      o Introduce limits to prevent malicious key DoS  (CVE-2006-2940)
      o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343)
-  Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k:
+  Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k [5 Sep 2006]:
      o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339
-  Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j:
+  Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j [4 May 2006]:
      o Visual C++ 2005 fixes.
      o Update Windows build system for FIPS.
-  Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i:
+  Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i [14 Oct 2005]:
      o Give EVP_MAX_MD_SIZE it's old value, except for a FIPS build.
-  Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h:
+  Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h [11 Oct 2005]:
      o Fix SSL 2.0 Rollback, CVE-2005-2969
      o Allow use of fixed-length exponent on DSA signing
      o Default fixed-window RSA, DSA, DH private-key operations
-  Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g:
+  Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g [11 Apr 2005]:
      o More compilation issues fixed.
      o Adaptation to more modern Kerberos API.
@@ -269,7 +444,7 @@
      o More constification.
      o Added processing of proxy certificates (RFC 3820).
-  Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f:
+  Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f [22 Mar 2005]:
      o Several compilation issues fixed.
      o Many memory allocation failure checks added.
@@ -277,12 +452,12 @@
      o Mandatory basic checks on certificates.
      o Performance improvements.
-  Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e:
+  Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e [25 Oct 2004]:
      o Fix race condition in CRL checking code.
      o Fixes to PKCS#7 (S/MIME) code.
-  Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d:
+  Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d [17 Mar 2004]:
      o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug
      o Security: Fix null-pointer assignment in do_change_cipher_spec()
@@ -290,14 +465,14 @@
      o Multiple X509 verification fixes
      o Speed up HMAC and other operations
-  Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c:
+  Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c [30 Sep 2003]:
      o Security: fix various ASN1 parsing bugs.
      o New -ignore_err option to OCSP utility.
      o Various interop and bug fixes in S/MIME code.
      o SSL/TLS protocol fix for unrequested client certificates.
-  Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b:
+  Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b [10 Apr 2003]:
      o Security: counter the Klima-Pokorny-Rosa extension of
        Bleichbacher's attack 
@@ -308,7 +483,7 @@
      o ASN.1: treat domainComponent correctly.
      o Documentation: fixes and additions.
-  Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a:
+  Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a [19 Feb 2003]:
      o Security: Important security related bugfixes.
      o Enhanced compatibility with MIT Kerberos.
@@ -319,7 +494,7 @@
      o SSL/TLS: now handles manual certificate chain building.
      o SSL/TLS: certain session ID malfunctions corrected.
-  Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7:
+  Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7 [30 Dec 2002]:
      o New library section OCSP.
      o Complete rewrite of ASN1 code.
@@ -365,23 +540,23 @@
      o SSL/TLS: add callback to retrieve SSL/TLS messages.
      o SSL/TLS: support AES cipher suites (RFC3268).
-  Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k:
+  Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k [30 Sep 2003]:
      o Security: fix various ASN1 parsing bugs.
      o SSL/TLS protocol fix for unrequested client certificates.
-  Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j:
+  Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j [10 Apr 2003]:
      o Security: counter the Klima-Pokorny-Rosa extension of
        Bleichbacher's attack 
      o Security: make RSA blinding default.
      o Build: shared library support fixes.
-  Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i:
+  Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i [19 Feb 2003]:
      o Important security related bugfixes.
-  Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h:
+  Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h [5 Dec 2002]:
      o New configuration targets for Tandem OSS and A/UX.
      o New OIDs for Microsoft attributes.
@@ -395,25 +570,25 @@
      o Fixes for smaller building problems.
      o Updates of manuals, FAQ and other instructive documents.
-  Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g:
+  Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g [9 Aug 2002]:
      o Important building fixes on Unix.
-  Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f:
+  Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f [8 Aug 2002]:
      o Various important bugfixes.
-  Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e:
+  Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e [30 Jul 2002]:
      o Important security related bugfixes.
      o Various SSL/TLS library bugfixes.
-  Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d:
+  Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d [9 May 2002]:
      o Various SSL/TLS library bugfixes.
      o Fix DH parameter generation for 'non-standard' generators.
-  Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c:
+  Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c [21 Dec 2001]:
      o Various SSL/TLS library bugfixes.
      o BIGNUM library fixes.
@@ -426,7 +601,7 @@
        Broadcom and Cryptographic Appliance's keyserver
        [in 0.9.6c-engine release].
-  Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b:
+  Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b [9 Jul 2001]:
      o Security fix: PRNG improvements.
      o Security fix: RSA OAEP check.
@@ -443,7 +618,7 @@
      o Increase default size for BIO buffering filter.
      o Compatibility fixes in some scripts.
-  Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a:
+  Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a [5 Apr 2001]:
      o Security fix: change behavior of OpenSSL to avoid using
        environment variables when running as root.
@@ -468,7 +643,7 @@
      o New function BN_rand_range().
      o Add "-rand" option to openssl s_client and s_server.
-  Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6:
+  Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6 [10 Oct 2000]:
      o Some documentation for BIO and SSL libraries.
      o Enhanced chain verification using key identifiers.
@@ -483,7 +658,7 @@
    [1] The support for external crypto devices is currently a separate
        distribution.  See the file README.ENGINE.
-  Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a:
+  Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a [1 Apr 2000]:
      o Bug fixes for Win32, SuSE Linux, NeXTSTEP and FreeBSD 2.2.8 
      o Shared library support for HPUX and Solaris-gcc
@@ -492,7 +667,7 @@
      o New 'rand' application
      o New way to check for existence of algorithms from scripts
-  Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5:
+  Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5 [25 May 2000]:
      o S/MIME support in new 'smime' command
      o Documentation for the OpenSSL command line application
@@ -528,7 +703,7 @@
      o Enhanced support for Alpha Linux
      o Experimental MacOS support
-  Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4:
+  Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4 [9 Aug 1999]:
      o Transparent support for PKCS#8 format private keys: these are used
        by several software packages and are more secure than the standard
@@ -539,7 +714,7 @@
      o New pipe-like BIO that allows using the SSL library when actual I/O
        must be handled by the application (BIO pair)
-  Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3:
+  Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3 [24 May 1999]:
      o Lots of enhancements and cleanups to the Configuration mechanism
      o RSA OEAP related fixes
      o Added `openssl ca -revoke' option for revoking a certificate
@@ -553,7 +728,7 @@
      o Sparc assembler bignum implementation, optimized hash functions
      o Option to disable selected ciphers
-  Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b:
+  Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b [22 Mar 1999]:
      o Fixed a security hole related to session resumption
      o Fixed RSA encryption routines for the p < q case
      o "ALL" in cipher lists now means "everything except NULL ciphers"
@@ -575,7 +750,7 @@
      o Lots of memory leak fixes.
      o Lots of bug fixes.
-  Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c:
+  Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c [23 Dec 1998]:
      o Integration of the popular NO_RSA/NO_DSA patches
      o Initial support for compression inside the SSL record layer
      o Added BIO proxy and filtering functionality
--- a/Netware/do_tests.pl
+++ b/Netware/do_tests.pl
@@ -270,22 +270,6 @@ sub ssl_tests
   print( OUT "\n========================================================\n");
   print( OUT "SSL TESTS:\n\n");
   system("ssltest -ssl2 (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv2:");
   log_output("ssltest -ssl2", $outFile);
   system("$ssltest -ssl2 -server_auth (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv2 with server authentication:");
   log_output("$ssltest -ssl2 -server_auth", $outFile);
   system("$ssltest -ssl2 -client_auth (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv2 with client authentication:");
   log_output("$ssltest -ssl2 -client_auth", $outFile);
   system("$ssltest -ssl2 -server_auth -client_auth (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv2 with both client and server authentication:");
   log_output("$ssltest -ssl2 -server_auth -client_auth", $outFile);
   system("ssltest -ssl3 (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv3:");
   log_output("ssltest -ssl3", $outFile);
@@ -318,26 +302,10 @@ sub ssl_tests
   log_desc("Testing sslv2/sslv3 with both client and server authentication:");
   log_output("$ssltest -server_auth -client_auth", $outFile);
   system("ssltest -bio_pair -ssl2 (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv2 via BIO pair:");
   log_output("ssltest -bio_pair -ssl2", $outFile);
   system("ssltest -bio_pair -dhe1024dsa -v (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv2/sslv3 with 1024 bit DHE via BIO pair:");
   log_output("ssltest -bio_pair -dhe1024dsa -v", $outFile);
   system("$ssltest -bio_pair -ssl2 -server_auth (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv2 with server authentication via BIO pair:");
   log_output("$ssltest -bio_pair -ssl2 -server_auth", $outFile);
   system("$ssltest -bio_pair -ssl2 -client_auth (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv2 with client authentication via BIO pair:");
   log_output("$ssltest -bio_pair -ssl2 -client_auth", $outFile);
   system("$ssltest -bio_pair -ssl2 -server_auth -client_auth (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv2 with both client and server authentication via BIO pair:");
   log_output("$ssltest -bio_pair -ssl2 -server_auth -client_auth", $outFile);
   system("ssltest -bio_pair -ssl3 (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv3 via BIO pair:");
   log_output("ssltest -bio_pair -ssl3", $outFile);
--- a/Netware/globals.txt
+++ b/Netware/globals.txt
@@ -66,7 +66,7 @@ static LHASH *error_hash=NULL;
 static LHASH *thread_hash=NULL;
 several files have routines with static "init" to track if error strings
-   have been loaded ( may not want seperate error strings for each process )
+   have been loaded ( may not want separate error strings for each process )
   The "init" variable can't be left "global" because the error has is a ptr
   that is malloc'ed.  The malloc'ed error has is dependant on the "init"
   vars.
--- a/16
+++ b/16
@@ -47,7 +47,7 @@ While running tests, running a parallell make is a bad idea.  Many test
 scripts use the same name for output and input files, which means different
 will interfere with each other and lead to test failure.
-The solution is simple for now: don't run parallell make when testing.
+The solution is simple for now: don't run parallel make when testing.
 * Bugs in gcc triggered
@@ -197,3 +197,17 @@ reconfigure with additional no-sse2 [or 386] option passed to ./config.
 We don't have framework to associate -ldl with no-dso, therefore the only
 way is to edit Makefile right after ./config no-dso and remove -ldl from
 EX_LIBS line.
 * hpux-parisc2-cc no-asm build fails with SEGV in ECDSA/DH.
 Compiler bug, presumably at particular patch level. Remaining
 hpux*-parisc*-cc configurations can be affected too. Drop optimization
 level to +O2 when compiling bn_nist.o.
 * solaris64-sparcv9-cc link failure
 Solaris 8 ar can fail to maintain symbol table in .a, which results in
 link failures. Apply 109147-09 or later or modify Makefile generated
 by ./Configure solaris64-sparcv9-cc and replace RANLIB assignment with
 	RANLIB= /usr/ccs/bin/ar rs
--- a/204
+++ b/204
@@ -1,7 +1,7 @@
- OpenSSL 1.1.0-dev
+ OpenSSL 1.1.0-pre1 (alpha) 10 Dec 2015
- Copyright (c) 1998-2011 The OpenSSL Project
+ Copyright (c) 1998-2015 The OpenSSL Project
 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
 All rights reserved.
@@ -10,17 +10,17 @@
 The OpenSSL Project is a collaborative effort to develop a robust,
 commercial-grade, fully featured, and Open Source toolkit implementing the
- Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
+ Secure Sockets Layer (SSLv3) and Transport Layer Security (TLS) protocols as
- protocols as well as a full-strength general purpose cryptography library.
+ well as a full-strength general purpose cryptograpic library. The project is
- The project is managed by a worldwide community of volunteers that use the
+ managed by a worldwide community of volunteers that use the Internet to
- Internet to communicate, plan, and develop the OpenSSL toolkit and its
+ communicate, plan, and develop the OpenSSL toolkit and its related
- related documentation.
+ documentation.
- OpenSSL is based on the excellent SSLeay library developed from Eric A. Young
+ OpenSSL is descended from the SSLeay library developed by Eric A. Young
 and Tim J. Hudson.  The OpenSSL toolkit is licensed under a dual-license (the
- OpenSSL license plus the SSLeay license) situation, which basically means
+ OpenSSL license plus the SSLeay license), which means that you are free to
- that you are free to get and use it for commercial and non-commercial
+ get and use it for commercial and non-commercial purposes as long as you
- purposes as long as you fulfill the conditions of both licenses.
+ fulfill the conditions of both licenses.
 OVERVIEW
 --------
@@ -28,116 +28,39 @@
 The OpenSSL toolkit includes:
 libssl.a:
-     Implementation of SSLv2, SSLv3, TLSv1 and the required code to support
+     Provides the client and server-side implementations for SSLv3 and TLS.
     both SSLv2, SSLv3 and TLSv1 in the one server and client.
 libcrypto.a:
-     General encryption and X.509 v1/v3 stuff needed by SSL/TLS but not
+     Provides general cryptographic and X.509 support needed by SSL/TLS but
-     actually logically part of it. It includes routines for the following:
+     not logically part of it.
     Ciphers
        libdes - EAY's libdes DES encryption package which was floating
                 around the net for a few years, and was then relicensed by
                 him as part of SSLeay.  It includes 15 'modes/variations'
                 of DES (1, 2 and 3 key versions of ecb, cbc, cfb and ofb;
                 pcbc and a more general form of cfb and ofb) including desx
                 in cbc mode, a fast crypt(3), and routines to read
                 passwords from the keyboard.
        RC4 encryption,
        RC2 encryption      - 4 different modes, ecb, cbc, cfb and ofb.
        Blowfish encryption - 4 different modes, ecb, cbc, cfb and ofb.
        IDEA encryption     - 4 different modes, ecb, cbc, cfb and ofb.
     Digests
        MD5 and MD2 message digest algorithms, fast implementations,
        SHA (SHA-0) and SHA-1 message digest algorithms,
        MDC2 message digest. A DES based hash that is popular on smart cards.
     Public Key
        RSA encryption/decryption/generation.
            There is no limit on the number of bits.
        DSA encryption/decryption/generation.
            There is no limit on the number of bits.
        Diffie-Hellman key-exchange/key generation.
            There is no limit on the number of bits.
     X.509v3 certificates
        X509 encoding/decoding into/from binary ASN1 and a PEM
             based ASCII-binary encoding which supports encryption with a
             private key.  Program to generate RSA and DSA certificate
             requests and to generate RSA and DSA certificates.
     Systems
        The normal digital envelope routines and base64 encoding.  Higher
        level access to ciphers and digests by name.  New ciphers can be
        loaded at run time.  The BIO io system which is a simple non-blocking
        IO abstraction.  Current methods supported are file descriptors,
        sockets, socket accept, socket connect, memory buffer, buffering, SSL
        client/server, file pointer, encryption, digest, non-blocking testing
        and null.
     Data structures
        A dynamically growing hashing system
        A simple stack.
        A Configuration loader that uses a format similar to MS .ini files.
 openssl:
     A command line tool that can be used for:
-        Creation of RSA, DH and DSA key parameters
+        Creation of key parameters
        Creation of X.509 certificates, CSRs and CRLs
-        Calculation of Message Digests
+        Calculation of message digests
-        Encryption and Decryption with Ciphers
+        Encryption and decryption
-        SSL/TLS Client and Server Tests
+        SSL/TLS client and server tests
        Handling of S/MIME signed or encrypted mail
-
+        And more...
 PATENTS
 -------
 Various companies hold various patents for various algorithms in various
 locations around the world. _YOU_ are responsible for ensuring that your use
 of any algorithms is legal by checking if there are any patents in your
 country.  The file contains some of the patents that we know about or are
 rumored to exist. This is not a definitive list.
 RSA Security holds software patents on the RC5 algorithm.  If you
 intend to use this cipher, you must contact RSA Security for
 licensing conditions. Their web page is http://www.rsasecurity.com/.
 RC4 is a trademark of RSA Security, so use of this label should perhaps
 only be used with RSA Security's permission.
 The IDEA algorithm is patented by Ascom in Austria, France, Germany, Italy,
 Japan, the Netherlands, Spain, Sweden, Switzerland, UK and the USA.  They
 should be contacted if that algorithm is to be used; their web page is
 http://www.ascom.ch/.
 NTT and Mitsubishi have patents and pending patents on the Camellia
 algorithm, but allow use at no charge without requiring an explicit
 licensing agreement: http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html
 INSTALLATION
 ------------
- To install this package under a Unix derivative, read the INSTALL file.  For
+ See the appropriate file:
- a Win32 platform, read the INSTALL.W32 file.  For OpenVMS systems, read
+        INSTALL         Linux, Unix, etc.
- INSTALL.VMS.
+        INSTALL.DJGPP   DOS platform with DJGPP
-
+        INSTALL.NW      Netware
- Read the documentation in the doc/ directory.  It is quite rough, but it
+        INSTALL.OS2     OS/2
- lists the functions; you will probably have to look at the code to work out
+        INSTALL.VMS     VMS
- how to use them. Look at the example programs.
+        INSTALL.W32     Windows (32bit)
-
+        INSTALL.W64     Windows (64bit)
- PROBLEMS
+        INSTALL.WCE     Windows CE
 --------
 For some platforms, there are some known problems that may affect the user
 or application author.  We try to collect those in doc/PROBLEMS, with current
 thoughts on how they should be solved in a future of OpenSSL.
 SUPPORT
 -------
- See the OpenSSL website www.openssl.org for details of how to obtain
+ See the OpenSSL website www.openssl.org for details on how to obtain
 commercial technical support.
 If you have any problems with OpenSSL then please take the following steps
@@ -161,58 +84,35 @@
    - Problem Description (steps that will reproduce the problem, if known)
    - Stack Traceback (if the application dumps core)
- Report the bug to the OpenSSL project via the Request Tracker
+ Email the report to:
 (http://www.openssl.org/support/rt.html) by mail to:
-    openssl-bugs@openssl.org
+    rt@openssl.org
- Note that the request tracker should NOT be used for general assistance
+ In order to avoid spam, this is a moderated mailing list, and it might
- or support queries. Just because something doesn't work the way you expect
+ take a day for the ticket to show up.  (We also scan posts to make sure
- does not mean it is necessarily a bug in OpenSSL.
+ that security disclosures aren't publically posted by mistake.) Mail to
 this address is recorded in the public RT (request tracker) database (see
 https://www.openssl.org/support/rt.html for details) and also forwarded
 the public openssl-dev mailing list.  Confidential mail may be sent to
 openssl-security@openssl.org (PGP key available from the key servers).
- Note that mail to openssl-bugs@openssl.org is recorded in the publicly
+ Please do NOT use this for general assistance or support queries.
- readable request tracker database and is forwarded to a public
+ Just because something doesn't work the way you expect does not mean it
- mailing list. Confidential mail may be sent to openssl-security@openssl.org
+ is necessarily a bug in OpenSSL.
- (PGP key available from the key servers).
+
 You can also make GitHub pull requests. If you do this, please also send
 mail to rt@openssl.org with a link to the PR so that we can more easily
 keep track of it.
 HOW TO CONTRIBUTE TO OpenSSL
 ----------------------------
- Development is coordinated on the openssl-dev mailing list (see
+ See CONTRIBUTING
 http://www.openssl.org for information on subscribing). If you
 would like to submit a patch, send it to openssl-bugs@openssl.org with
 the string "[PATCH]" in the subject. Please be sure to include a
 textual explanation of what your patch does.
- If you are unsure as to whether a feature will be useful for the general
+ LEGALITIES
- OpenSSL community please discuss it on the openssl-dev mailing list first.
+ ----------
 Someone may be already working on the same thing or there may be a good
 reason as to why that feature isn't implemented.
 Patches should be as up to date as possible, preferably relative to the
 current CVS or the last snapshot. They should follow the coding style of
 OpenSSL and compile without warnings. Some of the core team developer targets
 can be used for testing purposes, (debug-steve64, debug-geoff etc). OpenSSL
 compiles on many varied platforms: try to ensure you only use portable
 features.
 Note: For legal reasons, contributions from the US can be accepted only
 if a TSU notification and a copy of the patch are sent to crypt@bis.doc.gov
 (formerly BXA) with a copy to the ENC Encryption Request Coordinator;
 please take some time to look at
    http://www.bis.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html [sic]
 and
    http://w3.access.gpo.gov/bis/ear/pdf/740.pdf (EAR Section 740.13(e))
 for the details. If "your encryption source code is too large to serve as
 an email attachment", they are glad to receive it by fax instead; hope you
 have a cheap long-distance plan.
 Our preferred format for changes is "diff -u" output. You might
 generate it like this:
 # cd openssl-work
 # [your changes]
 # ./Configure dist; make clean
 # cd ..
 # diff -ur openssl-orig openssl-work > mydiffs.patch
 A number of nations, in particular the U.S., restrict the use or export
 of cryptography. If you are potentially subject to such restrictions
 you should seek competent professional legal advice before attempting to
 develop or distribute cryptographic code.
--- a/README.ASN1
+++ b/README.ASN1
@@ -1,187 +0,0 @@
 OpenSSL ASN1 Revision
 =====================
 This document describes some of the issues relating to the new ASN1 code.
 Previous OpenSSL ASN1 problems
 =============================
 OK why did the OpenSSL ASN1 code need revising in the first place? Well
 there are lots of reasons some of which are included below...
 1. The code is difficult to read and write. For every single ASN1 structure
 (e.g. SEQUENCE) four functions need to be written for new, free, encode and
 decode operations. This is a very painful and error prone operation. Very few
 people have ever written any OpenSSL ASN1 and those that have usually wish
 they hadn't.
 2. Partly because of 1. the code is bloated and takes up a disproportionate
 amount of space. The SEQUENCE encoder is particularly bad: it essentially
 contains two copies of the same operation, one to compute the SEQUENCE length
 and the other to encode it.
 3. The code is memory based: that is it expects to be able to read the whole
 structure from memory. This is fine for small structures but if you have a
 (say) 1Gb PKCS#7 signedData structure it isn't such a good idea...
 4. The code for the ASN1 IMPLICIT tag is evil. It is handled by temporarily
 changing the tag to the expected one, attempting to read it, then changing it
 back again. This means that decode buffers have to be writable even though they
 are ultimately unchanged. This gets in the way of constification.
 5. The handling of EXPLICIT isn't much better. It adds a chunk of code into 
 the decoder and encoder for every EXPLICIT tag.
 6. APPLICATION and PRIVATE tags aren't even supported at all.
 7. Even IMPLICIT isn't complete: there is no support for implicitly tagged
 types that are not OPTIONAL.
 8. Much of the code assumes that a tag will fit in a single octet. This is
 only true if the tag is 30 or less (mercifully tags over 30 are rare).
 9. The ASN1 CHOICE type has to be largely handled manually, there aren't any
 macros that properly support it.
 10. Encoders have no concept of OPTIONAL and have no error checking. If the
 passed structure contains a NULL in a mandatory field it will not be encoded,
 resulting in an invalid structure.
 11. It is tricky to add ASN1 encoders and decoders to external applications.
 Template model
 ==============
 One of the major problems with revision is the sheer volume of the ASN1 code.
 Attempts to change (for example) the IMPLICIT behaviour would result in a
 modification of *every* single decode function. 
 I decided to adopt a template based approach. I'm using the term 'template'
 in a manner similar to SNACC templates: it has nothing to do with C++
 templates.
 A template is a description of an ASN1 module as several constant C structures.
 It describes in a machine readable way exactly how the ASN1 structure should
 behave. If this template contains enough detail then it is possible to write
 versions of new, free, encode, decode (and possibly others operations) that
 operate on templates.
 Instead of having to write code to handle each operation only a single
 template needs to be written. If new operations are needed (such as a 'print'
 operation) only a single new template based function needs to be written 
 which will then automatically handle all existing templates.
 Plans for revision
 ==================
 The revision will consist of the following steps. Other than the first two
 these can be handled in any order.
 o Design and write template new, free, encode and decode operations, initially
 memory based. *DONE*
 o Convert existing ASN1 code to template form. *IN PROGRESS*
 o Convert an existing ASN1 compiler (probably SNACC) to output templates
 in OpenSSL form.
 o Add support for BIO based ASN1 encoders and decoders to handle large
 structures, initially blocking I/O.
 o Add support for non blocking I/O: this is quite a bit harder than blocking
 I/O.
 o Add new ASN1 structures, such as OCSP, CRMF, S/MIME v3 (CMS), attribute
 certificates etc etc.
 Description of major changes
 ============================
 The BOOLEAN type now takes three values. 0xff is TRUE, 0 is FALSE and -1 is
 absent. The meaning of absent depends on the context. If for example the
 boolean type is DEFAULT FALSE (as in the case of the critical flag for
 certificate extensions) then -1 is FALSE, if DEFAULT TRUE then -1 is TRUE.
 Usually the value will only ever be read via an API which will hide this from
 an application.
 There is an evil bug in the old ASN1 code that mishandles OPTIONAL with
 SEQUENCE OF or SET OF. These are both implemented as a STACK structure. The
 old code would omit the structure if the STACK was NULL (which is fine) or if
 it had zero elements (which is NOT OK). This causes problems because an empty
 SEQUENCE OF or SET OF will result in an empty STACK when it is decoded but when
 it is encoded it will be omitted resulting in different encodings. The new code
 only omits the encoding if the STACK is NULL, if it contains zero elements it
 is encoded and empty. There is an additional problem though: because an empty
 STACK was omitted, sometimes the corresponding *_new() function would
 initialize the STACK to empty so an application could immediately use it, if
 this is done with the new code (i.e. a NULL) it wont work. Therefore a new
 STACK should be allocated first. One instance of this is the X509_CRL list of
 revoked certificates: a helper function X509_CRL_add0_revoked() has been added
 for this purpose.
 The X509_ATTRIBUTE structure used to have an element called 'set' which took
 the value 1 if the attribute value was a SET OF or 0 if it was a single. Due
 to the behaviour of CHOICE in the new code this has been changed to a field
 called 'single' which is 0 for a SET OF and 1 for single. The old field has
 been deleted to deliberately break source compatibility. Since this structure
 is normally accessed via higher level functions this shouldn't break too much.
 The X509_REQ_INFO certificate request info structure no longer has a field
 called 'req_kludge'. This used to be set to 1 if the attributes field was
 (incorrectly) omitted. You can check to see if the field is omitted now by
 checking if the attributes field is NULL. Similarly if you need to omit
 the field then free attributes and set it to NULL.
 The top level 'detached' field in the PKCS7 structure is no longer set when
 a PKCS#7 structure is read in. PKCS7_is_detached() should be called instead.
 The behaviour of PKCS7_get_detached() is unaffected.
 The values of 'type' in the GENERAL_NAME structure have changed. This is
 because the old code use the ASN1 initial octet as the selector. The new
 code uses the index in the ASN1_CHOICE template.
 The DIST_POINT_NAME structure has changed to be a true CHOICE type.
 typedef struct DIST_POINT_NAME_st {
 int type;
 union {
 	STACK_OF(GENERAL_NAME) *fullname;
 	STACK_OF(X509_NAME_ENTRY) *relativename;
 } name;
 } DIST_POINT_NAME;
 This means that name.fullname or name.relativename should be set
 and type reflects the option. That is if name.fullname is set then
 type is 0 and if name.relativename is set type is 1.
 With the old code using the i2d functions would typically involve:
 unsigned char *buf, *p;
 int len;
 /* Find length of encoding */
 len = i2d_SOMETHING(x, NULL);
 /* Allocate buffer */
 buf = OPENSSL_malloc(len);
 if(buf == NULL) {
 	/* Malloc error */
 }
 /* Use temp variable because &p gets updated to point to end of
 * encoding.
 */
 p = buf;
 i2d_SOMETHING(x, &p);
 Using the new i2d you can also do:
 unsigned char *buf = NULL;
 int len;
 len = i2d_SOMETHING(x, &buf);
 if(len < 0) {
 	/* Malloc error */
 }
 and it will automatically allocate and populate a buffer with the
 encoding. After this call 'buf' will point to the start of the
 encoding which is len bytes long.
--- a/148
+++ b/148
@@ -1,148 +0,0 @@
  OpenSSL STATUS                           Last modified at
  ______________                           $Date: 2011/02/08 17:48:56 $
  DEVELOPMENT STATE
    o  OpenSSL 1.1.0:  Under development...
    o  OpenSSL 1.0.1:  Under development...
    o  OpenSSL 1.0.0d: Released on February   8nd, 2011
    o  OpenSSL 1.0.0c: Released on December   2nd, 2010
    o  OpenSSL 1.0.0b: Released on November  16th, 2010
    o  OpenSSL 1.0.0a: Released on June      1st,  2010
    o  OpenSSL 1.0.0:  Released on March     29th, 2010
    o  OpenSSL 0.9.8r: Released on February   8nd, 2011
    o  OpenSSL 0.9.8q: Released on December   2nd, 2010
    o  OpenSSL 0.9.8p: Released on November  16th, 2010
    o  OpenSSL 0.9.8o: Released on June       1st, 2010
    o  OpenSSL 0.9.8n: Released on March     24th, 2010
    o  OpenSSL 0.9.8m: Released on February  25th, 2010
    o  OpenSSL 0.9.8l: Released on November   5th, 2009
    o  OpenSSL 0.9.8k: Released on March     25th, 2009
    o  OpenSSL 0.9.8j: Released on January    7th, 2009
    o  OpenSSL 0.9.8i: Released on September 15th, 2008
    o  OpenSSL 0.9.8h: Released on May       28th, 2008
    o  OpenSSL 0.9.8g: Released on October   19th, 2007
    o  OpenSSL 0.9.8f: Released on October   11th, 2007
    o  OpenSSL 0.9.8e: Released on February  23rd, 2007
    o  OpenSSL 0.9.8d: Released on September 28th, 2006
    o  OpenSSL 0.9.8c: Released on September  5th, 2006
    o  OpenSSL 0.9.8b: Released on May        4th, 2006
    o  OpenSSL 0.9.8a: Released on October   11th, 2005
    o  OpenSSL 0.9.8:  Released on July       5th, 2005
    o  OpenSSL 0.9.7m: Released on February  23rd, 2007
    o  OpenSSL 0.9.7l: Released on September 28th, 2006
    o  OpenSSL 0.9.7k: Released on September  5th, 2006
    o  OpenSSL 0.9.7j: Released on May        4th, 2006
    o  OpenSSL 0.9.7i: Released on October   14th, 2005
    o  OpenSSL 0.9.7h: Released on October   11th, 2005
    o  OpenSSL 0.9.7g: Released on April     11th, 2005
    o  OpenSSL 0.9.7f: Released on March     22nd, 2005
    o  OpenSSL 0.9.7e: Released on October   25th, 2004
    o  OpenSSL 0.9.7d: Released on March     17th, 2004
    o  OpenSSL 0.9.7c: Released on September 30th, 2003
    o  OpenSSL 0.9.7b: Released on April     10th, 2003
    o  OpenSSL 0.9.7a: Released on February  19th, 2003
    o  OpenSSL 0.9.7:  Released on December  31st, 2002
    o  OpenSSL 0.9.6m: Released on March     17th, 2004
    o  OpenSSL 0.9.6l: Released on November   4th, 2003
    o  OpenSSL 0.9.6k: Released on September 30th, 2003
    o  OpenSSL 0.9.6j: Released on April     10th, 2003
    o  OpenSSL 0.9.6i: Released on February  19th, 2003
    o  OpenSSL 0.9.6h: Released on December   5th, 2002
    o  OpenSSL 0.9.6g: Released on August     9th, 2002
    o  OpenSSL 0.9.6f: Released on August     8th, 2002
    o  OpenSSL 0.9.6e: Released on July      30th, 2002
    o  OpenSSL 0.9.6d: Released on May        9th, 2002
    o  OpenSSL 0.9.6c: Released on December  21st, 2001
    o  OpenSSL 0.9.6b: Released on July       9th, 2001
    o  OpenSSL 0.9.6a: Released on April      5th, 2001
    o  OpenSSL 0.9.6:  Released on September 24th, 2000
    o  OpenSSL 0.9.5a: Released on April      1st, 2000
    o  OpenSSL 0.9.5:  Released on February  28th, 2000
    o  OpenSSL 0.9.4:  Released on August    09th, 1999
    o  OpenSSL 0.9.3a: Released on May       29th, 1999
    o  OpenSSL 0.9.3:  Released on May       25th, 1999
    o  OpenSSL 0.9.2b: Released on March     22th, 1999
    o  OpenSSL 0.9.1c: Released on December  23th, 1998
  [See also http://www.openssl.org/support/rt.html]
  RELEASE SHOWSTOPPERS
    o The Makefiles fail with some SysV makes.
    o 
  AVAILABLE PATCHES
    o 
  IN PROGRESS
    o Steve is currently working on (in no particular order):
        ASN1 code redesign, butchery, replacement.
        OCSP
        EVP cipher enhancement.
        Enhanced certificate chain verification.
 	Private key, certificate and CRL API and implementation.
 	Developing and bugfixing PKCS#7 (S/MIME code).
        Various X509 issues: character sets, certificate request extensions.
    o Richard is currently working on:
 	Constification
 	Attribute Certificate support
 	Certificate Pair support
 	Storage Engines (primarly an LDAP storage engine)
 	Certificate chain validation with full RFC 3280 compatibility
  NEEDS PATCH
    o  0.9.8-dev: COMPLEMENTOFALL and COMPLEMENTOFDEFAULT do not
       handle ECCdraft cipher suites correctly.
    o  apps/ca.c: "Sign the certificate?" - "n" creates empty certificate file
    o  "OpenSSL STATUS" is never up-to-date.
  OPEN ISSUES
    o  The Makefile hierarchy and build mechanism is still not a round thing:
       1. The config vs. Configure scripts
          It's the same nasty situation as for Apache with APACI vs.
          src/Configure. It confuses.
          Suggestion: Merge Configure and config into a single configure
                      script with a Autoconf style interface ;-) and remove
                      Configure and config. Or even let us use GNU Autoconf
                      itself. Then we can avoid a lot of those platform checks
                      which are currently in Configure.
    o  Support for Shared Libraries has to be added at least
       for the major Unix platforms. The details we can rip from the stuff
       Ralf has done for the Apache src/Configure script. Ben wants the
       solution to be really simple.
       Status: Ralf will look how we can easily incorporate the
               compiler PIC and linker DSO flags from Apache
               into the OpenSSL Configure script.
               Ulf: +1 for using GNU autoconf and libtool (but not automake,
                    which apparently is not flexible enough to generate
                    libcrypto)
  WISHES
    o  Add variants of DH_generate_parameters() and BN_generate_prime() [etc?]
       where the callback function can request that the function be aborted.
       [Gregory Stark <ghstark@pobox.com>, <rayyang2000@yahoo.com>]
    o  SRP in TLS.
       [wished by:
        Dj <derek@yo.net>, Tom Wu <tom@arcot.com>,
        Tom Holroyd <tomh@po.crl.go.jp>]
       See http://search.ietf.org/internet-drafts/draft-ietf-tls-srp-00.txt
       as well as http://www-cs-students.stanford.edu/~tjw/srp/.
       Tom Holroyd tells us there is a SRP patch for OpenSSH at
       http://members.tripod.com/professor_tom/archives/, that could
       be useful.
--- a/6106
+++ b/6106
--- a/VMS/mkshared.com
+++ b/VMS/mkshared.com
@@ -6,6 +6,7 @@ $! P2: Zlib object library path (optional).
 $!
 $! Input:	[.UTIL]LIBEAY.NUM,[.xxx.EXE.CRYPTO]SSL_LIBCRYPTO[32].OLB
 $!		[.UTIL]SSLEAY.NUM,[.xxx.EXE.SSL]SSL_LIBSSL[32].OLB
 $!		[.CRYPTO.xxx]OPENSSLCONF.H
 $! Output:	[.xxx.EXE.CRYPTO]SSL_LIBCRYPTO_SHR[32].OPT,.MAP,.EXE
 $!		[.xxx.EXE.SSL]SSL_LIBSSL_SRH[32].OPT,.MAP,.EXE
 $!
@@ -70,6 +71,9 @@ $     endif
 $   endif
 $ endif
 $!
 $! ----- Prepare info for processing: disabled algorithms info
 $ gosub read_disabled_algorithms_info
 $!
 $ ZLIB = p2
 $ zlib_lib = ""
 $ if (ZLIB .nes. "")
@@ -384,8 +388,7 @@ $	alg_i = alg_i + 1
 $       if alg_entry .eqs. "" then goto loop2
 $       if alg_entry .nes. ","
 $       then
-$         if alg_entry .eqs. "KRB5" then goto loop ! Special for now
+$	  if disabled_algorithms - ("," + alg_entry + ",") .nes disabled_algorithms then goto loop
 $	  if alg_entry .eqs. "STATIC_ENGINE" then goto loop ! Special for now
 $         if f$trnlnm("OPENSSL_NO_"+alg_entry) .nes. "" then goto loop
 $	  goto loop2
 $       endif
@@ -452,3 +455,22 @@ $     endif
 $   endloop_rvi:
 $   close vf
 $   return
 $
 $! The disabled algorithms reader
 $ read_disabled_algorithms_info:
 $   disabled_algorithms = ","
 $   open /read cf [.CRYPTO.'ARCH']OPENSSLCONF.H
 $   loop_rci:
 $     read/err=endloop_rci/end=endloop_rci cf rci_line
 $     rci_line = f$edit(rci_line,"TRIM,COMPRESS")
 $     rci_ei = 0
 $     if f$extract(0,9,rci_line) .eqs. "# define " then rci_ei = 2
 $     if f$extract(0,8,rci_line) .eqs. "#define " then rci_ei = 1
 $     if rci_ei .eq. 0 then goto loop_rci
 $     rci_e = f$element(rci_ei," ",rci_line)
 $     if f$extract(0,11,rci_e) .nes. "OPENSSL_NO_" then goto loop_rci
 $     disabled_algorithms = disabled_algorithms + f$extract(11,999,rci_e) + ","
 $     goto loop_rci
 $   endloop_rci:
 $   close cf
 $   return
--- a/apps/.cvsignore
+++ b/apps/.cvsignore
@@ -1,8 +0,0 @@
 openssl
 Makefile.save
 der_chop
 der_chop.bak
 CA.pl
 *.flc
 semantic.cache
 *.dll
--- a/apps/CA.com
+++ b/apps/CA.com
@@ -10,29 +10,14 @@ $! At the end of that grab newreq.pem and newcert.pem (one has the key
 $! and the other the certificate) and cat them together and that is what
 $! you want/need ... I'll make even this a little cleaner later.
 $!
-$!
+$! default openssl.cnf file has setup as per the following
 $! 12-Jan-96 tjh    Added more things ... including CA -signcert which
 $!                  converts a certificate to a request and then signs it.
 $! 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
 $!                 environment variable so this can be driven from
 $!                 a script.
 $! 25-Jul-96 eay    Cleaned up filenames some more.
 $! 11-Jun-96 eay    Fixed a few filename missmatches.
 $! 03-May-96 eay    Modified to use 'openssl cmd' instead of 'cmd'.
 $! 18-Apr-96 tjh    Original hacking
 $!
 $! Tim Hudson
 $! tjh@cryptsoft.com
 $!
 $!
 $! default ssleay.cnf file has setup as per the following
 $! demoCA ... where everything is stored
 $
-$ IF F$TYPE(SSLEAY_CONFIG) .EQS. "" THEN SSLEAY_CONFIG := SSLLIB:SSLEAY.CNF
+$ IF F$TYPE(OPENSSL_CONFIG) .EQS. "" THEN OPENSSL_CONFIG := SSLLIB:OPENSSL.CNF
 $
 $ DAYS   = "-days 365"
-$ REQ    = openssl + " req " + SSLEAY_CONFIG
+$ REQ    = openssl + " req " + OPENSSL_CONFIG
-$ CA     = openssl + " ca " + SSLEAY_CONFIG
+$ CA     = openssl + " ca " + OPENSSL_CONFIG
 $ VERIFY = openssl + " verify"
 $ X509   = openssl + " x509"
 $ PKCS12 = openssl + " pkcs12"
--- a/apps/CA.pl.in
+++ b/apps/CA.pl.in
@@ -1,93 +1,114 @@
-#!/usr/local/bin/perl
+#!/usr/bin/perl
 #
 # CA - wrapper around ca to make it easier to use ... basically ca requires
 #      some setup stuff to be done before you can use it and this makes
 #      things easier between now and when Eric is convinced to fix it :-)
 #
 # CA -newca ... will setup the right stuff
 # CA -newreq[-nodes] ... will generate a certificate request 
 # CA -sign ... will sign the generated request and output 
 #
 # At the end of that grab newreq.pem and newcert.pem (one has the key 
 # and the other the certificate) and cat them together and that is what
 # you want/need ... I'll make even this a little cleaner later.
 #
 #
 # 12-Jan-96 tjh    Added more things ... including CA -signcert which
 #                  converts a certificate to a request and then signs it.
 # 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
 #		   environment variable so this can be driven from
 #		   a script.
 # 25-Jul-96 eay    Cleaned up filenames some more.
 # 11-Jun-96 eay    Fixed a few filename missmatches.
 # 03-May-96 eay    Modified to use 'ssleay cmd' instead of 'cmd'.
 # 18-Apr-96 tjh    Original hacking
 #
 # Tim Hudson
 # tjh@cryptsoft.com
 #
 # Wrapper around the ca to make it easier to use
 # Edit CA.pl.in not CA.pl!
 # 27-Apr-98 snh    Translation into perl, fix existing CA bug.
 #
 #
 # Steve Henson
 # shenson@bigfoot.com
-# default openssl.cnf file has setup as per the following
+use strict;
-# demoCA ... where everything is stored
+use warnings;
-my $openssl;
+my $openssl = "openssl";
-if(defined $ENV{OPENSSL}) {
+if(defined $ENV{'OPENSSL'}) {
-	$openssl = $ENV{OPENSSL};
+    $openssl = $ENV{'OPENSSL'};
 } else {
-	$openssl = "openssl";
+    $ENV{'OPENSSL'} = $openssl;
 	$ENV{OPENSSL} = $openssl;
 }
-$SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"};
+my $verbose = 1;
 $DAYS="-days 365";	# 1 year
 $CADAYS="-days 1095";	# 3 years
 $REQ="$openssl req $SSLEAY_CONFIG";
 $CA="$openssl ca $SSLEAY_CONFIG";
 $VERIFY="$openssl verify";
 $X509="$openssl x509";
 $PKCS12="$openssl pkcs12";
-$CATOP="./demoCA";
+my $OPENSSL_CONFIG = $ENV{"OPENSSL_CONFIG"};
-$CAKEY="cakey.pem";
+my $DAYS = "-days 365";
-$CAREQ="careq.pem";
+my $CADAYS = "-days 1095";	# 3 years
-$CACERT="cacert.pem";
+my $REQ = "$openssl req $OPENSSL_CONFIG";
 my $CA = "$openssl ca $OPENSSL_CONFIG";
 my $VERIFY = "$openssl verify";
 my $X509 = "$openssl x509";
 my $PKCS12 = "$openssl pkcs12";
-$DIRMODE = 0777;
+# default openssl.cnf file has setup as per the following
 my $CATOP = "./demoCA";
 my $CAKEY = "cakey.pem";
 my $CAREQ = "careq.pem";
 my $CACERT = "cacert.pem";
 my $CACRL = "crl.pem";
 my $DIRMODE = 0777;
-$RET = 0;
+my $NEWKEY = "newkey.pem";
 my $NEWREQ = "newreq.pem";
 my $NEWCERT = "newcert.pem";
 my $NEWP12 = "newcert.p12";
 my $RET = 0;
 my $WHAT = shift @ARGV;
 my $FILE;
-foreach (@ARGV) {
+# See if reason for a CRL entry is valid; exit if not.
-	if ( /^(-\?|-h|-help)$/ ) {
+sub crl_reason_ok
 {
    my $r = shift;
    if ($r eq 'unspecified' || $r eq 'keyCompromise'
        || $r eq 'CACompromise' || $r eq 'affiliationChanged'
        || $r eq 'superseded' || $r eq 'cessationOfOperation'
        || $r eq 'certificateHold' || $r eq 'removeFromCRL') {
        return 1;
    }
    print STDERR "Invalid CRL reason; must be one of:\n";
    print STDERR "    unspecified, keyCompromise, CACompromise,\n";
    print STDERR "    affiliationChanged, superseded, cessationOfOperation\n";
    print STDERR "    certificateHold, removeFromCRL";
    exit 1;
 }
 # Copy a PEM-format file; return like exit status (zero means ok)
 sub copy_pemfile
 {
    my ($infile, $outfile, $bound) = @_;
    my $found = 0;
    open IN, $infile || die "Cannot open $infile, $!";
    open OUT, ">$outfile" || die "Cannot write to $outfile, $!";
    while (<IN>) {
        $found = 1 if /^-----BEGIN.*$bound/;
        print OUT $_ if $found;
        $found = 2, last if /^-----END.*$bound/;
    }
    close IN;
    close OUT;
    return $found == 2 ? 0 : 1;
 }
 # Wrapper around system; useful for debugging.  Returns just the exit status
 sub run
 {
    my $cmd = shift;
    print "====\n$cmd\n" if $verbose;
    my $status = system($cmd);
    print "==> $status\n====\n" if $verbose;
    return $status >> 8;
 }
 if ( $WHAT =~ /^(-\?|-h|-help)$/ ) {
    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
    print STDERR "       CA -pkcs12 [certname]\n";
    print STDERR "       CA -crl|-revoke cert-filename [reason]\n";
    exit 0;
-	} elsif (/^-newcert$/) {
+}
 if ($WHAT eq '-newcert' ) {
    # create a certificate
-	    system ("$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS");
+    $RET = run("$REQ -new -x509 -keyout $NEWKEY -out $NEWCERT $DAYS");
-	    $RET=$?;
+    print "Cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;
-	    print "Certificate is in newcert.pem, private key is in newkey.pem\n"
+} elsif ($WHAT eq '-newreq' ) {
 	} elsif (/^-newreq$/) {
    # create a certificate request
-	    system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS");
+    $RET = run("$REQ -new -keyout $NEWKEY -out $NEWREQ $DAYS");
-	    $RET=$?;
+    print "Request is in $NEWREQ, private key is in $NEWKEY\n" if $RET == 0;
-	    print "Request is in newreq.pem, private key is in newkey.pem\n";
+} elsif ($WHAT eq '-newreq-nodes' ) {
 	} elsif (/^-newreq-nodes$/) {
    # create a certificate request
-	    system ("$REQ -new -nodes -keyout newkey.pem -out newreq.pem $DAYS");
+    $RET = run("$REQ -new -nodes -keyout $NEWKEY -out $NEWREQ $DAYS");
-	    $RET=$?;
+    print "Request is in $NEWREQ, private key is in $NEWKEY\n" if $RET == 0;
-	    print "Request is in newreq.pem, private key is in newkey.pem\n";
+} elsif ($WHAT eq '-newca' ) {
 	} elsif (/^-newca$/) {
 		# if explicitly asked for or it doesn't exist then setup the
 		# directory structure that Eric likes to manage things 
 	    $NEW="1";
 	    if ( "$NEW" || ! -f "${CATOP}/serial" ) {
    # create the directory hierarchy
-		mkdir $CATOP, $DIRMODE;
+    mkdir ${CATOP}, $DIRMODE;
    mkdir "${CATOP}/certs", $DIRMODE;
    mkdir "${CATOP}/crl", $DIRMODE ;
    mkdir "${CATOP}/newcerts", $DIRMODE;
@@ -97,93 +118,72 @@ foreach (@ARGV) {
    open OUT, ">${CATOP}/crlnumber";
    print OUT "01\n";
    close OUT;
-	    }
+    # ask user for existing CA certificate
 	    if ( ! -f "${CATOP}/private/$CAKEY" ) {
    print "CA certificate filename (or enter to create)\n";
    $FILE = <STDIN>;
-
+    chop $FILE if $FILE;
 		chop $FILE;
 		# ask user for existing CA certificate
    if ($FILE) {
-		    cp_pem($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");
+        copy_pemfile($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");
-		    cp_pem($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
+        copy_pemfile($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
 		    $RET=$?;
    } else {
        print "Making CA certificate ...\n";
-		    system ("$REQ -new -keyout " .
+        $RET = run("$REQ -new -keyout"
-			"${CATOP}/private/$CAKEY -out ${CATOP}/$CAREQ");
+                . " ${CATOP}/private/$CAKEY"
-		    system ("$CA -create_serial " .
+                . " -out ${CATOP}/$CAREQ");
-			"-out ${CATOP}/$CACERT $CADAYS -batch " . 
+        $RET = run("$CA -create_serial"
-			"-keyfile ${CATOP}/private/$CAKEY -selfsign " .
+                . " -out ${CATOP}/$CACERT $CADAYS -batch"
-			"-extensions v3_ca " .
+                . " -keyfile ${CATOP}/private/$CAKEY -selfsign"
-			"-infiles ${CATOP}/$CAREQ ");
+                . " -extensions v3_ca"
-		    $RET=$?;
+                . " -infiles ${CATOP}/$CAREQ") if $RET == 0;
        print "CA certificate is in ${CATOP}/$CACERT\n" if $RET == 0;
    }
-	    }
+} elsif ($WHAT eq '-pkcs12' ) {
 	} elsif (/^-pkcs12$/) {
    my $cname = $ARGV[1];
    $cname = "My Certificate" unless defined $cname;
-	    system ("$PKCS12 -in newcert.pem -inkey newkey.pem " .
+    $RET = run("$PKCS12 -in $NEWCERT -inkey $NEWKEY"
-			"-certfile ${CATOP}/$CACERT -out newcert.p12 " .
+            . " -certfile ${CATOP}/$CACERT"
-			"-export -name \"$cname\"");
+            . " -out $NEWP12"
-	    $RET=$?;
+            . " -export -name \"$cname\"");
-	    print "PKCS #12 file is in newcert.p12\n";
+    print "PKCS #12 file is in $NEWP12\n" if $RET == 0;
-	    exit $RET;
+} elsif ($WHAT eq '-xsign' ) {
-	} elsif (/^-xsign$/) {
+    $RET = run("$CA -policy policy_anything -infiles $NEWREQ");
-	    system ("$CA -policy policy_anything -infiles newreq.pem");
+} elsif ($WHAT eq '-sign' ) {
-	    $RET=$?;
+    $RET = run("$CA -policy policy_anything -out $NEWCERT -infiles $NEWREQ");
-	} elsif (/^(-sign|-signreq)$/) {
+    print "Signed certificate is in $NEWCERT\n" if $RET == 0;
-	    system ("$CA -policy policy_anything -out newcert.pem " .
+} elsif ($WHAT eq '-signCA' ) {
-							"-infiles newreq.pem");
+    $RET = run("$CA -policy policy_anything -out $NEWCERT"
-	    $RET=$?;
+            . " -extensions v3_ca -infiles $NEWREQ");
-	    print "Signed certificate is in newcert.pem\n";
+    print "Signed CA certificate is in $NEWCERT\n" if $RET == 0;
-	} elsif (/^(-signCA)$/) {
+} elsif ($WHAT eq '-signcert' ) {
-	    system ("$CA -policy policy_anything -out newcert.pem " .
+    $RET = run("$X509 -x509toreq -in $NEWREQ -signkey $NEWREQ"
-					"-extensions v3_ca -infiles newreq.pem");
+            . " -out tmp.pem");
-	    $RET=$?;
+    $RET = run("$CA -policy policy_anything -out $NEWCERT"
-	    print "Signed CA certificate is in newcert.pem\n";
+            . " -infiles tmp.pem") if $RET == 0;
-	} elsif (/^-signcert$/) {
+    print "Signed certificate is in $NEWCERT\n" if $RET == 0;
-	    system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " .
+} elsif ($WHAT eq '-verify' ) {
-								"-out tmp.pem");
+    my @files = @ARGV ? @ARGV : ( $NEWCERT );
-	    system ("$CA -policy policy_anything -out newcert.pem " .
+    my $file;
-							"-infiles tmp.pem");
+    foreach $file (@files) {
-	    $RET = $?;
+        my $status = run("$VERIFY -CAfile ${CATOP}/$CACERT $file");
-	    print "Signed certificate is in newcert.pem\n";
+        $RET = $status if $status != 0;
 	} elsif (/^-verify$/) {
 	    if (shift) {
 		foreach $j (@ARGV) {
 		    system ("$VERIFY -CAfile $CATOP/$CACERT $j");
 		    $RET=$? if ($? != 0);
    }
-		exit $RET;
+} elsif ($WHAT eq '-crl' ) {
-	    } else {
+    $RET = run("$CA -gencrl -out ${CATOP}/crl/$CACRL");
-		    system ("$VERIFY -CAfile $CATOP/$CACERT newcert.pem");
+    print "Generated CRL is in ${CATOP}/crl/$CACRL\n" if $RET == 0;
-		    $RET=$?;
+} elsif ($WHAT eq '-revoke' ) {
-	    	    exit 0;
+    my $cname = $ARGV[1];
-	    }
+    if (!defined $cname) {
-	} else {
+        print "Certificate filename is required; reason optional.\n";
 	    print STDERR "Unknown arg $_\n";
 	    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
        exit 1;
    }
    my $reason = $ARGV[2];
    $reason = " -crl_reason $reason"
        if defined $reason && crl_reason_ok($reason);
    $RET = run("$CA -revoke \"$cname\"" . $reason);
 } else {
    print STDERR "Unknown arg \"$WHAT\"\n";
    print STDERR "Use -help for help.\n";
    exit 1;
 }
 exit $RET;
 sub cp_pem {
 my ($infile, $outfile, $bound) = @_;
 open IN, $infile;
 open OUT, ">$outfile";
 my $flag = 0;
 while (<IN>) {
 	$flag = 1 if (/^-----BEGIN.*$bound/) ;
 	print OUT $_ if ($flag);
 	if (/^-----END.*$bound/) {
 		close IN;
 		close OUT;
 		return;
 	}
 }
 }
--- a/apps/CA.sh
+++ b/apps/CA.sh
@@ -1,198 +0,0 @@
 #!/bin/sh
 #
 # CA - wrapper around ca to make it easier to use ... basically ca requires
 #      some setup stuff to be done before you can use it and this makes
 #      things easier between now and when Eric is convinced to fix it :-)
 #
 # CA -newca ... will setup the right stuff
 # CA -newreq ... will generate a certificate request
 # CA -sign ... will sign the generated request and output
 #
 # At the end of that grab newreq.pem and newcert.pem (one has the key
 # and the other the certificate) and cat them together and that is what
 # you want/need ... I'll make even this a little cleaner later.
 #
 #
 # 12-Jan-96 tjh    Added more things ... including CA -signcert which
 #                  converts a certificate to a request and then signs it.
 # 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
 #                  environment variable so this can be driven from
 #                  a script.
 # 25-Jul-96 eay    Cleaned up filenames some more.
 # 11-Jun-96 eay    Fixed a few filename missmatches.
 # 03-May-96 eay    Modified to use 'ssleay cmd' instead of 'cmd'.
 # 18-Apr-96 tjh    Original hacking
 #
 # Tim Hudson
 # tjh@cryptsoft.com
 #
 # default openssl.cnf file has setup as per the following
 # demoCA ... where everything is stored
 cp_pem() {
    infile=$1
    outfile=$2
    bound=$3
    flag=0
    exec <$infile;
    while read line; do
 	if [ $flag -eq 1 ]; then
 		echo $line|grep "^-----END.*$bound"  2>/dev/null 1>/dev/null
 		if [ $? -eq 0 ] ; then
 			echo $line >>$outfile
 			break
 		else
 			echo $line >>$outfile
 		fi
 	fi
 	echo $line|grep "^-----BEGIN.*$bound"  2>/dev/null 1>/dev/null
 	if [ $? -eq 0 ]; then
 		echo $line >$outfile
 		flag=1
 	fi
    done
 }
 usage() {
 echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2
 }
 if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi
 if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi	# 1 year
 CADAYS="-days 1095"	# 3 years
 REQ="$OPENSSL req $SSLEAY_CONFIG"
 CA="$OPENSSL ca $SSLEAY_CONFIG"
 VERIFY="$OPENSSL verify"
 X509="$OPENSSL x509"
 PKCS12="openssl pkcs12"
 if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
 CAKEY=./cakey.pem
 CAREQ=./careq.pem
 CACERT=./cacert.pem
 RET=0
 while [ "$1" != "" ] ; do
 case $1 in
 -\?|-h|-help)
    usage
    exit 0
    ;;
 -newcert)
    # create a certificate
    $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
    RET=$?
    echo "Certificate is in newcert.pem, private key is in newkey.pem"
    ;;
 -newreq)
    # create a certificate request
    $REQ -new -keyout newkey.pem -out newreq.pem $DAYS
    RET=$?
    echo "Request is in newreq.pem, private key is in newkey.pem"
    ;;
 -newreq-nodes) 
    # create a certificate request
    $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
    RET=$?
    echo "Request (and private key) is in newreq.pem"
    ;;
 -newca)
    # if explicitly asked for or it doesn't exist then setup the directory
    # structure that Eric likes to manage things
    NEW="1"
    if [ "$NEW" -o ! -f ${CATOP}/serial ]; then
 	# create the directory hierarchy
 	mkdir -p ${CATOP}
 	mkdir -p ${CATOP}/certs
 	mkdir -p ${CATOP}/crl
 	mkdir -p ${CATOP}/newcerts
 	mkdir -p ${CATOP}/private
 	touch ${CATOP}/index.txt
    fi
    if [ ! -f ${CATOP}/private/$CAKEY ]; then
 	echo "CA certificate filename (or enter to create)"
 	read FILE
 	# ask user for existing CA certificate
 	if [ "$FILE" ]; then
 	    cp_pem $FILE ${CATOP}/private/$CAKEY PRIVATE
 	    cp_pem $FILE ${CATOP}/$CACERT CERTIFICATE
 	    RET=$?
 	    if [ ! -f "${CATOP}/serial" ]; then
 		$X509 -in ${CATOP}/$CACERT -noout -next_serial \
 		      -out ${CATOP}/serial
 	    fi
 	else
 	    echo "Making CA certificate ..."
 	    $REQ -new -keyout ${CATOP}/private/$CAKEY \
 			   -out ${CATOP}/$CAREQ
 	    $CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \
 			   -keyfile ${CATOP}/private/$CAKEY -selfsign \
 			   -extensions v3_ca \
 			   -infiles ${CATOP}/$CAREQ
 	    RET=$?
 	fi
    fi
    ;;
 -xsign)
    $CA -policy policy_anything -infiles newreq.pem
    RET=$?
    ;;
 -pkcs12)
    if [ -z "$2" ] ; then
 	CNAME="My Certificate"
    else
 	CNAME="$2"
    fi
    $PKCS12 -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \
 	    -out newcert.p12 -export -name "$CNAME"
    RET=$?
    exit $RET
    ;;
 -sign|-signreq)
    $CA -policy policy_anything -out newcert.pem -infiles newreq.pem
    RET=$?
    cat newcert.pem
    echo "Signed certificate is in newcert.pem"
    ;;
 -signCA)
    $CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem
    RET=$?
    echo "Signed CA certificate is in newcert.pem"
    ;;
 -signcert)
    echo "Cert passphrase will be requested twice - bug?"
    $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
    $CA -policy policy_anything -out newcert.pem -infiles tmp.pem
    RET=$?
    cat newcert.pem
    echo "Signed certificate is in newcert.pem"
    ;;
 -verify)
    shift
    if [ -z "$1" ]; then
 	    $VERIFY -CAfile $CATOP/$CACERT newcert.pem
 	    RET=$?
    else
 	for j
 	do
 	    $VERIFY -CAfile $CATOP/$CACERT $j
 	    if [ $? != 0 ]; then
 		    RET=$?
 	    fi
 	done
    fi
    exit $RET
    ;;
 *)
    echo "Unknown arg $i" >&2
    usage
    exit 1
    ;;
 esac
 shift
 done
 exit $RET
--- a/apps/Makefile
+++ b/apps/Makefile
--- a/apps/app_rand.c
+++ b/apps/app_rand.c
@@ -1,4 +1,3 @@
 /* apps/app_rand.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -109,50 +108,45 @@
 *
 */
 #define NON_MAIN
 #include "apps.h"
 #undef NON_MAIN
 #include <openssl/bio.h>
 #include <openssl/rand.h>
 static int seeded = 0;
 static int egdsocket = 0;
-int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn)
+int app_RAND_load_file(const char *file, int dont_warn)
 {
    int consider_randfile = (file == NULL);
    char buffer[200];
 #ifdef OPENSSL_SYS_WINDOWS
 	BIO_printf(bio_e,"Loading 'screen' into random state -");
 	BIO_flush(bio_e);
    RAND_screen();
 	BIO_printf(bio_e," done\n");
 #endif
    if (file == NULL)
        file = RAND_file_name(buffer, sizeof buffer);
-	else if (RAND_egd(file) > 0)
+    else if (RAND_egd(file) > 0) {
-		{
+        /*
-		/* we try if the given filename is an EGD socket.
+         * we try if the given filename is an EGD socket. if it is, we don't
-		   if it is, we don't write anything back to the file. */
+         * write anything back to the file.
         */
        egdsocket = 1;
        return 1;
    }
-	if (file == NULL || !RAND_load_file(file, -1))
+    if (file == NULL || !RAND_load_file(file, -1)) {
-		{
+        if (RAND_status() == 0) {
-		if (RAND_status() == 0)
+            if (!dont_warn) {
-			{
+                BIO_printf(bio_err, "unable to load 'random state'\n");
-			if (!dont_warn)
+                BIO_printf(bio_err,
-				{
+                           "This means that the random number generator has not been seeded\n");
-				BIO_printf(bio_e,"unable to load 'random state'\n");
+                BIO_printf(bio_err, "with much random data.\n");
-				BIO_printf(bio_e,"This means that the random number generator has not been seeded\n");
+                if (consider_randfile) { /* explanation does not apply when a
-				BIO_printf(bio_e,"with much random data.\n");
+                                          * file is explicitly named */
-				if (consider_randfile) /* explanation does not apply when a file is explicitly named */
+                    BIO_printf(bio_err,
-					{
+                               "Consider setting the RANDFILE environment variable to point at a file that\n");
-					BIO_printf(bio_e,"Consider setting the RANDFILE environment variable to point at a file that\n");
+                    BIO_printf(bio_err,
-					BIO_printf(bio_e,"'random' data can be kept in (the file will be overwritten).\n");
+                               "'random' data can be kept in (the file will be overwritten).\n");
                }
            }
            return 0;
@@ -169,44 +163,46 @@ long app_RAND_load_files(char *name)
    long tot = 0;
    int egd;
-	for (;;)
+    for (;;) {
 		{
        last = 0;
        for (p = name; ((*p != '\0') && (*p != LIST_SEPARATOR_CHAR)); p++) ;
-		if (*p == '\0') last=1;
+        if (*p == '\0')
            last = 1;
        *p = '\0';
        n = name;
        name = p + 1;
-		if (*n == '\0') break;
+        if (*n == '\0')
            break;
        egd = RAND_egd(n);
        if (egd > 0)
            tot += egd;
        else
            tot += RAND_load_file(n, -1);
-		if (last) break;
+        if (last)
            break;
    }
    if (tot > 512)
        app_RAND_allow_write_file();
    return (tot);
 }
-int app_RAND_write_file(const char *file, BIO *bio_e)
+int app_RAND_write_file(const char *file)
 {
    char buffer[200];
    if (egdsocket || !seeded)
-		/* If we did not manage to read the seed file,
+        /*
-		 * we should not write a low-entropy seed file back --
+         * If we did not manage to read the seed file, we should not write a
-		 * it would suppress a crucial warning the next time
+         * low-entropy seed file back -- it would suppress a crucial warning
-		 * we want to use it. */
+         * the next time we want to use it.
         */
        return 0;
    if (file == NULL)
        file = RAND_file_name(buffer, sizeof buffer);
-	if (file == NULL || !RAND_write_file(file))
+    if (file == NULL || !RAND_write_file(file)) {
-		{
+        BIO_printf(bio_err, "unable to write 'random state'\n");
 		BIO_printf(bio_e,"unable to write 'random state'\n");
        return 0;
    }
    return 1;
--- a/apps/apps.c
+++ b/apps/apps.c
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -113,7 +113,9 @@
 # define HEADER_APPS_H
 # include "e_os.h"
 # include <assert.h>
 # include <openssl/e_os2.h>
 # include <openssl/bio.h>
 # include <openssl/x509.h>
 # include <openssl/lhash.h>
@@ -126,148 +128,338 @@
 #  include <openssl/ocsp.h>
 # endif
 # include <openssl/ossl_typ.h>
 # ifndef OPENSSL_SYS_NETWARE
 #  include <signal.h>
 # endif
-int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn);
+# if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WINCE)
-int app_RAND_write_file(const char *file, BIO *bio_e);
+#  define openssl_fdset(a,b) FD_SET((unsigned int)a, b)
-/* When `file' is NULL, use defaults.
+# else
- * `bio_e' is for error messages. */
+#  define openssl_fdset(a,b) FD_SET(a, b)
 # endif
 int app_RAND_load_file(const char *file, int dont_warn);
 int app_RAND_write_file(const char *file);
 /*
 * When `file' is NULL, use defaults. `bio_e' is for error messages.
 */
 void app_RAND_allow_write_file(void);
 long app_RAND_load_files(char *file); /* `file' is a list of files to read,
                                       * separated by LIST_SEPARATOR_CHAR
                                       * (see e_os.h).  The string is
                                       * destroyed! */
 #ifndef MONOLITH
 #define MAIN(a,v)	main(a,v)
 #ifndef NON_MAIN
 CONF *config=NULL;
 BIO *bio_err=NULL;
 #else
 extern CONF *config;
 extern BIO *bio_err;
 #endif
 #else
 #define MAIN(a,v)	PROG(a,v)
 extern CONF *config;
 extern char *default_config_file;
 extern BIO *bio_in;
 extern BIO *bio_out;
 extern BIO *bio_err;
 BIO *dup_bio_in(int format);
 BIO *dup_bio_out(int format);
 BIO *bio_open_owner(const char *filename, int format, int private);
 BIO *bio_open_default(const char *filename, char mode, int format);
 BIO *bio_open_default_quiet(const char *filename, char mode, int format);
 CONF *app_load_config(const char *filename);
 CONF *app_load_config_quiet(const char *filename);
 int app_load_modules(const CONF *config);
 void unbuffer(FILE *fp);
 void wait_for_async(SSL *s);
-#endif
+/*
 * Common verification options.
 */
 # define OPT_V_ENUM \
        OPT_V__FIRST=2000, \
        OPT_V_POLICY, OPT_V_PURPOSE, OPT_V_VERIFY_NAME, OPT_V_VERIFY_DEPTH, \
        OPT_V_ATTIME, OPT_V_VERIFY_HOSTNAME, OPT_V_VERIFY_EMAIL, \
        OPT_V_VERIFY_IP, OPT_V_IGNORE_CRITICAL, OPT_V_ISSUER_CHECKS, \
        OPT_V_CRL_CHECK, OPT_V_CRL_CHECK_ALL, OPT_V_POLICY_CHECK, \
        OPT_V_EXPLICIT_POLICY, OPT_V_INHIBIT_ANY, OPT_V_INHIBIT_MAP, \
        OPT_V_X509_STRICT, OPT_V_EXTENDED_CRL, OPT_V_USE_DELTAS, \
        OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST, \
        OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, \
        OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, OPT_V_NO_CHECK_TIME, \
        OPT_V__LAST
-#ifndef OPENSSL_SYS_NETWARE
+# define OPT_V_OPTIONS \
-#include <signal.h>
+        { "policy", OPT_V_POLICY, 's' }, \
-#endif
+        { "purpose", OPT_V_PURPOSE, 's' }, \
        { "verify_name", OPT_V_VERIFY_NAME, 's' }, \
        { "verify_depth", OPT_V_VERIFY_DEPTH, 'p' }, \
        { "attime", OPT_V_ATTIME, 'p' }, \
        { "verify_hostname", OPT_V_VERIFY_HOSTNAME, 's' }, \
        { "verify_email", OPT_V_VERIFY_EMAIL, 's' }, \
        { "verify_ip", OPT_V_VERIFY_IP, 's' }, \
        { "ignore_critical", OPT_V_IGNORE_CRITICAL, '-' }, \
        { "issuer_checks", OPT_V_ISSUER_CHECKS, '-' }, \
        { "crl_check", OPT_V_CRL_CHECK, '-', "Check that peer cert has not been revoked" }, \
        { "crl_check_all", OPT_V_CRL_CHECK_ALL, '-', "Also check all certs in the chain" }, \
        { "policy_check", OPT_V_POLICY_CHECK, '-' }, \
        { "explicit_policy", OPT_V_EXPLICIT_POLICY, '-' }, \
        { "inhibit_any", OPT_V_INHIBIT_ANY, '-' }, \
        { "inhibit_map", OPT_V_INHIBIT_MAP, '-' }, \
        { "x509_strict", OPT_V_X509_STRICT, '-' }, \
        { "extended_crl", OPT_V_EXTENDED_CRL, '-' }, \
        { "use_deltas", OPT_V_USE_DELTAS, '-' }, \
        { "policy_print", OPT_V_POLICY_PRINT, '-' }, \
        { "check_ss_sig", OPT_V_CHECK_SS_SIG, '-' }, \
        { "trusted_first", OPT_V_TRUSTED_FIRST, '-', "Use locally-trusted CA's first in building chain" }, \
        { "suiteB_128_only", OPT_V_SUITEB_128_ONLY, '-' }, \
        { "suiteB_128", OPT_V_SUITEB_128, '-' }, \
        { "suiteB_192", OPT_V_SUITEB_192, '-' }, \
        { "partial_chain", OPT_V_PARTIAL_CHAIN, '-' }, \
        { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "Only use the first cert chain found" }, \
        { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "Do not check validity against current time" }
-#ifdef SIGPIPE
+# define OPT_V_CASES \
-#define do_pipe_sig()	signal(SIGPIPE,SIG_IGN)
+        OPT_V__FIRST: case OPT_V__LAST: break; \
-#else
+        case OPT_V_POLICY: \
-#define do_pipe_sig()
+        case OPT_V_PURPOSE: \
-#endif
+        case OPT_V_VERIFY_NAME: \
        case OPT_V_VERIFY_DEPTH: \
        case OPT_V_ATTIME: \
        case OPT_V_VERIFY_HOSTNAME: \
        case OPT_V_VERIFY_EMAIL: \
        case OPT_V_VERIFY_IP: \
        case OPT_V_IGNORE_CRITICAL: \
        case OPT_V_ISSUER_CHECKS: \
        case OPT_V_CRL_CHECK: \
        case OPT_V_CRL_CHECK_ALL: \
        case OPT_V_POLICY_CHECK: \
        case OPT_V_EXPLICIT_POLICY: \
        case OPT_V_INHIBIT_ANY: \
        case OPT_V_INHIBIT_MAP: \
        case OPT_V_X509_STRICT: \
        case OPT_V_EXTENDED_CRL: \
        case OPT_V_USE_DELTAS: \
        case OPT_V_POLICY_PRINT: \
        case OPT_V_CHECK_SS_SIG: \
        case OPT_V_TRUSTED_FIRST: \
        case OPT_V_SUITEB_128_ONLY: \
        case OPT_V_SUITEB_128: \
        case OPT_V_SUITEB_192: \
        case OPT_V_PARTIAL_CHAIN: \
        case OPT_V_NO_ALT_CHAINS: \
        case OPT_V_NO_CHECK_TIME
-#ifdef OPENSSL_NO_COMP
+/*
-#define zlib_cleanup() 
+ * Common "extended"? options.
-#else
+ */
-#define zlib_cleanup() COMP_zlib_cleanup()
+# define OPT_X_ENUM \
-#endif
+        OPT_X__FIRST=1000, \
        OPT_X_KEY, OPT_X_CERT, OPT_X_CHAIN, OPT_X_CHAIN_BUILD, \
        OPT_X_CERTFORM, OPT_X_KEYFORM, \
        OPT_X__LAST
-#if defined(MONOLITH) && !defined(OPENSSL_C)
+# define OPT_X_OPTIONS \
-#  define apps_startup() \
+        { "xkey", OPT_X_KEY, '<' }, \
-		do_pipe_sig()
+        { "xcert", OPT_X_CERT, '<' }, \
-#  define apps_shutdown()
+        { "xchain", OPT_X_CHAIN, '<' }, \
-#else
+        { "xchain_build", OPT_X_CHAIN_BUILD, '-' }, \
-#  ifndef OPENSSL_NO_ENGINE
+        { "xcertform", OPT_X_CERTFORM, 'F' }, \
-#    define apps_startup() \
+        { "xkeyform", OPT_X_KEYFORM, 'F' }
 			do { do_pipe_sig(); CRYPTO_malloc_init(); \
 			ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \
 			ENGINE_load_builtin_engines(); setup_ui_method(); } while(0)
 #    define apps_shutdown() \
 			do { CONF_modules_unload(1); destroy_ui_method(); \
 			OBJ_cleanup(); EVP_cleanup(); ENGINE_cleanup(); \
 			CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); \
 			ERR_free_strings(); zlib_cleanup();} while(0)
 #  else
 #    define apps_startup() \
 			do { do_pipe_sig(); CRYPTO_malloc_init(); \
 			ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \
 			setup_ui_method(); } while(0)
 #    define apps_shutdown() \
 			do { CONF_modules_unload(1); destroy_ui_method(); \
 			OBJ_cleanup(); EVP_cleanup(); \
 			CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); \
 			ERR_free_strings(); zlib_cleanup(); } while(0)
 #  endif
 #endif
-#ifdef OPENSSL_SYSNAME_WIN32
+# define OPT_X_CASES \
-#  define openssl_fdset(a,b) FD_SET((unsigned int)a, b)
+        OPT_X__FIRST: case OPT_X__LAST: break; \
-#else
+        case OPT_X_KEY: \
-#  define openssl_fdset(a,b) FD_SET(a, b)
+        case OPT_X_CERT: \
-#endif
+        case OPT_X_CHAIN: \
        case OPT_X_CHAIN_BUILD: \
        case OPT_X_CERTFORM: \
        case OPT_X_KEYFORM
 /*
 * Common SSL options.
 * Any changes here must be coordinated with ../ssl/ssl_conf.c
 */
 # define OPT_S_ENUM \
        OPT_S__FIRST=3000, \
        OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1, OPT_S_NOTLS1_2, \
        OPT_S_BUGS, OPT_S_NOCOMP, OPT_S_ECDHSINGLE, OPT_S_NOTICKET, \
        OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_LEGACYCONN, \
        OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_STRICT, OPT_S_SIGALGS, \
        OPT_S_CLIENTSIGALGS, OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, \
        OPT_S_DHPARAM, OPT_S_DEBUGBROKE, \
        OPT_S__LAST
-typedef struct args_st
+# define OPT_S_OPTIONS \
-	{
+        {"no_ssl3", OPT_S_NOSSL3, '-' }, \
-	char **data;
+        {"no_tls1", OPT_S_NOTLS1, '-' }, \
-	int count;
+        {"no_tls1_1", OPT_S_NOTLS1_1, '-' }, \
        {"no_tls1_2", OPT_S_NOTLS1_2, '-' }, \
        {"bugs", OPT_S_BUGS, '-' }, \
        {"no_comp", OPT_S_NOCOMP, '-', "Don't use SSL/TLS-level compression" }, \
        {"ecdh_single", OPT_S_ECDHSINGLE, '-' }, \
        {"no_ticket", OPT_S_NOTICKET, '-' }, \
        {"serverpref", OPT_S_SERVERPREF, '-' }, \
        {"legacy_renegotiation", OPT_S_LEGACYRENEG, '-' }, \
        {"legacy_server_connect", OPT_S_LEGACYCONN, '-' }, \
        {"no_resumption_on_reneg", OPT_S_ONRESUMP, '-' }, \
        {"no_legacy_server_connect", OPT_S_NOLEGACYCONN, '-' }, \
        {"strict", OPT_S_STRICT, '-' }, \
        {"sigalgs", OPT_S_SIGALGS, 's', \
            "Signature algorithms to support (colon-separated list)" }, \
        {"client_sigalgs", OPT_S_CLIENTSIGALGS, 's', \
            "Signature algorithms to support for client certificate" \
            " authentication (colon-separated list)" }, \
        {"curves", OPT_S_CURVES, 's', \
            "Elliptic curves to advertise (colon-separated list)" }, \
        {"named_curve", OPT_S_NAMEDCURVE, 's', \
            "Elliptic curve used for ECDHE (server-side only)" }, \
        {"cipher", OPT_S_CIPHER, 's', }, \
        {"dhparam", OPT_S_DHPARAM, '<' }, \
        {"debug_broken_protocol", OPT_S_DEBUGBROKE, '-' }
 # define OPT_S_CASES \
        OPT_S__FIRST: case OPT_S__LAST: break; \
        case OPT_S_NOSSL3: \
        case OPT_S_NOTLS1: \
        case OPT_S_NOTLS1_1: \
        case OPT_S_NOTLS1_2: \
        case OPT_S_BUGS: \
        case OPT_S_NOCOMP: \
        case OPT_S_ECDHSINGLE: \
        case OPT_S_NOTICKET: \
        case OPT_S_SERVERPREF: \
        case OPT_S_LEGACYRENEG: \
        case OPT_S_LEGACYCONN: \
        case OPT_S_ONRESUMP: \
        case OPT_S_NOLEGACYCONN: \
        case OPT_S_STRICT: \
        case OPT_S_SIGALGS: \
        case OPT_S_CLIENTSIGALGS: \
        case OPT_S_CURVES: \
        case OPT_S_NAMEDCURVE: \
        case OPT_S_CIPHER: \
        case OPT_S_DHPARAM: \
        case OPT_S_DEBUGBROKE
 /*
 * Option parsing.
 */
 extern const char OPT_HELP_STR[];
 extern const char OPT_MORE_STR[];
 typedef struct options_st {
    const char *name;
    int retval;
    /*
     * value type: - no value (also the value zero), n number, p positive
     * number, u unsigned, s string, < input file, > output file, f der/pem
     * format, F any format identifier.  n and u include zero; p does not.
     */
    int valtype;
    const char *helpstr;
 } OPTIONS;
 /*
 * A string/int pairing; widely use for option value lookup, hence the
 * name OPT_PAIR. But that name is misleading in s_cb.c, so we also use
 * the "generic" name STRINT_PAIR.
 */
 typedef struct string_int_pair_st {
    const char *name;
    int retval;
 } OPT_PAIR, STRINT_PAIR;
 /* Flags to pass into opt_format; see FORMAT_xxx, below. */
 # define OPT_FMT_PEMDER          (1L <<  1)
 # define OPT_FMT_PKCS12          (1L <<  2)
 # define OPT_FMT_SMIME           (1L <<  3)
 # define OPT_FMT_ENGINE          (1L <<  4)
 # define OPT_FMT_MSBLOB          (1L <<  5)
 # define OPT_FMT_NETSCAPE        (1L <<  6)
 # define OPT_FMT_NSS             (1L <<  7)
 # define OPT_FMT_TEXT            (1L <<  8)
 # define OPT_FMT_HTTP            (1L <<  9)
 # define OPT_FMT_PVK             (1L << 10)
 # define OPT_FMT_ANY     ( \
        OPT_FMT_PEMDER | OPT_FMT_PKCS12 | OPT_FMT_SMIME | \
        OPT_FMT_ENGINE | OPT_FMT_MSBLOB | OPT_FMT_NETSCAPE | \
        OPT_FMT_NSS | OPT_FMT_TEXT | OPT_FMT_HTTP | OPT_FMT_PVK)
 char *opt_progname(const char *argv0);
 char *opt_getprog(void);
 char *opt_init(int ac, char **av, const OPTIONS * o);
 int opt_next();
 int opt_format(const char *s, unsigned long flags, int *result);
 int opt_int(const char *arg, int *result);
 int opt_ulong(const char *arg, unsigned long *result);
 int opt_long(const char *arg, long *result);
 int opt_pair(const char *arg, const OPT_PAIR * pairs, int *result);
 int opt_cipher(const char *name, const EVP_CIPHER **cipherp);
 int opt_md(const char *name, const EVP_MD **mdp);
 char *opt_arg(void);
 char *opt_flag(void);
 char *opt_unknown(void);
 char *opt_reset(void);
 char **opt_rest(void);
 int opt_num_rest(void);
 int opt_verify(int i, X509_VERIFY_PARAM *vpm);
 void opt_help(const OPTIONS * list);
 int opt_format_error(const char *s, unsigned long flags);
 int opt_next(void);
 typedef struct args_st {
    int size;
    int argc;
    char **argv;
 } ARGS;
 # define PW_MIN_LENGTH 4
-typedef struct pw_cb_data
+typedef struct pw_cb_data {
 	{
    const void *password;
    const char *prompt_info;
 } PW_CB_DATA;
-int password_callback(char *buf, int bufsiz, int verify,
+int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_data);
 	PW_CB_DATA *cb_data);
 int setup_ui_method(void);
 void destroy_ui_method(void);
-int should_retry(int i);
+int chopup_args(ARGS *arg, char *buf);
 int args_from_file(char *file, int *argc, char **argv[]);
 int str2fmt(char *s);
 void program_name(char *in,char *out,int size);
 int chopup_args(ARGS *arg,char *buf, int *argc, char **argv[]);
 # ifdef HEADER_X509_H
 int dump_cert_text(BIO *out, X509 *x);
-void print_name(BIO *out, const char *title, X509_NAME *nm, unsigned long lflags);
+void print_name(BIO *out, const char *title, X509_NAME *nm,
                unsigned long lflags);
 # endif
 void print_bignum_var(BIO *, BIGNUM *, const char*, int, unsigned char *);
 void print_array(BIO *, const char *, int, const unsigned char *);
 int set_cert_ex(unsigned long *flags, const char *arg);
 int set_name_ex(unsigned long *flags, const char *arg);
 int set_ext_copy(int *copy_type, const char *arg);
 int copy_extensions(X509 *x, X509_REQ *req, int copy_type);
-int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2);
+int app_passwd(char *arg1, char *arg2, char **pass1, char **pass2);
-int add_oid_section(BIO *err, CONF *conf);
+int add_oid_section(CONF *conf);
-X509 *load_cert(BIO *err, const char *file, int format,
+X509 *load_cert(const char *file, int format,
                const char *pass, ENGINE *e, const char *cert_descrip);
-EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
+X509_CRL *load_crl(const char *infile, int format);
 int load_cert_crl_http(const char *url, X509 **pcert, X509_CRL **pcrl);
 EVP_PKEY *load_key(const char *file, int format, int maybe_stdin,
                   const char *pass, ENGINE *e, const char *key_descrip);
-EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
+EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
                      const char *pass, ENGINE *e, const char *key_descrip);
-STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
+STACK_OF(X509) *load_certs(const char *file, int format,
-	const char *pass, ENGINE *e, const char *cert_descrip);
+                           const char *pass, ENGINE *e,
-STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format,
+                           const char *cert_descrip);
-	const char *pass, ENGINE *e, const char *cert_descrip);
+STACK_OF(X509_CRL) *load_crls(const char *file, int format,
-X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath);
+                              const char *pass, ENGINE *e,
-#ifndef OPENSSL_NO_ENGINE
+                              const char *cert_descrip);
-ENGINE *setup_engine(BIO *err, const char *engine, int debug);
+X509_STORE *setup_verify(char *CAfile, char *CApath,
                         int noCAfile, int noCApath);
 int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile,
                             const char *CApath, int noCAfile, int noCApath);
 # ifdef OPENSSL_NO_ENGINE
 #  define setup_engine(engine, debug) NULL
 # else
 ENGINE *setup_engine(const char *engine, int debug);
 # endif
 # ifndef OPENSSL_NO_OCSP
-OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
+OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
-			char *host, char *path, char *port, int use_ssl,
+                                 const char *host, const char *path,
                                 const char *port, int use_ssl,
                                 STACK_OF(CONF_VALUE) *headers,
                                 int req_timeout);
 # endif
 int load_config(BIO *err, CONF *cnf);
 char *make_config_name(void);
 /* Functions defined in ca.c and also used in ocsp.c */
 int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold,
                   ASN1_GENERALIZEDTIME **pinvtm, const char *str);
@@ -277,31 +469,33 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold,
 # define DB_rev_date     2
 # define DB_serial       3      /* index - unique */
 # define DB_file         4
-#define DB_name         5       /* index - unique when active and not disabled */
+# define DB_name         5      /* index - unique when active and not
                                 * disabled */
 # define DB_NUMBER       6
 # define DB_TYPE_REV     'R'
 # define DB_TYPE_EXP     'E'
 # define DB_TYPE_VAL     'V'
-typedef struct db_attr_st
+typedef struct db_attr_st {
 	{
    int unique_subject;
 } DB_ATTR;
-typedef struct ca_db_st
+typedef struct ca_db_st {
 	{
    DB_ATTR attributes;
    TXT_DB *db;
 } CA_DB;
 void* app_malloc(int sz, const char *what);
 BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai);
-int save_serial(char *serialfile, char *suffix, BIGNUM *serial, ASN1_INTEGER **retai);
+int save_serial(char *serialfile, char *suffix, BIGNUM *serial,
                ASN1_INTEGER **retai);
 int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix);
 int rand_serial(BIGNUM *b, ASN1_INTEGER *ai);
 CA_DB *load_index(char *dbfile, DB_ATTR *dbattr);
 int index_index(CA_DB *db);
 int save_index(const char *dbfile, const char *suffix, CA_DB *db);
-int rotate_index(const char *dbfile, const char *new_suffix, const char *old_suffix);
+int rotate_index(const char *dbfile, const char *new_suffix,
                 const char *old_suffix);
 void free_index(CA_DB *db);
 # define index_name_cmp_noconst(a, b) \
        index_name_cmp((const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, a), \
@@ -309,19 +503,19 @@ void free_index(CA_DB *db);
 int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b);
 int parse_yesno(const char *str, int def);
-X509_NAME *parse_name(char *str, long chtype, int multirdn);
+X509_NAME *parse_name(const char *str, long chtype, int multirdn);
 int args_verify(char ***pargs, int *pargc,
-			int *badarg, BIO *err, X509_VERIFY_PARAM **pm);
+                int *badarg, X509_VERIFY_PARAM **pm);
-void policies_print(BIO *out, X509_STORE_CTX *ctx);
+void policies_print(X509_STORE_CTX *ctx);
 int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
 int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value);
-int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx,
+int init_gen_str(EVP_PKEY_CTX **pctx,
                 const char *algname, ENGINE *e, int do_param);
-int do_X509_sign(BIO *err, X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
+int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
                 STACK_OF(OPENSSL_STRING) *sigopts);
-int do_X509_REQ_sign(BIO *err, X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
+int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
                     STACK_OF(OPENSSL_STRING) *sigopts);
-int do_X509_CRL_sign(BIO *err, X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
+int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
                     STACK_OF(OPENSSL_STRING) *sigopts);
 # ifndef OPENSSL_NO_PSK
 extern char *psk_key;
@@ -331,20 +525,36 @@ void jpake_client_auth(BIO *out, BIO *conn, const char *secret);
 void jpake_server_auth(BIO *out, BIO *conn, const char *secret);
 # endif
 unsigned char *next_protos_parse(unsigned short *outlen, const char *in);
 void print_cert_checks(BIO *bio, X509 *x,
                       const char *checkhost,
                       const char *checkemail, const char *checkip);
 void store_setup_crl_download(X509_STORE *st);
 /* See OPT_FMT_xxx, above. */
 /* On some platforms, it's important to distinguish between text and binary
 * files.  On some, there might even be specific file formats for different
 * contents.  The FORMAT_xxx macros are meant to express an intent with the
 * file being read or created.
 */
 # define B_FORMAT_TEXT   0x8000
 # define FORMAT_UNDEF    0
-#define FORMAT_ASN1     1
+# define FORMAT_TEXT    (1 | B_FORMAT_TEXT)     /* Generic text */
-#define FORMAT_TEXT     2
+# define FORMAT_BINARY   2                      /* Generic binary */
-#define FORMAT_PEM      3
+# define FORMAT_BASE64  (3 | B_FORMAT_TEXT)     /* Base64 */
-#define FORMAT_NETSCAPE 4
+# define FORMAT_ASN1     4                      /* ASN.1/DER */
-#define FORMAT_PKCS12   5
+# define FORMAT_PEM     (5 | B_FORMAT_TEXT)
-#define FORMAT_SMIME    6
+# define FORMAT_PKCS12   6
-#define FORMAT_ENGINE   7
+# define FORMAT_SMIME   (7 | B_FORMAT_TEXT)
-#define FORMAT_IISSGC	8	/* XXX this stupid macro helps us to avoid
+# define FORMAT_ENGINE   8                      /* Not really a file format */
-				 * adding yet another param to load_*key() */
+# define FORMAT_PEMRSA  (9 | B_FORMAT_TEXT)     /* PEM RSAPubicKey format */
 #define FORMAT_PEMRSA	9	/* PEM RSAPubicKey format */
 # define FORMAT_ASN1RSA  10                     /* DER RSAPubicKey format */
 # define FORMAT_MSBLOB   11                     /* MS Key blob format */
 # define FORMAT_PVK      12                     /* MS PVK file format */
 # define FORMAT_HTTP     13                     /* Download using HTTP */
 # define FORMAT_NSS      14                     /* NSS keylog format */
 # define EXT_COPY_NONE   0
 # define EXT_COPY_ADD    1
@@ -356,17 +566,22 @@ void jpake_server_auth(BIO *out, BIO *conn, const char *secret);
 # define SERIAL_RAND_BITS        64
 int app_hex(char);
 int app_isdir(const char *);
 int app_access(const char *, int flag);
 int raw_read_stdin(void *, int);
 int raw_write_stdout(const void *, int);
 # define TM_START        0
 # define TM_STOP         1
 double app_tminterval(int stop, int usertime);
 #endif
-#define OPENSSL_NO_SSL_INTERN
+/* this is an accident waiting to happen (-Wshadow is your friend) */
 extern int verify_depth;
 extern int verify_quiet;
 extern int verify_error;
 extern int verify_return_error;
 # include "progs.h"
 #ifndef OPENSSL_NO_NEXTPROTONEG
 unsigned char *next_protos_parse(unsigned short *outlen, const char *in);
 #endif
--- a/apps/asn1pars.c
+++ b/apps/asn1pars.c
@@ -1,4 +1,3 @@
 /* apps/asn1pars.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -56,8 +55,9 @@
 * [including the GNU Public Licence.]
 */
-/* A nice addition from Dr Stephen Henson <steve@openssl.org> to 
+/*
- * add the -strparse option which parses nested binary structures
+ * A nice addition from Dr Stephen Henson <steve@openssl.org> to add the
 * -strparse option which parses nested binary structures
 */
 #include <stdio.h>
@@ -69,216 +69,162 @@
 #include <openssl/x509.h>
 #include <openssl/pem.h>
-/* -inform arg	- input format - default PEM (DER or PEM)
+typedef enum OPTION_choice {
- * -in arg	- input file - default stdin
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
- * -i		- indent the details by depth
+    OPT_INFORM, OPT_IN, OPT_OUT, OPT_INDENT, OPT_NOOUT,
- * -offset	- where in the file to start
+    OPT_OID, OPT_OFFSET, OPT_LENGTH, OPT_DUMP, OPT_DLIMIT,
- * -length	- how many bytes to use
+    OPT_STRPARSE, OPT_GENSTR, OPT_GENCONF, OPT_STRICTPEM
- * -oid file	- extra oid description file
+} OPTION_CHOICE;
 */
-#undef PROG
+OPTIONS asn1parse_options[] = {
-#define PROG	asn1parse_main
+    {"help", OPT_HELP, '-', "Display this summary"},
    {"inform", OPT_INFORM, 'F', "input format - one of DER PEM"},
    {"in", OPT_IN, '<', "input file"},
    {"out", OPT_OUT, '>', "output file (output format is always DER)"},
    {"i", OPT_INDENT, 0, "entries"},
    {"noout", OPT_NOOUT, 0, "don't produce any output"},
    {"offset", OPT_OFFSET, 'p', "offset into file"},
    {"length", OPT_LENGTH, 'p', "length of section in file"},
    {"oid", OPT_OID, '<', "file of extra oid definitions"},
    {"dump", OPT_DUMP, 0, "unknown data in hex form"},
    {"dlimit", OPT_DLIMIT, 'p',
     "dump the first arg bytes of unknown data in hex form"},
    {"strparse", OPT_STRPARSE, 's',
     "offset; a series of these can be used to 'dig'"},
    {OPT_MORE_STR, 0, 0, "into multiple ASN1 blob wrappings"},
    {"genstr", OPT_GENSTR, 's', "string to generate ASN1 structure from"},
    {"genconf", OPT_GENCONF, 's', "file to generate ASN1 structure from"},
    {OPT_MORE_STR, 0, 0, "(-inform  will be ignored)"},
    {"strictpem", OPT_STRICTPEM, 0,
     "do not attempt base64 decode outside PEM markers"},
    {NULL}
 };
-int MAIN(int, char **);
+static int do_generate(char *genstr, char *genconf, BUF_MEM *buf);
-static int do_generate(BIO *bio, char *genstr, char *genconf, BUF_MEM *buf);
+int asn1parse_main(int argc, char **argv)
 int MAIN(int argc, char **argv)
 {
-	int i,badops=0,offset=0,ret=1,j;
+    ASN1_TYPE *at = NULL;
-	unsigned int length=0;
+    BIO *in = NULL, *b64 = NULL, *derout = NULL;
 	long num,tmplen;
 	BIO *in=NULL,*out=NULL,*b64=NULL, *derout = NULL;
 	int informat,indent=0, noout = 0, dump = 0;
 	char *infile=NULL,*str=NULL,*prog,*oidfile=NULL, *derfile=NULL;
 	char *genstr=NULL, *genconf=NULL;
 	unsigned char *tmpbuf;
 	const unsigned char *ctmpbuf;
    BUF_MEM *buf = NULL;
    STACK_OF(OPENSSL_STRING) *osk = NULL;
-	ASN1_TYPE *at=NULL;
+    char *genstr = NULL, *genconf = NULL;
    char *infile = NULL, *str = NULL, *oidfile = NULL, *derfile = NULL;
    char *name = NULL, *header = NULL, *prog;
    const unsigned char *ctmpbuf;
    int indent = 0, noout = 0, dump = 0, strictpem = 0, informat = FORMAT_PEM;
    int offset = 0, ret = 1, i, j;
    long num, tmplen;
    unsigned char *tmpbuf;
    unsigned int length = 0;
    OPTION_CHOICE o;
-	informat=FORMAT_PEM;
+    prog = opt_init(argc, argv, asn1parse_options);
-	apps_startup();
+    if ((osk = sk_OPENSSL_STRING_new_null()) == NULL) {
-
+        BIO_printf(bio_err, "%s: Memory allocation failure\n", prog);
 	if (bio_err == NULL)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	if (!load_config(bio_err, NULL))
 		goto end;
 	prog=argv[0];
 	argc--;
 	argv++;
 	if ((osk=sk_OPENSSL_STRING_new_null()) == NULL)
 		{
 		BIO_printf(bio_err,"Memory allocation failure\n");
        goto end;
    }
-	while (argc >= 1)
+
-		{
+    while ((o = opt_next()) != OPT_EOF) {
-		if 	(strcmp(*argv,"-inform") == 0)
+        switch (o) {
-			{
+        case OPT_EOF:
-			if (--argc < 1) goto bad;
+        case OPT_ERR:
-			informat=str2fmt(*(++argv));
+ opthelp:
-			}
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
-		else if (strcmp(*argv,"-in") == 0)
+            goto end;
-			{
+        case OPT_HELP:
-			if (--argc < 1) goto bad;
+            opt_help(asn1parse_options);
-			infile= *(++argv);
+            ret = 0;
-			}
+            goto end;
-		else if (strcmp(*argv,"-out") == 0)
+        case OPT_INFORM:
-			{
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
-			if (--argc < 1) goto bad;
+                goto opthelp;
-			derfile= *(++argv);
+            break;
-			}
+        case OPT_IN:
-		else if (strcmp(*argv,"-i") == 0)
+            infile = opt_arg();
-			{
+            break;
        case OPT_OUT:
            derfile = opt_arg();
            break;
        case OPT_INDENT:
            indent = 1;
-			}
+            break;
-		else if (strcmp(*argv,"-noout") == 0) noout = 1;
+        case OPT_NOOUT:
-		else if (strcmp(*argv,"-oid") == 0)
+            noout = 1;
-			{
+            break;
-			if (--argc < 1) goto bad;
+        case OPT_OID:
-			oidfile= *(++argv);
+            oidfile = opt_arg();
-			}
+            break;
-		else if (strcmp(*argv,"-offset") == 0)
+        case OPT_OFFSET:
-			{
+            offset = strtol(opt_arg(), NULL, 0);
-			if (--argc < 1) goto bad;
+            break;
-			offset= atoi(*(++argv));
+        case OPT_LENGTH:
-			}
+            length = atoi(opt_arg());
-		else if (strcmp(*argv,"-length") == 0)
+            break;
-			{
+        case OPT_DUMP:
 			if (--argc < 1) goto bad;
 			length= atoi(*(++argv));
 			if (length == 0) goto bad;
 			}
 		else if (strcmp(*argv,"-dump") == 0)
 			{
            dump = -1;
-			}
+            break;
-		else if (strcmp(*argv,"-dlimit") == 0)
+        case OPT_DLIMIT:
-			{
+            dump = atoi(opt_arg());
-			if (--argc < 1) goto bad;
+            break;
-			dump= atoi(*(++argv));
+        case OPT_STRPARSE:
-			if (dump <= 0) goto bad;
+            sk_OPENSSL_STRING_push(osk, opt_arg());
-			}
+            break;
-		else if (strcmp(*argv,"-strparse") == 0)
+        case OPT_GENSTR:
-			{
+            genstr = opt_arg();
-			if (--argc < 1) goto bad;
+            break;
-			sk_OPENSSL_STRING_push(osk,*(++argv));
+        case OPT_GENCONF:
-			}
+            genconf = opt_arg();
-		else if (strcmp(*argv,"-genstr") == 0)
+            break;
-			{
+        case OPT_STRICTPEM:
-			if (--argc < 1) goto bad;
+            strictpem = 1;
-			genstr= *(++argv);
+            informat = FORMAT_PEM;
 			}
 		else if (strcmp(*argv,"-genconf") == 0)
 			{
 			if (--argc < 1) goto bad;
 			genconf= *(++argv);
 			}
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
 			badops=1;
            break;
        }
 		argc--;
 		argv++;
    }
    argc = opt_num_rest();
    argv = opt_rest();
-	if (badops)
+    if (oidfile != NULL) {
-		{
+        in = bio_open_default(oidfile, 'r', FORMAT_TEXT);
-bad:
+        if (in == NULL)
 		BIO_printf(bio_err,"%s [options] <infile\n",prog);
 		BIO_printf(bio_err,"where options are\n");
 		BIO_printf(bio_err," -inform arg   input format - one of DER PEM\n");
 		BIO_printf(bio_err," -in arg       input file\n");
 		BIO_printf(bio_err," -out arg      output file (output format is always DER\n");
 		BIO_printf(bio_err," -noout arg    don't produce any output\n");
 		BIO_printf(bio_err," -offset arg   offset into file\n");
 		BIO_printf(bio_err," -length arg   length of section in file\n");
 		BIO_printf(bio_err," -i            indent entries\n");
 		BIO_printf(bio_err," -dump         dump unknown data in hex form\n");
 		BIO_printf(bio_err," -dlimit arg   dump the first arg bytes of unknown data in hex form\n");
 		BIO_printf(bio_err," -oid file     file of extra oid definitions\n");
 		BIO_printf(bio_err," -strparse offset\n");
 		BIO_printf(bio_err,"               a series of these can be used to 'dig' into multiple\n");
 		BIO_printf(bio_err,"               ASN1 blob wrappings\n");
 		BIO_printf(bio_err," -genstr str   string to generate ASN1 structure from\n");
 		BIO_printf(bio_err," -genconf file file to generate ASN1 structure from\n");
            goto end;
 		}
 	ERR_load_crypto_strings();
 	in=BIO_new(BIO_s_file());
 	out=BIO_new(BIO_s_file());
 	if ((in == NULL) || (out == NULL))
 		{
 		ERR_print_errors(bio_err);
 		goto end;
 		}
 	BIO_set_fp(out,stdout,BIO_NOCLOSE|BIO_FP_TEXT);
 #ifdef OPENSSL_SYS_VMS
 	{
 	BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 	out = BIO_push(tmpbio, out);
 	}
 #endif
 	if (oidfile != NULL)
 		{
 		if (BIO_read_filename(in,oidfile) <= 0)
 			{
 			BIO_printf(bio_err,"problems opening %s\n",oidfile);
 			ERR_print_errors(bio_err);
 			goto end;
 			}
        OBJ_create_objects(in);
        BIO_free(in);
    }
-	if (infile == NULL)
+    if ((in = bio_open_default(infile, 'r', informat)) == NULL)
-		BIO_set_fp(in,stdin,BIO_NOCLOSE);
+        goto end;
-	else
+
-		{
+    if (derfile && (derout = bio_open_default(derfile, 'w', FORMAT_ASN1)) == NULL)
-		if (BIO_read_filename(in,infile) <= 0)
+        goto end;
-			{
+
-			perror(infile);
+    if (strictpem) {
        if (PEM_read_bio(in, &name, &header, (unsigned char **)&str, &num) !=
            1) {
            BIO_printf(bio_err, "Error reading PEM file\n");
            ERR_print_errors(bio_err);
            goto end;
        }
-		}
+    } else {
-	if (derfile) {
+        if ((buf = BUF_MEM_new()) == NULL)
-		if(!(derout = BIO_new_file(derfile, "wb"))) {
+            goto end;
-			BIO_printf(bio_err,"problems opening %s\n",derfile);
+        if (!BUF_MEM_grow(buf, BUFSIZ * 8))
            goto end;           /* Pre-allocate :-) */
        if (genstr || genconf) {
            num = do_generate(genstr, genconf, buf);
            if (num < 0) {
                ERR_print_errors(bio_err);
                goto end;
            }
        }
-	if ((buf=BUF_MEM_new()) == NULL) goto end;
+        else {
 	if (!BUF_MEM_grow(buf,BUFSIZ*8)) goto end; /* Pre-allocate :-) */
-	if (genstr || genconf)
+            if (informat == FORMAT_PEM) {
 		{
 		num = do_generate(bio_err, genstr, genconf, buf);
 		if (num < 0)
 			{
 			ERR_print_errors(bio_err);
 			goto end;
 			}
 		}
 	else
 		{
 		if (informat == FORMAT_PEM)
 			{
                BIO *tmp;
                if ((b64 = BIO_new(BIO_f_base64())) == NULL)
@@ -290,30 +236,31 @@ bad:
            }
            num = 0;
-		for (;;)
+            for (;;) {
-			{
+                if (!BUF_MEM_grow(buf, (int)num + BUFSIZ))
-			if (!BUF_MEM_grow(buf,(int)num+BUFSIZ)) goto end;
+                    goto end;
                i = BIO_read(in, &(buf->data[num]), BUFSIZ);
-			if (i <= 0) break;
+                if (i <= 0)
                    break;
                num += i;
            }
        }
        str = buf->data;
    }
    /* If any structs to parse go through in sequence */
-	if (sk_OPENSSL_STRING_num(osk))
+    if (sk_OPENSSL_STRING_num(osk)) {
 		{
        tmpbuf = (unsigned char *)str;
        tmplen = num;
-		for (i=0; i<sk_OPENSSL_STRING_num(osk); i++)
+        for (i = 0; i < sk_OPENSSL_STRING_num(osk); i++) {
 			{
            ASN1_TYPE *atmp;
            int typ;
            j = atoi(sk_OPENSSL_STRING_value(osk, i));
-			if (j == 0)
+            if (j == 0) {
-				{
+                BIO_printf(bio_err, "'%s' is an invalid number\n",
-				BIO_printf(bio_err,"'%s' is an invalid number\n",sk_OPENSSL_STRING_value(osk,i));
+                           sk_OPENSSL_STRING_value(osk, i));
                continue;
            }
            tmpbuf += j;
@@ -322,18 +269,16 @@ bad:
            ctmpbuf = tmpbuf;
            at = d2i_ASN1_TYPE(NULL, &ctmpbuf, tmplen);
            ASN1_TYPE_free(atmp);
-			if(!at)
+            if (!at) {
 				{
                BIO_printf(bio_err, "Error parsing structure\n");
                ERR_print_errors(bio_err);
                goto end;
            }
            typ = ASN1_TYPE_get(at);
            if ((typ == V_ASN1_OBJECT)
-				|| (typ == V_ASN1_NULL))
+                || (typ == V_ASN1_BOOLEAN)
-				{
+                || (typ == V_ASN1_NULL)) {
-				BIO_printf(bio_err, "Can't parse %s type\n",
+                BIO_printf(bio_err, "Can't parse %s type\n", ASN1_tag2str(typ));
 					typ == V_ASN1_NULL ? "NULL" : "OBJECT");
                ERR_print_errors(bio_err);
                goto end;
            }
@@ -345,15 +290,15 @@ bad:
        num = tmplen;
    }
-	if (offset >= num)
+    if (offset >= num) {
 		{
        BIO_printf(bio_err, "Error: offset too large\n");
        goto end;
    }
    num -= offset;
-	if ((length == 0) || ((long)length > num)) length=(unsigned int)num;
+    if ((length == 0) || ((long)length > num))
        length = (unsigned int)num;
    if (derout) {
        if (BIO_write(derout, str + offset, length) != (int)length) {
            BIO_printf(bio_err, "Error writing output\n");
@@ -362,46 +307,43 @@ bad:
        }
    }
    if (!noout &&
-	    !ASN1_parse_dump(out,(unsigned char *)&(str[offset]),length,
+        !ASN1_parse_dump(bio_out, (unsigned char *)&(str[offset]), length,
-		    indent,dump))
+                         indent, dump)) {
 		{
        ERR_print_errors(bio_err);
        goto end;
    }
    ret = 0;
 end:
    BIO_free(derout);
-	if (in != NULL) BIO_free(in);
+    BIO_free(in);
-	if (out != NULL) BIO_free_all(out);
+    BIO_free(b64);
 	if (b64 != NULL) BIO_free(b64);
    if (ret != 0)
        ERR_print_errors(bio_err);
-	if (buf != NULL) BUF_MEM_free(buf);
+    BUF_MEM_free(buf);
-	if (at != NULL) ASN1_TYPE_free(at);
+    OPENSSL_free(name);
-	if (osk != NULL) sk_OPENSSL_STRING_free(osk);
+    OPENSSL_free(header);
    if (strictpem)
        OPENSSL_free(str);
    ASN1_TYPE_free(at);
    sk_OPENSSL_STRING_free(osk);
    OBJ_cleanup();
-	apps_shutdown();
+    return (ret);
 	OPENSSL_EXIT(ret);
 }
-static int do_generate(BIO *bio, char *genstr, char *genconf, BUF_MEM *buf)
+static int do_generate(char *genstr, char *genconf, BUF_MEM *buf)
 {
    CONF *cnf = NULL;
    int len;
 	long errline;
    unsigned char *p;
    ASN1_TYPE *atyp = NULL;
-	if (genconf)
+    if (genconf) {
-		{
+        if ((cnf = app_load_config(genconf)) == NULL)
-		cnf = NCONF_new(NULL);
+            goto err;
 		if (!NCONF_load(cnf, genconf, &errline))
 			goto conferr;
        if (!genstr)
            genstr = NCONF_get_string(cnf, "default", "asn1");
-		if (!genstr)
+        if (!genstr) {
-			{
+            BIO_printf(bio_err, "Can't find 'asn1' in '%s'\n", genconf);
 			BIO_printf(bio, "Can't find 'asn1' in '%s'\n", genconf);
            goto err;
        }
    }
@@ -428,18 +370,8 @@ static int do_generate(BIO *bio, char *genstr, char *genconf, BUF_MEM *buf)
    ASN1_TYPE_free(atyp);
    return len;
 	conferr:
 	if (errline > 0)
 		BIO_printf(bio, "Error on line %ld of config file '%s'\n",
 							errline, genconf);
 	else
 		BIO_printf(bio, "Error loading config file '%s'\n", genconf);
 err:
    NCONF_free(cnf);
    ASN1_TYPE_free(atyp);
    return -1;
 }
--- a/apps/ca.c
+++ b/apps/ca.c
--- a/apps/ciphers.c
+++ b/apps/ciphers.c
@@ -1,4 +1,3 @@
 /* apps/ciphers.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -59,110 +58,129 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #ifdef OPENSSL_NO_STDIO
 #define APPS_WIN16
 #endif
 #include "apps.h"
 #include <openssl/err.h>
 #include <openssl/ssl.h>
-#undef PROG
+typedef enum OPTION_choice {
-#define PROG	ciphers_main
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_STDNAME,
    OPT_SSL3,
    OPT_TLS1,
    OPT_TLS1_1,
    OPT_TLS1_2,
    OPT_PSK,
    OPT_V, OPT_UPPER_V, OPT_S
 } OPTION_CHOICE;
-static const char *ciphers_usage[]={
+OPTIONS ciphers_options[] = {
-"usage: ciphers args\n",
+    {"help", OPT_HELP, '-', "Display this summary"},
-" -v          - verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL\n",
+    {"v", OPT_V, '-', "Verbose listing of the SSL/TLS ciphers"},
-" -V          - even more verbose\n",
+    {"V", OPT_UPPER_V, '-', "Even more verbose"},
-" -ssl2       - SSL2 mode\n",
+    {"s", OPT_S, '-', "Only supported ciphers"},
-" -ssl3       - SSL3 mode\n",
+    {"tls1", OPT_TLS1, '-', "TLS1 mode"},
-" -tls1       - TLS1 mode\n",
+    {"tls1_1", OPT_TLS1_1, '-', "TLS1.1 mode"},
-NULL
+    {"tls1_2", OPT_TLS1_2, '-', "TLS1.2 mode"},
-};
+#ifndef OPENSSL_NO_SSL_TRACE
-
+    {"stdname", OPT_STDNAME, '-', "Show standard cipher names"},
 int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	int ret=1,i;
 	int verbose=0,Verbose=0;
 	const char **pp;
 	const char *p;
 	int badops=0;
 	SSL_CTX *ctx=NULL;
 	SSL *ssl=NULL;
 	char *ciphers=NULL;
 	const SSL_METHOD *meth=NULL;
 	STACK_OF(SSL_CIPHER) *sk;
 	char buf[512];
 	BIO *STDout=NULL;
 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
 	meth=SSLv23_server_method();
 #elif !defined(OPENSSL_NO_SSL3)
 	meth=SSLv3_server_method();
 #elif !defined(OPENSSL_NO_SSL2)
 	meth=SSLv2_server_method();
 #endif
 	apps_startup();
 	if (bio_err == NULL)
 		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
 	STDout=BIO_new_fp(stdout,BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 	{
 	BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 	STDout = BIO_push(tmpbio, STDout);
 	}
 #endif
 	if (!load_config(bio_err, NULL))
 		goto end;
 	argc--;
 	argv++;
 	while (argc >= 1)
 		{
 		if (strcmp(*argv,"-v") == 0)
 			verbose=1;
 		else if (strcmp(*argv,"-V") == 0)
 			verbose=Verbose=1;
 #ifndef OPENSSL_NO_SSL2
 		else if (strcmp(*argv,"-ssl2") == 0)
 			meth=SSLv2_client_method();
 #endif
 #ifndef OPENSSL_NO_SSL3
-		else if (strcmp(*argv,"-ssl3") == 0)
+    {"ssl3", OPT_SSL3, '-', "SSL3 mode"},
 #endif
 #ifndef OPENSSL_NO_PSK
    {"psk", OPT_PSK, '-', "include ciphersuites requiring PSK"},
 #endif
    {NULL}
 };
 static unsigned int dummy_psk(SSL *ssl, const char *hint, char *identity,
                              unsigned int max_identity_len,
                              unsigned char *psk,
                              unsigned int max_psk_len)
 {
    return 0;
 }
 int ciphers_main(int argc, char **argv)
 {
    SSL_CTX *ctx = NULL;
    SSL *ssl = NULL;
    STACK_OF(SSL_CIPHER) *sk = NULL;
    const SSL_METHOD *meth = TLS_server_method();
    int ret = 1, i, verbose = 0, Verbose = 0, use_supported = 0;
 #ifndef OPENSSL_NO_SSL_TRACE
    int stdname = 0;
 #endif
 #ifndef OPENSSL_NO_PSK
    int psk = 0;
 #endif
    const char *p;
    char *ciphers = NULL, *prog;
    char buf[512];
    OPTION_CHOICE o;
    prog = opt_init(argc, argv, ciphers_options);
    while ((o = opt_next()) != OPT_EOF) {
        switch (o) {
        case OPT_EOF:
        case OPT_ERR:
 opthelp:
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
        case OPT_HELP:
            opt_help(ciphers_options);
            ret = 0;
            goto end;
        case OPT_V:
            verbose = 1;
            break;
        case OPT_UPPER_V:
            verbose = Verbose = 1;
            break;
        case OPT_S:
            use_supported = 1;
            break;
        case OPT_STDNAME:
 #ifndef OPENSSL_NO_SSL_TRACE
            stdname = verbose = 1;
 #endif
            break;
        case OPT_SSL3:
 #ifndef OPENSSL_NO_SSL3
            meth = SSLv3_client_method();
 #endif
-#ifndef OPENSSL_NO_TLS1
+            break;
-		else if (strcmp(*argv,"-tls1") == 0)
+        case OPT_TLS1:
            meth = TLSv1_client_method();
            break;
        case OPT_TLS1_1:
            meth = TLSv1_1_client_method();
            break;
        case OPT_TLS1_2:
            meth = TLSv1_2_client_method();
            break;
        case OPT_PSK:
 #ifndef OPENSSL_NO_PSK
            psk = 1;
 #endif
 		else if ((strncmp(*argv,"-h",2) == 0) ||
 			 (strcmp(*argv,"-?") == 0))
 			{
 			badops=1;
            break;
        }
-		else
+    }
-			{
+    argv = opt_rest();
    argc = opt_num_rest();
    if (argc == 1)
        ciphers = *argv;
-			}
+    else if (argc != 0)
-		argc--;
+        goto opthelp;
 		argv++;
 		}
 	if (badops)
 		{
 		for (pp=ciphers_usage; (*pp != NULL); pp++)
 			BIO_printf(bio_err,"%s",*pp);
 		goto end;
 		}
 	OpenSSL_add_ssl_algorithms();
    ctx = SSL_CTX_new(meth);
-	if (ctx == NULL) goto err;
+    if (ctx == NULL)
        goto err;
 #ifndef OPENSSL_NO_PSK
    if (psk)
        SSL_CTX_set_psk_client_callback(ctx, dummy_psk);
 #endif
    if (ciphers != NULL) {
        if (!SSL_CTX_set_cipher_list(ctx, ciphers)) {
            BIO_printf(bio_err, "Error in cipher list\n");
@@ -170,62 +188,65 @@ int MAIN(int argc, char **argv)
        }
    }
    ssl = SSL_new(ctx);
-	if (ssl == NULL) goto err;
+    if (ssl == NULL)
        goto err;
-
+    if (use_supported)
-	if (!verbose)
+        sk = SSL_get1_supported_ciphers(ssl);
-		{
+    else
 		for (i=0; ; i++)
 			{
 			p=SSL_get_cipher_list(ssl,i);
 			if (p == NULL) break;
 			if (i != 0) BIO_printf(STDout,":");
 			BIO_printf(STDout,"%s",p);
 			}
 		BIO_printf(STDout,"\n");
 		}
 	else /* verbose */
 		{
        sk = SSL_get_ciphers(ssl);
-		for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
+    if (!verbose) {
-			{
+        for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
            SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i);
            p = SSL_CIPHER_get_name(c);
            if (p == NULL)
                break;
            if (i != 0)
                BIO_printf(bio_out, ":");
            BIO_printf(bio_out, "%s", p);
        }
        BIO_printf(bio_out, "\n");
    } else {
        for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
            SSL_CIPHER *c;
            c = sk_SSL_CIPHER_value(sk, i);
-			if (Verbose)
+            if (Verbose) {
 				{
                unsigned long id = SSL_CIPHER_get_id(c);
                int id0 = (int)(id >> 24);
                int id1 = (int)((id >> 16) & 0xffL);
                int id2 = (int)((id >> 8) & 0xffL);
                int id3 = (int)(id & 0xffL);
-				if ((id & 0xff000000L) == 0x02000000L)
+                if ((id & 0xff000000L) == 0x03000000L)
-					BIO_printf(STDout, "     0x%02X,0x%02X,0x%02X - ", id1, id2, id3); /* SSL2 cipher */
+                    BIO_printf(bio_out, "          0x%02X,0x%02X - ", id2, id3); /* SSL3
-				else if ((id & 0xff000000L) == 0x03000000L)
+                                                                                  * cipher */
 					BIO_printf(STDout, "          0x%02X,0x%02X - ", id2, id3); /* SSL3 cipher */
                else
-					BIO_printf(STDout, "0x%02X,0x%02X,0x%02X,0x%02X - ", id0, id1, id2, id3); /* whatever */
+                    BIO_printf(bio_out, "0x%02X,0x%02X,0x%02X,0x%02X - ", id0, id1, id2, id3); /* whatever */
            }
-
+#ifndef OPENSSL_NO_SSL_TRACE
-			BIO_puts(STDout,SSL_CIPHER_description(c,buf,sizeof buf));
+            if (stdname) {
                const char *nm = SSL_CIPHER_standard_name(c);
                if (nm == NULL)
                    nm = "UNKNOWN";
                BIO_printf(bio_out, "%s - ", nm);
            }
 #endif
            BIO_puts(bio_out, SSL_CIPHER_description(c, buf, sizeof buf));
        }
    }
    ret = 0;
-	if (0)
+    goto end;
 		{
 err:
 		SSL_load_error_strings();
    ERR_print_errors(bio_err);
 		}
 end:
-	if (ctx != NULL) SSL_CTX_free(ctx);
+    if (use_supported)
-	if (ssl != NULL) SSL_free(ssl);
+        sk_SSL_CIPHER_free(sk);
-	if (STDout != NULL) BIO_free_all(STDout);
+    SSL_CTX_free(ctx);
-	apps_shutdown();
+    SSL_free(ssl);
-	OPENSSL_EXIT(ret);
+    return (ret);
 }
--- a/apps/client.pem
+++ b/apps/client.pem
@@ -1,24 +1,52 @@
-issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
+subject= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = Test Client Cert
-subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Client test cert (512 bit)
+issuer= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = OpenSSL Test Intermediate CA
 -----BEGIN CERTIFICATE-----
-MIIB6TCCAVICAQIwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV
+MIID5zCCAs+gAwIBAgIJALnu1NlVpZ6yMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
-BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYD
+BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMSIwIAYDVQQLDBlGT1IgVEVT
-VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNOTcwNjA5MTM1NzU2WhcNOTgwNjA5
+VElORyBQVVJQT1NFUyBPTkxZMSUwIwYDVQQDDBxPcGVuU1NMIFRlc3QgSW50ZXJt
-MTM1NzU2WjBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG
+ZWRpYXRlIENBMB4XDTExMTIwODE0MDE0OFoXDTIxMTAxNjE0MDE0OFowZDELMAkG
-A1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxIzAhBgNVBAMTGkNsaWVudCB0ZXN0IGNl
+A1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxIjAgBgNVBAsMGUZPUiBU
-cnQgKDUxMiBiaXQpMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALtv55QyzG6i2Plw
+RVNUSU5HIFBVUlBPU0VTIE9OTFkxGTAXBgNVBAMMEFRlc3QgQ2xpZW50IENlcnQw
-Z1pah7++Gv8L5j6Hnyr/uTZE1NLG0ABDDexmq/R4KedLjFEIYjocDui+IXs62NNt
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0ranbHRLcLVqN+0BzcZpY
-XrT8odkCAwEAATANBgkqhkiG9w0BAQQFAAOBgQBwtMmI7oGUG8nKmftQssATViH5
+yOLqxzDWT1LD9eW1stC4NzXX9/DCtSIVyN7YIHdGLrIPr64IDdXXaMRzgZ2rOKs
-NRRtoEw07DxJp/LfatHdrhqQB73eGdL5WILZJXk46Xz2e9WMSUjVCSYhdKxtflU3
+lmHCAiFpO/ja99gGCJRxH0xwQatqAULfJVHeUhs7OEGOZc2nWifjqKvGfNTilP7D
-UR2Ajv1Oo0sTNdfz0wDqJNirLNtzyhhsaq8qMTrLwXrCP31VxBiigFSQSUFnZyTE
+nwi69ipQFq9oS19FmhwVHk2wg7KZGHI1qDyG04UrfCZMRitvS9+UVhPpIPjuiBi2
-9TKwhS4GlwbtCfxSKQ==
+x3/FZIpL5gXJvvFK6xHY63oq2asyzBATntBgnP4qJFWWcvRx24wF1PnZabxuVoL2
 bPnQ/KvONDrw3IdqkKhYNTul7jEcu3OlcZIMw+7DiaKJLAzKb/bBF5gm/pwW6As9
 AgMBAAGjgY8wgYwwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwLAYJYIZI
 AYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQW
 BBSZHKyLoTh7Mb409Zn/mK1ceSDAjDAfBgNVHSMEGDAWgBQ2w2yI55X+sL3szj49
 hqshgYfa2jANBgkqhkiG9w0BAQUFAAOCAQEAD0mL7PtPYgCEuDyOQSbLpeND5hVS
 curxQdGnrJ6Acrhodb7E9ccATokeb0PLx6HBLQUicxhTZIQ9FbO43YkQcOU6C3BB
 IlwskqmtN6+VmrQzNolHCDzvxNZs9lYL2VbGPGqVRyjZeHpoAlf9cQr8PgDb4d4b
 vUx2KAhHQvV2nkmYvKyXcgnRuHggumF87mkxidriGAEFwH4qfOqetUg64WyxP7P2
 QLipm04SyQa7ONtIApfVXgHcE42Py4/f4arzCzMjKe3VyhGkS7nsT55X/fWgTaRm
 CQPkO+H94P958WTvQDt77bQ+D3IvYaVvfil8n6HJMOJfFT0LJuSUbpSXJg==
 -----END CERTIFICATE-----
 -----BEGIN RSA PRIVATE KEY-----
-MIIBOwIBAAJBALtv55QyzG6i2PlwZ1pah7++Gv8L5j6Hnyr/uTZE1NLG0ABDDexm
+MIIEpQIBAAKCAQEAtK2p2x0S3C1ajftAc3GaWPsji6scw1k9Sw/XltbLQuDc11/f
-q/R4KedLjFEIYjocDui+IXs62NNtXrT8odkCAwEAAQJAbwXq0vJ/+uyEvsNgxLko
+wwrUiFcje2CB3Ri6yD6+uCA3V12jEc4GdqzirJZhwgIhaTv42vfYBgiUcR9McEGr
-/V86mGXQ/KrSkeKlL0r4ENxjcyeMAGoKu6J9yMY7+X9+Zm4nxShNfTsf/+Freoe1
+agFC3yVR3lIbOzhBjmXNp1on46irxnzU4pT+w58IuvYqUBavaEtfRZocFR5NsIOy
-HQIhAPOSm5Q1YI+KIsII2GeVJx1U69+wnd71OasIPakS1L1XAiEAxQAW+J3/JWE0
+mRhyNag8htOFK3wmTEYrb0vflFYT6SD47ogYtsd/xWSKS+YFyb7xSusR2Ot6Ktmr
-ftEYakbhUOKL8tD1OaFZS71/5GdG7E8CIQCefUMmySSvwd6kC0VlATSWbW+d+jp/
+MswQE57QYJz+KiRVlnL0cduMBdT52Wm8blaC9mz50PyrzjQ68NyHapCoWDU7pe4x
-nWmM1KvqnAo5uQIhALqEADu5U1Wvt8UN8UDGBRPQulHWNycuNV45d3nnskWPAiAw
+HLtzpXGSDMPuw4miiSwMym/2wReYJv6cFugLPQIDAQABAoIBAAZOyc9MhIwLSU4L
-ueTyr6WsZ5+SD8g/Hy3xuvF3nPmJRH+rwvVihlcFOg==
+p4RgQvM4UVVe8/Id+3XTZ8NsXExJbWxXfIhiqGjaIfL8u4vsgRjcl+v1s/jo2/iT
 KMab4o4D8gXD7UavQVDjtjb/ta79WL3SjRl2Uc9YjjMkyq6WmDNQeo2NKDdafCTB
 1uzSJtLNipB8Z53ELPuHJhxX9QMHrMnuha49riQgXZ7buP9iQrHJFhImBjSzbxJx
 L+TI6rkyLSf9Wi0Pd3L27Ob3QWNfNRYNSeTE+08eSRChkur5W0RuXAcuAICdQlCl
 LBvWO/LmmvbzCqiDcgy/TliSb6CGGwgiNG7LJZmlkYNj8laGwalNlYZs3UrVv6NO
 Br2loAECgYEA2kvCvPGj0Dg/6g7WhXDvAkEbcaL1tSeCxBbNH+6HS2UWMWvyTtCn
 /bbD519QIdkvayy1QjEf32GV/UjUVmlULMLBcDy0DGjtL3+XpIhLKWDNxN1v1/ai
 1oz23ZJCOgnk6K4qtFtlRS1XtynjA+rBetvYvLP9SKeFrnpzCgaA2r0CgYEA0+KX
 1ACXDTNH5ySX3kMjSS9xdINf+OOw4CvPHFwbtc9aqk2HePlEsBTz5I/W3rKwXva3
 NqZ/bRqVVeZB/hHKFywgdUQk2Uc5z/S7Lw70/w1HubNTXGU06Ngb6zOFAo/o/TwZ
 zTP1BMIKSOB6PAZPS3l+aLO4FRIRotfFhgRHOoECgYEAmiZbqt8cJaJDB/5YYDzC
 mp3tSk6gIb936Q6M5VqkMYp9pIKsxhk0N8aDCnTU+kIK6SzWBpr3/d9Ecmqmfyq7
 5SvWO3KyVf0WWK9KH0abhOm2BKm2HBQvI0DB5u8sUx2/hsvOnjPYDISbZ11t0MtK
 u35Zy89yMYcSsIYJjG/ROCUCgYEAgI2P9G5PNxEP5OtMwOsW84Y3Xat/hPAQFlI+
 HES+AzbFGWJkeT8zL2nm95tVkFP1sggZ7Kxjz3w7cpx7GX0NkbWSE9O+T51pNASV
 tN1sQ3p5M+/a+cnlqgfEGJVvc7iAcXQPa3LEi5h2yPR49QYXAgG6cifn3dDSpmwn
 SUI7PQECgYEApGCIIpSRPLAEHTGmP87RBL1smurhwmy2s/pghkvUkWehtxg0sGHh
 kuaqDWcskogv+QC0sVdytiLSz8G0DwcEcsHK1Fkyb8A+ayiw6jWJDo2m9+IF4Fww
 1Te6jFPYDESnbhq7+TLGgHGhtwcu5cnb4vSuYXGXKupZGzoLOBbv1Zw=
 -----END RSA PRIVATE KEY-----
--- a/apps/cms.c
+++ b/apps/cms.c
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -1,4 +1,3 @@
 /* apps/crl.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -66,381 +65,332 @@
 #include <openssl/x509v3.h>
 #include <openssl/pem.h>
-#undef PROG
+typedef enum OPTION_choice {
-#define PROG	crl_main
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_INFORM, OPT_IN, OPT_OUTFORM, OPT_OUT, OPT_KEYFORM, OPT_KEY,
    OPT_ISSUER, OPT_LASTUPDATE, OPT_NEXTUPDATE, OPT_FINGERPRINT,
    OPT_CRLNUMBER, OPT_BADSIG, OPT_GENDELTA, OPT_CAPATH, OPT_CAFILE,
    OPT_NOCAPATH, OPT_NOCAFILE, OPT_VERIFY, OPT_TEXT, OPT_HASH, OPT_HASH_OLD,
    OPT_NOOUT, OPT_NAMEOPT, OPT_MD
 } OPTION_CHOICE;
-#undef POSTFIX
+OPTIONS crl_options[] = {
-#define	POSTFIX	".rvk"
+    {"help", OPT_HELP, '-', "Display this summary"},
-
+    {"inform", OPT_INFORM, 'F', "Input format; default PEM"},
-static const char *crl_usage[]={
+    {"in", OPT_IN, '<', "Input file - default stdin"},
-"usage: crl args\n",
+    {"outform", OPT_OUTFORM, 'F', "Output format - default PEM"},
-"\n",
+    {"out", OPT_OUT, '>', "output file - default stdout"},
-" -inform arg     - input format - default PEM (DER or PEM)\n",
+    {"keyform", OPT_KEYFORM, 'F'},
-" -outform arg    - output format - default PEM\n",
+    {"key", OPT_KEY, '<'},
-" -text           - print out a text format version\n",
+    {"issuer", OPT_ISSUER, '-', "Print issuer DN"},
-" -in arg         - input file - default stdin\n",
+    {"lastupdate", OPT_LASTUPDATE, '-', "Set lastUpdate field"},
-" -out arg        - output file - default stdout\n",
+    {"nextupdate", OPT_NEXTUPDATE, '-', "Set nextUpdate field"},
-" -hash           - print hash value\n",
+    {"noout", OPT_NOOUT, '-', "No CRL output"},
-" -fingerprint    - print the crl fingerprint\n",
+    {"fingerprint", OPT_FINGERPRINT, '-', "Print the crl fingerprint"},
-" -issuer         - print issuer DN\n",
+    {"crlnumber", OPT_CRLNUMBER, '-', "Print CRL number"},
-" -lastupdate     - lastUpdate field\n",
+    {"badsig", OPT_BADSIG, '-'},
-" -nextupdate     - nextUpdate field\n",
+    {"gendelta", OPT_GENDELTA, '<'},
-" -crlnumber      - print CRL number\n",
+    {"CApath", OPT_CAPATH, '/', "Verify CRL using certificates in dir"},
-" -noout          - no CRL output\n",
+    {"CAfile", OPT_CAFILE, '<', "Verify CRL using certificates in file name"},
-" -CAfile  name   - verify CRL using certificates in file \"name\"\n",
+    {"no-CAfile", OPT_NOCAFILE, '-',
-" -CApath  dir    - verify CRL using certificates in \"dir\"\n",
+     "Do not load the default certificates file"},
-" -nameopt arg    - various certificate name options\n",
+    {"no-CApath", OPT_NOCAPATH, '-',
-NULL
+     "Do not load certificates from the default certificates directory"},
    {"verify", OPT_VERIFY, '-'},
    {"text", OPT_TEXT, '-', "Print out a text format version"},
    {"hash", OPT_HASH, '-', "Print hash value"},
    {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
    {"", OPT_MD, '-', "Any supported digest"},
 #ifndef OPENSSL_NO_MD5
    {"hash_old", OPT_HASH_OLD, '-', "Print old-style (MD5) hash value"},
 #endif
    {NULL}
 };
-static X509_CRL *load_crl(char *file, int format);
+int crl_main(int argc, char **argv)
 static BIO *bio_out=NULL;
 int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 {
 	unsigned long nmflag = 0;
    X509_CRL *x = NULL;
 	char *CAfile = NULL, *CApath = NULL;
 	int ret=1,i,num,badops=0;
    BIO *out = NULL;
 	int informat,outformat;
 	char *infile=NULL,*outfile=NULL;
 	int hash=0,issuer=0,lastupdate=0,nextupdate=0,noout=0,text=0;
 	int fingerprint = 0, crlnumber = 0;
 	const char **pp;
    X509_STORE *store = NULL;
    X509_STORE_CTX ctx;
    X509_LOOKUP *lookup = NULL;
    X509_OBJECT xobj;
    EVP_PKEY *pkey;
-	int do_ver = 0;
+    const EVP_MD *digest = EVP_sha1();
-	const EVP_MD *md_alg,*digest=EVP_sha1();
+    unsigned long nmflag = 0;
    char nmflag_set = 0;
    char *infile = NULL, *outfile = NULL, *crldiff = NULL, *keyfile = NULL;
    char *CAfile = NULL, *CApath = NULL, *prog;
    OPTION_CHOICE o;
    int hash = 0, issuer = 0, lastupdate = 0, nextupdate = 0, noout = 0;
    int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyformat = FORMAT_PEM;
    int ret = 1, num = 0, badsig = 0, fingerprint = 0, crlnumber = 0;
    int text = 0, do_ver = 0, noCAfile = 0, noCApath = 0;
    int i;
 #ifndef OPENSSL_NO_MD5
    int hash_old = 0;
 #endif
-	apps_startup();
+    prog = opt_init(argc, argv, crl_options);
-
+    while ((o = opt_next()) != OPT_EOF) {
-	if (bio_err == NULL)
+        switch (o) {
-		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+        case OPT_EOF:
-			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+        case OPT_ERR:
-
+ opthelp:
-	if (!load_config(bio_err, NULL))
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
-
+        case OPT_HELP:
-	if (bio_out == NULL)
+            opt_help(crl_options);
-		if ((bio_out=BIO_new(BIO_s_file())) != NULL)
+            ret = 0;
-			{
+            goto end;
-			BIO_set_fp(bio_out,stdout,BIO_NOCLOSE);
+        case OPT_INFORM:
-#ifdef OPENSSL_SYS_VMS
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
-			{
+                goto opthelp;
 			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 			bio_out = BIO_push(tmpbio, bio_out);
 			}
 #endif
 			}
 	informat=FORMAT_PEM;
 	outformat=FORMAT_PEM;
 	argc--;
 	argv++;
 	num=0;
 	while (argc >= 1)
 		{
 #ifdef undef
 		if	(strcmp(*argv,"-p") == 0)
 			{
 			if (--argc < 1) goto bad;
 			if (!args_from_file(++argv,Nargc,Nargv)) { goto end; }*/
 			}
 #endif
 		if 	(strcmp(*argv,"-inform") == 0)
 			{
 			if (--argc < 1) goto bad;
 			informat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-outform") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outformat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-in") == 0)
 			{
 			if (--argc < 1) goto bad;
 			infile= *(++argv);
 			}
 		else if (strcmp(*argv,"-out") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 		else if (strcmp(*argv,"-CApath") == 0)
 			{
 			if (--argc < 1) goto bad;
 			CApath = *(++argv);
 			do_ver = 1;
 			}
 		else if (strcmp(*argv,"-CAfile") == 0)
 			{
 			if (--argc < 1) goto bad;
 			CAfile = *(++argv);
 			do_ver = 1;
 			}
 		else if (strcmp(*argv,"-verify") == 0)
 			do_ver = 1;
 		else if (strcmp(*argv,"-text") == 0)
 			text = 1;
 		else if (strcmp(*argv,"-hash") == 0)
 			hash= ++num;
 		else if (strcmp(*argv,"-nameopt") == 0)
 			{
 			if (--argc < 1) goto bad;
 			if (!set_name_ex(&nmflag, *(++argv))) goto bad;
 			}
 		else if (strcmp(*argv,"-issuer") == 0)
 			issuer= ++num;
 		else if (strcmp(*argv,"-lastupdate") == 0)
 			lastupdate= ++num;
 		else if (strcmp(*argv,"-nextupdate") == 0)
 			nextupdate= ++num;
 		else if (strcmp(*argv,"-noout") == 0)
 			noout= ++num;
 		else if (strcmp(*argv,"-fingerprint") == 0)
 			fingerprint= ++num;
 		else if (strcmp(*argv,"-crlnumber") == 0)
 			crlnumber= ++num;
 		else if ((md_alg=EVP_get_digestbyname(*argv + 1)))
 			{
 			/* ok */
 			digest=md_alg;
 			}
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
 			badops=1;
            break;
        case OPT_IN:
            infile = opt_arg();
            break;
        case OPT_OUTFORM:
            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
                goto opthelp;
            break;
        case OPT_OUT:
            outfile = opt_arg();
            break;
        case OPT_KEYFORM:
            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyformat))
                goto opthelp;
            break;
        case OPT_KEY:
            keyfile = opt_arg();
            break;
        case OPT_GENDELTA:
            crldiff = opt_arg();
            break;
        case OPT_CAPATH:
            CApath = opt_arg();
            do_ver = 1;
            break;
        case OPT_CAFILE:
            CAfile = opt_arg();
            do_ver = 1;
            break;
        case OPT_NOCAPATH:
            noCApath =  1;
            break;
        case OPT_NOCAFILE:
            noCAfile =  1;
            break;
        case OPT_HASH_OLD:
 #ifndef OPENSSL_NO_MD5
            hash_old = ++num;
 #endif
            break;
        case OPT_VERIFY:
            do_ver = 1;
            break;
        case OPT_TEXT:
            text = 1;
            break;
        case OPT_HASH:
            hash = ++num;
            break;
        case OPT_ISSUER:
            issuer = ++num;
            break;
        case OPT_LASTUPDATE:
            lastupdate = ++num;
            break;
        case OPT_NEXTUPDATE:
            nextupdate = ++num;
            break;
        case OPT_NOOUT:
            noout = ++num;
            break;
        case OPT_FINGERPRINT:
            fingerprint = ++num;
            break;
        case OPT_CRLNUMBER:
            crlnumber = ++num;
            break;
        case OPT_BADSIG:
            badsig = 1;
            break;
        case OPT_NAMEOPT:
            nmflag_set = 1;
            if (!set_name_ex(&nmflag, opt_arg()))
                goto opthelp;
            break;
        case OPT_MD:
            if (!opt_md(opt_unknown(), &digest))
                goto opthelp;
        }
 		argc--;
 		argv++;
    }
    argc = opt_num_rest();
    argv = opt_rest();
-	if (badops)
+    if (!nmflag_set)
-		{
+        nmflag = XN_FLAG_ONELINE;
 bad:
 		for (pp=crl_usage; (*pp != NULL); pp++)
 			BIO_printf(bio_err,"%s",*pp);
 		goto end;
 		}
 	ERR_load_crypto_strings();
    x = load_crl(infile, informat);
-	if (x == NULL) { goto end; }
+    if (x == NULL)
        goto end;
    if (do_ver) {
-		store = X509_STORE_new();
+        if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL)
            goto end;
        lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
-		if (lookup == NULL) goto end;
+        if (lookup == NULL)
-		if (!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM))
+            goto end;
 			X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
 		lookup=X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir());
 		if (lookup == NULL) goto end;
 		if (!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM))
 			X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
 		ERR_clear_error();
        if (!X509_STORE_CTX_init(&ctx, store, NULL, NULL)) {
-			BIO_printf(bio_err,
+            BIO_printf(bio_err, "Error initialising X509 store\n");
 				"Error initialising X509 store\n");
            goto end;
        }
        i = X509_STORE_get_by_subject(&ctx, X509_LU_X509,
                                      X509_CRL_get_issuer(x), &xobj);
        if (i <= 0) {
-			BIO_printf(bio_err,
+            BIO_printf(bio_err, "Error getting CRL issuer certificate\n");
 				"Error getting CRL issuer certificate\n");
            goto end;
        }
        pkey = X509_get_pubkey(xobj.data.x509);
        X509_OBJECT_free_contents(&xobj);
        if (!pkey) {
-			BIO_printf(bio_err,
+            BIO_printf(bio_err, "Error getting CRL issuer public key\n");
 				"Error getting CRL issuer public key\n");
            goto end;
        }
        i = X509_CRL_verify(x, pkey);
        EVP_PKEY_free(pkey);
-		if(i < 0) goto end;
+        if (i < 0)
-		if(i == 0) BIO_printf(bio_err, "verify failure\n");
+            goto end;
-		else BIO_printf(bio_err, "verify OK\n");
+        if (i == 0)
            BIO_printf(bio_err, "verify failure\n");
        else
            BIO_printf(bio_err, "verify OK\n");
    }
-	if (num)
+    if (crldiff) {
-		{
+        X509_CRL *newcrl, *delta;
-		for (i=1; i<=num; i++)
+        if (!keyfile) {
-			{
+            BIO_puts(bio_err, "Missing CRL signing key\n");
-			if (issuer == i)
+            goto end;
 				{
 				print_name(bio_out, "issuer=", X509_CRL_get_issuer(x), nmflag);
        }
-			if (crlnumber == i)
+        newcrl = load_crl(crldiff, informat);
-				{
+        if (!newcrl)
            goto end;
        pkey = load_key(keyfile, keyformat, 0, NULL, NULL, "CRL signing key");
        if (!pkey) {
            X509_CRL_free(newcrl);
            goto end;
        }
        delta = X509_CRL_diff(x, newcrl, pkey, digest, 0);
        X509_CRL_free(newcrl);
        EVP_PKEY_free(pkey);
        if (delta) {
            X509_CRL_free(x);
            x = delta;
        } else {
            BIO_puts(bio_err, "Error creating delta CRL\n");
            goto end;
        }
    }
    if (num) {
        for (i = 1; i <= num; i++) {
            if (issuer == i) {
                print_name(bio_out, "issuer=", X509_CRL_get_issuer(x),
                           nmflag);
            }
            if (crlnumber == i) {
                ASN1_INTEGER *crlnum;
-				crlnum = X509_CRL_get_ext_d2i(x, NID_crl_number,
+                crlnum = X509_CRL_get_ext_d2i(x, NID_crl_number, NULL, NULL);
 							      NULL, NULL);
                BIO_printf(bio_out, "crlNumber=");
-				if (crlnum)
+                if (crlnum) {
 					{
                    i2a_ASN1_INTEGER(bio_out, crlnum);
                    ASN1_INTEGER_free(crlnum);
-					}
+                } else
 				else
                    BIO_puts(bio_out, "<NONE>");
                BIO_printf(bio_out, "\n");
            }
-			if (hash == i)
+            if (hash == i) {
 				{
                BIO_printf(bio_out, "%08lx\n",
                           X509_NAME_hash(X509_CRL_get_issuer(x)));
            }
-			if (lastupdate == i)
+#ifndef OPENSSL_NO_MD5
-				{
+            if (hash_old == i) {
                BIO_printf(bio_out, "%08lx\n",
                           X509_NAME_hash_old(X509_CRL_get_issuer(x)));
            }
 #endif
            if (lastupdate == i) {
                BIO_printf(bio_out, "lastUpdate=");
-				ASN1_TIME_print(bio_out,
+                ASN1_TIME_print(bio_out, X509_CRL_get_lastUpdate(x));
 						X509_CRL_get_lastUpdate(x));
                BIO_printf(bio_out, "\n");
            }
-			if (nextupdate == i)
+            if (nextupdate == i) {
 				{
                BIO_printf(bio_out, "nextUpdate=");
                if (X509_CRL_get_nextUpdate(x))
-					ASN1_TIME_print(bio_out,
+                    ASN1_TIME_print(bio_out, X509_CRL_get_nextUpdate(x));
 						X509_CRL_get_nextUpdate(x));
                else
                    BIO_printf(bio_out, "NONE");
                BIO_printf(bio_out, "\n");
            }
-			if (fingerprint == i)
+            if (fingerprint == i) {
 				{
                int j;
                unsigned int n;
                unsigned char md[EVP_MAX_MD_SIZE];
-				if (!X509_CRL_digest(x,digest,md,&n))
+                if (!X509_CRL_digest(x, digest, md, &n)) {
 					{
                    BIO_printf(bio_err, "out of memory\n");
                    goto end;
                }
                BIO_printf(bio_out, "%s Fingerprint=",
                           OBJ_nid2sn(EVP_MD_type(digest)));
-				for (j=0; j<(int)n; j++)
+                for (j = 0; j < (int)n; j++) {
-					{
+                    BIO_printf(bio_out, "%02X%c", md[j], (j + 1 == (int)n)
 					BIO_printf(bio_out,"%02X%c",md[j],
 						(j+1 == (int)n)
                               ? '\n' : ':');
                }
            }
        }
    }
-
+    out = bio_open_default(outfile, 'w', outformat);
 	out=BIO_new(BIO_s_file());
    if (out == NULL)
 		{
 		ERR_print_errors(bio_err);
        goto end;
 		}
-	if (outfile == NULL)
+    if (text)
-		{
+        X509_CRL_print(out, x);
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
 			{
 			perror(outfile);
 			goto end;
 			}
 		}
-	if (text) X509_CRL_print(out, x);
+    if (noout) {
 	if (noout) 
 		{
        ret = 0;
        goto end;
    }
    if (badsig) {
        ASN1_BIT_STRING *sig;
        unsigned char *psig;
        X509_CRL_get0_signature(&sig, NULL, x);
        psig = ASN1_STRING_data(sig);
        psig[ASN1_STRING_length(sig) - 1] ^= 0x1;
    }
    if (outformat == FORMAT_ASN1)
        i = (int)i2d_X509_CRL_bio(out, x);
 	else if (outformat == FORMAT_PEM)
 		i=PEM_write_bio_X509_CRL(out,x);
    else
-		{
+        i = PEM_write_bio_X509_CRL(out, x);
-		BIO_printf(bio_err,"bad output format specified for outfile\n");
+    if (!i) {
        BIO_printf(bio_err, "unable to write CRL\n");
        goto end;
    }
 	if (!i) { BIO_printf(bio_err,"unable to write CRL\n"); goto end; }
    ret = 0;
 end:
    if (ret != 0)
        ERR_print_errors(bio_err);
    BIO_free_all(out);
 	BIO_free_all(bio_out);
 	bio_out=NULL;
    X509_CRL_free(x);
    if (store) {
        X509_STORE_CTX_cleanup(&ctx);
        X509_STORE_free(store);
    }
-	apps_shutdown();
+    return (ret);
 	OPENSSL_EXIT(ret);
 }
 static X509_CRL *load_crl(char *infile, int format)
 	{
 	X509_CRL *x=NULL;
 	BIO *in=NULL;
 	in=BIO_new(BIO_s_file());
 	if (in == NULL)
 		{
 		ERR_print_errors(bio_err);
 		goto end;
 		}
 	if (infile == NULL)
 		BIO_set_fp(in,stdin,BIO_NOCLOSE);
 	else
 		{
 		if (BIO_read_filename(in,infile) <= 0)
 			{
 			perror(infile);
 			goto end;
 			}
 		}
 	if 	(format == FORMAT_ASN1)
 		x=d2i_X509_CRL_bio(in,NULL);
 	else if (format == FORMAT_PEM)
 		x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
 	else	{
 		BIO_printf(bio_err,"bad input format specified for input crl\n");
 		goto end;
 		}
 	if (x == NULL)
 		{
 		BIO_printf(bio_err,"unable to load CRL\n");
 		ERR_print_errors(bio_err);
 		goto end;
 		}
 end:
 	BIO_free(in);
 	return(x);
 	}
--- a/apps/crl2p7.c
+++ b/apps/crl2p7.c
@@ -1,4 +1,3 @@
 /* apps/crl2p7.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -56,9 +55,11 @@
 * [including the GNU Public Licence.]
 */
-/* This was written by Gordon Chaffee <chaffee@plateau.cs.berkeley.edu>
+/*
- * and donated 'to the cause' along with lots and lots of other fixes to
+ * This was written by Gordon Chaffee <chaffee@plateau.cs.berkeley.edu> and
- * the library. */
+ * donated 'to the cause' along with lots and lots of other fixes to the
 * library.
 */
 #include <stdio.h>
 #include <string.h>
@@ -72,164 +73,123 @@
 #include <openssl/objects.h>
 static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile);
 #undef PROG
 #define PROG	crl2pkcs7_main
-/* -inform arg	- input format - default PEM (DER or PEM)
+typedef enum OPTION_choice {
- * -outform arg - output format - default PEM
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
- * -in arg	- input file - default stdin
+    OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_NOCRL, OPT_CERTFILE
- * -out arg	- output file - default stdout
+} OPTION_CHOICE;
 */
-int MAIN(int, char **);
+OPTIONS crl2pkcs7_options[] = {
    {"help", OPT_HELP, '-', "Display this summary"},
    {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
    {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
    {"in", OPT_IN, '<', "Input file"},
    {"out", OPT_OUT, '>', "Output file"},
    {"nocrl", OPT_NOCRL, '-', "No crl to load, just certs from '-certfile'"},
    {"certfile", OPT_CERTFILE, '<',
     "File of chain of certs to a trusted CA; can be repeated"},
    {NULL}
 };
-int MAIN(int argc, char **argv)
+int crl2pkcs7_main(int argc, char **argv)
 {
 	int i,badops=0;
    BIO *in = NULL, *out = NULL;
 	int informat,outformat;
 	char *infile,*outfile,*prog,*certfile;
    PKCS7 *p7 = NULL;
    PKCS7_SIGNED *p7s = NULL;
 	X509_CRL *crl=NULL;
    STACK_OF(OPENSSL_STRING) *certflst = NULL;
 	STACK_OF(X509_CRL) *crl_stack=NULL;
    STACK_OF(X509) *cert_stack = NULL;
-	int ret=1,nocrl=0;
+    STACK_OF(X509_CRL) *crl_stack = NULL;
    X509_CRL *crl = NULL;
    char *infile = NULL, *outfile = NULL, *prog, *certfile;
    int i = 0, informat = FORMAT_PEM, outformat = FORMAT_PEM, ret = 1, nocrl =
        0;
    OPTION_CHOICE o;
-	apps_startup();
+    prog = opt_init(argc, argv, crl2pkcs7_options);
-
+    while ((o = opt_next()) != OPT_EOF) {
-	if (bio_err == NULL)
+        switch (o) {
-		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+        case OPT_EOF:
-			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+        case OPT_ERR:
-
+ opthelp:
-	infile=NULL;
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
-	outfile=NULL;
+            goto end;
-	informat=FORMAT_PEM;
+        case OPT_HELP:
-	outformat=FORMAT_PEM;
+            opt_help(crl2pkcs7_options);
-
+            ret = 0;
-	prog=argv[0];
+            goto end;
-	argc--;
+        case OPT_INFORM:
-	argv++;
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
-	while (argc >= 1)
+                goto opthelp;
-		{
+            break;
-		if 	(strcmp(*argv,"-inform") == 0)
+        case OPT_OUTFORM:
-			{
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
-			if (--argc < 1) goto bad;
+                goto opthelp;
-			informat=str2fmt(*(++argv));
+            break;
-			}
+        case OPT_IN:
-		else if (strcmp(*argv,"-outform") == 0)
+            infile = opt_arg();
-			{
+            break;
-			if (--argc < 1) goto bad;
+        case OPT_OUT:
-			outformat=str2fmt(*(++argv));
+            outfile = opt_arg();
-			}
+            break;
-		else if (strcmp(*argv,"-in") == 0)
+        case OPT_NOCRL:
 			{
 			if (--argc < 1) goto bad;
 			infile= *(++argv);
 			}
 		else if (strcmp(*argv,"-nocrl") == 0)
 			{
            nocrl = 1;
            break;
        case OPT_CERTFILE:
            if ((certflst == NULL)
                && (certflst = sk_OPENSSL_STRING_new_null()) == NULL)
                goto end;
            if (!sk_OPENSSL_STRING_push(certflst, *(++argv))) {
                sk_OPENSSL_STRING_free(certflst);
                goto end;
            }
 		else if (strcmp(*argv,"-out") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 		else if (strcmp(*argv,"-certfile") == 0)
 			{
 			if (--argc < 1) goto bad;
 			if(!certflst) certflst = sk_OPENSSL_STRING_new_null();
 			sk_OPENSSL_STRING_push(certflst,*(++argv));
 			}
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
 			badops=1;
            break;
        }
 		argc--;
 		argv++;
    }
    argc = opt_num_rest();
    argv = opt_rest();
-	if (badops)
+    if (!nocrl) {
-		{
+        in = bio_open_default(infile, 'r', informat);
-bad:
+        if (in == NULL)
 		BIO_printf(bio_err,"%s [options] <infile >outfile\n",prog);
 		BIO_printf(bio_err,"where options are\n");
 		BIO_printf(bio_err," -inform arg    input format - DER or PEM\n");
 		BIO_printf(bio_err," -outform arg   output format - DER or PEM\n");
 		BIO_printf(bio_err," -in arg        input file\n");
 		BIO_printf(bio_err," -out arg       output file\n");
 		BIO_printf(bio_err," -certfile arg  certificates file of chain to a trusted CA\n");
 		BIO_printf(bio_err,"                (can be used more than once)\n");
 		BIO_printf(bio_err," -nocrl         no crl to load, just certs from '-certfile'\n");
 		ret = 1;
            goto end;
 		}
 	ERR_load_crypto_strings();
 	in=BIO_new(BIO_s_file());
 	out=BIO_new(BIO_s_file());
 	if ((in == NULL) || (out == NULL))
 		{
 		ERR_print_errors(bio_err);
 		goto end;
 		}
 	if (!nocrl)
 		{
 		if (infile == NULL)
 			BIO_set_fp(in,stdin,BIO_NOCLOSE);
 		else
 			{
 			if (BIO_read_filename(in,infile) <= 0)
 				{
 				perror(infile);
 				goto end;
 				}
 			}
        if (informat == FORMAT_ASN1)
            crl = d2i_X509_CRL_bio(in, NULL);
        else if (informat == FORMAT_PEM)
            crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
-		else	{
+        if (crl == NULL) {
 			BIO_printf(bio_err,"bad input format specified for input crl\n");
 			goto end;
 			}
 		if (crl == NULL)
 			{
            BIO_printf(bio_err, "unable to load CRL\n");
            ERR_print_errors(bio_err);
            goto end;
        }
    }
-	if ((p7=PKCS7_new()) == NULL) goto end;
+    if ((p7 = PKCS7_new()) == NULL)
-	if ((p7s=PKCS7_SIGNED_new()) == NULL) goto end;
+        goto end;
    if ((p7s = PKCS7_SIGNED_new()) == NULL)
        goto end;
    p7->type = OBJ_nid2obj(NID_pkcs7_signed);
    p7->d.sign = p7s;
    p7s->contents->type = OBJ_nid2obj(NID_pkcs7_data);
-	if (!ASN1_INTEGER_set(p7s->version,1)) goto end;
+    if (!ASN1_INTEGER_set(p7s->version, 1))
-	if ((crl_stack=sk_X509_CRL_new_null()) == NULL) goto end;
+        goto end;
    if ((crl_stack = sk_X509_CRL_new_null()) == NULL)
        goto end;
    p7s->crl = crl_stack;
-	if (crl != NULL)
+    if (crl != NULL) {
 		{
        sk_X509_CRL_push(crl_stack, crl);
        crl = NULL;             /* now part of p7 for OPENSSL_freeing */
    }
-	if ((cert_stack=sk_X509_new_null()) == NULL) goto end;
+    if ((cert_stack = sk_X509_new_null()) == NULL)
        goto end;
    p7s->cert = cert_stack;
-	if(certflst) for(i = 0; i < sk_OPENSSL_STRING_num(certflst); i++) {
+    if (certflst)
        for (i = 0; i < sk_OPENSSL_STRING_num(certflst); i++) {
            certfile = sk_OPENSSL_STRING_value(certflst, i);
-		if (add_certs_from_file(cert_stack,certfile) < 0)
+            if (add_certs_from_file(cert_stack, certfile) < 0) {
 			{
                BIO_printf(bio_err, "error loading certificates\n");
                ERR_print_errors(bio_err);
                goto end;
@@ -238,51 +198,30 @@ bad:
    sk_OPENSSL_STRING_free(certflst);
-	if (outfile == NULL)
+    out = bio_open_default(outfile, 'w', outformat);
-		{
+    if (out == NULL)
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
 			{
 			perror(outfile);
        goto end;
 			}
 		}
    if (outformat == FORMAT_ASN1)
        i = i2d_PKCS7_bio(out, p7);
    else if (outformat == FORMAT_PEM)
        i = PEM_write_bio_PKCS7(out, p7);
-	else	{
+    if (!i) {
 		BIO_printf(bio_err,"bad output format specified for outfile\n");
 		goto end;
 		}
 	if (!i)
 		{
        BIO_printf(bio_err, "unable to write pkcs7 object\n");
        ERR_print_errors(bio_err);
        goto end;
    }
    ret = 0;
 end:
-	if (in != NULL) BIO_free(in);
+    BIO_free(in);
-	if (out != NULL) BIO_free_all(out);
+    BIO_free_all(out);
-	if (p7 != NULL) PKCS7_free(p7);
+    PKCS7_free(p7);
-	if (crl != NULL) X509_CRL_free(crl);
+    X509_CRL_free(crl);
-	apps_shutdown();
+    return (ret);
 	OPENSSL_EXIT(ret);
 }
-/*
+/*-
 *----------------------------------------------------------------------
 * int add_certs_from_file
 *
@@ -300,9 +239,8 @@ static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile)
    STACK_OF(X509_INFO) *sk = NULL;
    X509_INFO *xi;
-	in=BIO_new(BIO_s_file());
+    in = BIO_new_file(certfile, "r");
-	if ((in == NULL) || (BIO_read_filename(in,certfile) <= 0))
+    if (in == NULL) {
 		{
        BIO_printf(bio_err, "error opening the file, %s\n", certfile);
        goto end;
    }
@@ -315,11 +253,9 @@ static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile)
    }
    /* scan over it and pull out the CRL's */
-	while (sk_X509_INFO_num(sk))
+    while (sk_X509_INFO_num(sk)) {
 		{
        xi = sk_X509_INFO_shift(sk);
-		if (xi->x509 != NULL)
+        if (xi->x509 != NULL) {
 			{
            sk_X509_push(stack, xi->x509);
            xi->x509 = NULL;
            count++;
@@ -330,8 +266,7 @@ static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile)
    ret = count;
 end:
    /* never need to OPENSSL_free x */
-	if (in != NULL) BIO_free(in);
+    BIO_free(in);
-	if (sk != NULL) sk_X509_INFO_free(sk);
+    sk_X509_INFO_free(sk);
    return (ret);
 }
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -1,4 +1,3 @@
 /* apps/dgst.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -71,252 +70,198 @@
 #undef BUFSIZE
 #define BUFSIZE 1024*8
 #undef PROG
 #define PROG	dgst_main
 int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
          EVP_PKEY *key, unsigned char *sigin, int siglen,
          const char *sig_name, const char *md_name,
          const char *file, BIO *bmd);
-static void list_md_fn(const EVP_MD *m,
+typedef enum OPTION_choice {
-			const char *from, const char *to, void *arg)
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
-	{
+    OPT_C, OPT_R, OPT_RAND, OPT_OUT, OPT_SIGN, OPT_PASSIN, OPT_VERIFY,
-	const char *mname;
+    OPT_PRVERIFY, OPT_SIGNATURE, OPT_KEYFORM, OPT_ENGINE, OPT_ENGINE_IMPL,
-	/* Skip aliases */
+    OPT_HEX, OPT_BINARY, OPT_DEBUG, OPT_FIPS_FINGERPRINT,
-	if (!m)
+    OPT_NON_FIPS_ALLOW, OPT_HMAC, OPT_MAC, OPT_SIGOPT, OPT_MACOPT,
-		return;
+    OPT_DIGEST
-	mname = OBJ_nid2ln(EVP_MD_type(m));
+} OPTION_CHOICE;
 	/* Skip shortnames */
 	if (strcmp(from, mname))
 		return;
 	/* Skip clones */
 	if (EVP_MD_flags(m) & EVP_MD_FLAG_PKEY_DIGEST)
 		return;
 	if (strchr(mname, ' '))
 		mname= EVP_MD_name(m);
 	BIO_printf(arg, "-%-14s to use the %s message digest algorithm\n",
 			mname, mname);
 	}
-int MAIN(int, char **);
+OPTIONS dgst_options[] = {
-
+    {OPT_HELP_STR, 1, '-', "Usage: %s [options] [file...]\n"},
-int MAIN(int argc, char **argv)
+    {OPT_HELP_STR, 1, '-',
-	{
+        "  file... files to digest (default is stdin)\n"},
-	ENGINE *e = NULL, *impl = NULL;
+    {"help", OPT_HELP, '-', "Display this summary"},
-	unsigned char *buf=NULL;
+    {"c", OPT_C, '-', "Print the digest with separating colons"},
-	int i,err=1;
+    {"r", OPT_R, '-', "Print the digest in coreutils format"},
-	const EVP_MD *md=NULL,*m;
+    {"rand", OPT_RAND, 's'},
-	BIO *in=NULL,*inp;
+    {"out", OPT_OUT, '>', "Output to filename rather than stdout"},
-	BIO *bmd=NULL;
+    {"passin", OPT_PASSIN, 's'},
-	BIO *out = NULL;
+    {"sign", OPT_SIGN, '<', "Sign digest using private key in file"},
-#define PROG_NAME_SIZE  39
+    {"verify", OPT_VERIFY, '<',
-	char pname[PROG_NAME_SIZE+1];
+     "Verify a signature using public key in file"},
-	int separator=0;
+    {"prverify", OPT_PRVERIFY, '<',
-	int debug=0;
+     "Verify a signature using private key in file"},
-	int keyform=FORMAT_PEM;
+    {"signature", OPT_SIGNATURE, '<', "File with signature to verify"},
-	const char *outfile = NULL, *keyfile = NULL;
+    {"keyform", OPT_KEYFORM, 'f', "Key file format (PEM or ENGINE)"},
-	const char *sigfile = NULL, *randfile = NULL;
+    {"hex", OPT_HEX, '-', "Print as hex dump"},
-	int out_bin = -1, want_pub = 0, do_verify = 0;
+    {"binary", OPT_BINARY, '-', "Print in binary form"},
-	EVP_PKEY *sigkey = NULL;
+    {"d", OPT_DEBUG, '-', "Print debug info"},
-	unsigned char *sigbuf = NULL;
+    {"debug", OPT_DEBUG, '-'},
-	int siglen = 0;
+    {"fips-fingerprint", OPT_FIPS_FINGERPRINT, '-'},
-	char *passargin = NULL, *passin = NULL;
+    {"non-fips-allow", OPT_NON_FIPS_ALLOW, '-'},
    {"hmac", OPT_HMAC, 's', "Create hashed MAC with key"},
    {"mac", OPT_MAC, 's', "Create MAC (not neccessarily HMAC)"},
    {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
    {"macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form or key"},
    {"", OPT_DIGEST, '-', "Any supported digest"},
 #ifndef OPENSSL_NO_ENGINE
-	char *engine=NULL;
+    {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
-	int engine_impl = 0;
+    {"engine_impl", OPT_ENGINE_IMPL, '-'},
 #endif
    {NULL}
 };
 int dgst_main(int argc, char **argv)
 {
    BIO *in = NULL, *inp, *bmd = NULL, *out = NULL;
    ENGINE *e = NULL, *impl = NULL;
    EVP_PKEY *sigkey = NULL;
    STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL;
    char *hmac_key = NULL;
    char *mac_name = NULL;
-	STACK_OF(OPENSSL_STRING) *sigopts = NULL, *macopts = NULL;
+    char *passinarg = NULL, *passin = NULL;
    const EVP_MD *md = NULL, *m;
    const char *outfile = NULL, *keyfile = NULL, *prog = NULL;
    const char *sigfile = NULL, *randfile = NULL;
    OPTION_CHOICE o;
    int separator = 0, debug = 0, keyform = FORMAT_PEM, siglen = 0;
    int i, ret = 1, out_bin = -1, want_pub = 0, do_verify =
        0, non_fips_allow = 0;
    unsigned char *buf = NULL, *sigbuf = NULL;
    int engine_impl = 0;
-	apps_startup();
+    prog = opt_progname(argv[0]);
    buf = app_malloc(BUFSIZE, "I/O buffer");
    md = EVP_get_digestbyname(prog);
-	if ((buf=(unsigned char *)OPENSSL_malloc(BUFSIZE)) == NULL)
+    prog = opt_init(argc, argv, dgst_options);
-		{
+    while ((o = opt_next()) != OPT_EOF) {
-		BIO_printf(bio_err,"out of memory\n");
+        switch (o) {
        case OPT_EOF:
        case OPT_ERR:
 opthelp:
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
-		}
+        case OPT_HELP:
-	if (bio_err == NULL)
+            opt_help(dgst_options);
-		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+            ret = 0;
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	if (!load_config(bio_err, NULL))
            goto end;
-
+        case OPT_C:
 	/* first check the program name */
 	program_name(argv[0],pname,sizeof pname);
 	md=EVP_get_digestbyname(pname);
 	argc--;
 	argv++;
 	while (argc > 0)
 		{
 		if ((*argv)[0] != '-') break;
 		if (strcmp(*argv,"-c") == 0)
            separator = 1;
-		else if (strcmp(*argv,"-r") == 0)
+            break;
        case OPT_R:
            separator = 2;
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) break;
 			randfile=*(++argv);
 			}
 		else if (strcmp(*argv,"-out") == 0)
 			{
 			if (--argc < 1) break;
 			outfile=*(++argv);
 			}
 		else if (strcmp(*argv,"-sign") == 0)
 			{
 			if (--argc < 1) break;
 			keyfile=*(++argv);
 			}
 		else if (!strcmp(*argv,"-passin"))
 			{
 			if (--argc < 1)
            break;
-			passargin=*++argv;
+        case OPT_RAND:
-			}
+            randfile = opt_arg();
-		else if (strcmp(*argv,"-verify") == 0)
+            break;
-			{
+        case OPT_OUT:
-			if (--argc < 1) break;
+            outfile = opt_arg();
-			keyfile=*(++argv);
+            break;
-			want_pub = 1;
+        case OPT_SIGN:
            keyfile = opt_arg();
            break;
        case OPT_PASSIN:
            passinarg = opt_arg();
            break;
        case OPT_VERIFY:
            keyfile = opt_arg();
            want_pub = do_verify = 1;
            break;
        case OPT_PRVERIFY:
            keyfile = opt_arg();
            do_verify = 1;
-			}
+            break;
-		else if (strcmp(*argv,"-prverify") == 0)
+        case OPT_SIGNATURE:
-			{
+            sigfile = opt_arg();
-			if (--argc < 1) break;
+            break;
-			keyfile=*(++argv);
+        case OPT_KEYFORM:
-			do_verify = 1;
+            if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform))
-			}
+                goto opthelp;
-		else if (strcmp(*argv,"-signature") == 0)
+            break;
-			{
+        case OPT_ENGINE:
-			if (--argc < 1) break;
+            e = setup_engine(opt_arg(), 0);
-			sigfile=*(++argv);
+            break;
-			}
+        case OPT_ENGINE_IMPL:
 		else if (strcmp(*argv,"-keyform") == 0)
 			{
 			if (--argc < 1) break;
 			keyform=str2fmt(*(++argv));
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) break;
 			engine= *(++argv);
        		e = setup_engine(bio_err, engine, 0);
 			}
 		else if (strcmp(*argv,"-engine_impl") == 0)
            engine_impl = 1;
-#endif
+            break;
-		else if (strcmp(*argv,"-hex") == 0)
+        case OPT_HEX:
            out_bin = 0;
-		else if (strcmp(*argv,"-binary") == 0)
+            break;
        case OPT_BINARY:
            out_bin = 1;
-		else if (strcmp(*argv,"-d") == 0)
+            break;
        case OPT_DEBUG:
            debug = 1;
-		else if (!strcmp(*argv,"-fips-fingerprint"))
+            break;
        case OPT_FIPS_FINGERPRINT:
            hmac_key = "etaonrishdlcupfm";
 		else if (!strcmp(*argv,"-hmac"))
 			{
 			if (--argc < 1)
            break;
-			hmac_key=*++argv;
+        case OPT_NON_FIPS_ALLOW:
-			}
+            non_fips_allow = 1;
 		else if (!strcmp(*argv,"-mac"))
 			{
 			if (--argc < 1)
            break;
-			mac_name=*++argv;
+        case OPT_HMAC:
-			}
+            hmac_key = opt_arg();
 		else if (strcmp(*argv,"-sigopt") == 0)
 			{
 			if (--argc < 1)
            break;
        case OPT_MAC:
            mac_name = opt_arg();
            break;
        case OPT_SIGOPT:
            if (!sigopts)
                sigopts = sk_OPENSSL_STRING_new_null();
-			if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, *(++argv)))
+            if (!sigopts || !sk_OPENSSL_STRING_push(sigopts, opt_arg()))
-				break;
+                goto opthelp;
 			}
 		else if (strcmp(*argv,"-macopt") == 0)
 			{
 			if (--argc < 1)
            break;
        case OPT_MACOPT:
            if (!macopts)
                macopts = sk_OPENSSL_STRING_new_null();
-			if (!macopts || !sk_OPENSSL_STRING_push(macopts, *(++argv)))
+            if (!macopts || !sk_OPENSSL_STRING_push(macopts, opt_arg()))
                goto opthelp;
            break;
-			}
+        case OPT_DIGEST:
-		else if ((m=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
+            if (!opt_md(opt_unknown(), &m))
                goto opthelp;
            md = m;
 		else
            break;
 		argc--;
 		argv++;
        }
-
+    }
    argc = opt_num_rest();
    argv = opt_rest();
    if (do_verify && !sigfile) {
-		BIO_printf(bio_err, "No signature to verify: use the -signature option\n");
+        BIO_printf(bio_err,
                   "No signature to verify: use the -signature option\n");
        goto end;
    }
 	if ((argc > 0) && (argv[0][0] == '-')) /* bad option */
 		{
 		BIO_printf(bio_err,"unknown option '%s'\n",*argv);
 		BIO_printf(bio_err,"options are\n");
 		BIO_printf(bio_err,"-c              to output the digest with separating colons\n");
 		BIO_printf(bio_err,"-r              to output the digest in coreutils format\n");
 		BIO_printf(bio_err,"-d              to output debug info\n");
 		BIO_printf(bio_err,"-hex            output as hex dump\n");
 		BIO_printf(bio_err,"-binary         output in binary form\n");
 		BIO_printf(bio_err,"-sign   file    sign digest using private key in file\n");
 		BIO_printf(bio_err,"-verify file    verify a signature using public key in file\n");
 		BIO_printf(bio_err,"-prverify file  verify a signature using private key in file\n");
 		BIO_printf(bio_err,"-keyform arg    key file format (PEM or ENGINE)\n");
 		BIO_printf(bio_err,"-out filename   output to filename rather than stdout\n");
 		BIO_printf(bio_err,"-signature file signature to verify\n");
 		BIO_printf(bio_err,"-sigopt nm:v    signature parameter\n");
 		BIO_printf(bio_err,"-hmac key       create hashed MAC with key\n");
 		BIO_printf(bio_err,"-mac algorithm  create MAC (not neccessarily HMAC)\n"); 
 		BIO_printf(bio_err,"-macopt nm:v    MAC algorithm parameters or key\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err,"-engine e       use engine e, possibly a hardware device.\n");
 #endif
 		EVP_MD_do_all_sorted(list_md_fn, bio_err);
 		goto end;
 		}
 #ifndef OPENSSL_NO_ENGINE
    if (engine_impl)
        impl = e;
 #endif
    in = BIO_new(BIO_s_file());
    bmd = BIO_new(BIO_f_md());
-	if (debug)
+    if ((in == NULL) || (bmd == NULL)) {
-		{
+        ERR_print_errors(bio_err);
        goto end;
    }
    if (debug) {
        BIO_set_callback(in, BIO_debug_callback);
        /* needed for windows 3.1 */
        BIO_set_callback_arg(in, (char *)bio_err);
    }
-	if(!app_passwd(bio_err, passargin, NULL, &passin, NULL))
+    if (!app_passwd(passinarg, NULL, &passin, NULL)) {
 		{
        BIO_printf(bio_err, "Error getting password\n");
        goto end;
    }
 	if ((in == NULL) || (bmd == NULL))
 		{
 		ERR_print_errors(bio_err);
 		goto end;
 		}
    if (out_bin == -1) {
        if (keyfile)
            out_bin = 1;
@@ -325,101 +270,77 @@ int MAIN(int argc, char **argv)
    }
    if (randfile)
-		app_RAND_load_file(randfile, bio_err, 0);
+        app_RAND_load_file(randfile, 0);
-	if(outfile) {
+    out = bio_open_default(outfile, 'w', out_bin ? FORMAT_BINARY : FORMAT_TEXT);
-		if(out_bin)
+    if (out == NULL)
 			out = BIO_new_file(outfile, "wb");
 		else    out = BIO_new_file(outfile, "w");
 	} else {
 		out = BIO_new_fp(stdout, BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 	}
 	if(!out) {
 		BIO_printf(bio_err, "Error opening output file %s\n", 
 					outfile ? outfile : "(stdout)");
 		ERR_print_errors(bio_err);
        goto end;
-	}
+
-	if ((!!mac_name + !!keyfile + !!hmac_key) > 1)
+    if ((! !mac_name + ! !keyfile + ! !hmac_key) > 1) {
 		{
        BIO_printf(bio_err, "MAC and Signing key cannot both be specified\n");
        goto end;
    }
-	if(keyfile)
+    if (keyfile) {
 		{
        if (want_pub)
-			sigkey = load_pubkey(bio_err, keyfile, keyform, 0, NULL,
+            sigkey = load_pubkey(keyfile, keyform, 0, NULL, e, "key file");
 				e, "key file");
        else
-			sigkey = load_key(bio_err, keyfile, keyform, 0, passin,
+            sigkey = load_key(keyfile, keyform, 0, passin, e, "key file");
-				e, "key file");
+        if (!sigkey) {
-		if (!sigkey)
+            /*
-			{
+             * load_[pub]key() has already printed an appropriate message
-			/* load_[pub]key() has already printed an appropriate
+             */
 			   message */
            goto end;
        }
    }
-	if (mac_name)
+    if (mac_name) {
 		{
        EVP_PKEY_CTX *mac_ctx = NULL;
        int r = 0;
-		if (!init_gen_str(bio_err, &mac_ctx, mac_name, impl, 0))
+        if (!init_gen_str(&mac_ctx, mac_name, impl, 0))
            goto mac_end;
-		if (macopts)
+        if (macopts) {
 			{
            char *macopt;
-			for (i = 0; i < sk_OPENSSL_STRING_num(macopts); i++)
+            for (i = 0; i < sk_OPENSSL_STRING_num(macopts); i++) {
 				{
                macopt = sk_OPENSSL_STRING_value(macopts, i);
-				if (pkey_ctrl_string(mac_ctx, macopt) <= 0)
+                if (pkey_ctrl_string(mac_ctx, macopt) <= 0) {
 					{
                    BIO_printf(bio_err,
-						"MAC parameter error \"%s\"\n",
+                               "MAC parameter error \"%s\"\n", macopt);
 						macopt);
                    ERR_print_errors(bio_err);
                    goto mac_end;
                }
            }
        }
-		if (EVP_PKEY_keygen(mac_ctx, &sigkey) <= 0)
+        if (EVP_PKEY_keygen(mac_ctx, &sigkey) <= 0) {
 			{
            BIO_puts(bio_err, "Error generating key\n");
            ERR_print_errors(bio_err);
            goto mac_end;
        }
        r = 1;
 mac_end:
 		if (mac_ctx)
        EVP_PKEY_CTX_free(mac_ctx);
        if (r == 0)
            goto end;
    }
-	if (hmac_key)
+    if (non_fips_allow) {
-		{
+        EVP_MD_CTX *md_ctx;
        BIO_get_md_ctx(bmd, &md_ctx);
        EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
    }
    if (hmac_key) {
        sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, impl,
                                      (unsigned char *)hmac_key, -1);
        if (!sigkey)
            goto end;
    }
-	if (sigkey)
+    if (sigkey) {
 		{
        EVP_MD_CTX *mctx = NULL;
        EVP_PKEY_CTX *pctx = NULL;
        int r;
-		if (!BIO_get_md_ctx(bmd, &mctx))
+        if (!BIO_get_md_ctx(bmd, &mctx)) {
 			{
            BIO_printf(bio_err, "Error getting context\n");
            ERR_print_errors(bio_err);
            goto end;
@@ -428,23 +349,17 @@ int MAIN(int argc, char **argv)
            r = EVP_DigestVerifyInit(mctx, &pctx, md, impl, sigkey);
        else
            r = EVP_DigestSignInit(mctx, &pctx, md, impl, sigkey);
-		if (!r)
+        if (!r) {
 			{
            BIO_printf(bio_err, "Error setting context\n");
            ERR_print_errors(bio_err);
            goto end;
        }
-		if (sigopts)
+        if (sigopts) {
 			{
            char *sigopt;
-			for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++)
+            for (i = 0; i < sk_OPENSSL_STRING_num(sigopts); i++) {
 				{
                sigopt = sk_OPENSSL_STRING_value(sigopts, i);
-				if (pkey_ctrl_string(pctx, sigopt) <= 0)
+                if (pkey_ctrl_string(pctx, sigopt) <= 0) {
-					{
+                    BIO_printf(bio_err, "parameter error \"%s\"\n", sigopt);
 					BIO_printf(bio_err,
 						"parameter error \"%s\"\n",
 						sigopt);
                    ERR_print_errors(bio_err);
                    goto end;
                }
@@ -452,112 +367,90 @@ int MAIN(int argc, char **argv)
        }
    }
    /* we use md as a filter, reading from 'in' */
-	else
+    else {
 		{
        EVP_MD_CTX *mctx = NULL;
-		if (!BIO_get_md_ctx(bmd, &mctx))
+        if (!BIO_get_md_ctx(bmd, &mctx)) {
 			{
            BIO_printf(bio_err, "Error getting context\n");
            ERR_print_errors(bio_err);
            goto end;
        }
        if (md == NULL)
            md = EVP_md5();
-		if (!EVP_DigestInit_ex(mctx, md, impl))
+        if (!EVP_DigestInit_ex(mctx, md, impl)) {
-			{
+            BIO_printf(bio_err, "Error setting digest\n");
 			BIO_printf(bio_err, "Error setting digest %s\n", pname);
            ERR_print_errors(bio_err);
            goto end;
        }
    }
    if (sigfile && sigkey) {
-		BIO *sigbio;
+        BIO *sigbio = BIO_new_file(sigfile, "rb");
 		sigbio = BIO_new_file(sigfile, "rb");
 		siglen = EVP_PKEY_size(sigkey);
 		sigbuf = OPENSSL_malloc(siglen);
        if (!sigbio) {
-			BIO_printf(bio_err, "Error opening signature file %s\n",
+            BIO_printf(bio_err, "Error opening signature file %s\n", sigfile);
 								sigfile);
            ERR_print_errors(bio_err);
            goto end;
        }
        siglen = EVP_PKEY_size(sigkey);
        sigbuf = app_malloc(siglen, "signature buffer");
        siglen = BIO_read(sigbio, sigbuf, siglen);
        BIO_free(sigbio);
        if (siglen <= 0) {
-			BIO_printf(bio_err, "Error reading signature file %s\n",
+            BIO_printf(bio_err, "Error reading signature file %s\n", sigfile);
 								sigfile);
            ERR_print_errors(bio_err);
            goto end;
        }
    }
    inp = BIO_push(bmd, in);
-	if (md == NULL)
+    if (md == NULL) {
 		{
        EVP_MD_CTX *tctx;
        BIO_get_md_ctx(bmd, &tctx);
        md = EVP_MD_CTX_md(tctx);
    }
-	if (argc == 0)
+    if (argc == 0) {
 		{
        BIO_set_fp(in, stdin, BIO_NOCLOSE);
-		err=do_fp(out, buf,inp,separator, out_bin, sigkey, sigbuf,
+        ret = do_fp(out, buf, inp, separator, out_bin, sigkey, sigbuf,
                    siglen, NULL, NULL, "stdin", bmd);
-		}
+    } else {
 	else
 		{
        const char *md_name = NULL, *sig_name = NULL;
-		if(!out_bin)
+        if (!out_bin) {
-			{
+            if (sigkey) {
 			if (sigkey)
 				{
                const EVP_PKEY_ASN1_METHOD *ameth;
                ameth = EVP_PKEY_get0_asn1(sigkey);
                if (ameth)
                    EVP_PKEY_asn1_get0_info(NULL, NULL,
                                            NULL, NULL, &sig_name, ameth);
            }
            if (md)
                md_name = EVP_MD_name(md);
        }
-		err = 0;
+        ret = 0;
-		for (i=0; i<argc; i++)
+        for (i = 0; i < argc; i++) {
 			{
            int r;
-			if (BIO_read_filename(in,argv[i]) <= 0)
+            if (BIO_read_filename(in, argv[i]) <= 0) {
 				{
                perror(argv[i]);
-				err++;
+                ret++;
                continue;
-				}
+            } else
 			else
                r = do_fp(out, buf, inp, separator, out_bin, sigkey, sigbuf,
                          siglen, sig_name, md_name, argv[i], bmd);
            if (r)
-			    err=r;
+                ret = r;
            (void)BIO_reset(bmd);
        }
    }
 end:
-	if (buf != NULL)
+    OPENSSL_clear_free(buf, BUFSIZE);
-		{
+    BIO_free(in);
 		OPENSSL_cleanse(buf,BUFSIZE);
 		OPENSSL_free(buf);
 		}
 	if (in != NULL) BIO_free(in);
 	if (passin)
    OPENSSL_free(passin);
    BIO_free_all(out);
    EVP_PKEY_free(sigkey);
 	if (sigopts)
    sk_OPENSSL_STRING_free(sigopts);
 	if (macopts)
    sk_OPENSSL_STRING_free(macopts);
-	if(sigbuf) OPENSSL_free(sigbuf);
+    OPENSSL_free(sigbuf);
-	if (bmd != NULL) BIO_free(bmd);
+    BIO_free(bmd);
-	apps_shutdown();
+    return (ret);
 	OPENSSL_EXIT(err);
 }
 int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
@@ -568,76 +461,66 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
    size_t len;
    int i;
-	for (;;)
+    for (;;) {
 		{
        i = BIO_read(bp, (char *)buf, BUFSIZE);
-		if(i < 0)
+        if (i < 0) {
 			{
            BIO_printf(bio_err, "Read Error in %s\n", file);
            ERR_print_errors(bio_err);
            return 1;
        }
-		if (i == 0) break;
+        if (i == 0)
            break;
    }
-	if(sigin)
+    if (sigin) {
 		{
        EVP_MD_CTX *ctx;
        BIO_get_md_ctx(bp, &ctx);
        i = EVP_DigestVerifyFinal(ctx, sigin, (unsigned int)siglen);
        if (i > 0)
            BIO_printf(out, "Verified OK\n");
-		else if(i == 0)
+        else if (i == 0) {
 			{
            BIO_printf(out, "Verification Failure\n");
            return 1;
-			}
+        } else {
 		else
 			{
            BIO_printf(bio_err, "Error Verifying Data\n");
            ERR_print_errors(bio_err);
            return 1;
        }
        return 0;
    }
-	if(key)
+    if (key) {
 		{
        EVP_MD_CTX *ctx;
        BIO_get_md_ctx(bp, &ctx);
        len = BUFSIZE;
-		if(!EVP_DigestSignFinal(ctx, buf, &len)) 
+        if (!EVP_DigestSignFinal(ctx, buf, &len)) {
 			{
            BIO_printf(bio_err, "Error Signing Data\n");
            ERR_print_errors(bio_err);
            return 1;
        }
-		}
+    } else {
 	else
 		{
        len = BIO_gets(bp, (char *)buf, BUFSIZE);
-		if ((int)len <0)
+        if ((int)len < 0) {
 			{
            ERR_print_errors(bio_err);
            return 1;
        }
    }
-	if(binout) BIO_write(out, buf, len);
+    if (binout)
-	else if (sep == 2)
+        BIO_write(out, buf, len);
-		{
+    else if (sep == 2) {
        for (i = 0; i < (int)len; i++)
            BIO_printf(out, "%02x", buf[i]);
        BIO_printf(out, " *%s\n", file);
-		}
+    } else {
-	else 
+        if (sig_name) {
-		{
+            BIO_puts(out, sig_name);
-		if (sig_name)
+            if (md_name)
-			BIO_printf(out, "%s-%s(%s)= ", sig_name, md_name, file);
+                BIO_printf(out, "-%s", md_name);
-		else if (md_name)
+            BIO_printf(out, "(%s)= ", file);
        } else if (md_name)
            BIO_printf(out, "%s(%s)= ", md_name, file);
        else
            BIO_printf(out, "(%s)= ", file);
-		for (i=0; i<(int)len; i++)
+        for (i = 0; i < (int)len; i++) {
 			{
            if (sep && (i != 0))
                BIO_printf(out, ":");
            BIO_printf(out, "%02x", buf[i]);
@@ -646,4 +529,3 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
    }
    return 0;
 }
--- a/apps/dh.c
+++ b/apps/dh.c
@@ -1,355 +0,0 @@
 /* apps/dh.c */
 /* obsoleted by dhparam.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
 #include <openssl/opensslconf.h>	/* for OPENSSL_NO_DH */
 #ifndef OPENSSL_NO_DH
 #include <stdio.h>
 #include <stdlib.h>
 #include <time.h>
 #include <string.h>
 #include "apps.h"
 #include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/bn.h>
 #include <openssl/dh.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #undef PROG
 #define PROG	dh_main
 /* -inform arg	- input format - default PEM (DER or PEM)
 * -outform arg - output format - default PEM
 * -in arg	- input file - default stdin
 * -out arg	- output file - default stdout
 * -check	- check the parameters are ok
 * -noout
 * -text
 * -C
 */
 int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	DH *dh=NULL;
 	int i,badops=0,text=0;
 	BIO *in=NULL,*out=NULL;
 	int informat,outformat,check=0,noout=0,C=0,ret=1;
 	char *infile,*outfile,*prog;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine;
 #endif
 	apps_startup();
 	if (bio_err == NULL)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	if (!load_config(bio_err, NULL))
 		goto end;
 #ifndef OPENSSL_NO_ENGINE
 	engine=NULL;
 #endif
 	infile=NULL;
 	outfile=NULL;
 	informat=FORMAT_PEM;
 	outformat=FORMAT_PEM;
 	prog=argv[0];
 	argc--;
 	argv++;
 	while (argc >= 1)
 		{
 		if 	(strcmp(*argv,"-inform") == 0)
 			{
 			if (--argc < 1) goto bad;
 			informat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-outform") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outformat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-in") == 0)
 			{
 			if (--argc < 1) goto bad;
 			infile= *(++argv);
 			}
 		else if (strcmp(*argv,"-out") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 #endif
 		else if (strcmp(*argv,"-check") == 0)
 			check=1;
 		else if (strcmp(*argv,"-text") == 0)
 			text=1;
 		else if (strcmp(*argv,"-C") == 0)
 			C=1;
 		else if (strcmp(*argv,"-noout") == 0)
 			noout=1;
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
 			badops=1;
 			break;
 			}
 		argc--;
 		argv++;
 		}
 	if (badops)
 		{
 bad:
 		BIO_printf(bio_err,"%s [options] <infile >outfile\n",prog);
 		BIO_printf(bio_err,"where options are\n");
 		BIO_printf(bio_err," -inform arg   input format - one of DER PEM\n");
 		BIO_printf(bio_err," -outform arg  output format - one of DER PEM\n");
 		BIO_printf(bio_err," -in arg       input file\n");
 		BIO_printf(bio_err," -out arg      output file\n");
 		BIO_printf(bio_err," -check        check the DH parameters\n");
 		BIO_printf(bio_err," -text         print a text form of the DH parameters\n");
 		BIO_printf(bio_err," -C            Output C code\n");
 		BIO_printf(bio_err," -noout        no output\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
 #endif
 		goto end;
 		}
 	ERR_load_crypto_strings();
 #ifndef OPENSSL_NO_ENGINE
        setup_engine(bio_err, engine, 0);
 #endif
 	in=BIO_new(BIO_s_file());
 	out=BIO_new(BIO_s_file());
 	if ((in == NULL) || (out == NULL))
 		{
 		ERR_print_errors(bio_err);
 		goto end;
 		}
 	if (infile == NULL)
 		BIO_set_fp(in,stdin,BIO_NOCLOSE);
 	else
 		{
 		if (BIO_read_filename(in,infile) <= 0)
 			{
 			perror(infile);
 			goto end;
 			}
 		}
 	if (outfile == NULL)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
 			{
 			perror(outfile);
 			goto end;
 			}
 		}
 	if	(informat == FORMAT_ASN1)
 		dh=d2i_DHparams_bio(in,NULL);
 	else if (informat == FORMAT_PEM)
 		dh=PEM_read_bio_DHparams(in,NULL,NULL,NULL);
 	else
 		{
 		BIO_printf(bio_err,"bad input format specified\n");
 		goto end;
 		}
 	if (dh == NULL)
 		{
 		BIO_printf(bio_err,"unable to load DH parameters\n");
 		ERR_print_errors(bio_err);
 		goto end;
 		}
 	if (text)
 		{
 		DHparams_print(out,dh);
 #ifdef undef
 		printf("p=");
 		BN_print(stdout,dh->p);
 		printf("\ng=");
 		BN_print(stdout,dh->g);
 		printf("\n");
 		if (dh->length != 0)
 			printf("recommended private length=%ld\n",dh->length);
 #endif
 		}
 	if (check)
 		{
 		if (!DH_check(dh,&i))
 			{
 			ERR_print_errors(bio_err);
 			goto end;
 			}
 		if (i & DH_CHECK_P_NOT_PRIME)
 			printf("p value is not prime\n");
 		if (i & DH_CHECK_P_NOT_SAFE_PRIME)
 			printf("p value is not a safe prime\n");
 		if (i & DH_UNABLE_TO_CHECK_GENERATOR)
 			printf("unable to check the generator value\n");
 		if (i & DH_NOT_SUITABLE_GENERATOR)
 			printf("the g value is not a generator\n");
 		if (i == 0)
 			printf("DH parameters appear to be ok.\n");
 		}
 	if (C)
 		{
 		unsigned char *data;
 		int len,l,bits;
 		len=BN_num_bytes(dh->p);
 		bits=BN_num_bits(dh->p);
 		data=(unsigned char *)OPENSSL_malloc(len);
 		if (data == NULL)
 			{
 			perror("OPENSSL_malloc");
 			goto end;
 			}
 		l=BN_bn2bin(dh->p,data);
 		printf("static unsigned char dh%d_p[]={",bits);
 		for (i=0; i<l; i++)
 			{
 			if ((i%12) == 0) printf("\n\t");
 			printf("0x%02X,",data[i]);
 			}
 		printf("\n\t};\n");
 		l=BN_bn2bin(dh->g,data);
 		printf("static unsigned char dh%d_g[]={",bits);
 		for (i=0; i<l; i++)
 			{
 			if ((i%12) == 0) printf("\n\t");
 			printf("0x%02X,",data[i]);
 			}
 		printf("\n\t};\n\n");
 		printf("DH *get_dh%d()\n\t{\n",bits);
 		printf("\tDH *dh;\n\n");
 		printf("\tif ((dh=DH_new()) == NULL) return(NULL);\n");
 		printf("\tdh->p=BN_bin2bn(dh%d_p,sizeof(dh%d_p),NULL);\n",
 			bits,bits);
 		printf("\tdh->g=BN_bin2bn(dh%d_g,sizeof(dh%d_g),NULL);\n",
 			bits,bits);
 		printf("\tif ((dh->p == NULL) || (dh->g == NULL))\n");
 		printf("\t\treturn(NULL);\n");
 		printf("\treturn(dh);\n\t}\n");
 		OPENSSL_free(data);
 		}
 	if (!noout)
 		{
 		if 	(outformat == FORMAT_ASN1)
 			i=i2d_DHparams_bio(out,dh);
 		else if (outformat == FORMAT_PEM)
 			i=PEM_write_bio_DHparams(out,dh);
 		else	{
 			BIO_printf(bio_err,"bad output format specified for outfile\n");
 			goto end;
 			}
 		if (!i)
 			{
 			BIO_printf(bio_err,"unable to write DH parameters\n");
 			ERR_print_errors(bio_err);
 			goto end;
 			}
 		}
 	ret=0;
 end:
 	if (in != NULL) BIO_free(in);
 	if (out != NULL) BIO_free_all(out);
 	if (dh != NULL) DH_free(dh);
 	apps_shutdown();
 	OPENSSL_EXIT(ret);
 	}
 #else /* !OPENSSL_NO_DH */
 # if PEDANTIC
 static void *dummy=&dummy;
 # endif
 #endif
--- a/apps/dh512.pem
+++ b/apps/dh512.pem
@@ -1,9 +0,0 @@
 -----BEGIN DH PARAMETERS-----
 MEYCQQD1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6ypUM2Zafq9AKUJsCRtMIPWak
 XUGfnHy9iUsiGSa6q6Jew1XpKgVfAgEC
 -----END DH PARAMETERS-----
 These are the 512 bit DH parameters from "Assigned Number for SKIP Protocols"
 (http://www.skip-vpn.org/spec/numbers.html).
 See there for how they were generated.
 Note that g is not a generator, but this is not a problem since p is a safe prime.
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -1,4 +1,3 @@
 /* apps/dhparam.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -127,246 +126,192 @@
 #  include <openssl/dsa.h>
 # endif
-#undef PROG
+# define DEFBITS 2048
 #define PROG	dhparam_main
-#define DEFBITS	512
+static int dh_cb(int p, int n, BN_GENCB *cb);
-/* -inform arg	- input format - default PEM (DER or PEM)
+typedef enum OPTION_choice {
- * -outform arg - output format - default PEM
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
- * -in arg	- input file - default stdin
+    OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT,
- * -out arg	- output file - default stdout
+    OPT_ENGINE, OPT_CHECK, OPT_TEXT, OPT_NOOUT,
- * -dsaparam  - read or generate DSA parameters, convert to DH
+    OPT_RAND, OPT_DSAPARAM, OPT_C, OPT_2, OPT_5
- * -check	- check the parameters are ok
+} OPTION_CHOICE;
 * -noout
 * -text
 * -C
 */
-static int MS_CALLBACK dh_cb(int p, int n, BN_GENCB *cb);
+OPTIONS dhparam_options[] = {
-
+    {OPT_HELP_STR, 1, '-', "Usage: %s [flags] [numbits]\n"},
-int MAIN(int, char **);
+    {OPT_HELP_STR, 1, '-', "Valid options are:\n"},
-
+    {"help", OPT_HELP, '-', "Display this summary"},
-int MAIN(int argc, char **argv)
+    {"in", OPT_IN, '<', "Input file"},
-	{
+    {"inform", OPT_INFORM, 'F', "Input format, DER or PEM"},
-	DH *dh=NULL;
+    {"outform", OPT_OUTFORM, 'F', "Output format, DER or PEM"},
-	int i,badops=0,text=0;
+    {"out", OPT_OUT, '>', "Output file"},
    {"check", OPT_CHECK, '-', "Check the DH parameters"},
    {"text", OPT_TEXT, '-', "Print a text form of the DH parameters"},
    {"noout", OPT_NOOUT, '-'},
    {"rand", OPT_RAND, 's',
     "Load the file(s) into the random number generator"},
    {"C", OPT_C, '-', "Print C code"},
    {"2", OPT_2, '-', "Generate parameters using 2 as the generator value"},
    {"5", OPT_5, '-', "Generate parameters using 5 as the generator value"},
 # ifndef OPENSSL_NO_DSA
-	int dsaparam=0;
+    {"dsaparam", OPT_DSAPARAM, '-',
     "Read or generate DSA parameters, convert to DH"},
 # endif
 # ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
 # endif
    {NULL}
 };
 int dhparam_main(int argc, char **argv)
 {
    BIO *in = NULL, *out = NULL;
-	int informat,outformat,check=0,noout=0,C=0,ret=1;
+    DH *dh = NULL;
-	char *infile,*outfile,*prog;
+    char *infile = NULL, *outfile = NULL, *prog, *inrand = NULL;
-	char *inrand=NULL;
+    int dsaparam = 0, i, text = 0, C = 0, ret = 1, num = 0, g = 0;
-#ifndef OPENSSL_NO_ENGINE
+    int informat = FORMAT_PEM, outformat = FORMAT_PEM, check = 0, noout = 0;
-	char *engine=NULL;
+    OPTION_CHOICE o;
 #endif
 	int num = 0, g = 0;
-	apps_startup();
+    prog = opt_init(argc, argv, dhparam_options);
-
+    while ((o = opt_next()) != OPT_EOF) {
-	if (bio_err == NULL)
+        switch (o) {
-		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+        case OPT_EOF:
-			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+        case OPT_ERR:
-
+ opthelp:
-	if (!load_config(bio_err, NULL))
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
-
+        case OPT_HELP:
-	infile=NULL;
+            opt_help(dhparam_options);
-	outfile=NULL;
+            ret = 0;
-	informat=FORMAT_PEM;
+            goto end;
-	outformat=FORMAT_PEM;
+        case OPT_INFORM:
-
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
-	prog=argv[0];
+                goto opthelp;
-	argc--;
+            break;
-	argv++;
+        case OPT_OUTFORM:
-	while (argc >= 1)
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
-		{
+                goto opthelp;
-		if 	(strcmp(*argv,"-inform") == 0)
+            break;
-			{
+        case OPT_IN:
-			if (--argc < 1) goto bad;
+            infile = opt_arg();
-			informat=str2fmt(*(++argv));
+            break;
-			}
+        case OPT_OUT:
-		else if (strcmp(*argv,"-outform") == 0)
+            outfile = opt_arg();
-			{
+            break;
-			if (--argc < 1) goto bad;
+        case OPT_ENGINE:
-			outformat=str2fmt(*(++argv));
+            (void)setup_engine(opt_arg(), 0);
-			}
+            break;
-		else if (strcmp(*argv,"-in") == 0)
+        case OPT_CHECK:
 			{
 			if (--argc < 1) goto bad;
 			infile= *(++argv);
 			}
 		else if (strcmp(*argv,"-out") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 #endif
 		else if (strcmp(*argv,"-check") == 0)
            check = 1;
-		else if (strcmp(*argv,"-text") == 0)
+            break;
        case OPT_TEXT:
            text = 1;
-#ifndef OPENSSL_NO_DSA
+            break;
-		else if (strcmp(*argv,"-dsaparam") == 0)
+        case OPT_DSAPARAM:
            dsaparam = 1;
-#endif
+            break;
-		else if (strcmp(*argv,"-C") == 0)
+        case OPT_C:
            C = 1;
-		else if (strcmp(*argv,"-noout") == 0)
+            break;
-			noout=1;
+        case OPT_2:
 		else if (strcmp(*argv,"-2") == 0)
            g = 2;
-		else if (strcmp(*argv,"-5") == 0)
+            break;
        case OPT_5:
            g = 5;
-		else if (strcmp(*argv,"-rand") == 0)
+            break;
-			{
+        case OPT_NOOUT:
-			if (--argc < 1) goto bad;
+            noout = 1;
-			inrand= *(++argv);
+            break;
        case OPT_RAND:
            inrand = opt_arg();
            break;
        }
 		else if (((sscanf(*argv,"%d",&num) == 0) || (num <= 0)))
 			goto bad;
 		argv++;
 		argc--;
    }
    argc = opt_num_rest();
    argv = opt_rest();
-	if (badops)
+    if (argv[0] && (!opt_int(argv[0], &num) || num <= 0))
 		{
 bad:
 		BIO_printf(bio_err,"%s [options] [numbits]\n",prog);
 		BIO_printf(bio_err,"where options are\n");
 		BIO_printf(bio_err," -inform arg   input format - one of DER PEM\n");
 		BIO_printf(bio_err," -outform arg  output format - one of DER PEM\n");
 		BIO_printf(bio_err," -in arg       input file\n");
 		BIO_printf(bio_err," -out arg      output file\n");
 #ifndef OPENSSL_NO_DSA
 		BIO_printf(bio_err," -dsaparam     read or generate DSA parameters, convert to DH\n");
 #endif
 		BIO_printf(bio_err," -check        check the DH parameters\n");
 		BIO_printf(bio_err," -text         print a text form of the DH parameters\n");
 		BIO_printf(bio_err," -C            Output C code\n");
 		BIO_printf(bio_err," -2            generate parameters using  2 as the generator value\n");
 		BIO_printf(bio_err," -5            generate parameters using  5 as the generator value\n");
 		BIO_printf(bio_err," numbits       number of bits in to generate (default 512)\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
 #endif
 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,"               - load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,"               the random number generator\n");
 		BIO_printf(bio_err," -noout        no output\n");
        goto end;
 		}
 	ERR_load_crypto_strings();
 #ifndef OPENSSL_NO_ENGINE
        setup_engine(bio_err, engine, 0);
 #endif
    if (g && !num)
        num = DEFBITS;
 # ifndef OPENSSL_NO_DSA
-	if (dsaparam)
+    if (dsaparam && g) {
-		{
+        BIO_printf(bio_err,
-		if (g)
+                   "generator may not be chosen for DSA parameters\n");
 			{
 			BIO_printf(bio_err, "generator may not be chosen for DSA parameters\n");
        goto end;
    }
 		}
 	else
 # endif
 		{
    /* DH parameters */
    if (num && !g)
        g = 2;
 		}
    if (num) {
-		BN_GENCB cb;
+        BN_GENCB *cb;
-		BN_GENCB_set(&cb, dh_cb, bio_err);
+        cb = BN_GENCB_new();
-		if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL)
+        if (cb == NULL) {
-			{
+            ERR_print_errors(bio_err);
-			BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
+            goto end;
        }
        BN_GENCB_set(cb, dh_cb, bio_err);
        if (!app_RAND_load_file(NULL, 1) && inrand == NULL) {
            BIO_printf(bio_err,
                       "warning, not much extra random data, consider using the -rand option\n");
        }
        if (inrand != NULL)
            BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
                       app_RAND_load_files(inrand));
 # ifndef OPENSSL_NO_DSA
-		if (dsaparam)
+        if (dsaparam) {
 			{
            DSA *dsa = DSA_new();
-			BIO_printf(bio_err,"Generating DSA parameters, %d bit long prime\n",num);
+            BIO_printf(bio_err,
-			if(!dsa || !DSA_generate_parameters_ex(dsa, num,
+                       "Generating DSA parameters, %d bit long prime\n", num);
-						NULL, 0, NULL, NULL, &cb))
+            if (dsa == NULL
-				{
+                || !DSA_generate_parameters_ex(dsa, num, NULL, 0, NULL, NULL,
-				if(dsa) DSA_free(dsa);
+                                               cb)) {
                DSA_free(dsa);
                BN_GENCB_free(cb);
                ERR_print_errors(bio_err);
                goto end;
            }
            dh = DSA_dup_DH(dsa);
            DSA_free(dsa);
-			if (dh == NULL)
+            if (dh == NULL) {
-				{
+                BN_GENCB_free(cb);
                ERR_print_errors(bio_err);
                goto end;
            }
-			}
+        } else
 		else
 # endif
        {
            dh = DH_new();
-			BIO_printf(bio_err,"Generating DH parameters, %d bit long safe prime, generator %d\n",num,g);
+            BIO_printf(bio_err,
                       "Generating DH parameters, %d bit long safe prime, generator %d\n",
                       num, g);
            BIO_printf(bio_err, "This is going to take a long time\n");
-			if(!dh || !DH_generate_parameters_ex(dh, num, g, &cb))
+            if (dh == NULL || !DH_generate_parameters_ex(dh, num, g, cb)) {
-				{
+                BN_GENCB_free(cb);
 				if(dh) DH_free(dh);
                ERR_print_errors(bio_err);
                goto end;
            }
        }
-		app_RAND_write_file(NULL, bio_err);
+        BN_GENCB_free(cb);
        app_RAND_write_file(NULL);
    } else {
-		in=BIO_new(BIO_s_file());
+        in = bio_open_default(infile, 'r', informat);
        if (in == NULL)
 			{
 			ERR_print_errors(bio_err);
            goto end;
 			}
 		if (infile == NULL)
 			BIO_set_fp(in,stdin,BIO_NOCLOSE);
 		else
 			{
 			if (BIO_read_filename(in,infile) <= 0)
 				{
 				perror(infile);
 				goto end;
 				}
 			}
 		if	(informat != FORMAT_ASN1 && informat != FORMAT_PEM)
 			{
 			BIO_printf(bio_err,"bad input format specified\n");
 			goto end;
 			}
 # ifndef OPENSSL_NO_DSA
-		if (dsaparam)
+        if (dsaparam) {
 			{
            DSA *dsa;
            if (informat == FORMAT_ASN1)
@@ -374,8 +319,7 @@ bad:
            else                /* informat == FORMAT_PEM */
                dsa = PEM_read_bio_DSAparams(in, NULL, NULL, NULL);
-			if (dsa == NULL)
+            if (dsa == NULL) {
 				{
                BIO_printf(bio_err, "unable to load DSA parameters\n");
                ERR_print_errors(bio_err);
                goto end;
@@ -383,13 +327,11 @@ bad:
            dh = DSA_dup_DH(dsa);
            DSA_free(dsa);
-			if (dh == NULL)
+            if (dh == NULL) {
 				{
                ERR_print_errors(bio_err);
                goto end;
            }
-			}
+        } else
 		else
 # endif
        {
            if (informat == FORMAT_ASN1)
@@ -397,8 +339,7 @@ bad:
            else                /* informat == FORMAT_PEM */
                dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
-			if (dh == NULL)
+            if (dh == NULL) {
 				{
                BIO_printf(bio_err, "unable to load DH parameters\n");
                ERR_print_errors(bio_err);
                goto end;
@@ -408,41 +349,16 @@ bad:
        /* dh != NULL */
    }
-	out=BIO_new(BIO_s_file());
+    out = bio_open_default(outfile, 'w', outformat);
    if (out == NULL)
 		{
 		ERR_print_errors(bio_err);
        goto end;
 		}
 	if (outfile == NULL)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
 			{
 			perror(outfile);
 			goto end;
 			}
 		}
-
+    if (text) {
 	if (text)
 		{
        DHparams_print(out, dh);
    }
-	if (check)
+    if (check) {
-		{
+        if (!DH_check(dh, &i)) {
 		if (!DH_check(dh,&i))
 			{
            ERR_print_errors(bio_err);
            goto end;
        }
@@ -457,69 +373,47 @@ bad:
        if (i == 0)
            printf("DH parameters appear to be ok.\n");
    }
-	if (C)
+    if (C) {
 		{
        unsigned char *data;
-		int len,l,bits;
+        int len, bits;
        len = BN_num_bytes(dh->p);
        bits = BN_num_bits(dh->p);
-		data=(unsigned char *)OPENSSL_malloc(len);
+        data = app_malloc(len, "print a BN");
-		if (data == NULL)
+        BIO_printf(out, "#ifndef HEADER_DH_H\n"
 			{
 			perror("OPENSSL_malloc");
 			goto end;
 			}
 		printf("#ifndef HEADER_DH_H\n"
                        "# include <openssl/dh.h>\n"
-		       "#endif\n");
+                        "#endif\n"
-		printf("DH *get_dh%d()\n\t{\n",bits);
+                        "\n");
-
+        BIO_printf(out, "DH *get_dh%d()\n{\n", bits);
-		l=BN_bn2bin(dh->p,data);
+        print_bignum_var(out, dh->p, "dhp", bits, data);
-		printf("\tstatic unsigned char dh%d_p[]={",bits);
+        print_bignum_var(out, dh->g, "dhg", bits, data);
-		for (i=0; i<l; i++)
+        BIO_printf(out, "    DH *dh = DN_new();\n"
-			{
+                        "\n"
-			if ((i%12) == 0) printf("\n\t\t");
+                        "    if (dh == NULL)\n"
-			printf("0x%02X,",data[i]);
+                        "        return NULL;\n");
-			}
+        BIO_printf(out, "    dh->p = BN_bin2bn(dhp_%d, sizeof (dhp_%d), NULL);\n",
 		printf("\n\t\t};\n");
 		l=BN_bn2bin(dh->g,data);
 		printf("\tstatic unsigned char dh%d_g[]={",bits);
 		for (i=0; i<l; i++)
 			{
 			if ((i%12) == 0) printf("\n\t\t");
 			printf("0x%02X,",data[i]);
 			}
 		printf("\n\t\t};\n");
 		printf("\tDH *dh;\n\n");
 		printf("\tif ((dh=DH_new()) == NULL) return(NULL);\n");
 		printf("\tdh->p=BN_bin2bn(dh%d_p,sizeof(dh%d_p),NULL);\n",
               bits, bits);
-		printf("\tdh->g=BN_bin2bn(dh%d_g,sizeof(dh%d_g),NULL);\n",
+        BIO_printf(out, "    dh->g = BN_bin2bn(dhg_%d, sizeof (dhg_%d), NULL);\n",
               bits, bits);
-		printf("\tif ((dh->p == NULL) || (dh->g == NULL))\n");
+        BIO_printf(out, "    if (!dh->p || !dh->g) {\n"
-		printf("\t\t{ DH_free(dh); return(NULL); }\n");
+                        "        DH_free(dh);\n"
                        "        return NULL;\n"
                        "    }\n");
        if (dh->length)
-			printf("\tdh->length = %ld;\n", dh->length);
+            BIO_printf(out,
-		printf("\treturn(dh);\n\t}\n");
+                        "    dh->length = %ld;\n", dh->length);
        BIO_printf(out, "    return dh;\n}\n");
        OPENSSL_free(data);
    }
-
+    if (!noout) {
 	if (!noout)
 		{
        if (outformat == FORMAT_ASN1)
            i = i2d_DHparams_bio(out, dh);
-		else if (outformat == FORMAT_PEM)
+        else if (dh->q)
            i = PEM_write_bio_DHxparams(out, dh);
        else
            i = PEM_write_bio_DHparams(out, dh);
-		else	{
+        if (!i) {
 			BIO_printf(bio_err,"bad output format specified for outfile\n");
 			goto end;
 			}
 		if (!i)
 			{
            BIO_printf(bio_err, "unable to write DH parameters\n");
            ERR_print_errors(bio_err);
            goto end;
@@ -527,27 +421,26 @@ bad:
    }
    ret = 0;
 end:
-	if (in != NULL) BIO_free(in);
+    BIO_free(in);
-	if (out != NULL) BIO_free_all(out);
+    BIO_free_all(out);
-	if (dh != NULL) DH_free(dh);
+    DH_free(dh);
-	apps_shutdown();
+    return (ret);
 	OPENSSL_EXIT(ret);
 }
-/* dh_cb is identical to dsa_cb in apps/dsaparam.c */
+static int dh_cb(int p, int n, BN_GENCB *cb)
 static int MS_CALLBACK dh_cb(int p, int n, BN_GENCB *cb)
 {
    char c = '*';
-	if (p == 0) c='.';
+    if (p == 0)
-	if (p == 1) c='+';
+        c = '.';
-	if (p == 2) c='*';
+    if (p == 1)
-	if (p == 3) c='\n';
+        c = '+';
-	BIO_write(cb->arg,&c,1);
+    if (p == 2)
-	(void)BIO_flush(cb->arg);
+        c = '*';
-#ifdef LINT
+    if (p == 3)
-	p=n;
+        c = '\n';
-#endif
+    BIO_write(BN_GENCB_get_arg(cb), &c, 1);
    (void)BIO_flush(BN_GENCB_get_arg(cb));
    return 1;
 }
--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -1,4 +1,3 @@
 /* apps/dsa.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -71,301 +70,230 @@
 # include <openssl/pem.h>
 # include <openssl/bn.h>
-#undef PROG
+typedef enum OPTION_choice {
-#define PROG	dsa_main
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT,
    OPT_ENGINE, OPT_PVK_STRONG, OPT_PVK_WEAK,
    OPT_PVK_NONE, OPT_NOOUT, OPT_TEXT, OPT_MODULUS, OPT_PUBIN,
    OPT_PUBOUT, OPT_CIPHER, OPT_PASSIN, OPT_PASSOUT
 } OPTION_CHOICE;
-/* -inform arg	- input format - default PEM (one of DER, NET or PEM)
+OPTIONS dsa_options[] = {
- * -outform arg - output format - default PEM
+    {"help", OPT_HELP, '-', "Display this summary"},
- * -in arg	- input file - default stdin
+    {"inform", OPT_INFORM, 'F', "Input format, DER PEM PVK"},
- * -out arg	- output file - default stdout
+    {"outform", OPT_OUTFORM, 'F', "Output format, DER PEM PVK"},
- * -des		- encrypt output if PEM format with DES in cbc mode
+    {"in", OPT_IN, '<', "Input file"},
- * -des3	- encrypt output if PEM format
+    {"out", OPT_OUT, '>', "Output file"},
- * -idea	- encrypt output if PEM format
+    {"noout", OPT_NOOUT, '-', "Don't print key out"},
- * -aes128	- encrypt output if PEM format
+    {"text", OPT_TEXT, '-', "Print the key in text"},
- * -aes192	- encrypt output if PEM format
+    {"modulus", OPT_MODULUS, '-', "Print the DSA public value"},
- * -aes256	- encrypt output if PEM format
+    {"pubin", OPT_PUBIN, '-'},
- * -camellia128 - encrypt output if PEM format
+    {"pubout", OPT_PUBOUT, '-'},
- * -camellia192 - encrypt output if PEM format
+    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
- * -camellia256 - encrypt output if PEM format
+    {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
- * -seed        - encrypt output if PEM format
+    {"", OPT_CIPHER, '-', "Any supported cipher"},
- * -text	- print a text version
+# ifndef OPENSSL_NO_RC4
- * -modulus	- print the DSA public key
+    {"pvk-strong", OPT_PVK_STRONG, '-'},
- */
+    {"pvk-weak", OPT_PVK_WEAK, '-'},
    {"pvk-none", OPT_PVK_NONE, '-'},
 # endif
 # ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
 # endif
    {NULL}
 };
-int MAIN(int, char **);
+int dsa_main(int argc, char **argv)
 int MAIN(int argc, char **argv)
 {
-	ENGINE *e = NULL;
+    BIO *out = NULL;
 	int ret=1;
    DSA *dsa = NULL;
-	int i,badops=0;
+    ENGINE *e = NULL;
    const EVP_CIPHER *enc = NULL;
-	BIO *in=NULL,*out=NULL;
+    char *infile = NULL, *outfile = NULL, *prog;
-	int informat,outformat,text=0,noout=0;
+    char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
-	int pubin = 0, pubout = 0;
+    OPTION_CHOICE o;
-	char *infile,*outfile,*prog;
+    int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0;
-#ifndef OPENSSL_NO_ENGINE
+    int i, modulus = 0, pubin = 0, pubout = 0, pvk_encr = 2, ret = 1;
-	char *engine;
+    int private = 0;
 #endif
 	char *passargin = NULL, *passargout = NULL;
 	char *passin = NULL, *passout = NULL;
 	int modulus=0;
-	int pvk_encr = 2;
+    prog = opt_init(argc, argv, dsa_options);
-
+    while ((o = opt_next()) != OPT_EOF) {
-	apps_startup();
+        switch (o) {
-
+        case OPT_EOF:
-	if (bio_err == NULL)
+        case OPT_ERR:
-		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+ opthelp:
-			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+            ret = 0;
-
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
 	if (!load_config(bio_err, NULL))
            goto end;
-
+        case OPT_HELP:
-#ifndef OPENSSL_NO_ENGINE
+            opt_help(dsa_options);
-	engine=NULL;
+            ret = 0;
-#endif
+            goto end;
-	infile=NULL;
+        case OPT_INFORM:
-	outfile=NULL;
+            if (!opt_format
-	informat=FORMAT_PEM;
+                (opt_arg(), OPT_FMT_PEMDER | OPT_FMT_PVK, &informat))
-	outformat=FORMAT_PEM;
+                goto opthelp;
-
+            break;
-	prog=argv[0];
+        case OPT_IN:
-	argc--;
+            infile = opt_arg();
-	argv++;
+            break;
-	while (argc >= 1)
+        case OPT_OUTFORM:
-		{
+            if (!opt_format
-		if 	(strcmp(*argv,"-inform") == 0)
+                (opt_arg(), OPT_FMT_PEMDER | OPT_FMT_PVK, &outformat))
-			{
+                goto opthelp;
-			if (--argc < 1) goto bad;
+            break;
-			informat=str2fmt(*(++argv));
+        case OPT_OUT:
-			}
+            outfile = opt_arg();
-		else if (strcmp(*argv,"-outform") == 0)
+            break;
-			{
+        case OPT_ENGINE:
-			if (--argc < 1) goto bad;
+            e = setup_engine(opt_arg(), 0);
-			outformat=str2fmt(*(++argv));
+            break;
-			}
+        case OPT_PASSIN:
-		else if (strcmp(*argv,"-in") == 0)
+            passinarg = opt_arg();
-			{
+            break;
-			if (--argc < 1) goto bad;
+        case OPT_PASSOUT:
-			infile= *(++argv);
+            passoutarg = opt_arg();
-			}
+            break;
-		else if (strcmp(*argv,"-out") == 0)
+#ifndef OPENSSL_NO_RC4
-			{
+        case OPT_PVK_STRONG:
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 		else if (strcmp(*argv,"-passin") == 0)
 			{
 			if (--argc < 1) goto bad;
 			passargin= *(++argv);
 			}
 		else if (strcmp(*argv,"-passout") == 0)
 			{
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 #endif
 		else if (strcmp(*argv,"-pvk-strong") == 0)
            pvk_encr = 2;
-		else if (strcmp(*argv,"-pvk-weak") == 0)
+            break;
        case OPT_PVK_WEAK:
            pvk_encr = 1;
-		else if (strcmp(*argv,"-pvk-none") == 0)
+            break;
        case OPT_PVK_NONE:
            pvk_encr = 0;
-		else if (strcmp(*argv,"-noout") == 0)
+            break;
 #else
        case OPT_PVK_STRONG:
        case OPT_PVK_WEAK:
        case OPT_PVK_NONE:
            break;
 #endif
        case OPT_NOOUT:
            noout = 1;
-		else if (strcmp(*argv,"-text") == 0)
+            break;
        case OPT_TEXT:
            text = 1;
-		else if (strcmp(*argv,"-modulus") == 0)
+            break;
        case OPT_MODULUS:
            modulus = 1;
-		else if (strcmp(*argv,"-pubin") == 0)
+            break;
        case OPT_PUBIN:
            pubin = 1;
-		else if (strcmp(*argv,"-pubout") == 0)
+            break;
        case OPT_PUBOUT:
            pubout = 1;
-		else if ((enc=EVP_get_cipherbyname(&(argv[0][1]))) == NULL)
+            break;
-			{
+        case OPT_CIPHER:
-			BIO_printf(bio_err,"unknown option %s\n",*argv);
+            if (!opt_cipher(opt_unknown(), &enc))
-			badops=1;
+                goto end;
            break;
        }
 		argc--;
 		argv++;
    }
    argc = opt_num_rest();
    argv = opt_rest();
    private = pubin || pubout ? 0 : 1;
    if (text)
        private = 1;
-	if (badops)
+    if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
 		{
 bad:
 		BIO_printf(bio_err,"%s [options] <infile >outfile\n",prog);
 		BIO_printf(bio_err,"where options are\n");
 		BIO_printf(bio_err," -inform arg     input format - DER or PEM\n");
 		BIO_printf(bio_err," -outform arg    output format - DER or PEM\n");
 		BIO_printf(bio_err," -in arg         input file\n");
 		BIO_printf(bio_err," -passin arg     input file pass phrase source\n");
 		BIO_printf(bio_err," -out arg        output file\n");
 		BIO_printf(bio_err," -passout arg    output file pass phrase source\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
 #endif
 		BIO_printf(bio_err," -des            encrypt PEM output with cbc des\n");
 		BIO_printf(bio_err," -des3           encrypt PEM output with ede cbc des using 168 bit key\n");
 #ifndef OPENSSL_NO_IDEA
 		BIO_printf(bio_err," -idea           encrypt PEM output with cbc idea\n");
 #endif
 #ifndef OPENSSL_NO_AES
 		BIO_printf(bio_err," -aes128, -aes192, -aes256\n");
 		BIO_printf(bio_err,"                 encrypt PEM output with cbc aes\n");
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
 		BIO_printf(bio_err," -camellia128, -camellia192, -camellia256\n");
 		BIO_printf(bio_err,"                 encrypt PEM output with cbc camellia\n");
 #endif
 #ifndef OPENSSL_NO_SEED
 		BIO_printf(bio_err," -seed           encrypt PEM output with cbc seed\n");
 #endif
 		BIO_printf(bio_err," -text           print the key in text\n");
 		BIO_printf(bio_err," -noout          don't print key out\n");
 		BIO_printf(bio_err," -modulus        print the DSA public value\n");
 		goto end;
 		}
 	ERR_load_crypto_strings();
 #ifndef OPENSSL_NO_ENGINE
        e = setup_engine(bio_err, engine, 0);
 #endif
 	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
        BIO_printf(bio_err, "Error getting passwords\n");
        goto end;
    }
 	in=BIO_new(BIO_s_file());
 	out=BIO_new(BIO_s_file());
 	if ((in == NULL) || (out == NULL))
 		{
 		ERR_print_errors(bio_err);
 		goto end;
 		}
 	if (infile == NULL)
 		BIO_set_fp(in,stdin,BIO_NOCLOSE);
 	else
 		{
 		if (BIO_read_filename(in,infile) <= 0)
 			{
 			perror(infile);
 			goto end;
 			}
 		}
    BIO_printf(bio_err, "read DSA key\n");
    {
        EVP_PKEY *pkey;
        if (pubin)
-			pkey = load_pubkey(bio_err, infile, informat, 1,
+            pkey = load_pubkey(infile, informat, 1, passin, e, "Public Key");
 				passin, e, "Public Key");
        else
-			pkey = load_key(bio_err, infile, informat, 1,
+            pkey = load_key(infile, informat, 1, passin, e, "Private Key");
 				passin, e, "Private Key");
-		if (pkey)
+        if (pkey) {
 			{
            dsa = EVP_PKEY_get1_DSA(pkey);
            EVP_PKEY_free(pkey);
        }
    }
-	if (dsa == NULL)
+    if (dsa == NULL) {
 		{
        BIO_printf(bio_err, "unable to load Key\n");
        ERR_print_errors(bio_err);
        goto end;
    }
-	if (outfile == NULL)
+    out = bio_open_owner(outfile, outformat, private);
-		{
+    if (out == NULL)
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
 			{
 			perror(outfile);
        goto end;
 			}
 		}
-	if (text) 
+    if (text) {
-		if (!DSA_print(out,dsa,0))
+        assert(private);
-			{
+        if (!DSA_print(out, dsa, 0)) {
            perror(outfile);
            ERR_print_errors(bio_err);
            goto end;
        }
 	if (modulus)
 		{
 		fprintf(stdout,"Public Key=");
 		BN_print(out,dsa->pub_key);
 		fprintf(stdout,"\n");
    }
-	if (noout) goto end;
+    if (modulus) {
        BIO_printf(out, "Public Key=");
        BN_print(out, dsa->pub_key);
        BIO_printf(out, "\n");
    }
    if (noout) {
        ret = 0;
        goto end;
    }
    BIO_printf(bio_err, "writing DSA key\n");
    if (outformat == FORMAT_ASN1) {
-		if(pubin || pubout) i=i2d_DSA_PUBKEY_bio(out,dsa);
+        if (pubin || pubout)
-		else i=i2d_DSAPrivateKey_bio(out,dsa);
+            i = i2d_DSA_PUBKEY_bio(out, dsa);
        else {
            assert(private);
            i = i2d_DSAPrivateKey_bio(out, dsa);
        }
    } else if (outformat == FORMAT_PEM) {
        if (pubin || pubout)
            i = PEM_write_bio_DSA_PUBKEY(out, dsa);
-		else i=PEM_write_bio_DSAPrivateKey(out,dsa,enc,
+        else {
            assert(private);
            i = PEM_write_bio_DSAPrivateKey(out, dsa, enc,
                                            NULL, 0, NULL, passout);
        }
 # if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_RC4)
    } else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
        EVP_PKEY *pk;
        pk = EVP_PKEY_new();
        EVP_PKEY_set1_DSA(pk, dsa);
-		if (outformat == FORMAT_PVK)
+        if (outformat == FORMAT_PVK) {
            assert(private);
            i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);
        }
        else if (pubin || pubout)
            i = i2b_PublicKey_bio(out, pk);
-		else
+        else {
            assert(private);
            i = i2b_PrivateKey_bio(out, pk);
        }
        EVP_PKEY_free(pk);
 # endif
    } else {
        BIO_printf(bio_err, "bad output format specified for outfile\n");
        goto end;
    }
-	if (i <= 0)
+    if (i <= 0) {
 		{
        BIO_printf(bio_err, "unable to write private key\n");
        ERR_print_errors(bio_err);
        goto end;
    }
 	else
    ret = 0;
 end:
-	if(in != NULL) BIO_free(in);
+    BIO_free_all(out);
-	if(out != NULL) BIO_free_all(out);
+    DSA_free(dsa);
-	if(dsa != NULL) DSA_free(dsa);
+    OPENSSL_free(passin);
-	if(passin) OPENSSL_free(passin);
+    OPENSSL_free(passout);
-	if(passout) OPENSSL_free(passout);
+    return (ret);
 	apps_shutdown();
 	OPENSSL_EXIT(ret);
 }
 #else                           /* !OPENSSL_NO_DSA */
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -1,4 +1,3 @@
 /* apps/dsaparam.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -57,14 +56,8 @@
 */
 #include <openssl/opensslconf.h> /* for OPENSSL_NO_DSA */
 /* Until the key-gen callbacks are modified to use newer prototypes, we allow
 * deprecated functions for openssl-internal code */
 #ifdef OPENSSL_NO_DEPRECATED
 #undef OPENSSL_NO_DEPRECATED
 #endif
 #ifndef OPENSSL_NO_DSA
 #include <assert.h>
 # include <stdio.h>
 # include <stdlib.h>
 # include <time.h>
@@ -77,23 +70,6 @@
 # include <openssl/x509.h>
 # include <openssl/pem.h>
 #undef PROG
 #define PROG	dsaparam_main
 /* -inform arg	- input format - default PEM (DER or PEM)
 * -outform arg - output format - default PEM
 * -in arg	- input file - default stdin
 * -out arg	- output file - default stdout
 * -noout
 * -text
 * -C
 * -noout
 * -genkey
 *  #ifdef GENCB_TEST
 * -timebomb n  - interrupt keygen after <n> seconds
 *  #endif
 */
 # ifdef GENCB_TEST
 static int stop_keygen_flag = 0;
@@ -105,226 +81,167 @@ static void timebomb_sigalarm(int foo)
 # endif
-static int MS_CALLBACK dsa_cb(int p, int n, BN_GENCB *cb);
+static int dsa_cb(int p, int n, BN_GENCB *cb);
-int MAIN(int, char **);
+typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT, OPT_C,
    OPT_NOOUT, OPT_GENKEY, OPT_RAND, OPT_NON_FIPS_ALLOW, OPT_ENGINE,
    OPT_TIMEBOMB
 } OPTION_CHOICE;
-int MAIN(int argc, char **argv)
+OPTIONS dsaparam_options[] = {
    {"help", OPT_HELP, '-', "Display this summary"},
    {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
    {"in", OPT_IN, '<', "Input file"},
    {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
    {"out", OPT_OUT, '>', "Output file"},
    {"text", OPT_TEXT, '-', "Print as text"},
    {"C", OPT_C, '-', "Output C code"},
    {"noout", OPT_NOOUT, '-', "No output"},
    {"genkey", OPT_GENKEY, '-', "Generate a DSA key"},
    {"rand", OPT_RAND, 's', "Files to use for random number input"},
    {"non-fips-allow", OPT_NON_FIPS_ALLOW, '-'},
 # ifdef GENCB_TEST
    {"timebomb", OPT_TIMEBOMB, 'p', "Interrupt keygen after 'pnum' seconds"},
 # endif
 # ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
 # endif
    {NULL}
 };
 int dsaparam_main(int argc, char **argv)
 {
    DSA *dsa = NULL;
 	int i,badops=0,text=0;
    BIO *in = NULL, *out = NULL;
-	int informat,outformat,noout=0,C=0,ret=1;
+    BN_GENCB *cb = NULL;
-	char *infile,*outfile,*prog,*inrand=NULL;
+    int numbits = -1, num = 0, genkey = 0, need_rand = 0, non_fips_allow = 0;
-	int numbits= -1,num,genkey=0;
+    int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0, C = 0;
-	int need_rand=0;
+    int ret = 1, i, text = 0, private = 0;
 	int non_fips_allow = 0;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
 # ifdef GENCB_TEST
    int timebomb = 0;
 # endif
    char *infile = NULL, *outfile = NULL, *prog, *inrand = NULL;
    OPTION_CHOICE o;
-	apps_startup();
+    prog = opt_init(argc, argv, dsaparam_options);
-
+    while ((o = opt_next()) != OPT_EOF) {
-	if (bio_err == NULL)
+        switch (o) {
-		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+        case OPT_EOF:
-			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+        case OPT_ERR:
-
+ opthelp:
-	if (!load_config(bio_err, NULL))
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
-
+        case OPT_HELP:
-	infile=NULL;
+            opt_help(dsaparam_options);
-	outfile=NULL;
+            ret = 0;
-	informat=FORMAT_PEM;
+            goto end;
-	outformat=FORMAT_PEM;
+        case OPT_INFORM:
-
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
-	prog=argv[0];
+                goto opthelp;
-	argc--;
+            break;
-	argv++;
+        case OPT_IN:
-	while (argc >= 1)
+            infile = opt_arg();
-		{
+            break;
-		if 	(strcmp(*argv,"-inform") == 0)
+        case OPT_OUTFORM:
-			{
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
-			if (--argc < 1) goto bad;
+                goto opthelp;
-			informat=str2fmt(*(++argv));
+            break;
-			}
+        case OPT_OUT:
-		else if (strcmp(*argv,"-outform") == 0)
+            outfile = opt_arg();
-			{
+            break;
-			if (--argc < 1) goto bad;
+        case OPT_ENGINE:
-			outformat=str2fmt(*(++argv));
+            (void)setup_engine(opt_arg(), 0);
-			}
+            break;
-		else if (strcmp(*argv,"-in") == 0)
+        case OPT_TIMEBOMB:
 			{
 			if (--argc < 1) goto bad;
 			infile= *(++argv);
 			}
 		else if (strcmp(*argv,"-out") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if(strcmp(*argv, "-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine = *(++argv);
 			}
 #endif
 # ifdef GENCB_TEST
-		else if(strcmp(*argv, "-timebomb") == 0)
+            timebomb = atoi(opt_arg());
-			{
+            break;
 			if (--argc < 1) goto bad;
 			timebomb = atoi(*(++argv));
 			}
 # endif
-		else if (strcmp(*argv,"-text") == 0)
+        case OPT_TEXT:
            text = 1;
-		else if (strcmp(*argv,"-C") == 0)
+            break;
        case OPT_C:
            C = 1;
-		else if (strcmp(*argv,"-genkey") == 0)
+            break;
-			{
+        case OPT_GENKEY:
-			genkey=1;
+            genkey = need_rand = 1;
            break;
        case OPT_RAND:
            inrand = opt_arg();
            need_rand = 1;
-			}
+            break;
-		else if (strcmp(*argv,"-rand") == 0)
+        case OPT_NOOUT:
 			{
 			if (--argc < 1) goto bad;
 			inrand= *(++argv);
 			need_rand=1;
 			}
 		else if (strcmp(*argv,"-noout") == 0)
            noout = 1;
-		else if (strcmp(*argv,"-non-fips-allow") == 0)
+            break;
        case OPT_NON_FIPS_ALLOW:
            non_fips_allow = 1;
-		else if (sscanf(*argv,"%d",&num) == 1)
+            break;
-			{
+        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
    if (argc == 1) {
        if (!opt_int(argv[0], &num))
            goto end;
        /* generate a key */
        numbits = num;
        need_rand = 1;
    }
-		else
+    private = genkey ? 1 : 0;
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
 			badops=1;
 			break;
 			}
 		argc--;
 		argv++;
 		}
-	if (badops)
+    in = bio_open_default(infile, 'r', informat);
-		{
+    if (in == NULL)
 bad:
 		BIO_printf(bio_err,"%s [options] [bits] <infile >outfile\n",prog);
 		BIO_printf(bio_err,"where options are\n");
 		BIO_printf(bio_err," -inform arg   input format - DER or PEM\n");
 		BIO_printf(bio_err," -outform arg  output format - DER or PEM\n");
 		BIO_printf(bio_err," -in arg       input file\n");
 		BIO_printf(bio_err," -out arg      output file\n");
 		BIO_printf(bio_err," -text         print as text\n");
 		BIO_printf(bio_err," -C            Output C code\n");
 		BIO_printf(bio_err," -noout        no output\n");
 		BIO_printf(bio_err," -genkey       generate a DSA key\n");
 		BIO_printf(bio_err," -rand         files to use for random number input\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
 #endif
 #ifdef GENCB_TEST
 		BIO_printf(bio_err," -timebomb n   interrupt keygen after <n> seconds\n");
 #endif
 		BIO_printf(bio_err," number        number of bits to use for generating private key\n");
        goto end;
-		}
+    out = bio_open_owner(outfile, outformat, private);
-
+    if (out == NULL)
 	ERR_load_crypto_strings();
 	in=BIO_new(BIO_s_file());
 	out=BIO_new(BIO_s_file());
 	if ((in == NULL) || (out == NULL))
 		{
 		ERR_print_errors(bio_err);
        goto end;
 		}
-	if (infile == NULL)
+    if (need_rand) {
-		BIO_set_fp(in,stdin,BIO_NOCLOSE);
+        app_RAND_load_file(NULL, (inrand != NULL));
 	else
 		{
 		if (BIO_read_filename(in,infile) <= 0)
 			{
 			perror(infile);
 			goto end;
 			}
 		}
 	if (outfile == NULL)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
 			{
 			perror(outfile);
 			goto end;
 			}
 		}
 #ifndef OPENSSL_NO_ENGINE
        setup_engine(bio_err, engine, 0);
 #endif
 	if (need_rand)
 		{
 		app_RAND_load_file(NULL, bio_err, (inrand != NULL));
        if (inrand != NULL)
            BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
                       app_RAND_load_files(inrand));
    }
-	if (numbits > 0)
+    if (numbits > 0) {
-		{
+        cb = BN_GENCB_new();
-		BN_GENCB cb;
+        if (cb == NULL) {
-		BN_GENCB_set(&cb, dsa_cb, bio_err);
+            BIO_printf(bio_err, "Error allocating BN_GENCB object\n");
            goto end;
        }
        BN_GENCB_set(cb, dsa_cb, bio_err);
        assert(need_rand);
        dsa = DSA_new();
-		if(!dsa)
+        if (dsa == NULL) {
 			{
            BIO_printf(bio_err, "Error allocating DSA object\n");
            goto end;
        }
        if (non_fips_allow)
            dsa->flags |= DSA_FLAG_NON_FIPS_ALLOW;
-		BIO_printf(bio_err,"Generating DSA parameters, %d bit long prime\n",num);
+        BIO_printf(bio_err, "Generating DSA parameters, %d bit long prime\n",
                   num);
        BIO_printf(bio_err, "This could take some time\n");
 # ifdef GENCB_TEST
-		if(timebomb > 0)
+        if (timebomb > 0) {
 	{
            struct sigaction act;
            act.sa_handler = timebomb_sigalarm;
            act.sa_flags = 0;
-		BIO_printf(bio_err,"(though I'll stop it if not done within %d secs)\n",
+            BIO_printf(bio_err,
                       "(though I'll stop it if not done within %d secs)\n",
                       timebomb);
-		if(sigaction(SIGALRM, &act, NULL) != 0)
+            if (sigaction(SIGALRM, &act, NULL) != 0) {
 			{
                BIO_printf(bio_err, "Error, couldn't set SIGALRM handler\n");
                goto end;
            }
            alarm(timebomb);
        }
 # endif
-	        if(!DSA_generate_parameters_ex(dsa,num,NULL,0,NULL,NULL, &cb))
+        if (!DSA_generate_parameters_ex(dsa, num, NULL, 0, NULL, NULL, cb)) {
 			{
 # ifdef GENCB_TEST
-			if(stop_keygen_flag)
+            if (stop_keygen_flag) {
 				{
                BIO_printf(bio_err, "DSA key generation time-stopped\n");
                /* This is an asked-for behaviour! */
                ret = 0;
@@ -335,149 +252,103 @@ bad:
            BIO_printf(bio_err, "Error, DSA key generation failed\n");
            goto end;
        }
-		}
+    } else if (informat == FORMAT_ASN1)
 	else if	(informat == FORMAT_ASN1)
        dsa = d2i_DSAparams_bio(in, NULL);
 	else if (informat == FORMAT_PEM)
 		dsa=PEM_read_bio_DSAparams(in,NULL,NULL,NULL);
    else
-		{
+        dsa = PEM_read_bio_DSAparams(in, NULL, NULL, NULL);
-		BIO_printf(bio_err,"bad input format specified\n");
+    if (dsa == NULL) {
 		goto end;
 		}
 	if (dsa == NULL)
 		{
        BIO_printf(bio_err, "unable to load DSA parameters\n");
        ERR_print_errors(bio_err);
        goto end;
    }
-	if (text)
+    if (text) {
 		{
        DSAparams_print(out, dsa);
    }
-	if (C)
+    if (C) {
-		{
+        int len = BN_num_bytes(dsa->p);
-		unsigned char *data;
+        int bits_p = BN_num_bits(dsa->p);
-		int l,len,bits_p;
+        unsigned char *data = app_malloc(len + 20, "BN space");
-		len=BN_num_bytes(dsa->p);
+        BIO_printf(bio_out, "DSA *get_dsa%d()\n{\n", bits_p);
-		bits_p=BN_num_bits(dsa->p);
+        print_bignum_var(bio_out, dsa->p, "dsap", len, data);
-		data=(unsigned char *)OPENSSL_malloc(len+20);
+        print_bignum_var(bio_out, dsa->q, "dsaq", len, data);
-		if (data == NULL)
+        print_bignum_var(bio_out, dsa->g, "dsag", len, data);
-			{
+        BIO_printf(bio_out, "    DSA *dsa = DSA_new();\n"
-			perror("OPENSSL_malloc");
+                            "\n");
-			goto end;
+        BIO_printf(bio_out, "    if (dsa == NULL)\n"
-			}
+                            "        return NULL;\n");
-		l=BN_bn2bin(dsa->p,data);
+        BIO_printf(bio_out, "    dsa->p = BN_bin2bn(dsap_%d, sizeof (dsap_%d), NULL);\n",
 		printf("static unsigned char dsa%d_p[]={",bits_p);
 		for (i=0; i<l; i++)
 			{
 			if ((i%12) == 0) printf("\n\t");
 			printf("0x%02X,",data[i]);
 			}
 		printf("\n\t};\n");
 		l=BN_bn2bin(dsa->q,data);
 		printf("static unsigned char dsa%d_q[]={",bits_p);
 		for (i=0; i<l; i++)
 			{
 			if ((i%12) == 0) printf("\n\t");
 			printf("0x%02X,",data[i]);
 			}
 		printf("\n\t};\n");
 		l=BN_bn2bin(dsa->g,data);
 		printf("static unsigned char dsa%d_g[]={",bits_p);
 		for (i=0; i<l; i++)
 			{
 			if ((i%12) == 0) printf("\n\t");
 			printf("0x%02X,",data[i]);
 			}
 		printf("\n\t};\n\n");
 		printf("DSA *get_dsa%d()\n\t{\n",bits_p);
 		printf("\tDSA *dsa;\n\n");
 		printf("\tif ((dsa=DSA_new()) == NULL) return(NULL);\n");
 		printf("\tdsa->p=BN_bin2bn(dsa%d_p,sizeof(dsa%d_p),NULL);\n",
               bits_p, bits_p);
-		printf("\tdsa->q=BN_bin2bn(dsa%d_q,sizeof(dsa%d_q),NULL);\n",
+        BIO_printf(bio_out, "    dsa->q = BN_bin2bn(dsaq_%d, sizeof (dsaq_%d), NULL);\n",
               bits_p, bits_p);
-		printf("\tdsa->g=BN_bin2bn(dsa%d_g,sizeof(dsa%d_g),NULL);\n",
+        BIO_printf(bio_out, "    dsa->g = BN_bin2bn(dsag_%d, sizeof (dsag_%d), NULL);\n",
               bits_p, bits_p);
-		printf("\tif ((dsa->p == NULL) || (dsa->q == NULL) || (dsa->g == NULL))\n");
+        BIO_printf(bio_out, "    if (!dsa->p || !dsa->q || !dsa->g) {\n"
-		printf("\t\t{ DSA_free(dsa); return(NULL); }\n");
+                            "        DSA_free(dsa);\n"
-		printf("\treturn(dsa);\n\t}\n");
+                            "        return NULL;\n"
                            "    }\n"
                            "    return(dsa);\n}\n");
    }
-
+    if (!noout) {
 	if (!noout)
 		{
        if (outformat == FORMAT_ASN1)
            i = i2d_DSAparams_bio(out, dsa);
-		else if (outformat == FORMAT_PEM)
+        else
            i = PEM_write_bio_DSAparams(out, dsa);
-		else	{
+        if (!i) {
 			BIO_printf(bio_err,"bad output format specified for outfile\n");
 			goto end;
 			}
 		if (!i)
 			{
            BIO_printf(bio_err, "unable to write DSA parameters\n");
            ERR_print_errors(bio_err);
            goto end;
        }
    }
-	if (genkey)
+    if (genkey) {
 		{
        DSA *dsakey;
        assert(need_rand);
-		if ((dsakey=DSAparams_dup(dsa)) == NULL) goto end;
+        if ((dsakey = DSAparams_dup(dsa)) == NULL)
            goto end;
        if (non_fips_allow)
            dsakey->flags |= DSA_FLAG_NON_FIPS_ALLOW;
-		if (!DSA_generate_key(dsakey))
+        if (!DSA_generate_key(dsakey)) {
 			{
            ERR_print_errors(bio_err);
            DSA_free(dsakey);
            goto end;
        }
        assert(private);
        if (outformat == FORMAT_ASN1)
            i = i2d_DSAPrivateKey_bio(out, dsakey);
-		else if (outformat == FORMAT_PEM)
+        else
-			i=PEM_write_bio_DSAPrivateKey(out,dsakey,NULL,NULL,0,NULL,NULL);
+            i = PEM_write_bio_DSAPrivateKey(out, dsakey, NULL, NULL, 0, NULL,
-		else	{
+                                            NULL);
 			BIO_printf(bio_err,"bad output format specified for outfile\n");
 			DSA_free(dsakey);
 			goto end;
 			}
        DSA_free(dsakey);
    }
    if (need_rand)
-		app_RAND_write_file(NULL, bio_err);
+        app_RAND_write_file(NULL);
    ret = 0;
 end:
-	if (in != NULL) BIO_free(in);
+    BN_GENCB_free(cb);
-	if (out != NULL) BIO_free_all(out);
+    BIO_free(in);
-	if (dsa != NULL) DSA_free(dsa);
+    BIO_free_all(out);
-	apps_shutdown();
+    DSA_free(dsa);
-	OPENSSL_EXIT(ret);
+    return (ret);
 }
-static int MS_CALLBACK dsa_cb(int p, int n, BN_GENCB *cb)
+static int dsa_cb(int p, int n, BN_GENCB *cb)
 {
    char c = '*';
-	if (p == 0) c='.';
+    if (p == 0)
-	if (p == 1) c='+';
+        c = '.';
-	if (p == 2) c='*';
+    if (p == 1)
-	if (p == 3) c='\n';
+        c = '+';
-	BIO_write(cb->arg,&c,1);
+    if (p == 2)
-	(void)BIO_flush(cb->arg);
+        c = '*';
-#ifdef LINT
+    if (p == 3)
-	p=n;
+        c = '\n';
-#endif
+    BIO_write(BN_GENCB_get_arg(cb), &c, 1);
    (void)BIO_flush(BN_GENCB_get_arg(cb));
 # ifdef GENCB_TEST
    if (stop_keygen_flag)
        return 0;
--- a/apps/ec.c
+++ b/apps/ec.c
@@ -1,4 +1,3 @@
 /* apps/ec.c */
 /*
 * Written by Nils Larsch for the OpenSSL project.
 */
@@ -67,265 +66,167 @@
 # include <openssl/evp.h>
 # include <openssl/pem.h>
-#undef PROG
+static OPT_PAIR conv_forms[] = {
-#define PROG	ec_main
+    {"compressed", POINT_CONVERSION_COMPRESSED},
    {"uncompressed", POINT_CONVERSION_UNCOMPRESSED},
    {"hybrid", POINT_CONVERSION_HYBRID},
    {NULL}
 };
-/* -inform arg    - input format - default PEM (one of DER, NET or PEM)
+static OPT_PAIR param_enc[] = {
- * -outform arg   - output format - default PEM
+    {"named_curve", OPENSSL_EC_NAMED_CURVE},
- * -in arg        - input file - default stdin
+    {"explicit", 0},
- * -out arg       - output file - default stdout
+    {NULL}
- * -des           - encrypt output if PEM format with DES in cbc mode
+};
 * -text          - print a text version
 * -param_out     - print the elliptic curve parameters
 * -conv_form arg - specifies the point encoding form
 * -param_enc arg - specifies the parameter encoding
 */
-int MAIN(int, char **);
+typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT,
    OPT_NOOUT, OPT_TEXT, OPT_PARAM_OUT, OPT_PUBIN, OPT_PUBOUT,
    OPT_PASSIN, OPT_PASSOUT, OPT_PARAM_ENC, OPT_CONV_FORM, OPT_CIPHER
 } OPTION_CHOICE;
-int MAIN(int argc, char **argv)
+OPTIONS ec_options[] = {
    {"help", OPT_HELP, '-', "Display this summary"},
    {"in", OPT_IN, '<', "Input file"},
    {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
    {"out", OPT_OUT, '>', "Output file"},
    {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
    {"noout", OPT_NOOUT, '-', "Don't print key out"},
    {"text", OPT_TEXT, '-', "Print the key"},
    {"param_out", OPT_PARAM_OUT, '-', "Print the elliptic curve parameters"},
    {"pubin", OPT_PUBIN, '-'},
    {"pubout", OPT_PUBOUT, '-'},
    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
    {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
    {"param_enc", OPT_PARAM_ENC, 's',
     "Specifies the way the ec parameters are encoded"},
    {"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "},
    {"", OPT_CIPHER, '-', "Any supported cipher"},
 # ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 # endif
    {NULL}
 };
 int ec_main(int argc, char **argv)
 {
-	int 	ret = 1;
+    BIO *in = NULL, *out = NULL;
    EC_KEY *eckey = NULL;
    const EC_GROUP *group;
 	int 	i, badops = 0;
    const EVP_CIPHER *enc = NULL;
 	BIO 	*in = NULL, *out = NULL;
 	int 	informat, outformat, text=0, noout=0;
 	int  	pubin = 0, pubout = 0, param_out = 0;
 	char 	*infile, *outfile, *prog, *engine;
 	char 	*passargin = NULL, *passargout = NULL;
 	char 	*passin = NULL, *passout = NULL;
    point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED;
-	int	new_form = 0;
+    char *infile = NULL, *outfile = NULL, *prog;
-	int	asn1_flag = OPENSSL_EC_NAMED_CURVE;
+    char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
-	int 	new_asn1_flag = 0;
+    OPTION_CHOICE o;
    int asn1_flag = OPENSSL_EC_NAMED_CURVE, new_form = 0, new_asn1_flag = 0;
    int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0;
    int pubin = 0, pubout = 0, param_out = 0, i, ret = 1, private = 0;
-	apps_startup();
+    prog = opt_init(argc, argv, ec_options);
-
+    while ((o = opt_next()) != OPT_EOF) {
-	if (bio_err == NULL)
+        switch (o) {
-		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+        case OPT_EOF:
-			BIO_set_fp(bio_err, stderr, BIO_NOCLOSE|BIO_FP_TEXT);
+        case OPT_ERR:
-
+ opthelp:
-	if (!load_config(bio_err, NULL))
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
-
+        case OPT_HELP:
-	engine = NULL;
+            opt_help(ec_options);
-	infile = NULL;
+            ret = 0;
-	outfile = NULL;
+            goto end;
-	informat = FORMAT_PEM;
+        case OPT_INFORM:
-	outformat = FORMAT_PEM;
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
-
+                goto opthelp;
-	prog = argv[0];
+            break;
-	argc--;
+        case OPT_IN:
-	argv++;
+            infile = opt_arg();
-	while (argc >= 1)
+            break;
-		{
+        case OPT_OUTFORM:
-		if (strcmp(*argv,"-inform") == 0)
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
-			{
+                goto opthelp;
-			if (--argc < 1) goto bad;
+            break;
-			informat=str2fmt(*(++argv));
+        case OPT_OUT:
-			}
+            outfile = opt_arg();
-		else if (strcmp(*argv,"-outform") == 0)
+            break;
-			{
+        case OPT_NOOUT:
 			if (--argc < 1) goto bad;
 			outformat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-in") == 0)
 			{
 			if (--argc < 1) goto bad;
 			infile= *(++argv);
 			}
 		else if (strcmp(*argv,"-out") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 		else if (strcmp(*argv,"-passin") == 0)
 			{
 			if (--argc < 1) goto bad;
 			passargin= *(++argv);
 			}
 		else if (strcmp(*argv,"-passout") == 0)
 			{
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 			}
 		else if (strcmp(*argv, "-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 		else if (strcmp(*argv, "-noout") == 0)
            noout = 1;
-		else if (strcmp(*argv, "-text") == 0)
+            break;
        case OPT_TEXT:
            text = 1;
-		else if (strcmp(*argv, "-conv_form") == 0)
+            break;
-			{
+        case OPT_PARAM_OUT:
 			if (--argc < 1)
 				goto bad;
 			++argv;
 			new_form = 1;
 			if (strcmp(*argv, "compressed") == 0)
 				form = POINT_CONVERSION_COMPRESSED;
 			else if (strcmp(*argv, "uncompressed") == 0)
 				form = POINT_CONVERSION_UNCOMPRESSED;
 			else if (strcmp(*argv, "hybrid") == 0)
 				form = POINT_CONVERSION_HYBRID;
 			else
 				goto bad;
 			}
 		else if (strcmp(*argv, "-param_enc") == 0)
 			{
 			if (--argc < 1)
 				goto bad;
 			++argv;
 			new_asn1_flag = 1;
 			if (strcmp(*argv, "named_curve") == 0)
 				asn1_flag = OPENSSL_EC_NAMED_CURVE;
 			else if (strcmp(*argv, "explicit") == 0)
 				asn1_flag = 0;
 			else
 				goto bad;
 			}
 		else if (strcmp(*argv, "-param_out") == 0)
            param_out = 1;
-		else if (strcmp(*argv, "-pubin") == 0)
+            break;
        case OPT_PUBIN:
            pubin = 1;
-		else if (strcmp(*argv, "-pubout") == 0)
+            break;
        case OPT_PUBOUT:
            pubout = 1;
-		else if ((enc=EVP_get_cipherbyname(&(argv[0][1]))) == NULL)
+            break;
-			{
+        case OPT_PASSIN:
-			BIO_printf(bio_err, "unknown option %s\n", *argv);
+            passinarg = opt_arg();
-			badops=1;
+            break;
        case OPT_PASSOUT:
            passoutarg = opt_arg();
            break;
        case OPT_ENGINE:
            (void)setup_engine(opt_arg(), 0);
            break;
        case OPT_CIPHER:
            if (!opt_cipher(opt_unknown(), &enc))
                goto opthelp;
            break;
        case OPT_CONV_FORM:
            if (!opt_pair(opt_arg(), conv_forms, &i))
                goto opthelp;
            new_form = 1;
            form = i;
            break;
        case OPT_PARAM_ENC:
            if (!opt_pair(opt_arg(), param_enc, &i))
                goto opthelp;
            new_asn1_flag = 1;
            asn1_flag = i;
            break;
        }
 		argc--;
 		argv++;
    }
    argc = opt_num_rest();
    argv = opt_rest();
    private = param_out || pubin || pubout ? 0 : 1;
    if (text)
        private = 1;
-	if (badops)
+    if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
 		{
 bad:
 		BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
 		BIO_printf(bio_err, "where options are\n");
 		BIO_printf(bio_err, " -inform arg     input format - "
 				"DER or PEM\n");
 		BIO_printf(bio_err, " -outform arg    output format - "
 				"DER or PEM\n");
 		BIO_printf(bio_err, " -in arg         input file\n");
 		BIO_printf(bio_err, " -passin arg     input file pass "
 				"phrase source\n");
 		BIO_printf(bio_err, " -out arg        output file\n");
 		BIO_printf(bio_err, " -passout arg    output file pass "
 				"phrase source\n");
 		BIO_printf(bio_err, " -engine e       use engine e, "
 				"possibly a hardware device.\n");
 		BIO_printf(bio_err, " -des            encrypt PEM output, "
 				"instead of 'des' every other \n"
 				"                 cipher "
 				"supported by OpenSSL can be used\n");
 		BIO_printf(bio_err, " -text           print the key\n");
 		BIO_printf(bio_err, " -noout          don't print key out\n");
 		BIO_printf(bio_err, " -param_out      print the elliptic "
 				"curve parameters\n");
 		BIO_printf(bio_err, " -conv_form arg  specifies the "
 				"point conversion form \n");
 		BIO_printf(bio_err, "                 possible values:"
 				" compressed\n");
 		BIO_printf(bio_err, "                                 "
 				" uncompressed (default)\n");
 		BIO_printf(bio_err, "                                  "
 				" hybrid\n");
 		BIO_printf(bio_err, " -param_enc arg  specifies the way"
 				" the ec parameters are encoded\n");
 		BIO_printf(bio_err, "                 in the asn1 der "
 				"encoding\n");
 		BIO_printf(bio_err, "                 possible values:"
 				" named_curve (default)\n");
 		BIO_printf(bio_err,"                                  "
 				"explicit\n");
 		goto end;
 		}
 	ERR_load_crypto_strings();
 #ifndef OPENSSL_NO_ENGINE
        setup_engine(bio_err, engine, 0);
 #endif
 	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) 
 		{
        BIO_printf(bio_err, "Error getting passwords\n");
        goto end;
    }
-	in = BIO_new(BIO_s_file());
+    in = bio_open_default(infile, 'r', informat);
-	out = BIO_new(BIO_s_file());
+    if (in == NULL)
 	if ((in == NULL) || (out == NULL))
 		{
 		ERR_print_errors(bio_err);
        goto end;
 		}
 	if (infile == NULL)
 		BIO_set_fp(in, stdin, BIO_NOCLOSE);
 	else
 		{
 		if (BIO_read_filename(in, infile) <= 0)
 			{
 			perror(infile);
 			goto end;
 			}
 		}
    BIO_printf(bio_err, "read EC key\n");
-	if (informat == FORMAT_ASN1) 
+    if (informat == FORMAT_ASN1) {
 		{
        if (pubin)
            eckey = d2i_EC_PUBKEY_bio(in, NULL);
        else
            eckey = d2i_ECPrivateKey_bio(in, NULL);
-		} 
+    } else {
 	else if (informat == FORMAT_PEM) 
 		{
        if (pubin)
-			eckey = PEM_read_bio_EC_PUBKEY(in, NULL, NULL, 
+            eckey = PEM_read_bio_EC_PUBKEY(in, NULL, NULL, NULL);
 				NULL);
        else
-			eckey = PEM_read_bio_ECPrivateKey(in, NULL, NULL,
+            eckey = PEM_read_bio_ECPrivateKey(in, NULL, NULL, passin);
 				passin);
    }
-	else
+    if (eckey == NULL) {
 		{
 		BIO_printf(bio_err, "bad input format specified for key\n");
 		goto end;
 		}
 	if (eckey == NULL)
 		{
        BIO_printf(bio_err, "unable to load Key\n");
        ERR_print_errors(bio_err);
        goto end;
    }
-	if (outfile == NULL)
+    out = bio_open_owner(outfile, outformat, private);
-		{
+    if (out == NULL)
 		BIO_set_fp(out, stdout, BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 			{
 			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 			out = BIO_push(tmpbio, out);
 			}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out, outfile) <= 0)
 			{
 			perror(outfile);
        goto end;
 			}
 		}
    group = EC_KEY_get0_group(eckey);
@@ -335,67 +236,54 @@ bad:
    if (new_asn1_flag)
        EC_KEY_set_asn1_flag(eckey, asn1_flag);
-	if (text) 
+    if (text) {
-		if (!EC_KEY_print(out, eckey, 0))
+        assert(private);
-			{
+        if (!EC_KEY_print(out, eckey, 0)) {
            perror(outfile);
            ERR_print_errors(bio_err);
            goto end;
        }
    }
-	if (noout) 
+    if (noout) {
 		{
        ret = 0;
        goto end;
    }
    BIO_printf(bio_err, "writing EC key\n");
-	if (outformat == FORMAT_ASN1) 
+    if (outformat == FORMAT_ASN1) {
 		{
        if (param_out)
            i = i2d_ECPKParameters_bio(out, group);
        else if (pubin || pubout)
            i = i2d_EC_PUBKEY_bio(out, eckey);
-		else 
+        else {
            assert(private);
            i = i2d_ECPrivateKey_bio(out, eckey);
        }
-	else if (outformat == FORMAT_PEM) 
+    } else {
 		{
        if (param_out)
            i = PEM_write_bio_ECPKParameters(out, group);
        else if (pubin || pubout)
            i = PEM_write_bio_EC_PUBKEY(out, eckey);
-		else 
+        else {
            assert(private);
            i = PEM_write_bio_ECPrivateKey(out, eckey, enc,
                                           NULL, 0, NULL, passout);
        }
 	else 
 		{
 		BIO_printf(bio_err, "bad output format specified for "
 			"outfile\n");
 		goto end;
    }
-	if (!i)
+    if (!i) {
 		{
        BIO_printf(bio_err, "unable to write private key\n");
        ERR_print_errors(bio_err);
-		}
+    } else
 	else
        ret = 0;
 end:
 	if (in)
    BIO_free(in);
 	if (out)
    BIO_free_all(out);
 	if (eckey)
    EC_KEY_free(eckey);
 	if (passin)
    OPENSSL_free(passin);
 	if (passout)
    OPENSSL_free(passout);
-	apps_shutdown();
+    return (ret);
 	OPENSSL_EXIT(ret);
 }
 #else                           /* !OPENSSL_NO_EC */
--- a/apps/ecparam.c
+++ b/apps/ecparam.c
@@ -1,4 +1,3 @@
 /* apps/ecparam.c */
 /*
 * Written by Nils Larsch for the OpenSSL project.
 */
@@ -71,7 +70,6 @@
 #include <openssl/opensslconf.h>
 #ifndef OPENSSL_NO_EC
 #include <assert.h>
 # include <stdio.h>
 # include <stdlib.h>
 # include <time.h>
@@ -84,284 +82,163 @@
 # include <openssl/x509.h>
 # include <openssl/pem.h>
-#undef PROG
+typedef enum OPTION_choice {
-#define PROG	ecparam_main
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT, OPT_C,
    OPT_CHECK, OPT_LIST_CURVES, OPT_NO_SEED, OPT_NOOUT, OPT_NAME,
    OPT_CONV_FORM, OPT_PARAM_ENC, OPT_GENKEY, OPT_RAND, OPT_ENGINE
 } OPTION_CHOICE;
-/* -inform arg      - input format - default PEM (DER or PEM)
+OPTIONS ecparam_options[] = {
- * -outform arg     - output format - default PEM
+    {"help", OPT_HELP, '-', "Display this summary"},
- * -in  arg         - input file  - default stdin
+    {"inform", OPT_INFORM, 'F', "Input format - default PEM (DER or PEM)"},
- * -out arg         - output file - default stdout
+    {"outform", OPT_OUTFORM, 'F', "Output format - default PEM"},
- * -noout           - do not print the ec parameter
+    {"in", OPT_IN, '<', "Input file  - default stdin"},
- * -text            - print the ec parameters in text form
+    {"out", OPT_OUT, '>', "Output file - default stdout"},
- * -check           - validate the ec parameters
+    {"text", OPT_TEXT, '-', "Print the ec parameters in text form"},
- * -C               - print a 'C' function creating the parameters
+    {"C", OPT_C, '-', "Print a 'C' function creating the parameters"},
- * -name arg        - use the ec parameters with 'short name' name
+    {"check", OPT_CHECK, '-', "Validate the ec parameters"},
- * -list_curves     - prints a list of all currently available curve 'short names'
+    {"list_curves", OPT_LIST_CURVES, '-',
- * -conv_form arg   - specifies the point conversion form 
+     "Prints a list of all curve 'short names'"},
- *                  - possible values: compressed
+    {"no_seed", OPT_NO_SEED, '-',
- *                                     uncompressed (default)
+     "If 'explicit' parameters are chosen do not use the seed"},
- *                                     hybrid
+    {"noout", OPT_NOOUT, '-', "Do not print the ec parameter"},
- * -param_enc arg   - specifies the way the ec parameters are encoded
+    {"name", OPT_NAME, 's',
- *                    in the asn1 der encoding
+     "Use the ec parameters with specified 'short name'"},
- *                    possible values: named_curve (default)
+    {"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "},
- *                                     explicit
+    {"param_enc", OPT_PARAM_ENC, 's',
- * -no_seed         - if 'explicit' parameters are choosen do not use the seed
+     "Specifies the way the ec parameters are encoded"},
- * -genkey          - generate ec key
+    {"genkey", OPT_GENKEY, '-', "Generate ec key"},
- * -rand file       - files to use for random number input
+    {"rand", OPT_RAND, 's', "Files to use for random number input"},
- * -engine e        - use engine e, possibly a hardware device
+# ifndef OPENSSL_NO_ENGINE
- */
+    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 # endif
    {NULL}
 };
 static OPT_PAIR forms[] = {
    {"compressed", POINT_CONVERSION_COMPRESSED},
    {"uncompressed", POINT_CONVERSION_UNCOMPRESSED},
    {"hybrid", POINT_CONVERSION_HYBRID},
    {NULL}
 };
-static int ecparam_print_var(BIO *,BIGNUM *,const char *,int,unsigned char *);
+static OPT_PAIR encodings[] = {
    {"named_curve", OPENSSL_EC_NAMED_CURVE},
    {"explicit", 0},
    {NULL}
 };
-int MAIN(int, char **);
+int ecparam_main(int argc, char **argv)
 int MAIN(int argc, char **argv)
 {
    BIGNUM *ec_gen = NULL, *ec_order = NULL, *ec_cofactor = NULL;
    BIGNUM *ec_p = NULL, *ec_a = NULL, *ec_b = NULL;
    BIO *in = NULL, *out = NULL;
    EC_GROUP *group = NULL;
    point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED;
 	int 	new_form = 0;
 	int 	asn1_flag = OPENSSL_EC_NAMED_CURVE;
 	int 	new_asn1_flag = 0;
    char *curve_name = NULL, *inrand = NULL;
 	int	list_curves = 0, no_seed = 0, check = 0,
 		badops = 0, text = 0, i, need_rand = 0, genkey = 0;
    char *infile = NULL, *outfile = NULL, *prog;
 	BIO 	*in = NULL, *out = NULL;
 	int 	informat, outformat, noout = 0, C = 0, ret = 1;
 	char	*engine = NULL;
 	BIGNUM	*ec_p = NULL, *ec_a = NULL, *ec_b = NULL,
 		*ec_gen = NULL, *ec_order = NULL, *ec_cofactor = NULL;
    unsigned char *buffer = NULL;
    OPTION_CHOICE o;
    int asn1_flag = OPENSSL_EC_NAMED_CURVE, new_asn1_flag = 0;
    int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0, C = 0;
    int ret = 1, private = 0;
    int list_curves = 0, no_seed = 0, check = 0, new_form = 0;
    int text = 0, i, need_rand = 0, genkey = 0;
-	apps_startup();
+    prog = opt_init(argc, argv, ecparam_options);
-
+    while ((o = opt_next()) != OPT_EOF) {
-	if (bio_err == NULL)
+        switch (o) {
-		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+        case OPT_EOF:
-			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+        case OPT_ERR:
-
+ opthelp:
-	if (!load_config(bio_err, NULL))
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
-
+        case OPT_HELP:
-	informat=FORMAT_PEM;
+            opt_help(ecparam_options);
-	outformat=FORMAT_PEM;
+            ret = 0;
-
+            goto end;
-	prog=argv[0];
+        case OPT_INFORM:
-	argc--;
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
-	argv++;
+                goto opthelp;
-	while (argc >= 1)
+            break;
-		{
+        case OPT_IN:
-		if 	(strcmp(*argv,"-inform") == 0)
+            infile = opt_arg();
-			{
+            break;
-			if (--argc < 1) goto bad;
+        case OPT_OUTFORM:
-			informat=str2fmt(*(++argv));
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
-			}
+                goto opthelp;
-		else if (strcmp(*argv,"-outform") == 0)
+            break;
-			{
+        case OPT_OUT:
-			if (--argc < 1) goto bad;
+            outfile = opt_arg();
-			outformat=str2fmt(*(++argv));
+            break;
-			}
+        case OPT_TEXT:
 		else if (strcmp(*argv,"-in") == 0)
 			{
 			if (--argc < 1) goto bad;
 			infile= *(++argv);
 			}
 		else if (strcmp(*argv,"-out") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 		else if (strcmp(*argv,"-text") == 0)
            text = 1;
-		else if (strcmp(*argv,"-C") == 0)
+            break;
        case OPT_C:
            C = 1;
-		else if (strcmp(*argv,"-check") == 0)
+            break;
        case OPT_CHECK:
            check = 1;
-		else if (strcmp (*argv, "-name") == 0)
+            break;
-			{
+        case OPT_LIST_CURVES:
 			if (--argc < 1)
 				goto bad;
 			curve_name = *(++argv);
 			}
 		else if (strcmp(*argv, "-list_curves") == 0)
            list_curves = 1;
-		else if (strcmp(*argv, "-conv_form") == 0)
+            break;
-			{
+        case OPT_NO_SEED:
 			if (--argc < 1)
 				goto bad;
 			++argv;
 			new_form = 1;
 			if (strcmp(*argv, "compressed") == 0)
 				form = POINT_CONVERSION_COMPRESSED;
 			else if (strcmp(*argv, "uncompressed") == 0)
 				form = POINT_CONVERSION_UNCOMPRESSED;
 			else if (strcmp(*argv, "hybrid") == 0)
 				form = POINT_CONVERSION_HYBRID;
 			else
 				goto bad;
 			}
 		else if (strcmp(*argv, "-param_enc") == 0)
 			{
 			if (--argc < 1)
 				goto bad;
 			++argv;
 			new_asn1_flag = 1;
 			if (strcmp(*argv, "named_curve") == 0)
 				asn1_flag = OPENSSL_EC_NAMED_CURVE;
 			else if (strcmp(*argv, "explicit") == 0)
 				asn1_flag = 0;
 			else
 				goto bad;
 			}
 		else if (strcmp(*argv, "-no_seed") == 0)
            no_seed = 1;
-		else if (strcmp(*argv, "-noout") == 0)
+            break;
        case OPT_NOOUT:
            noout = 1;
-		else if (strcmp(*argv,"-genkey") == 0)
+            break;
-			{
+        case OPT_NAME:
-			genkey=1;
+            curve_name = opt_arg();
            break;
        case OPT_CONV_FORM:
            if (!opt_pair(opt_arg(), forms, &new_form))
                goto opthelp;
            form = new_form;
            new_form = 1;
            break;
        case OPT_PARAM_ENC:
            if (!opt_pair(opt_arg(), encodings, &asn1_flag))
                goto opthelp;
            new_asn1_flag = 1;
            break;
        case OPT_GENKEY:
            genkey = need_rand = 1;
            break;
        case OPT_RAND:
            inrand = opt_arg();
            need_rand = 1;
-			}
+            break;
-		else if (strcmp(*argv, "-rand") == 0)
+        case OPT_ENGINE:
-			{
+            (void)setup_engine(opt_arg(), 0);
 			if (--argc < 1) goto bad;
 			inrand= *(++argv);
 			need_rand=1;
 			}
 		else if(strcmp(*argv, "-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine = *(++argv);
 			}	
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
 			badops=1;
            break;
        }
 		argc--;
 		argv++;
    }
    argc = opt_num_rest();
    argv = opt_rest();
    private = genkey ? 1 : 0;
-	if (badops)
+    in = bio_open_default(infile, 'r', informat);
-		{
+    if (in == NULL)
 bad:
 		BIO_printf(bio_err, "%s [options] <infile >outfile\n",prog);
 		BIO_printf(bio_err, "where options are\n");
 		BIO_printf(bio_err, " -inform arg       input format - "
 				"default PEM (DER or PEM)\n");
 		BIO_printf(bio_err, " -outform arg      output format - "
 				"default PEM\n");
 		BIO_printf(bio_err, " -in  arg          input file  - "
 				"default stdin\n");
 		BIO_printf(bio_err, " -out arg          output file - "
 				"default stdout\n");
 		BIO_printf(bio_err, " -noout            do not print the "
 				"ec parameter\n");
 		BIO_printf(bio_err, " -text             print the ec "
 				"parameters in text form\n");
 		BIO_printf(bio_err, " -check            validate the ec "
 				"parameters\n");
 		BIO_printf(bio_err, " -C                print a 'C' "
 				"function creating the parameters\n");
 		BIO_printf(bio_err, " -name arg         use the "
 				"ec parameters with 'short name' name\n");
 		BIO_printf(bio_err, " -list_curves      prints a list of "
 				"all currently available curve 'short names'\n");
 		BIO_printf(bio_err, " -conv_form arg    specifies the "
 				"point conversion form \n");
 		BIO_printf(bio_err, "                   possible values:"
 				" compressed\n");
 		BIO_printf(bio_err, "                                   "
 				" uncompressed (default)\n");
 		BIO_printf(bio_err, "                                   "
 				" hybrid\n");
 		BIO_printf(bio_err, " -param_enc arg    specifies the way"
 				" the ec parameters are encoded\n");
 		BIO_printf(bio_err, "                   in the asn1 der "
 				"encoding\n");
 		BIO_printf(bio_err, "                   possible values:"
 				" named_curve (default)\n");
 		BIO_printf(bio_err, "                                   "
 				" explicit\n");
 		BIO_printf(bio_err, " -no_seed          if 'explicit'"
 				" parameters are choosen do not"
 				" use the seed\n");
 		BIO_printf(bio_err, " -genkey           generate ec"
 				" key\n");
 		BIO_printf(bio_err, " -rand file        files to use for"
 				" random number input\n");
 		BIO_printf(bio_err, " -engine e         use engine e, "
 				"possibly a hardware device\n");
        goto end;
-		}
+    out = bio_open_owner(outfile, outformat, private);
-
+    if (out == NULL)
 	ERR_load_crypto_strings();
 	in=BIO_new(BIO_s_file());
 	out=BIO_new(BIO_s_file());
 	if ((in == NULL) || (out == NULL))
 		{
 		ERR_print_errors(bio_err);
        goto end;
 		}
-	if (infile == NULL)
+    if (list_curves) {
 		BIO_set_fp(in,stdin,BIO_NOCLOSE);
 	else
 		{
 		if (BIO_read_filename(in,infile) <= 0)
 			{
 			perror(infile);
 			goto end;
 			}
 		}
 	if (outfile == NULL)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
 			{
 			perror(outfile);
 			goto end;
 			}
 		}
 #ifndef OPENSSL_NO_ENGINE
 	setup_engine(bio_err, engine, 0);
 #endif
 	if (list_curves)
 		{
        EC_builtin_curve *curves = NULL;
-		size_t crv_len = 0;
+        size_t crv_len = EC_get_builtin_curves(NULL, 0);
-		size_t n = 0;
+        size_t n;
-		crv_len = EC_get_builtin_curves(NULL, 0);
+        curves = app_malloc((int)sizeof(*curves) * crv_len, "list curves");
-
+        if (!EC_get_builtin_curves(curves, crv_len)) {
 		curves = OPENSSL_malloc((int)(sizeof(EC_builtin_curve) * crv_len));
 		if (curves == NULL)
 			goto end;
 		if (!EC_get_builtin_curves(curves, crv_len))
 			{
            OPENSSL_free(curves);
            goto end;
        }
-		
+        for (n = 0; n < crv_len; n++) {
 		for (n = 0; n < crv_len; n++)
 			{
            const char *comment;
            const char *sname;
            comment = curves[n].comment;
@@ -380,64 +257,46 @@ bad:
        goto end;
    }
-	if (curve_name != NULL)
+    if (curve_name != NULL) {
 		{
        int nid;
-		/* workaround for the SECG curve names secp192r1
+        /*
-		 * and secp256r1 (which are the same as the curves
+         * workaround for the SECG curve names secp192r1 and secp256r1 (which
-		 * prime192v1 and prime256v1 defined in X9.62)
+         * are the same as the curves prime192v1 and prime256v1 defined in
         * X9.62)
         */
-		if (!strcmp(curve_name, "secp192r1"))
+        if (strcmp(curve_name, "secp192r1") == 0) {
 			{
            BIO_printf(bio_err, "using curve name prime192v1 "
                       "instead of secp192r1\n");
            nid = NID_X9_62_prime192v1;
-			}
+        } else if (strcmp(curve_name, "secp256r1") == 0) {
 		else if (!strcmp(curve_name, "secp256r1"))
 			{
            BIO_printf(bio_err, "using curve name prime256v1 "
                       "instead of secp256r1\n");
            nid = NID_X9_62_prime256v1;
-			}
+        } else
 		else
            nid = OBJ_sn2nid(curve_name);
        if (nid == 0)
-			{
+            nid = EC_curve_nist2nid(curve_name);
-			BIO_printf(bio_err, "unknown curve name (%s)\n", 
+
-				curve_name);
+        if (nid == 0) {
            BIO_printf(bio_err, "unknown curve name (%s)\n", curve_name);
            goto end;
        }
        group = EC_GROUP_new_by_curve_name(nid);
-		if (group == NULL)
+        if (group == NULL) {
-			{
+            BIO_printf(bio_err, "unable to create curve (%s)\n", curve_name);
 			BIO_printf(bio_err, "unable to create curve (%s)\n", 
 				curve_name);
            goto end;
        }
        EC_GROUP_set_asn1_flag(group, asn1_flag);
        EC_GROUP_set_point_conversion_form(group, form);
-		}
+    } else if (informat == FORMAT_ASN1)
 	else if (informat == FORMAT_ASN1)
 		{
        group = d2i_ECPKParameters_bio(in, NULL);
 		}
 	else if (informat == FORMAT_PEM)
 		{
 		group = PEM_read_bio_ECPKParameters(in,NULL,NULL,NULL);
 		}
    else
-		{
+        group = PEM_read_bio_ECPKParameters(in, NULL, NULL, NULL);
-		BIO_printf(bio_err, "bad input format specified\n");
+    if (group == NULL) {
-		goto end;
+        BIO_printf(bio_err, "unable to load elliptic curve parameters\n");
 		}
 	if (group == NULL)
 		{
 		BIO_printf(bio_err, 
 			"unable to load elliptic curve parameters\n");
        ERR_print_errors(bio_err);
        goto end;
    }
@@ -448,76 +307,63 @@ bad:
    if (new_asn1_flag)
        EC_GROUP_set_asn1_flag(group, asn1_flag);
-	if (no_seed)
+    if (no_seed) {
 		{
        EC_GROUP_set_seed(group, NULL, 0);
    }
-	if (text)
+    if (text) {
 		{
        if (!ECPKParameters_print(out, group, 0))
            goto end;
    }
-	if (check)
+    if (check) {
 		{
 		if (group == NULL)
 			BIO_printf(bio_err, "no elliptic curve parameters\n");
        BIO_printf(bio_err, "checking elliptic curve parameters: ");
-		if (!EC_GROUP_check(group, NULL))
+        if (!EC_GROUP_check(group, NULL)) {
 			{
            BIO_printf(bio_err, "failed\n");
            ERR_print_errors(bio_err);
            goto end;
        }
 		else
        BIO_printf(bio_err, "ok\n");
    }
-	if (C)
+    if (C) {
 		{
        size_t buf_len = 0, tmp_len = 0;
        const EC_POINT *point;
        int is_prime, len = 0;
        const EC_METHOD *meth = EC_GROUP_method_of(group);
-		if ((ec_p = BN_new()) == NULL || (ec_a = BN_new()) == NULL ||
+        if ((ec_p = BN_new()) == NULL
-		    (ec_b = BN_new()) == NULL || (ec_gen = BN_new()) == NULL ||
+                || (ec_a = BN_new()) == NULL
-		    (ec_order = BN_new()) == NULL || 
+                || (ec_b = BN_new()) == NULL
-		    (ec_cofactor = BN_new()) == NULL )
+                || (ec_gen = BN_new()) == NULL
-			{
+                || (ec_order = BN_new()) == NULL
-			perror("OPENSSL_malloc");
+                || (ec_cofactor = BN_new()) == NULL) {
            perror("Can't allocate BN");
            goto end;
        }
-		is_prime = (EC_METHOD_get_field_type(meth) == 
+        is_prime = (EC_METHOD_get_field_type(meth) == NID_X9_62_prime_field);
-			NID_X9_62_prime_field);
+        if (!is_prime) {
            BIO_printf(bio_err, "Can only handle X9.62 prime fields\n");
            goto end;
        }
-		if (is_prime)
+        if (!EC_GROUP_get_curve_GFp(group, ec_p, ec_a, ec_b, NULL))
 			{
 			if (!EC_GROUP_get_curve_GFp(group, ec_p, ec_a,
 				ec_b, NULL))
            goto end;
 			}
 		else
 			{
 			/* TODO */
 			goto end;
 			}
        if ((point = EC_GROUP_get0_generator(group)) == NULL)
            goto end;
        if (!EC_POINT_point2bn(group, point,
-			EC_GROUP_get_point_conversion_form(group), ec_gen, 
+                               EC_GROUP_get_point_conversion_form(group),
-			NULL))
+                               ec_gen, NULL))
            goto end;
        if (!EC_GROUP_get_order(group, ec_order, NULL))
            goto end;
        if (!EC_GROUP_get_cofactor(group, ec_cofactor, NULL))
            goto end;
-		if (!ec_p || !ec_a || !ec_b || !ec_gen || 
+        if (!ec_p || !ec_a || !ec_b || !ec_gen || !ec_order || !ec_cofactor)
 			!ec_order || !ec_cofactor)
            goto end;
        len = BN_num_bits(ec_order);
@@ -535,93 +381,65 @@ bad:
        if ((tmp_len = (size_t)BN_num_bytes(ec_cofactor)) > buf_len)
            buf_len = tmp_len;
-		buffer = (unsigned char *)OPENSSL_malloc(buf_len);
+        buffer = app_malloc(buf_len, "BN buffer");
-		if (buffer == NULL)
+        BIO_printf(out, "EC_GROUP *get_ec_group_%d(void)\n{\n", len);
-			{
+        print_bignum_var(out, ec_p, "ec_p", len, buffer);
-			perror("OPENSSL_malloc");
+        print_bignum_var(out, ec_a, "ec_a", len, buffer);
-			goto end;
+        print_bignum_var(out, ec_b, "ec_b", len, buffer);
-			}
+        print_bignum_var(out, ec_gen, "ec_gen", len, buffer);
        print_bignum_var(out, ec_order, "ec_order", len, buffer);
        print_bignum_var(out, ec_cofactor, "ec_cofactor", len, buffer);
        BIO_printf(out, "    int ok = 0;\n"
                        "    EC_GROUP *group = NULL;\n"
                        "    EC_POINT *point = NULL;\n"
                        "    BIGNUM *tmp_1 = NULL;\n"
                        "    BIGNUM *tmp_2 = NULL;\n"
                        "    BIGNUM *tmp_3 = NULL;\n"
                        "\n");
-		ecparam_print_var(out, ec_p, "ec_p", len, buffer);
+        BIO_printf(out, "    if ((tmp_1 = BN_bin2bn(ec_p_%d, sizeof (ec_p_%d), NULL)) == NULL)\n"
 		ecparam_print_var(out, ec_a, "ec_a", len, buffer);
 		ecparam_print_var(out, ec_b, "ec_b", len, buffer);
 		ecparam_print_var(out, ec_gen, "ec_gen", len, buffer);
 		ecparam_print_var(out, ec_order, "ec_order", len, buffer);
 		ecparam_print_var(out, ec_cofactor, "ec_cofactor", len, 
 			buffer);
 		BIO_printf(out, "\n\n");
 		BIO_printf(out, "EC_GROUP *get_ec_group_%d(void)\n\t{\n", len);
 		BIO_printf(out, "\tint ok=0;\n");
 		BIO_printf(out, "\tEC_GROUP *group = NULL;\n");
 		BIO_printf(out, "\tEC_POINT *point = NULL;\n");
 		BIO_printf(out, "\tBIGNUM   *tmp_1 = NULL, *tmp_2 = NULL, "
 				"*tmp_3 = NULL;\n\n");
 		BIO_printf(out, "\tif ((tmp_1 = BN_bin2bn(ec_p_%d, "
 				"sizeof(ec_p_%d), NULL)) == NULL)\n\t\t"
                        "        goto err;\n", len, len);
-		BIO_printf(out, "\tif ((tmp_2 = BN_bin2bn(ec_a_%d, "
+        BIO_printf(out, "    if ((tmp_2 = BN_bin2bn(ec_a_%d, sizeof (ec_a_%d), NULL)) == NULL)\n"
 				"sizeof(ec_a_%d), NULL)) == NULL)\n\t\t"
                        "        goto err;\n", len, len);
-		BIO_printf(out, "\tif ((tmp_3 = BN_bin2bn(ec_b_%d, "
+        BIO_printf(out, "    if ((tmp_3 = BN_bin2bn(ec_b_%d, sizeof (ec_b_%d), NULL)) == NULL)\n"
 				"sizeof(ec_b_%d), NULL)) == NULL)\n\t\t"
                        "        goto err;\n", len, len);
-		if (is_prime)
+        BIO_printf(out, "    if ((group = EC_GROUP_new_curve_GFp(tmp_1, tmp_2, tmp_3, NULL)) == NULL)\n"
-			{
+                        "        goto err;\n"
-			BIO_printf(out, "\tif ((group = EC_GROUP_new_curve_"
+                        "\n");
-				"GFp(tmp_1, tmp_2, tmp_3, NULL)) == NULL)"
+        BIO_printf(out, "    /* build generator */\n");
-				"\n\t\tgoto err;\n\n");
+        BIO_printf(out, "    if ((tmp_1 = BN_bin2bn(ec_gen_%d, sizeof (ec_gen_%d), tmp_1)) == NULL)\n"
-			}
+                        "        goto err;\n", len, len);
-		else
+        BIO_printf(out, "    point = EC_POINT_bn2point(group, tmp_1, NULL, NULL);\n");
-			{
+        BIO_printf(out, "    if (point == NULL)\n"
-			/* TODO */
+                        "        goto err;\n");
-			goto end;
+        BIO_printf(out, "    if ((tmp_2 = BN_bin2bn(ec_order_%d, sizeof (ec_order_%d), tmp_2)) == NULL)\n"
-			}
+                        "        goto err;\n", len, len);
-		BIO_printf(out, "\t/* build generator */\n");
+        BIO_printf(out, "    if ((tmp_3 = BN_bin2bn(ec_cofactor_%d, sizeof (ec_cofactor_%d), tmp_3)) == NULL)\n"
-		BIO_printf(out, "\tif ((tmp_1 = BN_bin2bn(ec_gen_%d, "
+                        "        goto err;\n", len, len);
-				"sizeof(ec_gen_%d), tmp_1)) == NULL)"
+        BIO_printf(out, "    if (!EC_GROUP_set_generator(group, point, tmp_2, tmp_3))\n"
-				"\n\t\tgoto err;\n", len, len);
+                        "        goto err;\n"
-		BIO_printf(out, "\tpoint = EC_POINT_bn2point(group, tmp_1, "
+                        "ok = 1;"
-				"NULL, NULL);\n");
+                        "\n");
-		BIO_printf(out, "\tif (point == NULL)\n\t\tgoto err;\n");
+        BIO_printf(out, "err:\n"
-		BIO_printf(out, "\tif ((tmp_2 = BN_bin2bn(ec_order_%d, "
+                        "    BN_free(tmp_1);\n"
-				"sizeof(ec_order_%d), tmp_2)) == NULL)"
+                        "    BN_free(tmp_2);\n"
-				"\n\t\tgoto err;\n", len, len);
+                        "    BN_free(tmp_3);\n"
-		BIO_printf(out, "\tif ((tmp_3 = BN_bin2bn(ec_cofactor_%d, "
+                        "    EC_POINT_free(point);\n"
-				"sizeof(ec_cofactor_%d), tmp_3)) == NULL)"
+                        "    if (!ok) {\n"
-				"\n\t\tgoto err;\n", len, len);
+                        "        EC_GROUP_free(group);\n"
-		BIO_printf(out, "\tif (!EC_GROUP_set_generator(group, point,"
+                        "        return NULL;\n"
-				" tmp_2, tmp_3))\n\t\tgoto err;\n");
+                        "    }\n"
-		BIO_printf(out, "\n\tok=1;\n");
+                        "    return (group);\n"
-		BIO_printf(out, "err:\n");
+                        "}\n");
 		BIO_printf(out, "\tif (tmp_1)\n\t\tBN_free(tmp_1);\n");
 		BIO_printf(out, "\tif (tmp_2)\n\t\tBN_free(tmp_2);\n");
 		BIO_printf(out, "\tif (tmp_3)\n\t\tBN_free(tmp_3);\n");
 		BIO_printf(out, "\tif (point)\n\t\tEC_POINT_free(point);\n");
 		BIO_printf(out, "\tif (!ok)\n");
 		BIO_printf(out, "\t\t{\n");
 		BIO_printf(out, "\t\tEC_GROUP_free(group);\n");
 		BIO_printf(out, "\t\tgroup = NULL;\n");
 		BIO_printf(out, "\t\t}\n");
 		BIO_printf(out, "\treturn(group);\n\t}\n");
    }
-	if (!noout)
+    if (!noout) {
 		{
        if (outformat == FORMAT_ASN1)
            i = i2d_ECPKParameters_bio(out, group);
 		else if (outformat == FORMAT_PEM)
 			i = PEM_write_bio_ECPKParameters(out, group);
        else
-			{
+            i = PEM_write_bio_ECPKParameters(out, group);
-			BIO_printf(bio_err,"bad output format specified for"
+        if (!i) {
 				" outfile\n");
 			goto end;
 			}
 		if (!i)
 			{
            BIO_printf(bio_err, "unable to write elliptic "
                       "curve parameters\n");
            ERR_print_errors(bio_err);
@@ -629,16 +447,14 @@ bad:
        }
    }
-	if (need_rand)
+    if (need_rand) {
-		{
+        app_RAND_load_file(NULL, (inrand != NULL));
 		app_RAND_load_file(NULL, bio_err, (inrand != NULL));
        if (inrand != NULL)
            BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
                       app_RAND_load_files(inrand));
    }
-	if (genkey)
+    if (genkey) {
 		{
        EC_KEY *eckey = EC_KEY_new();
        if (eckey == NULL)
@@ -649,79 +465,37 @@ bad:
        if (EC_KEY_set_group(eckey, group) == 0)
            goto end;
-		if (!EC_KEY_generate_key(eckey))
+        if (!EC_KEY_generate_key(eckey)) {
 			{
            EC_KEY_free(eckey);
            goto end;
        }
        assert(private);
        if (outformat == FORMAT_ASN1)
            i = i2d_ECPrivateKey_bio(out, eckey);
-		else if (outformat == FORMAT_PEM)
+        else
            i = PEM_write_bio_ECPrivateKey(out, eckey, NULL,
                                           NULL, 0, NULL, NULL);
 		else	
 			{
 			BIO_printf(bio_err, "bad output format specified "
 				"for outfile\n");
 			EC_KEY_free(eckey);
 			goto end;
 			}
        EC_KEY_free(eckey);
    }
    if (need_rand)
-		app_RAND_write_file(NULL, bio_err);
+        app_RAND_write_file(NULL);
    ret = 0;
 end:
 	if (ec_p)
    BN_free(ec_p);
 	if (ec_a)
    BN_free(ec_a);
 	if (ec_b)
    BN_free(ec_b);
 	if (ec_gen)
    BN_free(ec_gen);
 	if (ec_order)
    BN_free(ec_order);
 	if (ec_cofactor)
    BN_free(ec_cofactor);
 	if (buffer)
    OPENSSL_free(buffer);
 	if (in != NULL)
    BIO_free(in);
 	if (out != NULL)
    BIO_free_all(out);
 	if (group != NULL)
    EC_GROUP_free(group);
-	apps_shutdown();
+    return (ret);
 	OPENSSL_EXIT(ret);
 }
 static int ecparam_print_var(BIO *out, BIGNUM *in, const char *var,
 	int len, unsigned char *buffer)
 	{
 	BIO_printf(out, "static unsigned char %s_%d[] = {", var, len);
 	if (BN_is_zero(in))
 		BIO_printf(out, "\n\t0x00");
 	else 
 		{
 		int i, l;
 		l = BN_bn2bin(in, buffer);
 		for (i=0; i<l-1; i++)
 			{
 			if ((i%12) == 0) 
 				BIO_printf(out, "\n\t");
 			BIO_printf(out, "0x%02X,", buffer[i]);
 			}
 		if ((i%12) == 0) 
 			BIO_printf(out, "\n\t");
 		BIO_printf(out, "0x%02X", buffer[i]);
 		}
 	BIO_printf(out, "\n\t};\n\n");
 	return 1;
 	}
 #else                           /* !OPENSSL_NO_EC */
 # if PEDANTIC
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -1,4 +1,3 @@
 /* apps/enc.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -67,415 +66,320 @@
 #include <openssl/x509.h>
 #include <openssl/rand.h>
 #include <openssl/pem.h>
 #ifndef OPENSSL_NO_COMP
 # include <openssl/comp.h>
 #endif
 #include <ctype.h>
 int set_hex(char *in,unsigned char *out,int size);
 #undef SIZE
 #undef BSIZE
 #undef PROG
 #define SIZE    (512)
 #define BSIZE   (8*1024)
 #define	PROG	enc_main
-static void show_ciphers(const OBJ_NAME *name,void *bio_)
+static int set_hex(char *in, unsigned char *out, int size);
-	{
+static void show_ciphers(const OBJ_NAME *name, void *bio_);
-	BIO *bio=bio_;
+
-	static int n;
+typedef enum OPTION_choice {
-
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
-	if(!islower((unsigned char)*name->name))
+    OPT_E, OPT_IN, OPT_OUT, OPT_PASS, OPT_ENGINE, OPT_D, OPT_P, OPT_V,
-		return;
+    OPT_NOPAD, OPT_SALT, OPT_NOSALT, OPT_DEBUG, OPT_UPPER_P, OPT_UPPER_A,
-
+    OPT_A, OPT_Z, OPT_BUFSIZE, OPT_K, OPT_KFILE, OPT_UPPER_K, OPT_NONE,
-	BIO_printf(bio,"-%-25s",name->name);
+    OPT_UPPER_S, OPT_IV, OPT_MD, OPT_NON_FIPS_ALLOW, OPT_CIPHER
-	if(++n == 3)
+} OPTION_CHOICE;
-		{
+
-		BIO_printf(bio,"\n");
+OPTIONS enc_options[] = {
-		n=0;
+    {"help", OPT_HELP, '-', "Display this summary"},
-		}
+    {"in", OPT_IN, '<', "Input file"},
-	else
+    {"out", OPT_OUT, '>', "Output file"},
-		BIO_printf(bio," ");
+    {"pass", OPT_PASS, 's', "Passphrase source"},
-	}
+    {"e", OPT_E, '-', "Encrypt"},
-
+    {"d", OPT_D, '-', "Decrypt"},
-int MAIN(int, char **);
+    {"p", OPT_P, '-', "Print the iv/key"},
-
+    {"P", OPT_UPPER_P, '-', "Print the iv/key and exit"},
-int MAIN(int argc, char **argv)
+    {"v", OPT_V, '-'},
    {"nopad", OPT_NOPAD, '-', "Disable standard block padding"},
    {"salt", OPT_SALT, '-'},
    {"nosalt", OPT_NOSALT, '-'},
    {"debug", OPT_DEBUG, '-'},
    {"A", OPT_UPPER_A, '-'},
    {"a", OPT_A, '-', "base64 encode/decode, depending on encryption flag"},
    {"base64", OPT_A, '-', "Base64 output as a single line"},
    {"bufsize", OPT_BUFSIZE, 's', "Buffer size"},
    {"k", OPT_K, 's', "Passphrase"},
    {"kfile", OPT_KFILE, '<', "Fead passphrase from file"},
    {"K", OPT_UPPER_K, 's', "Raw key, in hex"},
    {"S", OPT_UPPER_S, 's', "Salt, in hex"},
    {"iv", OPT_IV, 's', "IV in hex"},
    {"md", OPT_MD, 's', "Use specified digest to create key from passphrase"},
    {"non-fips-allow", OPT_NON_FIPS_ALLOW, '-'},
    {"none", OPT_NONE, '-', "Don't encrypt"},
    {"", OPT_CIPHER, '-', "Any supported cipher"},
 #ifdef ZLIB
    {"z", OPT_Z, '-', "Use zlib as the 'encryption'"},
 #endif
 #ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
    {NULL}
 };
 int enc_main(int argc, char **argv)
 {
    static char buf[128];
    static const char magic[] = "Salted__";
    BIO *in = NULL, *out = NULL, *b64 = NULL, *benc = NULL, *rbio =
        NULL, *wbio = NULL;
    EVP_CIPHER_CTX *ctx = NULL;
    const EVP_CIPHER *cipher = NULL, *c;
    const EVP_MD *dgst = NULL;
    char *hkey = NULL, *hiv = NULL, *hsalt = NULL, *p;
    char *infile = NULL, *outfile = NULL, *prog;
    char *str = NULL, *passarg = NULL, *pass = NULL, *strbuf = NULL;
    char mbuf[sizeof magic - 1];
-	char *strbuf=NULL;
+    OPTION_CHOICE o;
-	unsigned char *buff=NULL,*bufsize=NULL;
+    int bsize = BSIZE, verbose = 0, debug = 0, olb64 = 0, nosalt = 0;
-	int bsize=BSIZE,verbose=0;
+    int enc = 1, printkey = 0, i, k;
-	int ret=1,inl;
+    int base64 = 0, informat = FORMAT_BINARY, outformat = FORMAT_BINARY;
-	int nopad = 0;
+    int ret = 1, inl, nopad = 0, non_fips_allow = 0;
    unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
-	unsigned char salt[PKCS5_SALT_LEN];
+    unsigned char *buff = NULL, salt[PKCS5_SALT_LEN];
-	char *str=NULL, *passarg = NULL, *pass = NULL;
+    unsigned long n;
 	char *hkey=NULL,*hiv=NULL,*hsalt = NULL;
 	char *md=NULL;
 	int enc=1,printkey=0,i,base64=0;
 #ifdef ZLIB
    int do_zlib = 0;
    BIO *bzl = NULL;
 #endif
 	int debug=0,olb64=0,nosalt=0;
 	const EVP_CIPHER *cipher=NULL,*c;
 	EVP_CIPHER_CTX *ctx = NULL;
 	char *inf=NULL,*outf=NULL;
 	BIO *in=NULL,*out=NULL,*b64=NULL,*benc=NULL,*rbio=NULL,*wbio=NULL;
 #define PROG_NAME_SIZE  39
 	char pname[PROG_NAME_SIZE+1];
 #ifndef OPENSSL_NO_ENGINE
 	char *engine = NULL;
 #endif
 	const EVP_MD *dgst=NULL;
 	apps_startup();
 	if (bio_err == NULL)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	if (!load_config(bio_err, NULL))
 		goto end;
    /* first check the program name */
-	program_name(argv[0],pname,sizeof pname);
+    prog = opt_progname(argv[0]);
-	if (strcmp(pname,"base64") == 0)
+    if (strcmp(prog, "base64") == 0)
        base64 = 1;
 #ifdef ZLIB
-	if (strcmp(pname,"zlib") == 0)
+    else if (strcmp(prog, "zlib") == 0)
        do_zlib = 1;
 #endif
-
+    else {
-	cipher=EVP_get_cipherbyname(pname);
+        cipher = EVP_get_cipherbyname(prog);
-#ifdef ZLIB
+        if (cipher == NULL && strcmp(prog, "enc") != 0) {
-	if (!do_zlib && !base64 && (cipher == NULL)
+            BIO_printf(bio_err, "%s is not a known cipher\n", prog);
 				&& (strcmp(pname,"enc") != 0))
 #else
 	if (!base64 && (cipher == NULL) && (strcmp(pname,"enc") != 0))
 #endif
 		{
 		BIO_printf(bio_err,"%s is an unknown cipher\n",pname);
 		goto bad;
 		}
 	argc--;
 	argv++;
 	while (argc >= 1)
 		{
 		if	(strcmp(*argv,"-e") == 0)
 			enc=1;
 		else if (strcmp(*argv,"-in") == 0)
 			{
 			if (--argc < 1) goto bad;
 			inf= *(++argv);
 			}
 		else if (strcmp(*argv,"-out") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outf= *(++argv);
 			}
 		else if (strcmp(*argv,"-pass") == 0)
 			{
 			if (--argc < 1) goto bad;
 			passarg= *(++argv);
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 #endif
 		else if	(strcmp(*argv,"-d") == 0)
 			enc=0;
 		else if	(strcmp(*argv,"-p") == 0)
 			printkey=1;
 		else if	(strcmp(*argv,"-v") == 0)
 			verbose=1;
 		else if	(strcmp(*argv,"-nopad") == 0)
 			nopad=1;
 		else if	(strcmp(*argv,"-salt") == 0)
 			nosalt=0;
 		else if	(strcmp(*argv,"-nosalt") == 0)
 			nosalt=1;
 		else if	(strcmp(*argv,"-debug") == 0)
 			debug=1;
 		else if	(strcmp(*argv,"-P") == 0)
 			printkey=2;
 		else if	(strcmp(*argv,"-A") == 0)
 			olb64=1;
 		else if	(strcmp(*argv,"-a") == 0)
 			base64=1;
 		else if	(strcmp(*argv,"-base64") == 0)
 			base64=1;
 #ifdef ZLIB
 		else if	(strcmp(*argv,"-z") == 0)
 			do_zlib=1;
 #endif
 		else if (strcmp(*argv,"-bufsize") == 0)
 			{
 			if (--argc < 1) goto bad;
 			bufsize=(unsigned char *)*(++argv);
 			}
 		else if (strcmp(*argv,"-k") == 0)
 			{
 			if (--argc < 1) goto bad;
 			str= *(++argv);
 			}
 		else if (strcmp(*argv,"-kfile") == 0)
 			{
 			static char buf[128];
 			FILE *infile;
 			char *file;
 			if (--argc < 1) goto bad;
 			file= *(++argv);
 			infile=fopen(file,"r");
 			if (infile == NULL)
 				{
 				BIO_printf(bio_err,"unable to read key from '%s'\n",
 					file);
 				goto bad;
 				}
 			buf[0]='\0';
 			if (!fgets(buf,sizeof buf,infile))
 				{
 				BIO_printf(bio_err,"unable to read key from '%s'\n",
 					file);
 				goto bad;
 				}
 			fclose(infile);
 			i=strlen(buf);
 			if ((i > 0) &&
 				((buf[i-1] == '\n') || (buf[i-1] == '\r')))
 				buf[--i]='\0';
 			if ((i > 0) &&
 				((buf[i-1] == '\n') || (buf[i-1] == '\r')))
 				buf[--i]='\0';
 			if (i < 1)
 				{
 				BIO_printf(bio_err,"zero length password\n");
 				goto bad;
 				}
 			str=buf;
 			}
 		else if (strcmp(*argv,"-K") == 0)
 			{
 			if (--argc < 1) goto bad;
 			hkey= *(++argv);
 			}
 		else if (strcmp(*argv,"-S") == 0)
 			{
 			if (--argc < 1) goto bad;
 			hsalt= *(++argv);
 			}
 		else if (strcmp(*argv,"-iv") == 0)
 			{
 			if (--argc < 1) goto bad;
 			hiv= *(++argv);
 			}
 		else if (strcmp(*argv,"-md") == 0)
 			{
 			if (--argc < 1) goto bad;
 			md= *(++argv);
 			}
 		else if	((argv[0][0] == '-') &&
 			((c=EVP_get_cipherbyname(&(argv[0][1]))) != NULL))
 			{
 			cipher=c;
 			}
 		else if (strcmp(*argv,"-none") == 0)
 			cipher=NULL;
 		else
 			{
 			BIO_printf(bio_err,"unknown option '%s'\n",*argv);
 bad:
 			BIO_printf(bio_err,"options are\n");
 			BIO_printf(bio_err,"%-14s input file\n","-in <file>");
 			BIO_printf(bio_err,"%-14s output file\n","-out <file>");
 			BIO_printf(bio_err,"%-14s pass phrase source\n","-pass <arg>");
 			BIO_printf(bio_err,"%-14s encrypt\n","-e");
 			BIO_printf(bio_err,"%-14s decrypt\n","-d");
 			BIO_printf(bio_err,"%-14s base64 encode/decode, depending on encryption flag\n","-a/-base64");
 			BIO_printf(bio_err,"%-14s passphrase is the next argument\n","-k");
 			BIO_printf(bio_err,"%-14s passphrase is the first line of the file argument\n","-kfile");
 			BIO_printf(bio_err,"%-14s the next argument is the md to use to create a key\n","-md");
 			BIO_printf(bio_err,"%-14s   from a passphrase.  One of md2, md5, sha or sha1\n","");
 			BIO_printf(bio_err,"%-14s salt in hex is the next argument\n","-S");
 			BIO_printf(bio_err,"%-14s key/iv in hex is the next argument\n","-K/-iv");
 			BIO_printf(bio_err,"%-14s print the iv/key (then exit if -P)\n","-[pP]");
 			BIO_printf(bio_err,"%-14s buffer size\n","-bufsize <n>");
 			BIO_printf(bio_err,"%-14s disable standard block padding\n","-nopad");
 #ifndef OPENSSL_NO_ENGINE
 			BIO_printf(bio_err,"%-14s use engine e, possibly a hardware device.\n","-engine e");
 #endif
 			BIO_printf(bio_err,"Cipher Types\n");
 			OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH,
 					       show_ciphers,
 					       bio_err);
 			BIO_printf(bio_err,"\n");
            goto end;
        }
 		argc--;
 		argv++;
    }
-#ifndef OPENSSL_NO_ENGINE
+    prog = opt_init(argc, argv, enc_options);
-        setup_engine(bio_err, engine, 0);
+    while ((o = opt_next()) != OPT_EOF) {
        switch (o) {
        case OPT_EOF:
        case OPT_ERR:
 opthelp:
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
        case OPT_HELP:
            opt_help(enc_options);
            ret = 0;
            BIO_printf(bio_err, "Cipher Types\n");
            OBJ_NAME_do_all_sorted(OBJ_NAME_TYPE_CIPHER_METH,
                                   show_ciphers, bio_err);
            BIO_printf(bio_err, "\n");
            goto end;
        case OPT_E:
            enc = 1;
            break;
        case OPT_IN:
            infile = opt_arg();
            break;
        case OPT_OUT:
            outfile = opt_arg();
            break;
        case OPT_PASS:
            passarg = opt_arg();
            break;
        case OPT_ENGINE:
            (void)setup_engine(opt_arg(), 0);
            break;
        case OPT_D:
            enc = 0;
            break;
        case OPT_P:
            printkey = 1;
            break;
        case OPT_V:
            verbose = 1;
            break;
        case OPT_NOPAD:
            nopad = 1;
            break;
        case OPT_SALT:
            nosalt = 0;
            break;
        case OPT_NOSALT:
            nosalt = 1;
            break;
        case OPT_DEBUG:
            debug = 1;
            break;
        case OPT_UPPER_P:
            printkey = 2;
            break;
        case OPT_UPPER_A:
            olb64 = 1;
            break;
        case OPT_A:
            base64 = 1;
            break;
        case OPT_Z:
 #ifdef ZLIB
            do_zlib = 1;
 #endif
            break;
        case OPT_BUFSIZE:
            p = opt_arg();
            i = (int)strlen(p) - 1;
            k = i >= 1 && p[i] == 'k';
            if (k)
                p[i] = '\0';
            if (!opt_ulong(opt_arg(), &n))
                goto opthelp;
            if (k)
                n *= 1024;
            bsize = (int)n;
            break;
        case OPT_K:
            str = opt_arg();
            break;
        case OPT_KFILE:
            in = bio_open_default(opt_arg(), 'r', FORMAT_TEXT);
            if (in == NULL)
                goto opthelp;
            i = BIO_gets(in, buf, sizeof buf);
            BIO_free(in);
            in = NULL;
            if (i <= 0) {
                BIO_printf(bio_err,
                           "%s Can't read key from %s\n", prog, opt_arg());
                goto opthelp;
            }
            while (--i > 0 && (buf[i] == '\r' || buf[i] == '\n'))
                buf[i] = '\0';
            if (i <= 0) {
                BIO_printf(bio_err, "%s: zero length password\n", prog);
                goto opthelp;
            }
            str = buf;
            break;
        case OPT_UPPER_K:
            hkey = opt_arg();
            break;
        case OPT_UPPER_S:
            hsalt = opt_arg();
            break;
        case OPT_IV:
            hiv = opt_arg();
            break;
        case OPT_MD:
            if (!opt_md(opt_arg(), &dgst))
                goto opthelp;
            break;
        case OPT_NON_FIPS_ALLOW:
            non_fips_allow = 1;
            break;
        case OPT_CIPHER:
            if (!opt_cipher(opt_unknown(), &c))
                goto opthelp;
            cipher = c;
            break;
        case OPT_NONE:
            cipher = NULL;
            break;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
-	if (md && (dgst=EVP_get_digestbyname(md)) == NULL)
+    if (cipher && EVP_CIPHER_flags(cipher) & EVP_CIPH_FLAG_AEAD_CIPHER) {
-		{
+        BIO_printf(bio_err, "%s: AEAD ciphers not supported\n", prog);
-		BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
+        goto end;
    }
    if (cipher && (EVP_CIPHER_mode(cipher) == EVP_CIPH_XTS_MODE)) {
        BIO_printf(bio_err, "%s XTS ciphers not supported\n", prog);
        goto end;
    }
    if (dgst == NULL)
 		{
        dgst = EVP_md5();
 		}
 	if (bufsize != NULL)
 		{
 		unsigned long n;
 		for (n=0; *bufsize; bufsize++)
 			{
 			i= *bufsize;
 			if ((i <= '9') && (i >= '0'))
 				n=n*10+i-'0';
 			else if (i == 'k')
 				{
 				n*=1024;
 				bufsize++;
 				break;
 				}
 			}
 		if (*bufsize != '\0')
 			{
 			BIO_printf(bio_err,"invalid 'bufsize' specified.\n");
 			goto end;
 			}
    /* It must be large enough for a base64 encoded line */
-		if (base64 && n < 80) n=80;
+    if (base64 && bsize < 80)
        bsize = 80;
    if (verbose)
        BIO_printf(bio_err, "bufsize=%d\n", bsize);
-		bsize=(int)n;
+    if (base64) {
-		if (verbose) BIO_printf(bio_err,"bufsize=%d\n",bsize);
+        if (enc)
            outformat = FORMAT_BASE64;
        else
            informat = FORMAT_BASE64;
    }
-	strbuf=OPENSSL_malloc(SIZE);
+    strbuf = app_malloc(SIZE, "strbuf");
-	buff=(unsigned char *)OPENSSL_malloc(EVP_ENCODE_LENGTH(bsize));
+    buff = app_malloc(EVP_ENCODE_LENGTH(bsize), "evp buffer");
 	if ((buff == NULL) || (strbuf == NULL))
 		{
 		BIO_printf(bio_err,"OPENSSL_malloc failure %ld\n",(long)EVP_ENCODE_LENGTH(bsize));
 		goto end;
 		}
-	in=BIO_new(BIO_s_file());
+    if (debug) {
 	out=BIO_new(BIO_s_file());
 	if ((in == NULL) || (out == NULL))
 		{
 		ERR_print_errors(bio_err);
 		goto end;
 		}
 	if (debug)
 		{
        BIO_set_callback(in, BIO_debug_callback);
        BIO_set_callback(out, BIO_debug_callback);
        BIO_set_callback_arg(in, (char *)bio_err);
        BIO_set_callback_arg(out, (char *)bio_err);
    }
-	if (inf == NULL)
+    if (infile == NULL) {
-	        {
+        unbuffer(stdin);
-#ifndef OPENSSL_NO_SETVBUF_IONBF
+        in = dup_bio_in(informat);
-		if (bufsize != NULL)
+    } else
-			setvbuf(stdin, (char *)NULL, _IONBF, 0);
+        in = bio_open_default(infile, 'r', informat);
-#endif /* ndef OPENSSL_NO_SETVBUF_IONBF */
+    if (in == NULL)
 		BIO_set_fp(in,stdin,BIO_NOCLOSE);
 	        }
 	else
 		{
 		if (BIO_read_filename(in,inf) <= 0)
 			{
 			perror(inf);
        goto end;
 			}
 		}
    if (!str && passarg) {
-		if(!app_passwd(bio_err, passarg, NULL, &pass, NULL)) {
+        if (!app_passwd(passarg, NULL, &pass, NULL)) {
            BIO_printf(bio_err, "Error getting password\n");
            goto end;
        }
        str = pass;
    }
-	if ((str == NULL) && (cipher != NULL) && (hkey == NULL))
+    if ((str == NULL) && (cipher != NULL) && (hkey == NULL)) {
-		{
+        for (;;) {
-		for (;;)
+            char prompt[200];
 			{
 			char buf[200];
-			BIO_snprintf(buf,sizeof buf,"enter %s %s password:",
+            BIO_snprintf(prompt, sizeof prompt, "enter %s %s password:",
                         OBJ_nid2ln(EVP_CIPHER_nid(cipher)),
                         (enc) ? "encryption" : "decryption");
            strbuf[0] = '\0';
-			i=EVP_read_pw_string((char *)strbuf,SIZE,buf,enc);
+            i = EVP_read_pw_string((char *)strbuf, SIZE, prompt, enc);
-			if (i == 0)
+            if (i == 0) {
-				{
+                if (strbuf[0] == '\0') {
 				if (strbuf[0] == '\0')
 					{
                    ret = 1;
                    goto end;
                }
                str = strbuf;
                break;
            }
-			if (i < 0)
+            if (i < 0) {
 				{
                BIO_printf(bio_err, "bad password read\n");
                goto end;
            }
        }
    }
-
+    out = bio_open_default(outfile, 'w', outformat);
-	if (outf == NULL)
+    if (out == NULL)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifndef OPENSSL_NO_SETVBUF_IONBF
 		if (bufsize != NULL)
 			setvbuf(stdout, (char *)NULL, _IONBF, 0);
 #endif /* ndef OPENSSL_NO_SETVBUF_IONBF */
 #ifdef OPENSSL_SYS_VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outf) <= 0)
 			{
 			perror(outf);
        goto end;
 			}
 		}
    rbio = in;
    wbio = out;
 #ifdef ZLIB
-
+    if (do_zlib) {
 	if (do_zlib)
 		{
        if ((bzl = BIO_new(BIO_f_zlib())) == NULL)
            goto end;
        if (enc)
@@ -485,12 +389,10 @@ bad:
    }
 #endif
-	if (base64)
+    if (base64) {
 		{
        if ((b64 = BIO_new(BIO_f_base64())) == NULL)
            goto end;
-		if (debug)
+        if (debug) {
 			{
            BIO_set_callback(b64, BIO_debug_callback);
            BIO_set_callback_arg(b64, (char *)bio_err);
        }
@@ -502,30 +404,31 @@ bad:
            rbio = BIO_push(b64, rbio);
    }
-	if (cipher != NULL)
+    if (cipher != NULL) {
-		{
+        /*
-		/* Note that str is NULL if a key was passed on the command
+         * Note that str is NULL if a key was passed on the command line, so
-		 * line, so we get no salt in that case. Is this a bug?
+         * we get no salt in that case. Is this a bug?
         */
-		if (str != NULL)
+        if (str != NULL) {
-			{
+            /*
-			/* Salt handling: if encrypting generate a salt and
+             * Salt handling: if encrypting generate a salt and write to
-			 * write to output BIO. If decrypting read salt from
+             * output BIO. If decrypting read salt from input BIO.
 			 * input BIO.
             */
            unsigned char *sptr;
-			if(nosalt) sptr = NULL;
+            if (nosalt)
                sptr = NULL;
            else {
                if (enc) {
                    if (hsalt) {
                        if (!set_hex(hsalt, salt, sizeof salt)) {
-							BIO_printf(bio_err,
+                            BIO_printf(bio_err, "invalid hex salt value\n");
 								"invalid hex salt value\n");
                            goto end;
                        }
-					} else if (RAND_pseudo_bytes(salt, sizeof salt) < 0)
+                    } else if (RAND_bytes(salt, sizeof salt) <= 0)
                        goto end;
-					/* If -P option then don't bother writing */
+                    /*
                     * If -P option then don't bother writing
                     */
                    if ((printkey != 2)
                        && (BIO_write(wbio, magic,
                                      sizeof magic - 1) != sizeof magic - 1
@@ -549,34 +452,41 @@ bad:
                sptr = salt;
            }
-			EVP_BytesToKey(cipher,dgst,sptr,
+            if (!EVP_BytesToKey(cipher, dgst, sptr,
                                (unsigned char *)str,
-				strlen(str),1,key,iv);
+                                strlen(str), 1, key, iv)) {
-			/* zero the complete buffer or the string
+                BIO_printf(bio_err, "EVP_BytesToKey failed\n");
-			 * passed from the command line
+                goto end;
-			 * bug picked up by
+            }
-			 * Larry J. Hughes Jr. <hughes@indiana.edu> */
+            /*
             * zero the complete buffer or the string passed from the command
             * line bug picked up by Larry J. Hughes Jr. <hughes@indiana.edu>
             */
            if (str == strbuf)
                OPENSSL_cleanse(str, SIZE);
            else
                OPENSSL_cleanse(str, strlen(str));
        }
-		if ((hiv != NULL) && !set_hex(hiv,iv,sizeof iv))
+        if (hiv != NULL) {
-			{
+            int siz = EVP_CIPHER_iv_length(cipher);
            if (siz == 0) {
                BIO_printf(bio_err, "warning: iv not use by this cipher\n");
            } else if (!set_hex(hiv, iv, sizeof iv)) {
                BIO_printf(bio_err, "invalid hex iv value\n");
                goto end;
            }
        }
        if ((hiv == NULL) && (str == NULL)
-		    && EVP_CIPHER_iv_length(cipher) != 0)
+            && EVP_CIPHER_iv_length(cipher) != 0) {
-			{
+            /*
-			/* No IV was explicitly set and no IV was generated
+             * No IV was explicitly set and no IV was generated during
-			 * during EVP_BytesToKey. Hence the IV is undefined,
+             * EVP_BytesToKey. Hence the IV is undefined, making correct
-			 * making correct decryption impossible. */
+             * decryption impossible.
             */
            BIO_printf(bio_err, "iv undefined\n");
            goto end;
        }
-		if ((hkey != NULL) && !set_hex(hkey,key,sizeof key))
+        if ((hkey != NULL) && !set_hex(hkey, key, EVP_CIPHER_key_length(cipher))) {
 			{
            BIO_printf(bio_err, "invalid hex key value\n");
            goto end;
        }
@@ -584,13 +494,17 @@ bad:
        if ((benc = BIO_new(BIO_f_cipher())) == NULL)
            goto end;
-		/* Since we may be changing parameters work on the encryption
+        /*
-		 * context rather than calling BIO_set_cipher().
+         * Since we may be changing parameters work on the encryption context
         * rather than calling BIO_set_cipher().
         */
        BIO_get_cipher_ctx(benc, &ctx);
-		if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc))
+
-			{
+        if (non_fips_allow)
            EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_NON_FIPS_ALLOW);
        if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)) {
            BIO_printf(bio_err, "Error setting cipher %s\n",
                       EVP_CIPHER_name(cipher));
            ERR_print_errors(bio_err);
@@ -600,45 +514,38 @@ bad:
        if (nopad)
            EVP_CIPHER_CTX_set_padding(ctx, 0);
-		if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, enc))
+        if (!EVP_CipherInit_ex(ctx, NULL, NULL, key, iv, enc)) {
 			{
            BIO_printf(bio_err, "Error setting cipher %s\n",
                       EVP_CIPHER_name(cipher));
            ERR_print_errors(bio_err);
            goto end;
        }
-		if (debug)
+        if (debug) {
 			{
            BIO_set_callback(benc, BIO_debug_callback);
            BIO_set_callback_arg(benc, (char *)bio_err);
        }
-		if (printkey)
+        if (printkey) {
-			{
+            if (!nosalt) {
 			if (!nosalt)
 				{
                printf("salt=");
                for (i = 0; i < (int)sizeof(salt); i++)
                    printf("%02X", salt[i]);
                printf("\n");
            }
-			if (cipher->key_len > 0)
+            if (cipher->key_len > 0) {
 				{
                printf("key=");
                for (i = 0; i < cipher->key_len; i++)
                    printf("%02X", key[i]);
                printf("\n");
            }
-			if (cipher->iv_len > 0)
+            if (cipher->iv_len > 0) {
 				{
                printf("iv =");
                for (i = 0; i < cipher->iv_len; i++)
                    printf("%02X", iv[i]);
                printf("\n");
            }
-			if (printkey == 2)
+            if (printkey == 2) {
 				{
                ret = 0;
                goto end;
            }
@@ -649,72 +556,77 @@ bad:
    if (benc != NULL)
        wbio = BIO_push(benc, wbio);
-	for (;;)
+    for (;;) {
 		{
        inl = BIO_read(rbio, (char *)buff, bsize);
-		if (inl <= 0) break;
+        if (inl <= 0)
-		if (BIO_write(wbio,(char *)buff,inl) != inl)
+            break;
-			{
+        if (BIO_write(wbio, (char *)buff, inl) != inl) {
            BIO_printf(bio_err, "error writing output file\n");
            goto end;
        }
    }
-	if (!BIO_flush(wbio))
+    if (!BIO_flush(wbio)) {
 		{
        BIO_printf(bio_err, "bad decrypt\n");
        goto end;
    }
    ret = 0;
-	if (verbose)
+    if (verbose) {
-		{
+        BIO_printf(bio_err, "bytes read   :%8"PRIu64"\n", BIO_number_read(in));
-		BIO_printf(bio_err,"bytes read   :%8ld\n",BIO_number_read(in));
+        BIO_printf(bio_err, "bytes written:%8"PRIu64"\n", BIO_number_written(out));
 		BIO_printf(bio_err,"bytes written:%8ld\n",BIO_number_written(out));
    }
 end:
    ERR_print_errors(bio_err);
-	if (strbuf != NULL) OPENSSL_free(strbuf);
+    OPENSSL_free(strbuf);
-	if (buff != NULL) OPENSSL_free(buff);
+    OPENSSL_free(buff);
-	if (in != NULL) BIO_free(in);
+    BIO_free(in);
-	if (out != NULL) BIO_free_all(out);
+    BIO_free_all(out);
-	if (benc != NULL) BIO_free(benc);
+    BIO_free(benc);
-	if (b64 != NULL) BIO_free(b64);
+    BIO_free(b64);
 #ifdef ZLIB
-	if (bzl != NULL) BIO_free(bzl);
+    BIO_free(bzl);
 #endif
-	if(pass) OPENSSL_free(pass);
+    OPENSSL_free(pass);
-	apps_shutdown();
+    return (ret);
 	OPENSSL_EXIT(ret);
 }
-int set_hex(char *in, unsigned char *out, int size)
+static void show_ciphers(const OBJ_NAME *name, void *bio_)
 {
    BIO *bio = bio_;
    static int n;
    if (!islower((unsigned char)*name->name))
        return;
    BIO_printf(bio, "-%-25s", name->name);
    if (++n == 3) {
        BIO_printf(bio, "\n");
        n = 0;
    } else
        BIO_printf(bio, " ");
 }
 static int set_hex(char *in, unsigned char *out, int size)
 {
    int i, n;
    unsigned char j;
    n = strlen(in);
-	if (n > (size*2))
+    if (n > (size * 2)) {
 		{
        BIO_printf(bio_err, "hex string is too long\n");
        return (0);
    }
    memset(out, 0, size);
-	for (i=0; i<n; i++)
+    for (i = 0; i < n; i++) {
 		{
        j = (unsigned char)*in;
        *(in++) = '\0';
-		if (j == 0) break;
+        if (j == 0)
-		if ((j >= '0') && (j <= '9'))
+            break;
-			j-='0';
+        if (!isxdigit(j)) {
 		else if ((j >= 'A') && (j <= 'F'))
 			j=j-'A'+10;
 		else if ((j >= 'a') && (j <= 'f'))
 			j=j-'a'+10;
 		else
 			{
            BIO_printf(bio_err, "non-hex digit\n");
            return (0);
        }
        j = (unsigned char)app_hex(j);
        if (i & 1)
            out[i / 2] |= j;
        else
--- a/apps/engine.c
+++ b/apps/engine.c
@@ -1,6 +1,6 @@
-/* apps/engine.c -*- mode: C; c-file-style: "eay" -*- */
+/*
-/* Written by Richard Levitte <richard@levitte.org> for the OpenSSL
+ * Written by Richard Levitte <richard@levitte.org> for the OpenSSL project
- * project 2000.
+ * 2000.
 */
 /* ====================================================================
 * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
@@ -56,40 +56,35 @@
 *
 */
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #ifdef OPENSSL_NO_STDIO
 #define APPS_WIN16
 #endif
 #include "apps.h"
 #include <openssl/err.h>
 #ifndef OPENSSL_NO_ENGINE
 # include <openssl/engine.h>
 # include <openssl/ssl.h>
-#undef PROG
+typedef enum OPTION_choice {
-#define PROG	engine_main
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_C, OPT_T, OPT_TT, OPT_PRE, OPT_POST,
    OPT_V = 100, OPT_VV, OPT_VVV, OPT_VVVV
 } OPTION_CHOICE;
-static const char *engine_usage[]={
+OPTIONS engine_options[] = {
-"usage: engine opts [engine ...]\n",
+    {"help", OPT_HELP, '-', "Display this summary"},
-" -v[v[v[v]]] - verbose mode, for each engine, list its 'control commands'\n",
+    {"vvvv", OPT_VVVV, '-', "Also show internal input flags"},
-"               -vv will additionally display each command's description\n",
+    {"vvv", OPT_VVV, '-', "Also add the input flags for each command"},
-"               -vvv will also add the input flags for each command\n",
+    {"vv", OPT_VV, '-', "Also display each command's description"},
-"               -vvvv will also show internal input flags\n",
+    {"v", OPT_V, '-', "For each engine, list its 'control commands'"},
-" -c          - for each engine, also list the capabilities\n",
+    {"c", OPT_C, '-', "List the capabilities of each engine"},
-" -t[t]       - for each engine, check that they are really available\n",
+    {"t", OPT_T, '-', "Check that each engine is available"},
-"               -tt will display error trace for unavailable engines\n",
+    {"tt", OPT_TT, '-', "Display error trace for unavailable engines"},
-" -pre <cmd>  - runs command 'cmd' against the ENGINE before any attempts\n",
+    {"pre", OPT_PRE, 's', "Run command against the ENGINE before loading it"},
-"               to load it (if -t is used)\n",
+    {"post", OPT_POST, 's', "Run command against the ENGINE after loading it"},
-" -post <cmd> - runs command 'cmd' against the ENGINE after loading it\n",
+    {OPT_MORE_STR, OPT_EOF, 1,
-"               (only used if -t is also provided)\n",
+     "Commands are like \"SO_PATH:/lib/libdriver.so\""},
-" NB: -pre and -post will be applied to all ENGINEs supplied on the command\n",
+    {NULL}
 " line, or all supported ENGINEs if none are specified.\n",
 " Eg. '-pre \"SO_PATH:/lib/libdriver.so\"' calls command \"SO_PATH\" with\n",
 " argument \"/lib/libdriver.so\".\n",
 NULL
 };
 static void identity(char *ptr)
@@ -99,22 +94,13 @@ static void identity(char *ptr)
 static int append_buf(char **buf, const char *s, int *size, int step)
 {
-	int l = strlen(s);
+    if (*buf == NULL) {
 	if (*buf == NULL)
 		{
        *size = step;
-		*buf = OPENSSL_malloc(*size);
+        *buf = app_malloc(*size, "engine buffer");
 		if (*buf == NULL)
 			return 0;
        **buf = '\0';
    }
-	if (**buf != '\0')
+    if (strlen(*buf) + strlen(s) >= (unsigned int)*size) {
 		l += 2;		/* ", " */
 	if (strlen(*buf) + strlen(s) >= (unsigned int)*size)
 		{
        *size += step;
        *buf = OPENSSL_realloc(*buf, *size);
    }
@@ -129,69 +115,65 @@ static int append_buf(char **buf, const char *s, int *size, int step)
    return 1;
 }
-static int util_flags(BIO *bio_out, unsigned int flags, const char *indent)
+static int util_flags(BIO *out, unsigned int flags, const char *indent)
 {
    int started = 0, err = 0;
    /* Indent before displaying input flags */
-	BIO_printf(bio_out, "%s%s(input flags): ", indent, indent);
+    BIO_printf(out, "%s%s(input flags): ", indent, indent);
-	if(flags == 0)
+    if (flags == 0) {
-		{
+        BIO_printf(out, "<no flags>\n");
 		BIO_printf(bio_out, "<no flags>\n");
        return 1;
    }
-        /* If the object is internal, mark it in a way that shows instead of
+    /*
-         * having it part of all the other flags, even if it really is. */
+     * If the object is internal, mark it in a way that shows instead of
-	if(flags & ENGINE_CMD_FLAG_INTERNAL)
+     * having it part of all the other flags, even if it really is.
-		{
+     */
-		BIO_printf(bio_out, "[Internal] ");
+    if (flags & ENGINE_CMD_FLAG_INTERNAL) {
        BIO_printf(out, "[Internal] ");
    }
-	if(flags & ENGINE_CMD_FLAG_NUMERIC)
+    if (flags & ENGINE_CMD_FLAG_NUMERIC) {
-		{
+        BIO_printf(out, "NUMERIC");
 		BIO_printf(bio_out, "NUMERIC");
        started = 1;
    }
-	/* Now we check that no combinations of the mutually exclusive NUMERIC,
+    /*
     * Now we check that no combinations of the mutually exclusive NUMERIC,
     * STRING, and NO_INPUT flags have been used. Future flags that can be
     * OR'd together with these would need to added after these to preserve
-	 * the testing logic. */
+     * the testing logic.
-	if(flags & ENGINE_CMD_FLAG_STRING)
+     */
-		{
+    if (flags & ENGINE_CMD_FLAG_STRING) {
-		if(started)
+        if (started) {
-			{
+            BIO_printf(out, "|");
 			BIO_printf(bio_out, "|");
            err = 1;
        }
-		BIO_printf(bio_out, "STRING");
+        BIO_printf(out, "STRING");
        started = 1;
    }
-	if(flags & ENGINE_CMD_FLAG_NO_INPUT)
+    if (flags & ENGINE_CMD_FLAG_NO_INPUT) {
-		{
+        if (started) {
-		if(started)
+            BIO_printf(out, "|");
 			{
 			BIO_printf(bio_out, "|");
            err = 1;
        }
-		BIO_printf(bio_out, "NO_INPUT");
+        BIO_printf(out, "NO_INPUT");
        started = 1;
    }
    /* Check for unknown flags */
    flags = flags & ~ENGINE_CMD_FLAG_NUMERIC &
        ~ENGINE_CMD_FLAG_STRING &
-			~ENGINE_CMD_FLAG_NO_INPUT &
+        ~ENGINE_CMD_FLAG_NO_INPUT & ~ENGINE_CMD_FLAG_INTERNAL;
-			~ENGINE_CMD_FLAG_INTERNAL;
+    if (flags) {
-	if(flags)
+        if (started)
-		{
+            BIO_printf(out, "|");
-		if(started) BIO_printf(bio_out, "|");
+        BIO_printf(out, "<0x%04X>", flags);
 		BIO_printf(bio_out, "<0x%04X>", flags);
    }
    if (err)
-		BIO_printf(bio_out, "  <illegal flags!>");
+        BIO_printf(out, "  <illegal flags!>");
-	BIO_printf(bio_out, "\n");
+    BIO_printf(out, "\n");
    return 1;
 }
-static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, const char *indent)
+static int util_verbose(ENGINE *e, int verbose, BIO *out, const char *indent)
 {
    static const int line_wrap = 78;
    int num;
@@ -203,32 +185,26 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, const char *indent
    STACK_OF(OPENSSL_STRING) *cmds = NULL;
    if (!ENGINE_ctrl(e, ENGINE_CTRL_HAS_CTRL_FUNCTION, 0, NULL, NULL) ||
        ((num = ENGINE_ctrl(e, ENGINE_CTRL_GET_FIRST_CMD_TYPE,
-					0, NULL, NULL)) <= 0))
+                            0, NULL, NULL)) <= 0)) {
 		{
 #if 0
 		BIO_printf(bio_out, "%s<no control commands>\n", indent);
 #endif
        return 1;
    }
    cmds = sk_OPENSSL_STRING_new_null();
    if (!cmds)
        goto err;
    do {
        int len;
        /* Get the command input flags */
        if ((flags = ENGINE_ctrl(e, ENGINE_CTRL_GET_CMD_FLAGS, num,
                                 NULL, NULL)) < 0)
            goto err;
-                if (!(flags & ENGINE_CMD_FLAG_INTERNAL) || verbose >= 4)
+        if (!(flags & ENGINE_CMD_FLAG_INTERNAL) || verbose >= 4) {
                        {
            /* Get the command name */
            if ((len = ENGINE_ctrl(e, ENGINE_CTRL_GET_NAME_LEN_FROM_CMD, num,
                                   NULL, NULL)) <= 0)
                goto err;
-                        if((name = OPENSSL_malloc(len + 1)) == NULL)
+            name = app_malloc(len + 1, "name buffer");
                                goto err;
            if (ENGINE_ctrl(e, ENGINE_CTRL_GET_NAME_FROM_CMD, num, name,
                            NULL) <= 0)
                goto err;
@@ -236,10 +212,8 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, const char *indent
            if ((len = ENGINE_ctrl(e, ENGINE_CTRL_GET_DESC_LEN_FROM_CMD, num,
                                   NULL, NULL)) < 0)
                goto err;
-                        if(len > 0)
+            if (len > 0) {
-                                {
+                desc = app_malloc(len + 1, "description buffer");
                                if((desc = OPENSSL_malloc(len + 1)) == NULL)
                                        goto err;
                if (ENGINE_ctrl(e, ENGINE_CTRL_GET_DESC_FROM_CMD, num, desc,
                                NULL) <= 0)
                    goto err;
@@ -247,76 +221,68 @@ static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, const char *indent
            /* Now decide on the output */
            if (xpos == 0)
                /* Do an indent */
-                                xpos = BIO_puts(bio_out, indent);
+                xpos = BIO_puts(out, indent);
            else
                /* Otherwise prepend a ", " */
-                                xpos += BIO_printf(bio_out, ", ");
+                xpos += BIO_printf(out, ", ");
-                        if(verbose == 1)
+            if (verbose == 1) {
-                                {
+                /*
-                                /* We're just listing names, comma-delimited */
+                 * We're just listing names, comma-delimited
                 */
                if ((xpos > (int)strlen(indent)) &&
-					(xpos + (int)strlen(name) > line_wrap))
+                    (xpos + (int)strlen(name) > line_wrap)) {
-                                        {
+                    BIO_printf(out, "\n");
-                                        BIO_printf(bio_out, "\n");
+                    xpos = BIO_puts(out, indent);
                                        xpos = BIO_puts(bio_out, indent);
                }
-                                xpos += BIO_printf(bio_out, "%s", name);
+                xpos += BIO_printf(out, "%s", name);
-                                }
+            } else {
                        else
                                {
                /* We're listing names plus descriptions */
-                                BIO_printf(bio_out, "%s: %s\n", name,
+                BIO_printf(out, "%s: %s\n", name,
                           (desc == NULL) ? "<no description>" : desc);
                /* ... and sometimes input flags */
-                                if((verbose >= 3) && !util_flags(bio_out, flags,
+                if ((verbose >= 3) && !util_flags(out, flags, indent))
                                        indent))
                    goto err;
                xpos = 0;
            }
        }
-		OPENSSL_free(name); name = NULL;
+        OPENSSL_free(name);
-		if(desc) { OPENSSL_free(desc); desc = NULL; }
+        name = NULL;
        OPENSSL_free(desc);
        desc = NULL;
        /* Move to the next command */
-		num = ENGINE_ctrl(e, ENGINE_CTRL_GET_NEXT_CMD_TYPE,
+        num = ENGINE_ctrl(e, ENGINE_CTRL_GET_NEXT_CMD_TYPE, num, NULL, NULL);
 					num, NULL, NULL);
    } while (num > 0);
    if (xpos > 0)
-		BIO_printf(bio_out, "\n");
+        BIO_printf(out, "\n");
    ret = 1;
 err:
-	if(cmds) sk_OPENSSL_STRING_pop_free(cmds, identity);
+    sk_OPENSSL_STRING_pop_free(cmds, identity);
-	if(name) OPENSSL_free(name);
+    OPENSSL_free(name);
-	if(desc) OPENSSL_free(desc);
+    OPENSSL_free(desc);
    return ret;
 }
 static void util_do_cmds(ENGINE *e, STACK_OF(OPENSSL_STRING) *cmds,
-			BIO *bio_out, const char *indent)
+                         BIO *out, const char *indent)
 {
    int loop, res, num = sk_OPENSSL_STRING_num(cmds);
-	if(num < 0)
+    if (num < 0) {
-		{
+        BIO_printf(out, "[Error]: internal stack error\n");
 		BIO_printf(bio_out, "[Error]: internal stack error\n");
        return;
    }
-	for(loop = 0; loop < num; loop++)
+    for (loop = 0; loop < num; loop++) {
 		{
        char buf[256];
        const char *cmd, *arg;
        cmd = sk_OPENSSL_STRING_value(cmds, loop);
        res = 1;                /* assume success */
        /* Check if this command has no ":arg" */
-		if((arg = strstr(cmd, ":")) == NULL)
+        if ((arg = strstr(cmd, ":")) == NULL) {
 			{
            if (!ENGINE_ctrl_cmd_string(e, cmd, NULL, 0))
                res = 0;
-			}
+        } else {
-		else
+            if ((int)(arg - cmd) > 254) {
-			{
+                BIO_printf(out, "[Error]: command name too long\n");
 			if((int)(arg - cmd) > 254)
 				{
 				BIO_printf(bio_out,"[Error]: command name too long\n");
                return;
            }
            memcpy(buf, cmd, (int)(arg - cmd));
@@ -327,124 +293,91 @@ static void util_do_cmds(ENGINE *e, STACK_OF(OPENSSL_STRING) *cmds,
                res = 0;
        }
        if (res)
-			BIO_printf(bio_out, "[Success]: %s\n", cmd);
+            BIO_printf(out, "[Success]: %s\n", cmd);
-		else
+        else {
-			{
+            BIO_printf(out, "[Failure]: %s\n", cmd);
-			BIO_printf(bio_out, "[Failure]: %s\n", cmd);
+            ERR_print_errors(out);
 			ERR_print_errors(bio_out);
        }
    }
 }
-int MAIN(int, char **);
+int engine_main(int argc, char **argv)
 int MAIN(int argc, char **argv)
 {
    int ret = 1, i;
 	const char **pp;
    int verbose = 0, list_cap = 0, test_avail = 0, test_avail_noise = 0;
    ENGINE *e;
    STACK_OF(OPENSSL_STRING) *engines = sk_OPENSSL_STRING_new_null();
    STACK_OF(OPENSSL_STRING) *pre_cmds = sk_OPENSSL_STRING_new_null();
    STACK_OF(OPENSSL_STRING) *post_cmds = sk_OPENSSL_STRING_new_null();
-	int badops=1;
+    BIO *out;
 	BIO *bio_out=NULL;
    const char *indent = "     ";
    OPTION_CHOICE o;
    char *prog;
-	apps_startup();
+    out = dup_bio_out(FORMAT_TEXT);
-	SSL_load_error_strings();
+    prog = opt_init(argc, argv, engine_options);
-
+    if (!engines || !pre_cmds || !post_cmds)
 	if (bio_err == NULL)
 		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
 	if (!load_config(bio_err, NULL))
        goto end;
-	bio_out=BIO_new_fp(stdout,BIO_NOCLOSE);
+    while ((o = opt_next()) != OPT_EOF) {
-#ifdef OPENSSL_SYS_VMS
+        switch (o) {
-	{
+        case OPT_EOF:
-	BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+        case OPT_ERR:
-	bio_out = BIO_push(tmpbio, bio_out);
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
-	}
+            goto end;
-#endif
+        case OPT_HELP:
-
+            opt_help(engine_options);
-	argc--;
+            ret = 0;
-	argv++;
+            goto end;
-	while (argc >= 1)
+        case OPT_VVVV:
-		{
+        case OPT_VVV:
-		if (strncmp(*argv,"-v",2) == 0)
+        case OPT_VV:
-			{
+        case OPT_V:
-			if(strspn(*argv + 1, "v") < strlen(*argv + 1))
+            /* Convert to an integer from one to four. */
-				goto skip_arg_loop;
+            i = (int)(o - OPT_V) + 1;
-			if((verbose=strlen(*argv + 1)) > 4)
+            if (verbose < i)
-				goto skip_arg_loop;
+                verbose = i;
-			}
+            break;
-		else if (strcmp(*argv,"-c") == 0)
+        case OPT_C:
            list_cap = 1;
-		else if (strncmp(*argv,"-t",2) == 0)
+            break;
-			{
+        case OPT_TT:
-			test_avail=1;
+            test_avail_noise++;
-			if(strspn(*argv + 1, "t") < strlen(*argv + 1))
+        case OPT_T:
-				goto skip_arg_loop;
+            test_avail++;
-			if((test_avail_noise = strlen(*argv + 1) - 1) > 1)
+            break;
-				goto skip_arg_loop;
+        case OPT_PRE:
            sk_OPENSSL_STRING_push(pre_cmds, opt_arg());
            break;
        case OPT_POST:
            sk_OPENSSL_STRING_push(post_cmds, opt_arg());
            break;
        }
 		else if (strcmp(*argv,"-pre") == 0)
 			{
 			argc--; argv++;
 			if (argc == 0)
 				goto skip_arg_loop;
 			sk_OPENSSL_STRING_push(pre_cmds,*argv);
    }
-		else if (strcmp(*argv,"-post") == 0)
+    argc = opt_num_rest();
-			{
+    argv = opt_rest();
-			argc--; argv++;
+    for ( ; *argv; argv++)
 			if (argc == 0)
 				goto skip_arg_loop;
 			sk_OPENSSL_STRING_push(post_cmds,*argv);
 			}
 		else if ((strncmp(*argv,"-h",2) == 0) ||
 				(strcmp(*argv,"-?") == 0))
 			goto skip_arg_loop;
 		else
        sk_OPENSSL_STRING_push(engines, *argv);
 		argc--;
 		argv++;
 		}
 	/* Looks like everything went OK */
 	badops = 0;
 skip_arg_loop:
-	if (badops)
+    if (sk_OPENSSL_STRING_num(engines) == 0) {
-		{
+        for (e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e)) {
 		for (pp=engine_usage; (*pp != NULL); pp++)
 			BIO_printf(bio_err,"%s",*pp);
 		goto end;
 		}
 	if (sk_OPENSSL_STRING_num(engines) == 0)
 		{
 		for(e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e))
 			{
            sk_OPENSSL_STRING_push(engines, (char *)ENGINE_get_id(e));
        }
    }
-	for (i=0; i<sk_OPENSSL_STRING_num(engines); i++)
+    for (i = 0; i < sk_OPENSSL_STRING_num(engines); i++) {
 		{
        const char *id = sk_OPENSSL_STRING_value(engines, i);
-		if ((e = ENGINE_by_id(id)) != NULL)
+        if ((e = ENGINE_by_id(id)) != NULL) {
 			{
            const char *name = ENGINE_get_name(e);
-			/* Do "id" first, then "name". Easier to auto-parse. */
+            /*
-			BIO_printf(bio_out, "(%s) %s\n", id, name);
+             * Do "id" first, then "name". Easier to auto-parse.
-			util_do_cmds(e, pre_cmds, bio_out, indent);
+             */
-			if (strcmp(ENGINE_get_id(e), id) != 0)
+            BIO_printf(out, "(%s) %s\n", id, name);
-				{
+            util_do_cmds(e, pre_cmds, out, indent);
-				BIO_printf(bio_out, "Loaded: (%s) %s\n",
+            if (strcmp(ENGINE_get_id(e), id) != 0) {
                BIO_printf(out, "Loaded: (%s) %s\n",
                           ENGINE_get_id(e), ENGINE_get_name(e));
            }
-			if (list_cap)
+            if (list_cap) {
 				{
                int cap_size = 256;
                char *cap_buf = NULL;
                int k, n;
@@ -454,78 +387,69 @@ skip_arg_loop:
                ENGINE_PKEY_METHS_PTR fn_pk;
                if (ENGINE_get_RSA(e) != NULL
-					&& !append_buf(&cap_buf, "RSA",
+                    && !append_buf(&cap_buf, "RSA", &cap_size, 256))
 						&cap_size, 256))
                    goto end;
                if (ENGINE_get_DSA(e) != NULL
-					&& !append_buf(&cap_buf, "DSA",
+                    && !append_buf(&cap_buf, "DSA", &cap_size, 256))
 						&cap_size, 256))
                    goto end;
                if (ENGINE_get_DH(e) != NULL
-					&& !append_buf(&cap_buf, "DH",
+                    && !append_buf(&cap_buf, "DH", &cap_size, 256))
 						&cap_size, 256))
                    goto end;
                if (ENGINE_get_RAND(e) != NULL
-					&& !append_buf(&cap_buf, "RAND",
+                    && !append_buf(&cap_buf, "RAND", &cap_size, 256))
 						&cap_size, 256))
                    goto end;
                fn_c = ENGINE_get_ciphers(e);
-				if(!fn_c) goto skip_ciphers;
+                if (!fn_c)
                    goto skip_ciphers;
                n = fn_c(e, NULL, &nids, 0);
                for (k = 0; k < n; ++k)
                    if (!append_buf(&cap_buf,
-						       OBJ_nid2sn(nids[k]),
+                                    OBJ_nid2sn(nids[k]), &cap_size, 256))
 						       &cap_size, 256))
                        goto end;
 skip_ciphers:
                fn_d = ENGINE_get_digests(e);
-				if(!fn_d) goto skip_digests;
+                if (!fn_d)
                    goto skip_digests;
                n = fn_d(e, NULL, &nids, 0);
                for (k = 0; k < n; ++k)
                    if (!append_buf(&cap_buf,
-						       OBJ_nid2sn(nids[k]),
+                                    OBJ_nid2sn(nids[k]), &cap_size, 256))
 						       &cap_size, 256))
                        goto end;
 skip_digests:
                fn_pk = ENGINE_get_pkey_meths(e);
-				if(!fn_pk) goto skip_pmeths;
+                if (!fn_pk)
                    goto skip_pmeths;
                n = fn_pk(e, NULL, &nids, 0);
                for (k = 0; k < n; ++k)
                    if (!append_buf(&cap_buf,
-						       OBJ_nid2sn(nids[k]),
+                                    OBJ_nid2sn(nids[k]), &cap_size, 256))
 						       &cap_size, 256))
                        goto end;
 skip_pmeths:
                if (cap_buf && (*cap_buf != '\0'))
-					BIO_printf(bio_out, " [%s]\n", cap_buf);
+                    BIO_printf(out, " [%s]\n", cap_buf);
                OPENSSL_free(cap_buf);
            }
-			if(test_avail)
+            if (test_avail) {
-				{
+                BIO_printf(out, "%s", indent);
-				BIO_printf(bio_out, "%s", indent);
+                if (ENGINE_init(e)) {
-				if (ENGINE_init(e))
+                    BIO_printf(out, "[ available ]\n");
-					{
+                    util_do_cmds(e, post_cmds, out, indent);
 					BIO_printf(bio_out, "[ available ]\n");
 					util_do_cmds(e, post_cmds, bio_out, indent);
                    ENGINE_finish(e);
-					}
+                } else {
-				else
+                    BIO_printf(out, "[ unavailable ]\n");
 					{
 					BIO_printf(bio_out, "[ unavailable ]\n");
                    if (test_avail_noise)
                        ERR_print_errors_fp(stdout);
                    ERR_clear_error();
                }
            }
-			if((verbose > 0) && !util_verbose(e, verbose, bio_out, indent))
+            if ((verbose > 0) && !util_verbose(e, verbose, out, indent))
                goto end;
            ENGINE_free(e);
-			}
+        } else
 		else
            ERR_print_errors(bio_err);
    }
@@ -536,9 +460,8 @@ end:
    sk_OPENSSL_STRING_pop_free(engines, identity);
    sk_OPENSSL_STRING_pop_free(pre_cmds, identity);
    sk_OPENSSL_STRING_pop_free(post_cmds, identity);
-	if (bio_out != NULL) BIO_free_all(bio_out);
+    BIO_free_all(out);
-	apps_shutdown();
+    return (ret);
 	OPENSSL_EXIT(ret);
 }
 #else
--- a/apps/errstr.c
+++ b/apps/errstr.c
@@ -1,4 +1,3 @@
 /* apps/errstr.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -65,64 +64,60 @@
 #include <openssl/err.h>
 #include <openssl/ssl.h>
-#undef PROG
+typedef enum OPTION_choice {
-#define PROG	errstr_main
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_STATS
 } OPTION_CHOICE;
-int MAIN(int, char **);
+OPTIONS errstr_options[] = {
    {OPT_HELP_STR, 1, '-', "Usage: %s [options] errnum...\n"},
    {OPT_HELP_STR, 1, '-', "  errnum  Error number\n"},
    {"help", OPT_HELP, '-', "Display this summary"},
    {"stats", OPT_STATS, '-',
     "Print internal hashtable statistics (long!)"},
    {NULL}
 };
-int MAIN(int argc, char **argv)
+int errstr_main(int argc, char **argv)
 {
-	int i,ret=0;
+    OPTION_CHOICE o;
-	char buf[256];
+    char buf[256], *prog;
    int ret = 1;
    unsigned long l;
-	apps_startup();
+    prog = opt_init(argc, argv, errstr_options);
-
+    while ((o = opt_next()) != OPT_EOF) {
-	if (bio_err == NULL)
+        switch (o) {
-		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+        case OPT_EOF:
-			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+        case OPT_ERR:
-
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
-	SSL_load_error_strings();
+            goto end;
-
+        case OPT_HELP:
-	if ((argc > 1) && (strcmp(argv[1],"-stats") == 0))
+            opt_help(errstr_options);
-		{
+            ret = 0;
-		BIO *out=NULL;
+            goto end;
-
+        case OPT_STATS:
-		out=BIO_new(BIO_s_file());
+            lh_ERR_STRING_DATA_node_stats_bio(ERR_get_string_table(),
-		if ((out != NULL) && BIO_set_fp(out,stdout,BIO_NOCLOSE))
+                                              bio_out);
-			{
+            lh_ERR_STRING_DATA_stats_bio(ERR_get_string_table(), bio_out);
-#ifdef OPENSSL_SYS_VMS
+            lh_ERR_STRING_DATA_node_usage_stats_bio(ERR_get_string_table(),
-			{
+                                                    bio_out);
-			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+            ret = 0;
-			out = BIO_push(tmpbio, out);
+            goto end;
        }
 #endif
 			lh_ERR_STRING_DATA_node_stats_bio(
 						  ERR_get_string_table(), out);
 			lh_ERR_STRING_DATA_stats_bio(ERR_get_string_table(),
 						     out);
 			lh_ERR_STRING_DATA_node_usage_stats_bio(
 						    ERR_get_string_table(),out);
 			}
 		if (out != NULL) BIO_free_all(out);
 		argc--;
 		argv++;
    }
    argc = opt_num_rest();
    argv = opt_rest();
-	for (i=1; i<argc; i++)
+    ret = 0;
-		{
+    for (argv = opt_rest(); *argv; argv++) {
-		if (sscanf(argv[i],"%lx",&l))
+        if (!opt_ulong(*argv, &l))
 			{
 			ERR_error_string_n(l, buf, sizeof buf);
 			printf("%s\n",buf);
 			}
 		else
 			{
 			printf("%s: bad error code\n",argv[i]);
 			printf("usage: errstr [-stats] <errno> ...\n");
            ret++;
        else {
            ERR_error_string_n(l, buf, sizeof buf);
            BIO_printf(bio_out, "%s\n", buf);
        }
    }
-	apps_shutdown();
+ end:
-	OPENSSL_EXIT(ret);
+    return (ret);
 }
--- a/apps/gendh.c
+++ b/apps/gendh.c
@@ -1,241 +0,0 @@
 /* apps/gendh.c */
 /* obsoleted by dhparam.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
 #include <openssl/opensslconf.h>
 /* Until the key-gen callbacks are modified to use newer prototypes, we allow
 * deprecated functions for openssl-internal code */
 #ifdef OPENSSL_NO_DEPRECATED
 #undef OPENSSL_NO_DEPRECATED
 #endif
 #ifndef OPENSSL_NO_DH
 #include <stdio.h>
 #include <string.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #include "apps.h"
 #include <openssl/bio.h>
 #include <openssl/rand.h>
 #include <openssl/err.h>
 #include <openssl/bn.h>
 #include <openssl/dh.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #define DEFBITS	512
 #undef PROG
 #define PROG gendh_main
 static int MS_CALLBACK dh_cb(int p, int n, BN_GENCB *cb);
 int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	BN_GENCB cb;
 	DH *dh=NULL;
 	int ret=1,num=DEFBITS;
 	int g=2;
 	char *outfile=NULL;
 	char *inrand=NULL;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
 	BIO *out=NULL;
 	apps_startup();
 	BN_GENCB_set(&cb, dh_cb, bio_err);
 	if (bio_err == NULL)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	if (!load_config(bio_err, NULL))
 		goto end;
 	argv++;
 	argc--;
 	for (;;)
 		{
 		if (argc <= 0) break;
 		if (strcmp(*argv,"-out") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 		else if (strcmp(*argv,"-2") == 0)
 			g=2;
 	/*	else if (strcmp(*argv,"-3") == 0)
 			g=3; */
 		else if (strcmp(*argv,"-5") == 0)
 			g=5;
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 #endif
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) goto bad;
 			inrand= *(++argv);
 			}
 		else
 			break;
 		argv++;
 		argc--;
 		}
 	if ((argc >= 1) && ((sscanf(*argv,"%d",&num) == 0) || (num < 0)))
 		{
 bad:
 		BIO_printf(bio_err,"usage: gendh [args] [numbits]\n");
 		BIO_printf(bio_err," -out file - output the key to 'file\n");
 		BIO_printf(bio_err," -2        - use 2 as the generator value\n");
 	/*	BIO_printf(bio_err," -3        - use 3 as the generator value\n"); */
 		BIO_printf(bio_err," -5        - use 5 as the generator value\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e - use engine e, possibly a hardware device.\n");
 #endif
 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,"           - load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,"             the random number generator\n");
 		goto end;
 		}
 #ifndef OPENSSL_NO_ENGINE
        setup_engine(bio_err, engine, 0);
 #endif
 	out=BIO_new(BIO_s_file());
 	if (out == NULL)
 		{
 		ERR_print_errors(bio_err);
 		goto end;
 		}
 	if (outfile == NULL)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
 			{
 			perror(outfile);
 			goto end;
 			}
 		}
 	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL)
 		{
 		BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
 		}
 	if (inrand != NULL)
 		BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
 			app_RAND_load_files(inrand));
 	BIO_printf(bio_err,"Generating DH parameters, %d bit long safe prime, generator %d\n",num,g);
 	BIO_printf(bio_err,"This is going to take a long time\n");
 	if(((dh = DH_new()) == NULL) || !DH_generate_parameters_ex(dh, num, g, &cb))
 		goto end;
 	app_RAND_write_file(NULL, bio_err);
 	if (!PEM_write_bio_DHparams(out,dh))
 		goto end;
 	ret=0;
 end:
 	if (ret != 0)
 		ERR_print_errors(bio_err);
 	if (out != NULL) BIO_free_all(out);
 	if (dh != NULL) DH_free(dh);
 	apps_shutdown();
 	OPENSSL_EXIT(ret);
 	}
 static int MS_CALLBACK dh_cb(int p, int n, BN_GENCB *cb)
 	{
 	char c='*';
 	if (p == 0) c='.';
 	if (p == 1) c='+';
 	if (p == 2) c='*';
 	if (p == 3) c='\n';
 	BIO_write(cb->arg,&c,1);
 	(void)BIO_flush(cb->arg);
 #ifdef LINT
 	p=n;
 #endif
 	return 1;
 	}
 #else /* !OPENSSL_NO_DH */
 # if PEDANTIC
 static void *dummy=&dummy;
 # endif
 #endif
--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -1,4 +1,3 @@
 /* apps/gendsa.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -70,211 +69,121 @@
 # include <openssl/x509.h>
 # include <openssl/pem.h>
-#define DEFBITS	512
+typedef enum OPTION_choice {
-#undef PROG
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
-#define PROG gendsa_main
+    OPT_OUT, OPT_PASSOUT, OPT_ENGINE, OPT_RAND, OPT_CIPHER
 } OPTION_CHOICE;
-int MAIN(int, char **);
+OPTIONS gendsa_options[] = {
    {OPT_HELP_STR, 1, '-', "Usage: %s [args] dsaparam-file\n"},
    {OPT_HELP_STR, 1, '-', "Valid options are:\n"},
    {"help", OPT_HELP, '-', "Display this summary"},
    {"out", OPT_OUT, '>', "Output the key to the specified file"},
    {"passout", OPT_PASSOUT, 's'},
    {"rand", OPT_RAND, 's',
     "Load the file(s) into the random number generator"},
    {"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
 # ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 # endif
    {NULL}
 };
-int MAIN(int argc, char **argv)
+int gendsa_main(int argc, char **argv)
 {
 	DSA *dsa=NULL;
 	int ret=1;
 	char *outfile=NULL;
 	char *inrand=NULL,*dsaparams=NULL;
 	char *passargout = NULL, *passout = NULL;
    BIO *out = NULL, *in = NULL;
    DSA *dsa = NULL;
    const EVP_CIPHER *enc = NULL;
-#ifndef OPENSSL_NO_ENGINE
+    char *inrand = NULL, *dsaparams = NULL;
-	char *engine=NULL;
+    char *outfile = NULL, *passoutarg = NULL, *passout = NULL, *prog;
-#endif
+    OPTION_CHOICE o;
    int ret = 1, private = 0;
-	apps_startup();
+    prog = opt_init(argc, argv, gendsa_options);
-
+    while ((o = opt_next()) != OPT_EOF) {
-	if (bio_err == NULL)
+        switch (o) {
-		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+        case OPT_EOF:
-			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+        case OPT_ERR:
-
+ opthelp:
-	if (!load_config(bio_err, NULL))
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
        case OPT_HELP:
            ret = 0;
            opt_help(gendsa_options);
            goto end;
        case OPT_OUT:
            outfile = opt_arg();
            break;
        case OPT_PASSOUT:
            passoutarg = opt_arg();
            break;
        case OPT_ENGINE:
            (void)setup_engine(opt_arg(), 0);
            break;
        case OPT_RAND:
            inrand = opt_arg();
            break;
        case OPT_CIPHER:
            if (!opt_cipher(opt_unknown(), &enc))
                goto end;
            break;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
    private = 1;
-	argv++;
+    if (argc != 1)
-	argc--;
+        goto opthelp;
 	for (;;)
 		{
 		if (argc <= 0) break;
 		if (strcmp(*argv,"-out") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 		else if (strcmp(*argv,"-passout") == 0)
 			{
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 #endif
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) goto bad;
 			inrand= *(++argv);
 			}
 		else if (strcmp(*argv,"-") == 0)
 			goto bad;
 #ifndef OPENSSL_NO_DES
 		else if (strcmp(*argv,"-des") == 0)
 			enc=EVP_des_cbc();
 		else if (strcmp(*argv,"-des3") == 0)
 			enc=EVP_des_ede3_cbc();
 #endif
 #ifndef OPENSSL_NO_IDEA
 		else if (strcmp(*argv,"-idea") == 0)
 			enc=EVP_idea_cbc();
 #endif
 #ifndef OPENSSL_NO_SEED
 		else if (strcmp(*argv,"-seed") == 0)
 			enc=EVP_seed_cbc();
 #endif
 #ifndef OPENSSL_NO_AES
 		else if (strcmp(*argv,"-aes128") == 0)
 			enc=EVP_aes_128_cbc();
 		else if (strcmp(*argv,"-aes192") == 0)
 			enc=EVP_aes_192_cbc();
 		else if (strcmp(*argv,"-aes256") == 0)
 			enc=EVP_aes_256_cbc();
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
 		else if (strcmp(*argv,"-camellia128") == 0)
 			enc=EVP_camellia_128_cbc();
 		else if (strcmp(*argv,"-camellia192") == 0)
 			enc=EVP_camellia_192_cbc();
 		else if (strcmp(*argv,"-camellia256") == 0)
 			enc=EVP_camellia_256_cbc();
 #endif
 		else if (**argv != '-' && dsaparams == NULL)
 			{
    dsaparams = *argv;
 			}
 		else
 			goto bad;
 		argv++;
 		argc--;
 		}
-	if (dsaparams == NULL)
+    if (!app_passwd(NULL, passoutarg, NULL, &passout)) {
 		{
 bad:
 		BIO_printf(bio_err,"usage: gendsa [args] dsaparam-file\n");
 		BIO_printf(bio_err," -out file - output the key to 'file'\n");
 #ifndef OPENSSL_NO_DES
 		BIO_printf(bio_err," -des      - encrypt the generated key with DES in cbc mode\n");
 		BIO_printf(bio_err," -des3     - encrypt the generated key with DES in ede cbc mode (168 bit key)\n");
 #endif
 #ifndef OPENSSL_NO_IDEA
 		BIO_printf(bio_err," -idea     - encrypt the generated key with IDEA in cbc mode\n");
 #endif
 #ifndef OPENSSL_NO_SEED
 		BIO_printf(bio_err," -seed\n");
 		BIO_printf(bio_err,"                 encrypt PEM output with cbc seed\n");
 #endif
 #ifndef OPENSSL_NO_AES
 		BIO_printf(bio_err," -aes128, -aes192, -aes256\n");
 		BIO_printf(bio_err,"                 encrypt PEM output with cbc aes\n");
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
 		BIO_printf(bio_err," -camellia128, -camellia192, -camellia256\n");
 		BIO_printf(bio_err,"                 encrypt PEM output with cbc camellia\n");
 #endif
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e - use engine e, possibly a hardware device.\n");
 #endif
 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,"           - load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,"             the random number generator\n");
 		BIO_printf(bio_err," dsaparam-file\n");
 		BIO_printf(bio_err,"           - a DSA parameter file as generated by the dsaparam command\n");
 		goto end;
 		}
 #ifndef OPENSSL_NO_ENGINE
        setup_engine(bio_err, engine, 0);
 #endif
 	if(!app_passwd(bio_err, NULL, passargout, NULL, &passout)) {
        BIO_printf(bio_err, "Error getting password\n");
        goto end;
    }
    in = bio_open_default(dsaparams, 'r', FORMAT_PEM);
    if (in == NULL)
        goto end2;
-	in=BIO_new(BIO_s_file());
+    if ((dsa = PEM_read_bio_DSAparams(in, NULL, NULL, NULL)) == NULL) {
 	if (!(BIO_read_filename(in,dsaparams)))
 		{
 		perror(dsaparams);
 		goto end;
 		}
 	if ((dsa=PEM_read_bio_DSAparams(in,NULL,NULL,NULL)) == NULL)
 		{
        BIO_printf(bio_err, "unable to load DSA parameter file\n");
        goto end;
    }
    BIO_free(in);
    in = NULL;
-	out=BIO_new(BIO_s_file());
+    out = bio_open_owner(outfile, FORMAT_PEM, private);
-	if (out == NULL) goto end;
+    if (out == NULL)
        goto end2;
-	if (outfile == NULL)
+    if (!app_RAND_load_file(NULL, 1) && inrand == NULL) {
-		{
+        BIO_printf(bio_err,
-		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+                   "warning, not much extra random data, consider using the -rand option\n");
 #ifdef OPENSSL_SYS_VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
 			{
 			perror(outfile);
 			goto end;
 			}
 		}
 	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL)
 		{
 		BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
    }
    if (inrand != NULL)
        BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
                   app_RAND_load_files(inrand));
-	BIO_printf(bio_err,"Generating DSA key, %d bits\n",
+    BIO_printf(bio_err, "Generating DSA key, %d bits\n", BN_num_bits(dsa->p));
-							BN_num_bits(dsa->p));
+    if (!DSA_generate_key(dsa))
-	if (!DSA_generate_key(dsa)) goto end;
+        goto end;
-	app_RAND_write_file(NULL, bio_err);
+    app_RAND_write_file(NULL);
    assert(private);
    if (!PEM_write_bio_DSAPrivateKey(out, dsa, enc, NULL, 0, NULL, passout))
        goto end;
    ret = 0;
 end:
    if (ret != 0)
        ERR_print_errors(bio_err);
-	if (in != NULL) BIO_free(in);
+ end2:
-	if (out != NULL) BIO_free_all(out);
+    BIO_free(in);
-	if (dsa != NULL) DSA_free(dsa);
+    BIO_free_all(out);
-	if(passout) OPENSSL_free(passout);
+    DSA_free(dsa);
-	apps_shutdown();
+    OPENSSL_free(passout);
-	OPENSSL_EXIT(ret);
+    return (ret);
 }
 #else                           /* !OPENSSL_NO_DSA */
--- a/apps/genpkey.c
+++ b/apps/genpkey.c
@@ -1,6 +1,6 @@
-/* apps/genpkey.c */
+/*
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * project 2006
+ * 2006
 */
 /* ====================================================================
 * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
@@ -65,198 +65,137 @@
 # include <openssl/engine.h>
 #endif
-static int init_keygen_file(BIO *err, EVP_PKEY_CTX **pctx,
+static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e);
 				const char *file, ENGINE *e);
 static int genpkey_cb(EVP_PKEY_CTX *ctx);
-#define PROG genpkey_main
+typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_ENGINE, OPT_OUTFORM, OPT_OUT, OPT_PASS, OPT_PARAMFILE,
    OPT_ALGORITHM, OPT_PKEYOPT, OPT_GENPARAM, OPT_TEXT, OPT_CIPHER
 } OPTION_CHOICE;
-int MAIN(int, char **);
+OPTIONS genpkey_options[] = {
    {"help", OPT_HELP, '-', "Display this summary"},
    {"out", OPT_OUT, '>', "Output file"},
    {"outform", OPT_OUTFORM, 'F', "output format (DER or PEM)"},
    {"pass", OPT_PASS, 's', "Output file pass phrase source"},
    {"paramfile", OPT_PARAMFILE, '<', "Parameters file"},
    {"algorithm", OPT_ALGORITHM, 's', "The public key algorithm"},
    {"pkeyopt", OPT_PKEYOPT, 's',
     "Set the public key algorithm option as opt:value"},
    {"genparam", OPT_GENPARAM, '-', "Generate parameters, not key"},
    {"text", OPT_TEXT, '-', "Print the in text"},
    {"", OPT_CIPHER, '-', "Cipher to use to encrypt the key"},
 #ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
    /* This is deliberately last. */
    {OPT_HELP_STR, 1, 1,
     "Order of options may be important!  See the documentation.\n"},
    {NULL}
 };
-int MAIN(int argc, char **argv)
+int genpkey_main(int argc, char **argv)
 {
 	ENGINE *e = NULL;
 	char **args, *outfile = NULL;
 	char *passarg = NULL;
    BIO *in = NULL, *out = NULL;
-	const EVP_CIPHER *cipher = NULL;
+    ENGINE *e = NULL;
 	int outformat;
 	int text = 0;
    EVP_PKEY *pkey = NULL;
    EVP_PKEY_CTX *ctx = NULL;
-	char *pass = NULL;
+    char *outfile = NULL, *passarg = NULL, *pass = NULL, *prog;
-	int badarg = 0;
+    const EVP_CIPHER *cipher = NULL;
-	int ret = 1, rv;
+    OPTION_CHOICE o;
    int outformat = FORMAT_PEM, text = 0, ret = 1, rv, do_param = 0;
    int private = 0;
-	int do_param = 0;
+    prog = opt_init(argc, argv, genpkey_options);
-
+    while ((o = opt_next()) != OPT_EOF) {
-	if (bio_err == NULL)
+        switch (o) {
-		bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
+        case OPT_EOF:
-
+        case OPT_ERR:
-	if (!load_config(bio_err, NULL))
+ opthelp:
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
-
+        case OPT_HELP:
-	outformat=FORMAT_PEM;
+            ret = 0;
-
+            opt_help(genpkey_options);
-	ERR_load_crypto_strings();
+            goto end;
-	OpenSSL_add_all_algorithms();
+        case OPT_OUTFORM:
-	args = argv + 1;
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
-	while (!badarg && *args && *args[0] == '-')
+                goto opthelp;
-		{
+            break;
-		if (!strcmp(*args,"-outform"))
+        case OPT_OUT:
-			{
+            outfile = opt_arg();
-			if (args[1])
+            break;
-				{
+        case OPT_PASS:
-				args++;
+            passarg = opt_arg();
-				outformat=str2fmt(*args);
+            break;
-				}
+        case OPT_ENGINE:
-			else badarg = 1;
+            e = setup_engine(opt_arg(), 0);
-			}
+            break;
-		else if (!strcmp(*args,"-pass"))
+        case OPT_PARAMFILE:
 			{
 			if (!args[1]) goto bad;
 			passarg= *(++args);
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*args,"-engine") == 0)
 			{
 			if (!args[1])
 				goto bad;
        		e = setup_engine(bio_err, *(++args), 0);
 			}
 #endif
 		else if (!strcmp (*args, "-paramfile"))
 			{
 			if (!args[1])
 				goto bad;
 			args++;
            if (do_param == 1)
-				goto bad;
+                goto opthelp;
-			if (!init_keygen_file(bio_err, &ctx, *args, e))
+            if (!init_keygen_file(&ctx, opt_arg(), e))
                goto end;
-			}
+            break;
-		else if (!strcmp (*args, "-out"))
+        case OPT_ALGORITHM:
-			{
+            if (!init_gen_str(&ctx, opt_arg(), e, do_param))
 			if (args[1])
 				{
 				args++;
 				outfile = *args;
 				}
 			else badarg = 1;
 			}
 		else if (strcmp(*args,"-algorithm") == 0)
 			{
 			if (!args[1])
 				goto bad;
 			if (!init_gen_str(bio_err, &ctx, *(++args),e, do_param))
                goto end;
            break;
        case OPT_PKEYOPT:
            if (ctx == NULL) {
                BIO_printf(bio_err, "%s: No keytype specified.\n", prog);
                goto opthelp;
            }
-		else if (strcmp(*args,"-pkeyopt") == 0)
+            if (pkey_ctrl_string(ctx, opt_arg()) <= 0) {
-			{
+                BIO_printf(bio_err,
-			if (!args[1])
+                           "%s: Error setting %s parameter:\n",
-				goto bad;
+                           prog, opt_arg());
 			if (!ctx)
 				{
 				BIO_puts(bio_err, "No keytype specified\n");
 				goto bad;
 				}
 			else if (pkey_ctrl_string(ctx, *(++args)) <= 0)
 				{
 				BIO_puts(bio_err, "parameter setting error\n");
                ERR_print_errors(bio_err);
                goto end;
            }
-			}
+            break;
-		else if (strcmp(*args,"-genparam") == 0)
+        case OPT_GENPARAM:
-			{
+            if (ctx != NULL)
-			if (ctx)
+                goto opthelp;
 				goto bad;
            do_param = 1;
-			}
+            break;
-		else if (strcmp(*args,"-text") == 0)
+        case OPT_TEXT:
            text = 1;
-		else
+            break;
-			{
+        case OPT_CIPHER:
-			cipher = EVP_get_cipherbyname(*args + 1);
+            if (!opt_cipher(opt_unknown(), &cipher)
-			if (!cipher)
+                || do_param == 1)
-				{
+                goto opthelp;
 				BIO_printf(bio_err, "Unknown cipher %s\n",
 								*args + 1);
 				badarg = 1;
        }
 			if (do_param == 1)
 				badarg = 1;
 			}
 		args++;
    }
    argc = opt_num_rest();
    argv = opt_rest();
    private = do_param ? 0 : 1;
-	if (!ctx)
+    if (ctx == NULL)
-		badarg = 1;
+        goto opthelp;
-	if (badarg)
+    if (!app_passwd(passarg, NULL, &pass, NULL)) {
 		{
 		bad:
 		BIO_printf(bio_err, "Usage: genpkey [options]\n");
 		BIO_printf(bio_err, "where options may be\n");
 		BIO_printf(bio_err, "-out file          output file\n");
 		BIO_printf(bio_err, "-outform X         output format (DER or PEM)\n");
 		BIO_printf(bio_err, "-pass arg          output file pass phrase source\n");
 		BIO_printf(bio_err, "-<cipher>          use cipher <cipher> to encrypt the key\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err, "-engine e          use engine e, possibly a hardware device.\n");
 #endif
 		BIO_printf(bio_err, "-paramfile file    parameters file\n");
 		BIO_printf(bio_err, "-algorithm alg     the public key algorithm\n");
 		BIO_printf(bio_err, "-pkeyopt opt:value set the public key algorithm option <opt>\n"
 				            "                   to value <value>\n");
 		BIO_printf(bio_err, "-genparam          generate parameters, not key\n");
 		BIO_printf(bio_err, "-text              print the in text\n");
 		BIO_printf(bio_err, "NB: options order may be important!  See the manual page.\n");
 		goto end;
 		}
 	if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
 		{
        BIO_puts(bio_err, "Error getting password\n");
        goto end;
    }
-	if (outfile)
+    out = bio_open_owner(outfile, outformat, private);
-		{
+    if (out == NULL)
 		if (!(out = BIO_new_file (outfile, "wb")))
 			{
 			BIO_printf(bio_err,
 				 "Can't open output file %s\n", outfile);
        goto end;
 			}
 		}
 	else
 		{
 		out = BIO_new_fp (stdout, BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 			{
 			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 			out = BIO_push(tmpbio, out);
 			}
 #endif
 		}
    EVP_PKEY_CTX_set_cb(ctx, genpkey_cb);
    EVP_PKEY_CTX_set_app_data(ctx, bio_err);
-	if (do_param)
+    if (do_param) {
-		{
+        if (EVP_PKEY_paramgen(ctx, &pkey) <= 0) {
 		if (EVP_PKEY_paramgen(ctx, &pkey) <= 0)
 			{
            BIO_puts(bio_err, "Error generating parameters\n");
            ERR_print_errors(bio_err);
            goto end;
        }
-		}
+    } else {
-	else
+        if (EVP_PKEY_keygen(ctx, &pkey) <= 0) {
 		{
 		if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
 			{
            BIO_puts(bio_err, "Error generating key\n");
            ERR_print_errors(bio_err);
            goto end;
@@ -265,32 +204,29 @@ int MAIN(int argc, char **argv)
    if (do_param)
        rv = PEM_write_bio_Parameters(out, pkey);
-	else if (outformat == FORMAT_PEM) 
+    else if (outformat == FORMAT_PEM) {
-		rv = PEM_write_bio_PrivateKey(out, pkey, cipher, NULL, 0,
+        assert(private);
-								NULL, pass);
+        rv = PEM_write_bio_PrivateKey(out, pkey, cipher, NULL, 0, NULL, pass);
-	else if (outformat == FORMAT_ASN1)
+    } else if (outformat == FORMAT_ASN1) {
        assert(private);
        rv = i2d_PrivateKey_bio(out, pkey);
-	else
+    } else {
 		{
        BIO_printf(bio_err, "Bad format specified for key\n");
        goto end;
    }
-	if (rv <= 0)
+    if (rv <= 0) {
 		{
        BIO_puts(bio_err, "Error writing key\n");
        ERR_print_errors(bio_err);
    }
-	if (text)
+    if (text) {
 		{
        if (do_param)
            rv = EVP_PKEY_print_params(out, pkey, 0, NULL);
        else
            rv = EVP_PKEY_print_private(out, pkey, 0, NULL);
-		if (rv <= 0)
+        if (rv <= 0) {
 			{
            BIO_puts(bio_err, "Error printing key\n");
            ERR_print_errors(bio_err);
        }
@@ -299,49 +235,41 @@ int MAIN(int argc, char **argv)
    ret = 0;
 end:
 	if (pkey)
    EVP_PKEY_free(pkey);
 	if (ctx)
    EVP_PKEY_CTX_free(ctx);
 	if (out)
    BIO_free_all(out);
    BIO_free(in);
 	if (pass)
    OPENSSL_free(pass);
    return ret;
 }
-static int init_keygen_file(BIO *err, EVP_PKEY_CTX **pctx,
+static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e)
 				const char *file, ENGINE *e)
 {
    BIO *pbio;
    EVP_PKEY *pkey = NULL;
    EVP_PKEY_CTX *ctx = NULL;
-	if (*pctx)
+    if (*pctx) {
-		{
+        BIO_puts(bio_err, "Parameters already set!\n");
 		BIO_puts(err, "Parameters already set!\n");
        return 0;
    }
    pbio = BIO_new_file(file, "r");
-	if (!pbio)
+    if (!pbio) {
-		{
+        BIO_printf(bio_err, "Can't open parameter file %s\n", file);
 		BIO_printf(err, "Can't open parameter file %s\n", file);
        return 0;
    }
    pkey = PEM_read_bio_Parameters(pbio, NULL);
    BIO_free(pbio);
-	if (!pkey)
+    if (!pkey) {
 		{
        BIO_printf(bio_err, "Error reading parameter file %s\n", file);
        return 0;
    }
    ctx = EVP_PKEY_CTX_new(pkey, e);
-	if (!ctx)
+    if (ctx == NULL)
        goto err;
    if (EVP_PKEY_keygen_init(ctx) <= 0)
        goto err;
@@ -350,17 +278,15 @@ static int init_keygen_file(BIO *err, EVP_PKEY_CTX **pctx,
    return 1;
 err:
-	BIO_puts(err, "Error initializing context\n");
+    BIO_puts(bio_err, "Error initializing context\n");
-	ERR_print_errors(err);
+    ERR_print_errors(bio_err);
 	if (ctx)
    EVP_PKEY_CTX_free(ctx);
 	if (pkey)
    EVP_PKEY_free(pkey);
    return 0;
 }
-int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx,
+int init_gen_str(EVP_PKEY_CTX **pctx,
                 const char *algname, ENGINE *e, int do_param)
 {
    EVP_PKEY_CTX *ctx = NULL;
@@ -368,9 +294,8 @@ int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx,
    ENGINE *tmpeng = NULL;
    int pkey_id;
-	if (*pctx)
+    if (*pctx) {
-		{
+        BIO_puts(bio_err, "Algorithm already set!\n");
 		BIO_puts(err, "Algorithm already set!\n");
        return 0;
    }
@@ -381,8 +306,7 @@ int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx,
        ameth = ENGINE_get_pkey_asn1_meth_str(e, algname, -1);
 #endif
-	if (!ameth)
+    if (!ameth) {
 		{
        BIO_printf(bio_err, "Algorithm %s not found\n", algname);
        return 0;
    }
@@ -398,13 +322,10 @@ int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx,
    if (!ctx)
        goto err;
-	if (do_param)
+    if (do_param) {
 		{
        if (EVP_PKEY_paramgen_init(ctx) <= 0)
            goto err;
-		}
+    } else {
 	else
 		{
        if (EVP_PKEY_keygen_init(ctx) <= 0)
            goto err;
    }
@@ -413,9 +334,8 @@ int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx,
    return 1;
 err:
-	BIO_printf(err, "Error initializing %s context\n", algname);
+    BIO_printf(bio_err, "Error initializing %s context\n", algname);
-	ERR_print_errors(err);
+    ERR_print_errors(bio_err);
 	if (ctx)
    EVP_PKEY_CTX_free(ctx);
    return 0;
@@ -427,14 +347,15 @@ static int genpkey_cb(EVP_PKEY_CTX *ctx)
    BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
    int p;
    p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
-	if (p == 0) c='.';
+    if (p == 0)
-	if (p == 1) c='+';
+        c = '.';
-	if (p == 2) c='*';
+    if (p == 1)
-	if (p == 3) c='\n';
+        c = '+';
    if (p == 2)
        c = '*';
    if (p == 3)
        c = '\n';
    BIO_write(b, &c, 1);
    (void)BIO_flush(b);
 #ifdef LINT
 	p=n;
 #endif
    return 1;
 }
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -1,4 +1,3 @@
 /* apps/genrsa.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -57,11 +56,6 @@
 */
 #include <openssl/opensslconf.h>
 /* Until the key-gen callbacks are modified to use newer prototypes, we allow
 * deprecated functions for openssl-internal code */
 #ifdef OPENSSL_NO_DEPRECATED
 #undef OPENSSL_NO_DEPRECATED
 #endif
 #ifndef OPENSSL_NO_RSA
 # include <stdio.h>
@@ -78,189 +72,111 @@
 # include <openssl/pem.h>
 # include <openssl/rand.h>
-#define DEFBITS	512
+# define DEFBITS 2048
 #undef PROG
 #define PROG genrsa_main
-static int MS_CALLBACK genrsa_cb(int p, int n, BN_GENCB *cb);
+static int genrsa_cb(int p, int n, BN_GENCB *cb);
-int MAIN(int, char **);
+typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_3, OPT_F4, OPT_NON_FIPS_ALLOW, OPT_ENGINE,
    OPT_OUT, OPT_RAND, OPT_PASSOUT, OPT_CIPHER
 } OPTION_CHOICE;
-int MAIN(int argc, char **argv)
+OPTIONS genrsa_options[] = {
-	{
+    {"help", OPT_HELP, '-', "Display this summary"},
-	BN_GENCB cb;
+    {"3", OPT_3, '-', "Use 3 for the E value"},
    {"F4", OPT_F4, '-', "Use F4 (0x10001) for the E value"},
    {"f4", OPT_F4, '-', "Use F4 (0x10001) for the E value"},
    {"non-fips-allow", OPT_NON_FIPS_ALLOW, '-'},
    {"out", OPT_OUT, 's', "Output the key to specified file"},
    {"rand", OPT_RAND, 's',
     "Load the file(s) into the random number generator"},
    {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
    {"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
 # ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 # endif
    {NULL}
 };
 int genrsa_main(int argc, char **argv)
 {
    BN_GENCB *cb = BN_GENCB_new();
    PW_CB_DATA cb_data;
    ENGINE *e = NULL;
 #endif
 	int ret=1;
 	int non_fips_allow = 0;
 	int i,num=DEFBITS;
 	long l;
 	const EVP_CIPHER *enc=NULL;
 	unsigned long f4=RSA_F4;
 	char *outfile=NULL;
 	char *passargout = NULL, *passout = NULL;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
 	char *inrand=NULL;
 	BIO *out=NULL;
    BIGNUM *bn = BN_new();
    BIO *out = NULL;
    RSA *rsa = NULL;
    const EVP_CIPHER *enc = NULL;
    int ret = 1, non_fips_allow = 0, num = DEFBITS, private = 0;
    unsigned long f4 = RSA_F4;
    char *outfile = NULL, *passoutarg = NULL, *passout = NULL;
    char *inrand = NULL, *prog, *hexe, *dece;
    OPTION_CHOICE o;
-	if(!bn) goto err;
+    if (bn == NULL || cb == NULL)
        goto end;
-	apps_startup();
+    BN_GENCB_set(cb, genrsa_cb, bio_err);
 	BN_GENCB_set(&cb, genrsa_cb, bio_err);
-	if (bio_err == NULL)
+    prog = opt_init(argc, argv, genrsa_options);
-		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+    while ((o = opt_next()) != OPT_EOF) {
-			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+        switch (o) {
-
+        case OPT_EOF:
-	if (!load_config(bio_err, NULL))
+        case OPT_ERR:
-		goto err;
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
-	if ((out=BIO_new(BIO_s_file())) == NULL)
+            goto end;
-		{
+        case OPT_HELP:
-		BIO_printf(bio_err,"unable to create BIO for output\n");
+            ret = 0;
-		goto err;
+            opt_help(genrsa_options);
-		}
+            goto end;
-
+        case OPT_3:
 	argv++;
 	argc--;
 	for (;;)
 		{
 		if (argc <= 0) break;
 		if (strcmp(*argv,"-out") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 		else if (strcmp(*argv,"-3") == 0)
            f4 = 3;
 		else if (strcmp(*argv,"-F4") == 0 || strcmp(*argv,"-f4") == 0)
 			f4=RSA_F4;
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 #endif
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) goto bad;
 			inrand= *(++argv);
 			}
 #ifndef OPENSSL_NO_DES
 		else if (strcmp(*argv,"-des") == 0)
 			enc=EVP_des_cbc();
 		else if (strcmp(*argv,"-des3") == 0)
 			enc=EVP_des_ede3_cbc();
 #endif
 #ifndef OPENSSL_NO_IDEA
 		else if (strcmp(*argv,"-idea") == 0)
 			enc=EVP_idea_cbc();
 #endif
 #ifndef OPENSSL_NO_SEED
 		else if (strcmp(*argv,"-seed") == 0)
 			enc=EVP_seed_cbc();
 #endif
 #ifndef OPENSSL_NO_AES
 		else if (strcmp(*argv,"-aes128") == 0)
 			enc=EVP_aes_128_cbc();
 		else if (strcmp(*argv,"-aes192") == 0)
 			enc=EVP_aes_192_cbc();
 		else if (strcmp(*argv,"-aes256") == 0)
 			enc=EVP_aes_256_cbc();
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
 		else if (strcmp(*argv,"-camellia128") == 0)
 			enc=EVP_camellia_128_cbc();
 		else if (strcmp(*argv,"-camellia192") == 0)
 			enc=EVP_camellia_192_cbc();
 		else if (strcmp(*argv,"-camellia256") == 0)
 			enc=EVP_camellia_256_cbc();
 #endif
 		else if (strcmp(*argv,"-passout") == 0)
 			{
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 			}
 		else if (strcmp(*argv,"-non-fips-allow") == 0)
 			non_fips_allow = 1;
 		else
            break;
-		argv++;
+        case OPT_F4:
-		argc--;
+            f4 = RSA_F4;
            break;
        case OPT_NON_FIPS_ALLOW:
            non_fips_allow = 1;
            break;
        case OPT_OUT:
            outfile = opt_arg();
            break;
        case OPT_ENGINE:
            e = setup_engine(opt_arg(), 0);
            break;
        case OPT_RAND:
            inrand = opt_arg();
            break;
        case OPT_PASSOUT:
            passoutarg = opt_arg();
            break;
        case OPT_CIPHER:
            if (!opt_cipher(opt_unknown(), &enc))
                goto end;
            break;
        }
 	if ((argc >= 1) && ((sscanf(*argv,"%d",&num) == 0) || (num < 0)))
 		{
 bad:
 		BIO_printf(bio_err,"usage: genrsa [args] [numbits]\n");
 		BIO_printf(bio_err," -des            encrypt the generated key with DES in cbc mode\n");
 		BIO_printf(bio_err," -des3           encrypt the generated key with DES in ede cbc mode (168 bit key)\n");
 #ifndef OPENSSL_NO_IDEA
 		BIO_printf(bio_err," -idea           encrypt the generated key with IDEA in cbc mode\n");
 #endif
 #ifndef OPENSSL_NO_SEED
 		BIO_printf(bio_err," -seed\n");
 		BIO_printf(bio_err,"                 encrypt PEM output with cbc seed\n");
 #endif
 #ifndef OPENSSL_NO_AES
 		BIO_printf(bio_err," -aes128, -aes192, -aes256\n");
 		BIO_printf(bio_err,"                 encrypt PEM output with cbc aes\n");
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
 		BIO_printf(bio_err," -camellia128, -camellia192, -camellia256\n");
 		BIO_printf(bio_err,"                 encrypt PEM output with cbc camellia\n");
 #endif
 		BIO_printf(bio_err," -out file       output the key to 'file\n");
 		BIO_printf(bio_err," -passout arg    output file pass phrase source\n");
 		BIO_printf(bio_err," -f4             use F4 (0x10001) for the E value\n");
 		BIO_printf(bio_err," -3              use 3 for the E value\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
 #endif
 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,"                 load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,"                 the random number generator\n");
 		goto err;
    }
    argc = opt_num_rest();
    argv = opt_rest();
    private = 1;
-	ERR_load_crypto_strings();
+    if (argv[0] && (!opt_int(argv[0], &num) || num <= 0))
        goto end;
-	if(!app_passwd(bio_err, NULL, passargout, NULL, &passout)) {
+    if (!app_passwd(NULL, passoutarg, NULL, &passout)) {
        BIO_printf(bio_err, "Error getting password\n");
-		goto err;
+        goto end;
    }
-#ifndef OPENSSL_NO_ENGINE
+    out = bio_open_owner(outfile, FORMAT_PEM, private);
-        e = setup_engine(bio_err, engine, 0);
+    if (out == NULL)
-#endif
+        goto end;
-	if (outfile == NULL)
+    if (!app_RAND_load_file(NULL, 1) && inrand == NULL
-		{
+        && !RAND_status()) {
-		BIO_set_fp(out,stdout,BIO_NOCLOSE);
+        BIO_printf(bio_err,
-#ifdef OPENSSL_SYS_VMS
+                   "warning, not much extra random data, consider using the -rand option\n");
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
 			{
 			perror(outfile);
 			goto err;
 			}
 		}
 	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
 		&& !RAND_status())
 		{
 		BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
    }
    if (inrand != NULL)
        BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
@@ -268,68 +184,59 @@ bad:
    BIO_printf(bio_err, "Generating RSA private key, %d bit long modulus\n",
               num);
-#ifdef OPENSSL_NO_ENGINE
+    rsa = e ? RSA_new_method(e) : RSA_new();
-	rsa = RSA_new();
+    if (rsa == NULL)
-#else
+        goto end;
 	rsa = RSA_new_method(e);
 #endif
 	if (!rsa)
 		goto err;
    if (non_fips_allow)
        rsa->flags |= RSA_FLAG_NON_FIPS_ALLOW;
-	if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
+    if (!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, cb))
-		goto err;
+        goto end;
-	app_RAND_write_file(NULL, bio_err);
+    app_RAND_write_file(NULL);
-	/* We need to do the following for when the base number size is <
+    hexe = BN_bn2hex(rsa->e);
-	 * long, esp windows 3.1 :-(. */
+    dece = BN_bn2dec(rsa->e);
-	l=0L;
+    if (hexe && dece) {
-	for (i=0; i<rsa->e->top; i++)
+        BIO_printf(bio_err, "e is %s (0x%s)\n", dece, hexe);
 		{
 #ifndef SIXTY_FOUR_BIT
 		l<<=BN_BITS4;
 		l<<=BN_BITS4;
 #endif
 		l+=rsa->e->d[i];
    }
-	BIO_printf(bio_err,"e is %ld (0x%lX)\n",l,l);
+    OPENSSL_free(hexe);
-	{
+    OPENSSL_free(dece);
 	PW_CB_DATA cb_data;
    cb_data.password = passout;
    cb_data.prompt_info = outfile;
    assert(private);
    if (!PEM_write_bio_RSAPrivateKey(out, rsa, enc, NULL, 0,
-		(pem_password_cb *)password_callback,&cb_data))
+                                     (pem_password_cb *)password_callback,
-		goto err;
+                                     &cb_data))
-	}
+        goto end;
    ret = 0;
-err:
+ end:
-	if (bn) BN_free(bn);
+    BN_free(bn);
-	if (rsa) RSA_free(rsa);
+    BN_GENCB_free(cb);
-	if (out) BIO_free_all(out);
+    RSA_free(rsa);
-	if(passout) OPENSSL_free(passout);
+    BIO_free_all(out);
    OPENSSL_free(passout);
    if (ret != 0)
        ERR_print_errors(bio_err);
-	apps_shutdown();
+    return (ret);
 	OPENSSL_EXIT(ret);
 }
-static int MS_CALLBACK genrsa_cb(int p, int n, BN_GENCB *cb)
+static int genrsa_cb(int p, int n, BN_GENCB *cb)
 {
    char c = '*';
-	if (p == 0) c='.';
+    if (p == 0)
-	if (p == 1) c='+';
+        c = '.';
-	if (p == 2) c='*';
+    if (p == 1)
-	if (p == 3) c='\n';
+        c = '+';
-	BIO_write(cb->arg,&c,1);
+    if (p == 2)
-	(void)BIO_flush(cb->arg);
+        c = '*';
-#ifdef LINT
+    if (p == 3)
-	p=n;
+        c = '\n';
-#endif
+    BIO_write(BN_GENCB_get_arg(cb), &c, 1);
    (void)BIO_flush(BN_GENCB_get_arg(cb));
    return 1;
 }
 #else                           /* !OPENSSL_NO_RSA */
--- a/apps/makeapps.com
+++ b/apps/makeapps.com
@@ -178,7 +178,7 @@ $! NOTE: Some might think this list ugly.  However, it's made this way to
 $! reflect the E_OBJ variable in Makefile as closely as possible, thereby
 $! making it fairly easy to verify that the lists are the same.
 $!
-$ LIB_OPENSSL = "VERIFY,ASN1PARS,REQ,DGST,DH,DHPARAM,ENC,PASSWD,GENDH,ERRSTR,"+-
+$ LIB_OPENSSL = "VERIFY,ASN1PARS,REQ,DGST,DHPARAM,ENC,PASSWD,ERRSTR,"+-
 	     	"CA,PKCS7,CRL2P7,CRL,"+-
 	      	"RSA,RSAUTL,DSA,DSAPARAM,EC,ECPARAM,"+-
 	      	"X509,GENRSA,GENDSA,GENPKEY,S_SERVER,S_CLIENT,SPEED,"+-
--- a/apps/nseq.c
+++ b/apps/nseq.c
@@ -1,6 +1,6 @@
-/* nseq.c */
+/*
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * project 1999.
+ * 1999.
 */
 /* ====================================================================
 * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
@@ -62,81 +62,73 @@
 #include <openssl/pem.h>
 #include <openssl/err.h>
-#undef PROG
+typedef enum OPTION_choice {
-#define PROG nseq_main
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_TOSEQ, OPT_IN, OPT_OUT
 } OPTION_CHOICE;
-int MAIN(int, char **);
+OPTIONS nseq_options[] = {
    {"help", OPT_HELP, '-', "Display this summary"},
    {"toseq", OPT_TOSEQ, '-', "Output NS Sequence file"},
    {"in", OPT_IN, '<', "Input file"},
    {"out", OPT_OUT, '>', "Output file"},
    {NULL}
 };
-int MAIN(int argc, char **argv)
+int nseq_main(int argc, char **argv)
 {
 	char **args, *infile = NULL, *outfile = NULL;
    BIO *in = NULL, *out = NULL;
 	int toseq = 0;
    X509 *x509 = NULL;
    NETSCAPE_CERT_SEQUENCE *seq = NULL;
-	int i, ret = 1;
+    OPTION_CHOICE o;
-	int badarg = 0;
+    int toseq = 0, ret = 1, i;
-	if (bio_err == NULL) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
+    char *infile = NULL, *outfile = NULL, *prog;
 	ERR_load_crypto_strings();
 	args = argv + 1;
 	while (!badarg && *args && *args[0] == '-') {
 		if (!strcmp (*args, "-toseq")) toseq = 1;
 		else if (!strcmp (*args, "-in")) {
 			if (args[1]) {
 				args++;
 				infile = *args;
 			} else badarg = 1;
 		} else if (!strcmp (*args, "-out")) {
 			if (args[1]) {
 				args++;
 				outfile = *args;
 			} else badarg = 1;
 		} else badarg = 1;
 		args++;
 	}
-	if (badarg) {
+    prog = opt_init(argc, argv, nseq_options);
-		BIO_printf (bio_err, "Netscape certificate sequence utility\n");
+    while ((o = opt_next()) != OPT_EOF) {
-		BIO_printf (bio_err, "Usage nseq [options]\n");
+        switch (o) {
-		BIO_printf (bio_err, "where options are\n");
+        case OPT_EOF:
-		BIO_printf (bio_err, "-in file  input file\n");
+        case OPT_ERR:
-		BIO_printf (bio_err, "-out file output file\n");
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
 		BIO_printf (bio_err, "-toseq    output NS Sequence file\n");
 		OPENSSL_EXIT(1);
 	}
 	if (infile) {
 		if (!(in = BIO_new_file (infile, "r"))) {
 			BIO_printf (bio_err,
 				 "Can't open input file %s\n", infile);
            goto end;
-		}
+        case OPT_HELP:
-	} else in = BIO_new_fp(stdin, BIO_NOCLOSE);
+            ret = 0;
-
+            opt_help(nseq_options);
 	if (outfile) {
 		if (!(out = BIO_new_file (outfile, "w"))) {
 			BIO_printf (bio_err,
 				 "Can't open output file %s\n", outfile);
            goto end;
        case OPT_TOSEQ:
            toseq = 1;
            break;
        case OPT_IN:
            infile = opt_arg();
            break;
        case OPT_OUT:
            outfile = opt_arg();
            break;
        }
 	} else {
 		out = BIO_new_fp(stdout, BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
    }
    argc = opt_num_rest();
    argv = opt_rest();
    in = bio_open_default(infile, 'r', FORMAT_PEM);
    if (in == NULL)
        goto end;
    out = bio_open_default(outfile, 'w', FORMAT_PEM);
    if (out == NULL)
        goto end;
    if (toseq) {
        seq = NETSCAPE_CERT_SEQUENCE_new();
        if (seq == NULL)
            goto end;
        seq->certs = sk_X509_new_null();
        if (seq->certs == NULL)
            goto end;
        while ((x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
            sk_X509_push(seq->certs, x509);
-		if(!sk_X509_num(seq->certs))
+        if (!sk_X509_num(seq->certs)) {
-		{
+            BIO_printf(bio_err, "%s: Error reading certs file %s\n",
-			BIO_printf (bio_err, "Error reading certs file %s\n", infile);
+                       prog, infile);
            ERR_print_errors(bio_err);
            goto end;
        }
@@ -145,8 +137,10 @@ int MAIN(int argc, char **argv)
        goto end;
    }
-	if (!(seq = PEM_read_bio_NETSCAPE_CERT_SEQUENCE(in, NULL, NULL, NULL))) {
+    seq = PEM_read_bio_NETSCAPE_CERT_SEQUENCE(in, NULL, NULL, NULL);
-		BIO_printf (bio_err, "Error reading sequence file %s\n", infile);
+    if (seq == NULL) {
        BIO_printf(bio_err, "%s: Error reading sequence file %s\n",
                   prog, infile);
        ERR_print_errors(bio_err);
        goto end;
    }
@@ -162,6 +156,5 @@ end:
    BIO_free_all(out);
    NETSCAPE_CERT_SEQUENCE_free(seq);
-	OPENSSL_EXIT(ret);
+    return (ret);
 }
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
--- a/apps/oid.cnf
+++ b/apps/oid.cnf
@@ -1,6 +0,0 @@
 2.99999.1       SET.ex1         SET x509v3 extension 1
 2.99999.2       SET.ex2         SET x509v3 extension 2
 2.99999.3       SET.ex3         SET x509v3 extension 3
 2.99999.4       SET.ex4         SET x509v3 extension 4
 2.99999.5       SET.ex5         SET x509v3 extension 5
 2.99999.6       SET.ex6         SET x509v3 extension 6
--- a/apps/openssl-vms.cnf
+++ b/apps/openssl-vms.cnf
@@ -44,7 +44,7 @@ certs		= $dir.certs]		# Where the issued certs are kept
 crl_dir		= $dir.crl]		# Where the issued crl are kept
 database	= $dir]index.txt	# database index file.
 #unique_subject	= no			# Set to 'no' to allow creation of
-					# several ctificates with same subject.
+					# several certs with same subject.
 new_certs_dir	= $dir.newcerts]		# default place for new certs.
 certificate	= $dir]cacert.pem 	# The CA certificate
@@ -55,7 +55,7 @@ crl		= $dir]crl.pem 		# The current CRL
 private_key	= $dir.private]cakey.pem# The private key
 RANDFILE	= $dir.private].rand	# private random number file
-x509_extensions	= usr_cert		# The extentions to add to the cert
+x509_extensions	= usr_cert		# The extensions to add to the cert
 # Comment out the following two lines for the "traditional"
 # (and highly broken) format.
@@ -103,11 +103,11 @@ emailAddress		= optional
 ####################################################################
 [ req ]
-default_bits		= 1024
+default_bits		= 2048
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
-x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
 # Passwords for private keys if not present they will be prompted for
 # input_password = secret
@@ -145,7 +145,7 @@ localityName			= Locality Name (eg, city)
 organizationalUnitName		= Organizational Unit Name (eg, section)
 #organizationalUnitName_default	=
-commonName			= Common Name (eg, YOUR name)
+commonName			= Common Name (e.g. server FQDN or YOUR name)
 commonName_max			= 64
 emailAddress			= Email Address
@@ -335,11 +335,12 @@ signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
 certs		= $dir.cacert.pem]	# Certificate chain to include in reply
 					# (optional)
 signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
 signer_digest  = sha1			# Signing digest to use. (Optional)
 default_policy	= tsa_policy1		# Policy if request did not specify it
 					# (optional)
 other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
-digests		= md5, sha1		# Acceptable message digests (mandatory)
+digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
 accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
 clock_precision_digits  = 0	# number of digits after dot. (optional)
 ordering		= yes	# Is ordering defined for timestamps?
--- a/apps/openssl.c
+++ b/apps/openssl.c
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -44,7 +44,7 @@ certs		= $dir/certs		# Where the issued certs are kept
 crl_dir		= $dir/crl		# Where the issued crl are kept
 database	= $dir/index.txt	# database index file.
 #unique_subject	= no			# Set to 'no' to allow creation of
-					# several ctificates with same subject.
+					# several certs with same subject.
 new_certs_dir	= $dir/newcerts		# default place for new certs.
 certificate	= $dir/cacert.pem 	# The CA certificate
@@ -55,7 +55,7 @@ crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/cakey.pem# The private key
 RANDFILE	= $dir/private/.rand	# private random number file
-x509_extensions	= usr_cert		# The extentions to add to the cert
+x509_extensions	= usr_cert		# The extensions to add to the cert
 # Comment out the following two lines for the "traditional"
 # (and highly broken) format.
@@ -103,11 +103,11 @@ emailAddress		= optional
 ####################################################################
 [ req ]
-default_bits		= 1024
+default_bits		= 2048
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
-x509_extensions	= v3_ca	# The extentions to add to the self signed cert
+x509_extensions	= v3_ca	# The extensions to add to the self signed cert
 # Passwords for private keys if not present they will be prompted for
 # input_password = secret
@@ -145,7 +145,7 @@ localityName			= Locality Name (eg, city)
 organizationalUnitName		= Organizational Unit Name (eg, section)
 #organizationalUnitName_default	=
-commonName			= Common Name (eg, YOUR name)
+commonName			= Common Name (e.g. server FQDN or YOUR name)
 commonName_max			= 64
 emailAddress			= Email Address
@@ -335,11 +335,11 @@ signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
 certs		= $dir/cacert.pem	# Certificate chain to include in reply
 					# (optional)
 signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
-
+signer_digest  = sha256			# Signing digest to use. (Optional)
 default_policy	= tsa_policy1		# Policy if request did not specify it
 					# (optional)
 other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
-digests		= md5, sha1		# Acceptable message digests (mandatory)
+digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
 accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
 clock_precision_digits  = 0	# number of digits after dot. (optional)
 ordering		= yes	# Is ordering defined for timestamps?
--- a/apps/opt.c
+++ b/apps/opt.c
@@ -0,0 +1,914 @@
 /* ====================================================================
 * Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 */
 /* #define COMPILE_STANDALONE_TEST_DRIVER  */
 #include "apps.h"
 #include <string.h>
 #if !defined(OPENSSL_SYS_MSDOS)
 # include OPENSSL_UNISTD
 #endif
 #include <stdlib.h>
 #include <errno.h>
 #include <ctype.h>
 #include <openssl/bio.h>
 #define MAX_OPT_HELP_WIDTH 30
 const char OPT_HELP_STR[] = "--";
 const char OPT_MORE_STR[] = "---";
 /* Our state */
 static char **argv;
 static int argc;
 static int opt_index;
 static char *arg;
 static char *flag;
 static char *dunno;
 static const OPTIONS *unknown;
 static const OPTIONS *opts;
 static char prog[40];
 /*
 * Return the simple name of the program; removing various platform gunk.
 */
 #if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_NETWARE)
 char *opt_progname(const char *argv0)
 {
    size_t i, n;
    const char *p;
    char *q;
    /* find the last '/', '\' or ':' */
    for (p = argv0 + strlen(argv0); --p > argv0;)
        if (*p == '/' || *p == '\\' || *p == ':') {
            p++;
            break;
        }
    /* Strip off trailing nonsense. */
    n = strlen(p);
    if (n > 4 &&
        (strcmp(&p[n - 4], ".exe") == 0 || strcmp(&p[n - 4], ".EXE") == 0))
        n -= 4;
 #if defined(OPENSSL_SYS_NETWARE)
    if (n > 4 &&
        (strcmp(&p[n - 4], ".nlm") == 0 || strcmp(&p[n - 4], ".NLM") == 0))
        n -= 4;
 #endif
    /* Copy over the name, in lowercase. */
    if (n > sizeof prog - 1)
        n = sizeof prog - 1;
    for (q = prog, i = 0; i < n; i++, p++)
        *q++ = isupper(*p) ? tolower(*p) : *p;
    *q = '\0';
    return prog;
 }
 #elif defined(OPENSSL_SYS_VMS)
 char *opt_progname(const char *argv0)
 {
    const char *p, *q;
    /* Find last special charcter sys:[foo.bar]openssl */
    for (p = argv0 + strlen(argv0); --p > argv0;)
        if (*p == ':' || *p == ']' || *p == '>') {
            p++;
            break;
        }
    q = strrchr(p, '.');
    strncpy(prog, p, sizeof prog - 1);
    prog[sizeof prog - 1] = '\0';
    if (q == NULL || q - p >= sizeof prog)
        prog[q - p] = '\0';
    return prog;
 }
 #else
 char *opt_progname(const char *argv0)
 {
    const char *p;
    /* Could use strchr, but this is like the ones above. */
    for (p = argv0 + strlen(argv0); --p > argv0;)
        if (*p == '/') {
            p++;
            break;
        }
    strncpy(prog, p, sizeof prog - 1);
    prog[sizeof prog - 1] = '\0';
    return prog;
 }
 #endif
 char *opt_getprog(void)
 {
    return prog;
 }
 /* Set up the arg parsing. */
 char *opt_init(int ac, char **av, const OPTIONS *o)
 {
    /* Store state. */
    argc = ac;
    argv = av;
    opt_index = 1;
    opts = o;
    opt_progname(av[0]);
    unknown = NULL;
    for (; o->name; ++o) {
        const OPTIONS *next;
 #ifndef NDEBUG
        int duplicated, i;
 #endif
        if (o->name == OPT_HELP_STR || o->name == OPT_MORE_STR)
            continue;
 #ifndef NDEBUG
        i = o->valtype;
        /* Make sure options are legit. */
        assert(o->name[0] != '-');
        assert(o->retval > 0);
        assert(i == 0 || i == '-'
               || i == 'n' || i == 'p' || i == 'u'
               || i == 's' || i == '<' || i == '>' || i == '/'
               || i == 'f' || i == 'F');
        /* Make sure there are no duplicates. */
        for (next = o + 1; next->name; ++next) {
            /*
             * Some compilers inline strcmp and the assert string is too long.
             */
            duplicated = strcmp(o->name, next->name) == 0;
            assert(!duplicated);
        }
 #endif
        if (o->name[0] == '\0') {
            assert(unknown == NULL);
            unknown = o;
            assert(unknown->valtype == 0 || unknown->valtype == '-');
        }
    }
    return prog;
 }
 static OPT_PAIR formats[] = {
    {"PEM/DER", OPT_FMT_PEMDER},
    {"pkcs12", OPT_FMT_PKCS12},
    {"smime", OPT_FMT_SMIME},
    {"engine", OPT_FMT_ENGINE},
    {"msblob", OPT_FMT_MSBLOB},
    {"netscape", OPT_FMT_NETSCAPE},
    {"nss", OPT_FMT_NSS},
    {"text", OPT_FMT_TEXT},
    {"http", OPT_FMT_HTTP},
    {"pvk", OPT_FMT_PVK},
    {NULL}
 };
 /* Print an error message about a failed format parse. */
 int opt_format_error(const char *s, unsigned long flags)
 {
    OPT_PAIR *ap;
    if (flags == OPT_FMT_PEMDER)
        BIO_printf(bio_err, "%s: Bad format \"%s\"; must be pem or der\n",
                   prog, s);
    else {
        BIO_printf(bio_err, "%s: Bad format \"%s\"; must be one of:\n",
                   prog, s);
        for (ap = formats; ap->name; ap++)
            if (flags & ap->retval)
                BIO_printf(bio_err, "   %s\n", ap->name);
    }
    return 0;
 }
 /* Parse a format string, put it into *result; return 0 on failure, else 1. */
 int opt_format(const char *s, unsigned long flags, int *result)
 {
    switch (*s) {
    default:
        return 0;
    case 'D':
    case 'd':
        if ((flags & OPT_FMT_PEMDER) == 0)
            return opt_format_error(s, flags);
        *result = FORMAT_ASN1;
        break;
    case 'T':
    case 't':
        if ((flags & OPT_FMT_TEXT) == 0)
            return opt_format_error(s, flags);
        *result = FORMAT_TEXT;
        break;
    case 'N':
    case 'n':
        if ((flags & OPT_FMT_NSS) == 0)
            return opt_format_error(s, flags);
        if (strcmp(s, "NSS") != 0 && strcmp(s, "nss") != 0)
            return opt_format_error(s, flags);
        *result = FORMAT_NSS;
        break;
    case 'S':
    case 's':
        if ((flags & OPT_FMT_SMIME) == 0)
            return opt_format_error(s, flags);
        *result = FORMAT_SMIME;
        break;
    case 'M':
    case 'm':
        if ((flags & OPT_FMT_MSBLOB) == 0)
            return opt_format_error(s, flags);
        *result = FORMAT_MSBLOB;
        break;
    case 'E':
    case 'e':
        if ((flags & OPT_FMT_ENGINE) == 0)
            return opt_format_error(s, flags);
        *result = FORMAT_ENGINE;
        break;
    case 'H':
    case 'h':
        if ((flags & OPT_FMT_HTTP) == 0)
            return opt_format_error(s, flags);
        *result = FORMAT_HTTP;
        break;
    case '1':
        if ((flags & OPT_FMT_PKCS12) == 0)
            return opt_format_error(s, flags);
        *result = FORMAT_PKCS12;
        break;
    case 'P':
    case 'p':
        if (s[1] == '\0' || strcmp(s, "PEM") == 0 || strcmp(s, "pem") == 0) {
            if ((flags & OPT_FMT_PEMDER) == 0)
                return opt_format_error(s, flags);
            *result = FORMAT_PEM;
        } else if (strcmp(s, "PVK") == 0 || strcmp(s, "pvk") == 0) {
            if ((flags & OPT_FMT_PVK) == 0)
                return opt_format_error(s, flags);
            *result = FORMAT_PVK;
        } else if (strcmp(s, "P12") == 0 || strcmp(s, "p12") == 0
                   || strcmp(s, "PKCS12") == 0 || strcmp(s, "pkcs12") == 0) {
            if ((flags & OPT_FMT_PKCS12) == 0)
                return opt_format_error(s, flags);
            *result = FORMAT_PKCS12;
        } else
            return 0;
        break;
    }
    return 1;
 }
 /* Parse a cipher name, put it in *EVP_CIPHER; return 0 on failure, else 1. */
 int opt_cipher(const char *name, const EVP_CIPHER **cipherp)
 {
    *cipherp = EVP_get_cipherbyname(name);
    if (*cipherp)
        return 1;
    BIO_printf(bio_err, "%s: Unknown cipher %s\n", prog, name);
    return 0;
 }
 /*
 * Parse message digest name, put it in *EVP_MD; return 0 on failure, else 1.
 */
 int opt_md(const char *name, const EVP_MD **mdp)
 {
    *mdp = EVP_get_digestbyname(name);
    if (*mdp)
        return 1;
    BIO_printf(bio_err, "%s: Unknown digest %s\n", prog, name);
    return 0;
 }
 /* Look through a list of name/value pairs. */
 int opt_pair(const char *name, const OPT_PAIR* pairs, int *result)
 {
    const OPT_PAIR *pp;
    for (pp = pairs; pp->name; pp++)
        if (strcmp(pp->name, name) == 0) {
            *result = pp->retval;
            return 1;
        }
    BIO_printf(bio_err, "%s: Value must be one of:\n", prog);
    for (pp = pairs; pp->name; pp++)
        BIO_printf(bio_err, "\t%s\n", pp->name);
    return 0;
 }
 /* See if cp looks like a hex number, in case user left off the 0x */
 static int scanforhex(const char *cp)
 {
    if (*cp == '0' && (cp[1] == 'x' || cp[1] == 'X'))
        return 16;
    for (; *cp; cp++)
        /* Look for a hex digit that isn't a regular digit. */
        if (isxdigit(*cp) && !isdigit(*cp))
            return 16;
    return 0;
 }
 /* Parse an int, put it into *result; return 0 on failure, else 1. */
 int opt_int(const char *value, int *result)
 {
    const char *fmt = "%d";
    int base = scanforhex(value);
    if (base == 16)
        fmt = "%x";
    else if (*value == '0')
        fmt = "%o";
    if (sscanf(value, fmt, result) != 1) {
        BIO_printf(bio_err, "%s: Can't parse \"%s\" as a number\n",
                   prog, value);
        return 0;
    }
    return 1;
 }
 /* Parse a long, put it into *result; return 0 on failure, else 1. */
 int opt_long(const char *value, long *result)
 {
    char *endptr;
    int base = scanforhex(value);
    *result = strtol(value, &endptr, base);
    if (*endptr) {
        BIO_printf(bio_err,
                   "%s: Bad char %c in number %s\n", prog, *endptr, value);
        return 0;
    }
    return 1;
 }
 /*
 * Parse an unsigned long, put it into *result; return 0 on failure, else 1.
 */
 int opt_ulong(const char *value, unsigned long *result)
 {
    char *endptr;
    int base = scanforhex(value);
    *result = strtoul(value, &endptr, base);
    if (*endptr) {
        BIO_printf(bio_err,
                   "%s: Bad char %c in number %s\n", prog, *endptr, value);
        return 0;
    }
    return 1;
 }
 /*
 * We pass opt as an int but cast it to "enum range" so that all the
 * items in the OPT_V_ENUM enumeration are caught; this makes -Wswitch
 * in gcc do the right thing.
 */
 enum range { OPT_V_ENUM };
 int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
 {
    unsigned long ul;
    int i;
    ASN1_OBJECT *otmp;
    X509_PURPOSE *xptmp;
    const X509_VERIFY_PARAM *vtmp;
    assert(vpm != NULL);
    assert(opt > OPT_V__FIRST);
    assert(opt < OPT_V__LAST);
    switch ((enum range)opt) {
    case OPT_V__FIRST:
    case OPT_V__LAST:
        return 0;
    case OPT_V_POLICY:
        otmp = OBJ_txt2obj(opt_arg(), 0);
        if (otmp == NULL) {
            BIO_printf(bio_err, "%s: Invalid Policy %s\n", prog, opt_arg());
            return 0;
        }
        X509_VERIFY_PARAM_add0_policy(vpm, otmp);
        break;
    case OPT_V_PURPOSE:
        i = X509_PURPOSE_get_by_sname(opt_arg());
        if (i < 0) {
            BIO_printf(bio_err, "%s: Invalid purpose %s\n", prog, opt_arg());
            return 0;
        }
        xptmp = X509_PURPOSE_get0(i);
        i = X509_PURPOSE_get_id(xptmp);
        X509_VERIFY_PARAM_set_purpose(vpm, i);
        break;
    case OPT_V_VERIFY_NAME:
        vtmp = X509_VERIFY_PARAM_lookup(opt_arg());
        if (vtmp == NULL) {
            BIO_printf(bio_err, "%s: Invalid verify name %s\n",
                       prog, opt_arg());
            return 0;
        }
        X509_VERIFY_PARAM_set1(vpm, vtmp);
        break;
    case OPT_V_VERIFY_DEPTH:
        i = atoi(opt_arg());
        if (i >= 0)
            X509_VERIFY_PARAM_set_depth(vpm, i);
        break;
    case OPT_V_ATTIME:
        opt_ulong(opt_arg(), &ul);
        if (ul)
            X509_VERIFY_PARAM_set_time(vpm, (time_t)ul);
        break;
    case OPT_V_VERIFY_HOSTNAME:
        if (!X509_VERIFY_PARAM_set1_host(vpm, opt_arg(), 0))
            return 0;
        break;
    case OPT_V_VERIFY_EMAIL:
        if (!X509_VERIFY_PARAM_set1_email(vpm, opt_arg(), 0))
            return 0;
        break;
    case OPT_V_VERIFY_IP:
        if (!X509_VERIFY_PARAM_set1_ip_asc(vpm, opt_arg()))
            return 0;
        break;
    case OPT_V_IGNORE_CRITICAL:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_IGNORE_CRITICAL);
        break;
    case OPT_V_ISSUER_CHECKS:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CB_ISSUER_CHECK);
        break;
    case OPT_V_CRL_CHECK:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CRL_CHECK);
        break;
    case OPT_V_CRL_CHECK_ALL:
        X509_VERIFY_PARAM_set_flags(vpm,
                                    X509_V_FLAG_CRL_CHECK |
                                    X509_V_FLAG_CRL_CHECK_ALL);
        break;
    case OPT_V_POLICY_CHECK:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_POLICY_CHECK);
        break;
    case OPT_V_EXPLICIT_POLICY:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_EXPLICIT_POLICY);
        break;
    case OPT_V_INHIBIT_ANY:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_INHIBIT_ANY);
        break;
    case OPT_V_INHIBIT_MAP:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_INHIBIT_MAP);
        break;
    case OPT_V_X509_STRICT:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_X509_STRICT);
        break;
    case OPT_V_EXTENDED_CRL:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_EXTENDED_CRL_SUPPORT);
        break;
    case OPT_V_USE_DELTAS:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_USE_DELTAS);
        break;
    case OPT_V_POLICY_PRINT:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NOTIFY_POLICY);
        break;
    case OPT_V_CHECK_SS_SIG:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CHECK_SS_SIGNATURE);
        break;
    case OPT_V_TRUSTED_FIRST:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_TRUSTED_FIRST);
        break;
    case OPT_V_SUITEB_128_ONLY:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_SUITEB_128_LOS_ONLY);
        break;
    case OPT_V_SUITEB_128:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_SUITEB_128_LOS);
        break;
    case OPT_V_SUITEB_192:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_SUITEB_192_LOS);
        break;
    case OPT_V_PARTIAL_CHAIN:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_PARTIAL_CHAIN);
        break;
    case OPT_V_NO_ALT_CHAINS:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_ALT_CHAINS);
 	break;
    case OPT_V_NO_CHECK_TIME:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_CHECK_TIME);
 	break;
    }
    return 1;
 }
 /*
 * Parse the next flag (and value if specified), return 0 if done, -1 on
 * error, otherwise the flag's retval.
 */
 int opt_next(void)
 {
    char *p;
    char *endptr;
    const OPTIONS *o;
    int dummy;
    int base;
    long val;
    /* Look at current arg; at end of the list? */
    arg = NULL;
    p = argv[opt_index];
    if (p == NULL)
        return 0;
    /* If word doesn't start with a -, we're done. */
    if (*p != '-')
        return 0;
    /* Hit "--" ? We're done. */
    opt_index++;
    if (strcmp(p, "--") == 0)
        return 0;
    /* Allow -nnn and --nnn */
    if (*++p == '-')
        p++;
    flag = p - 1;
    /* If we have --flag=foo, snip it off */
    if ((arg = strchr(p, '=')) != NULL)
        *arg++ = '\0';
    for (o = opts; o->name; ++o) {
        /* If not this option, move on to the next one. */
        if (strcmp(p, o->name) != 0)
            continue;
        /* If it doesn't take a value, make sure none was given. */
        if (o->valtype == 0 || o->valtype == '-') {
            if (arg) {
                BIO_printf(bio_err,
                           "%s: Option -%s does not take a value\n", prog, p);
                return -1;
            }
            return o->retval;
        }
        /* Want a value; get the next param if =foo not used. */
        if (arg == NULL) {
            if (argv[opt_index] == NULL) {
                BIO_printf(bio_err,
                           "%s: Option -%s needs a value\n", prog, o->name);
                return -1;
            }
            arg = argv[opt_index++];
        }
        /* Syntax-check value. */
        /*
         * Do some basic syntax-checking on the value.  These tests aren't
         * perfect (ignore range overflow) but they catch common failures.
         */
        switch (o->valtype) {
        default:
        case 's':
            /* Just a string. */
            break;
        case '/':
            if (app_isdir(arg) >= 0)
                break;
            BIO_printf(bio_err, "%s: Not a directory: %s\n", prog, arg);
            return -1;
        case '<':
            /* Input file. */
            if (strcmp(arg, "-") == 0 || app_access(arg, R_OK) >= 0)
                break;
            BIO_printf(bio_err,
                       "%s: Cannot open input file %s, %s\n",
                       prog, arg, strerror(errno));
            return -1;
        case '>':
            /* Output file. */
            if (strcmp(arg, "-") == 0 || app_access(arg, W_OK) >= 0 || errno == ENOENT)
                break;
            BIO_printf(bio_err,
                       "%s: Cannot open output file %s, %s\n",
                       prog, arg, strerror(errno));
            return -1;
        case 'p':
        case 'n':
            base = scanforhex(arg);
            val = strtol(arg, &endptr, base);
            if (*endptr == '\0') {
                if (o->valtype == 'p' && val <= 0) {
                    BIO_printf(bio_err,
                               "%s: Non-positive number \"%s\" for -%s\n",
                               prog, arg, o->name);
                    return -1;
                }
                break;
            }
            BIO_printf(bio_err,
                       "%s: Invalid number \"%s\" for -%s\n",
                       prog, arg, o->name);
            return -1;
        case 'u':
            base = scanforhex(arg);
            strtoul(arg, &endptr, base);
            if (*endptr == '\0')
                break;
            BIO_printf(bio_err,
                       "%s: Invalid number \"%s\" for -%s\n",
                       prog, arg, o->name);
            return -1;
        case 'f':
        case 'F':
            if (opt_format(arg,
                           o->valtype == 'F' ? OPT_FMT_PEMDER
                           : OPT_FMT_ANY, &dummy))
                break;
            BIO_printf(bio_err,
                       "%s: Invalid format \"%s\" for -%s\n",
                       prog, arg, o->name);
            return -1;
        }
        /* Return the flag value. */
        return o->retval;
    }
    if (unknown != NULL) {
        dunno = p;
        return unknown->retval;
    }
    BIO_printf(bio_err, "%s: Option unknown option -%s\n", prog, p);
    return -1;
 }
 /* Return the most recent flag parameter. */
 char *opt_arg(void)
 {
    return arg;
 }
 /* Return the most recent flag. */
 char *opt_flag(void)
 {
    return flag;
 }
 /* Return the unknown option. */
 char *opt_unknown(void)
 {
    return dunno;
 }
 /* Return the rest of the arguments after parsing flags. */
 char **opt_rest(void)
 {
    return &argv[opt_index];
 }
 /* How many items in remaining args? */
 int opt_num_rest(void)
 {
    int i = 0;
    char **pp;
    for (pp = opt_rest(); *pp; pp++, i++)
        continue;
    return i;
 }
 /* Return a string describing the parameter type. */
 static const char *valtype2param(const OPTIONS *o)
 {
    switch (o->valtype) {
    case '-':
        return "";
    case 's':
        return "val";
    case '/':
        return "dir";
    case '<':
        return "infile";
    case '>':
        return "outfile";
    case 'p':
        return "pnum";
    case 'n':
        return "num";
    case 'u':
        return "unum";
    case 'F':
        return "der/pem";
    case 'f':
        return "format";
    }
    return "parm";
 }
 void opt_help(const OPTIONS *list)
 {
    const OPTIONS *o;
    int i;
    int standard_prolog;
    int width = 5;
    char start[80 + 1];
    char *p;
    const char *help;
    /* Starts with its own help message? */
    standard_prolog = list[0].name != OPT_HELP_STR;
    /* Find the widest help. */
    for (o = list; o->name; o++) {
        if (o->name == OPT_MORE_STR)
            continue;
        i = 2 + (int)strlen(o->name);
        if (o->valtype != '-')
            i += 1 + strlen(valtype2param(o));
        if (i < MAX_OPT_HELP_WIDTH && i > width)
            width = i;
        assert(i < (int)sizeof start);
    }
    if (standard_prolog)
        BIO_printf(bio_err, "Usage: %s [options]\nValid options are:\n",
                   prog);
    /* Now let's print. */
    for (o = list; o->name; o++) {
        help = o->helpstr ? o->helpstr : "(No additional info)";
        if (o->name == OPT_HELP_STR) {
            BIO_printf(bio_err, help, prog);
            continue;
        }
        /* Pad out prefix */
        memset(start, ' ', sizeof(start) - 1);
        start[sizeof start - 1] = '\0';
        if (o->name == OPT_MORE_STR) {
            /* Continuation of previous line; padd and print. */
            start[width] = '\0';
            BIO_printf(bio_err, "%s  %s\n", start, help);
            continue;
        }
        /* Build up the "-flag [param]" part. */
        p = start;
        *p++ = ' ';
        *p++ = '-';
        if (o->name[0])
            p += strlen(strcpy(p, o->name));
        else
            *p++ = '*';
        if (o->valtype != '-') {
            *p++ = ' ';
            p += strlen(strcpy(p, valtype2param(o)));
        }
        *p = ' ';
        if ((int)(p - start) >= MAX_OPT_HELP_WIDTH) {
            *p = '\0';
            BIO_printf(bio_err, "%s\n", start);
            memset(start, ' ', sizeof(start));
        }
        start[width] = '\0';
        BIO_printf(bio_err, "%s  %s\n", start, help);
    }
 }
 #ifdef COMPILE_STANDALONE_TEST_DRIVER
 # include <sys/stat.h>
 typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_IN, OPT_INFORM, OPT_OUT, OPT_COUNT, OPT_U, OPT_FLAG,
    OPT_STR, OPT_NOTUSED
 } OPTION_CHOICE;
 static OPTIONS options[] = {
    {OPT_HELP_STR, 1, '-', "Usage: %s flags\n"},
    {OPT_HELP_STR, 1, '-', "Valid options are:\n"},
    {"help", OPT_HELP, '-', "Display this summary"},
    {"in", OPT_IN, '<', "input file"},
    {OPT_MORE_STR, 1, '-', "more detail about input"},
    {"inform", OPT_INFORM, 'f', "input file format; defaults to pem"},
    {"out", OPT_OUT, '>', "output file"},
    {"count", OPT_COUNT, 'p', "a counter greater than zero"},
    {"u", OPT_U, 'u', "an unsigned number"},
    {"flag", OPT_FLAG, 0, "just some flag"},
    {"str", OPT_STR, 's', "the magic word"},
    {"areallyverylongoption", OPT_HELP, '-', "long way for help"},
    {NULL}
 };
 BIO *bio_err;
 int app_isdir(const char *name)
 {
    struct stat sb;
    return name != NULL && stat(name, &sb) >= 0 && S_ISDIR(sb.st_mode);
 }
 int main(int ac, char **av)
 {
    OPTION_CHOICE o;
    char **rest;
    char *prog;
    bio_err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT);
    prog = opt_init(ac, av, options);
    while ((o = opt_next()) != OPT_EOF) {
        switch (c) {
        case OPT_NOTUSED:
        case OPT_EOF:
        case OPT_ERR:
            printf("%s: Usage error; try -help.\n", prog);
            return 1;
        case OPT_HELP:
            opt_help(options);
            return 0;
        case OPT_IN:
            printf("in %s\n", opt_arg());
            break;
        case OPT_INFORM:
            printf("inform %s\n", opt_arg());
            break;
        case OPT_OUT:
            printf("out %s\n", opt_arg());
            break;
        case OPT_COUNT:
            printf("count %s\n", opt_arg());
            break;
        case OPT_U:
            printf("u %s\n", opt_arg());
            break;
        case OPT_FLAG:
            printf("flag\n");
            break;
        case OPT_STR:
            printf("str %s\n", opt_arg());
            break;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
    printf("args = %d\n", argc);
    if (argc)
        while (*argv)
            printf("  %s\n", *argv++);
    return 0;
 }
 #endif
--- a/apps/passwd.c
+++ b/apps/passwd.c
@@ -1,4 +1,51 @@
-/* apps/passwd.c */
+/* ====================================================================
 * Copyright (c) 2000-2015 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 */
 #if defined OPENSSL_NO_MD5 || defined CHARSET_EBCDIC
 # define NO_MD5CRYPT_1
@@ -6,7 +53,6 @@
 #if !defined(OPENSSL_NO_DES) || !defined(NO_MD5CRYPT_1)
 #include <assert.h>
 # include <string.h>
 # include "apps.h"
@@ -22,11 +68,6 @@
 #  include <openssl/md5.h>
 # endif
 #undef PROG
 #define PROG passwd_main
 static unsigned const char cov_2char[64] = {
    /* from crypto/des/fcrypt.c */
    0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35,
@@ -40,230 +81,188 @@ static unsigned const char cov_2char[64]={
 };
 static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
-	char *passwd, BIO *out, int quiet, int table, int reverse,
+                     char *passwd, BIO *out, int quiet, int table,
-	size_t pw_maxlen, int usecrypt, int use1, int useapr1);
+                     int reverse, size_t pw_maxlen, int usecrypt, int use1,
                     int useapr1);
-/* -crypt        - standard Unix password algorithm (default)
+typedef enum OPTION_choice {
- * -1            - MD5-based password algorithm
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
- * -apr1         - MD5-based password algorithm, Apache variant
+    OPT_IN,
- * -salt string  - salt
+    OPT_NOVERIFY, OPT_QUIET, OPT_TABLE, OPT_REVERSE, OPT_APR1,
- * -in file      - read passwords from file
+    OPT_1, OPT_CRYPT, OPT_SALT, OPT_STDIN
- * -stdin        - read passwords from stdin
+} OPTION_CHOICE;
 * -noverify     - never verify when reading password from terminal
 * -quiet        - no warnings
 * -table        - format output as table
 * -reverse      - switch table columns
 */
-int MAIN(int, char **);
+OPTIONS passwd_options[] = {
-
+    {"help", OPT_HELP, '-', "Display this summary"},
-int MAIN(int argc, char **argv)
+    {"in", OPT_IN, '<', "Pead passwords from file"},
-	{
+    {"noverify", OPT_NOVERIFY, '-',
-	int ret = 1;
+     "Never verify when reading password from terminal"},
-	char *infile = NULL;
+    {"quiet", OPT_QUIET, '-', "No warnings"},
-	int in_stdin = 0;
+    {"table", OPT_TABLE, '-', "Format output as table"},
-	int in_noverify = 0;
+    {"reverse", OPT_REVERSE, '-', "Switch table columns"},
-	char *salt = NULL, *passwd = NULL, **passwds = NULL;
+    {"salt", OPT_SALT, 's', "Use provided salt"},
-	char *salt_malloc = NULL, *passwd_malloc = NULL;
+    {"stdin", OPT_STDIN, '-', "Read passwords from stdin"},
-	size_t passwd_malloc_size = 0;
+# ifndef NO_MD5CRYPT_1
-	int pw_source_defined = 0;
+    {"apr1", OPT_APR1, '-', "MD5-based password algorithm, Apache variant"},
-	BIO *in = NULL, *out = NULL;
+    {"1", OPT_1, '-', "MD5-based password algorithm"},
 	int i, badopt, opt_done;
 	int passed_salt = 0, quiet = 0, table = 0, reverse = 0;
 	int usecrypt = 0, use1 = 0, useapr1 = 0;
 	size_t pw_maxlen = 0;
 	apps_startup();
 	if (bio_err == NULL)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	if (!load_config(bio_err, NULL))
 		goto err;
 	out = BIO_new(BIO_s_file());
 	if (out == NULL)
 		goto err;
 	BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
 #ifdef OPENSSL_SYS_VMS
 	{
 	BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 	out = BIO_push(tmpbio, out);
 	}
 # endif
 # ifndef OPENSSL_NO_DES
    {"crypt", OPT_CRYPT, '-', "Standard Unix password algorithm (default)"},
 # endif
    {NULL}
 };
-	badopt = 0, opt_done = 0;
+int passwd_main(int argc, char **argv)
 	i = 0;
 	while (!badopt && !opt_done && argv[++i] != NULL)
 		{
 		if (strcmp(argv[i], "-crypt") == 0)
 			usecrypt = 1;
 		else if (strcmp(argv[i], "-1") == 0)
 			use1 = 1;
 		else if (strcmp(argv[i], "-apr1") == 0)
 			useapr1 = 1;
 		else if (strcmp(argv[i], "-salt") == 0)
 			{
 			if ((argv[i+1] != NULL) && (salt == NULL))
 				{
 				passed_salt = 1;
 				salt = argv[++i];
 				}
 			else
 				badopt = 1;
 			}
 		else if (strcmp(argv[i], "-in") == 0)
 			{
 			if ((argv[i+1] != NULL) && !pw_source_defined)
 {
    BIO *in = NULL;
    char *infile = NULL, *salt = NULL, *passwd = NULL, **passwds = NULL;
    char *salt_malloc = NULL, *passwd_malloc = NULL, *prog;
    OPTION_CHOICE o;
    int in_stdin = 0, in_noverify = 0, pw_source_defined = 0;
    int passed_salt = 0, quiet = 0, table = 0, reverse = 0;
    int ret = 1, usecrypt = 0, use1 = 0, useapr1 = 0;
    size_t passwd_malloc_size = 0, pw_maxlen = 256;
    prog = opt_init(argc, argv, passwd_options);
    while ((o = opt_next()) != OPT_EOF) {
        switch (o) {
        case OPT_EOF:
        case OPT_ERR:
 opthelp:
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
        case OPT_HELP:
            opt_help(passwd_options);
            ret = 0;
            goto end;
        case OPT_IN:
            if (pw_source_defined)
                goto opthelp;
            infile = opt_arg();
            pw_source_defined = 1;
-				infile = argv[++i];
+            break;
-				}
+        case OPT_NOVERIFY:
 			else
 				badopt = 1;
 			}
 		else if (strcmp(argv[i], "-stdin") == 0)
 			{
 			if (!pw_source_defined)
 				{
 				pw_source_defined = 1;
 				in_stdin = 1;
 				}
 			else
 				badopt = 1;
 			}
 		else if (strcmp(argv[i], "-noverify") == 0)
            in_noverify = 1;
-		else if (strcmp(argv[i], "-quiet") == 0)
+            break;
        case OPT_QUIET:
            quiet = 1;
-		else if (strcmp(argv[i], "-table") == 0)
+            break;
        case OPT_TABLE:
            table = 1;
-		else if (strcmp(argv[i], "-reverse") == 0)
+            break;
        case OPT_REVERSE:
            reverse = 1;
-		else if (argv[i][0] == '-')
+            break;
-			badopt = 1;
+        case OPT_1:
-		else if (!pw_source_defined)
+            use1 = 1;
-			/* non-option arguments, use as passwords */
+            break;
-			{
+        case OPT_APR1:
-			pw_source_defined = 1;
+            useapr1 = 1;
-			passwds = &argv[i];
+            break;
-			opt_done = 1;
+        case OPT_CRYPT:
 			}
 		else
 			badopt = 1;
 		}
 	if (!usecrypt && !use1 && !useapr1) /* use default */
            usecrypt = 1;
-	if (usecrypt + use1 + useapr1 > 1) /* conflict */
+            break;
-		badopt = 1;
+        case OPT_SALT:
            passed_salt = 1;
            salt = opt_arg();
            break;
        case OPT_STDIN:
            if (pw_source_defined)
                goto opthelp;
            in_stdin = 1;
            break;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
    if (*argv) {
        if (pw_source_defined)
            goto opthelp;
        pw_source_defined = 1;
        passwds = argv;
    }
    if (!usecrypt && !use1 && !useapr1) {
        /* use default */
        usecrypt = 1;
    }
    if (usecrypt + use1 + useapr1 > 1) {
        /* conflict */
        goto opthelp;
    }
 	/* reject unsupported algorithms */
 # ifdef OPENSSL_NO_DES
-	if (usecrypt) badopt = 1;
+    if (usecrypt)
        goto opthelp;
 # endif
 # ifdef NO_MD5CRYPT_1
-	if (use1 || useapr1) badopt = 1;
+    if (use1 || useapr1)
        goto opthelp;
 # endif
-	if (badopt) 
+    if (infile && in_stdin) {
-		{
+        BIO_printf(bio_err, "%s: Can't combine -in and -stdin\n", prog);
-		BIO_printf(bio_err, "Usage: passwd [options] [passwords]\n");
+        goto end;
 		BIO_printf(bio_err, "where options are\n");
 #ifndef OPENSSL_NO_DES
 		BIO_printf(bio_err, "-crypt             standard Unix password algorithm (default)\n");
 #endif
 #ifndef NO_MD5CRYPT_1
 		BIO_printf(bio_err, "-1                 MD5-based password algorithm\n");
 		BIO_printf(bio_err, "-apr1              MD5-based password algorithm, Apache variant\n");
 #endif
 		BIO_printf(bio_err, "-salt string       use provided salt\n");
 		BIO_printf(bio_err, "-in file           read passwords from file\n");
 		BIO_printf(bio_err, "-stdin             read passwords from stdin\n");
 		BIO_printf(bio_err, "-noverify          never verify when reading password from terminal\n");
 		BIO_printf(bio_err, "-quiet             no warnings\n");
 		BIO_printf(bio_err, "-table             format output as table\n");
 		BIO_printf(bio_err, "-reverse           switch table columns\n");
 		goto err;
    }
-	if ((infile != NULL) || in_stdin)
+    in = bio_open_default(infile, 'r', FORMAT_TEXT);
 		{
 		in = BIO_new(BIO_s_file());
    if (in == NULL)
-			goto err;
+        goto end;
 		if (infile != NULL)
 			{
 			assert(in_stdin == 0);
 			if (BIO_read_filename(in, infile) <= 0)
 				goto err;
 			}
 		else
 			{
 			assert(in_stdin);
 			BIO_set_fp(in, stdin, BIO_NOCLOSE);
 			}
 		}
    if (usecrypt)
        pw_maxlen = 8;
    else if (use1 || useapr1)
-		pw_maxlen = 256; /* arbitrary limit, should be enough for most passwords */
+        pw_maxlen = 256;        /* arbitrary limit, should be enough for most
                                 * passwords */
-	if (passwds == NULL)
+    if (passwds == NULL) {
 		{
        /* no passwords on the command line */
        passwd_malloc_size = pw_maxlen + 2;
        /* longer than necessary so that we can warn about truncation */
-		passwd = passwd_malloc = OPENSSL_malloc(passwd_malloc_size);
+        passwd = passwd_malloc =
-		if (passwd_malloc == NULL)
+            app_malloc(passwd_malloc_size, "password buffer");
 			goto err;
    }
-	if ((in == NULL) && (passwds == NULL))
+    if ((in == NULL) && (passwds == NULL)) {
 		{
        /* build a null-terminated list */
        static char *passwds_static[2] = { NULL, NULL };
        passwds = passwds_static;
        if (in == NULL)
-			if (EVP_read_pw_string(passwd_malloc, passwd_malloc_size, "Password: ", !(passed_salt || in_noverify)) != 0)
+            if (EVP_read_pw_string
-				goto err;
+                (passwd_malloc, passwd_malloc_size, "Password: ",
                 !(passed_salt || in_noverify)) != 0)
                goto end;
        passwds[0] = passwd_malloc;
    }
-	if (in == NULL)
+    if (in == NULL) {
 		{
        assert(passwds != NULL);
        assert(*passwds != NULL);
-		do /* loop over list of passwords */
+        do {                    /* loop over list of passwords */
 			{
            passwd = *passwds++;
-			if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, out,
+            if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, bio_out,
-				quiet, table, reverse, pw_maxlen, usecrypt, use1, useapr1))
+                           quiet, table, reverse, pw_maxlen, usecrypt, use1,
-				goto err;
+                           useapr1))
                goto end;
        }
        while (*passwds != NULL);
-		}
+    } else
 	else
        /* in != NULL */
    {
        int done;
        assert(passwd != NULL);
-		do
+        do {
 			{
            int r = BIO_gets(in, passwd, pw_maxlen + 1);
-			if (r > 0)
+            if (r > 0) {
 				{
                char *c = (strchr(passwd, '\n'));
                if (c != NULL)
                    *c = 0;     /* truncate at newline */
-				else
+                else {
 					{
                    /* ignore rest of line */
                    char trash[BUFSIZ];
                    do
@@ -271,9 +270,10 @@ int MAIN(int argc, char **argv)
                    while ((r > 0) && (!strchr(trash, '\n')));
                }
-				if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, out,
+                if (!do_passwd
-					quiet, table, reverse, pw_maxlen, usecrypt, use1, useapr1))
+                    (passed_salt, &salt, &salt_malloc, passwd, bio_out, quiet,
-					goto err;
+                     table, reverse, pw_maxlen, usecrypt, use1, useapr1))
                    goto end;
            }
            done = (r <= 0);
        }
@@ -281,40 +281,33 @@ int MAIN(int argc, char **argv)
    }
    ret = 0;
-err:
+ end:
    ERR_print_errors(bio_err);
 	if (salt_malloc)
    OPENSSL_free(salt_malloc);
 	if (passwd_malloc)
    OPENSSL_free(passwd_malloc);
 	if (in)
    BIO_free(in);
-	if (out)
+    return (ret);
 		BIO_free_all(out);
 	apps_shutdown();
 	OPENSSL_EXIT(ret);
 }
 # ifndef NO_MD5CRYPT_1
-/* MD5-based password algorithm (should probably be available as a library
+/*
- * function; then the static buffer would not be acceptable).
+ * MD5-based password algorithm (should probably be available as a library
- * For magic string "1", this should be compatible to the MD5-based BSD
+ * function; then the static buffer would not be acceptable). For magic
- * password algorithm.
+ * string "1", this should be compatible to the MD5-based BSD password
- * For 'magic' string "apr1", this is compatible to the MD5-based Apache
+ * algorithm. For 'magic' string "apr1", this is compatible to the MD5-based
- * password algorithm.
+ * Apache password algorithm. (Apparently, the Apache password algorithm is
- * (Apparently, the Apache password algorithm is identical except that the
+ * identical except that the 'magic' string was changed -- the laziest
- * 'magic' string was changed -- the laziest application of the NIH principle
+ * application of the NIH principle I've ever encountered.)
 * I've ever encountered.)
 */
 static char *md5crypt(const char *passwd, const char *magic, const char *salt)
 {
-	static char out_buf[6 + 9 + 24 + 2]; /* "$apr1$..salt..$.......md5hash..........\0" */
+    /* "$apr1$..salt..$.......md5hash..........\0" */
    static char out_buf[6 + 9 + 24 + 2];
    unsigned char buf[MD5_DIGEST_LENGTH];
    char *salt_out;
    int n;
    unsigned int i;
-	EVP_MD_CTX md,md2;
+    EVP_MD_CTX *md, *md2;
    size_t passwd_len, salt_len;
    passwd_len = strlen(passwd);
@@ -329,47 +322,50 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
    salt_len = strlen(salt_out);
    assert(salt_len <= 8);
-	EVP_MD_CTX_init(&md);
+    md = EVP_MD_CTX_new();
-	EVP_DigestInit_ex(&md,EVP_md5(), NULL);
+    if (md == NULL)
-	EVP_DigestUpdate(&md, passwd, passwd_len);
+        return NULL;
-	EVP_DigestUpdate(&md, "$", 1);
+    EVP_DigestInit_ex(md, EVP_md5(), NULL);
-	EVP_DigestUpdate(&md, magic, strlen(magic));
+    EVP_DigestUpdate(md, passwd, passwd_len);
-	EVP_DigestUpdate(&md, "$", 1);
+    EVP_DigestUpdate(md, "$", 1);
-	EVP_DigestUpdate(&md, salt_out, salt_len);
+    EVP_DigestUpdate(md, magic, strlen(magic));
    EVP_DigestUpdate(md, "$", 1);
    EVP_DigestUpdate(md, salt_out, salt_len);
-	EVP_MD_CTX_init(&md2);
+    md2 = EVP_MD_CTX_new();
-	EVP_DigestInit_ex(&md2,EVP_md5(), NULL);
+    if (md2 == NULL)
-	EVP_DigestUpdate(&md2, passwd, passwd_len);
+        return NULL;
-	EVP_DigestUpdate(&md2, salt_out, salt_len);
+    EVP_DigestInit_ex(md2, EVP_md5(), NULL);
-	EVP_DigestUpdate(&md2, passwd, passwd_len);
+    EVP_DigestUpdate(md2, passwd, passwd_len);
-	EVP_DigestFinal_ex(&md2, buf, NULL);
+    EVP_DigestUpdate(md2, salt_out, salt_len);
    EVP_DigestUpdate(md2, passwd, passwd_len);
    EVP_DigestFinal_ex(md2, buf, NULL);
    for (i = passwd_len; i > sizeof buf; i -= sizeof buf)
-		EVP_DigestUpdate(&md, buf, sizeof buf);
+        EVP_DigestUpdate(md, buf, sizeof buf);
-	EVP_DigestUpdate(&md, buf, i);
+    EVP_DigestUpdate(md, buf, i);
    n = passwd_len;
-	while (n)
+    while (n) {
-		{
+        EVP_DigestUpdate(md, (n & 1) ? "\0" : passwd, 1);
 		EVP_DigestUpdate(&md, (n & 1) ? "\0" : passwd, 1);
        n >>= 1;
    }
-	EVP_DigestFinal_ex(&md, buf, NULL);
+    EVP_DigestFinal_ex(md, buf, NULL);
-	for (i = 0; i < 1000; i++)
+    for (i = 0; i < 1000; i++) {
-		{
+        EVP_DigestInit_ex(md2, EVP_md5(), NULL);
-		EVP_DigestInit_ex(&md2,EVP_md5(), NULL);
+        EVP_DigestUpdate(md2, (i & 1) ? (unsigned const char *)passwd : buf,
 		EVP_DigestUpdate(&md2, (i & 1) ? (unsigned const char *) passwd : buf,
                         (i & 1) ? passwd_len : sizeof buf);
        if (i % 3)
-			EVP_DigestUpdate(&md2, salt_out, salt_len);
+            EVP_DigestUpdate(md2, salt_out, salt_len);
        if (i % 7)
-			EVP_DigestUpdate(&md2, passwd, passwd_len);
+            EVP_DigestUpdate(md2, passwd, passwd_len);
-		EVP_DigestUpdate(&md2, (i & 1) ? buf : (unsigned const char *) passwd,
+        EVP_DigestUpdate(md2, (i & 1) ? buf : (unsigned const char *)passwd,
                         (i & 1) ? sizeof buf : passwd_len);
-		EVP_DigestFinal_ex(&md2, buf, NULL);
+        EVP_DigestFinal_ex(md2, buf, NULL);
    }
-	EVP_MD_CTX_cleanup(&md2);
+    EVP_MD_CTX_free(md2);
    EVP_MD_CTX_free(md);
    {
        /* transform buf into output string */
@@ -379,11 +375,13 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
        char *output;
        /* silly output permutation */
-		for (dest = 0, source = 0; dest < 14; dest++, source = (source + 6) % 17)
+        for (dest = 0, source = 0; dest < 14;
             dest++, source = (source + 6) % 17)
            buf_perm[dest] = buf[source];
        buf_perm[14] = buf[5];
        buf_perm[15] = buf[11];
-#ifndef PEDANTIC /* Unfortunately, this generates a "no effect" warning */
+#  ifndef PEDANTIC              /* Unfortunately, this generates a "no
                                 * effect" warning */
        assert(16 == sizeof buf_perm);
 #  endif
@@ -392,8 +390,7 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
        *output++ = '$';
-		for (i = 0; i < 15; i += 3)
+        for (i = 0; i < 15; i += 3) {
 			{
            *output++ = cov_2char[buf_perm[i + 2] & 0x3f];
            *output++ = cov_2char[((buf_perm[i + 1] & 0xf) << 2) |
                                  (buf_perm[i + 2] >> 6)];
@@ -407,16 +404,15 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
        *output = 0;
        assert(strlen(out_buf) < sizeof(out_buf));
    }
 	EVP_MD_CTX_cleanup(&md);
    return out_buf;
 }
 # endif
 static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
-	char *passwd, BIO *out,	int quiet, int table, int reverse,
+                     char *passwd, BIO *out, int quiet, int table,
-	size_t pw_maxlen, int usecrypt, int use1, int useapr1)
+                     int reverse, size_t pw_maxlen, int usecrypt, int use1,
                     int useapr1)
 {
    char *hash = NULL;
@@ -424,42 +420,33 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
    assert(salt_malloc_p != NULL);
    /* first make sure we have a salt */
-	if (!passed_salt)
+    if (!passed_salt) {
 		{
 # ifndef OPENSSL_NO_DES
-		if (usecrypt)
+        if (usecrypt) {
-			{
+            if (*salt_malloc_p == NULL) {
-			if (*salt_malloc_p == NULL)
+                *salt_p = *salt_malloc_p = app_malloc(3, "salt buffer");
 				{
 				*salt_p = *salt_malloc_p = OPENSSL_malloc(3);
 				if (*salt_malloc_p == NULL)
 					goto err;
            }
-			if (RAND_pseudo_bytes((unsigned char *)*salt_p, 2) < 0)
+            if (RAND_bytes((unsigned char *)*salt_p, 2) <= 0)
-				goto err;
+                goto end;
            (*salt_p)[0] = cov_2char[(*salt_p)[0] & 0x3f]; /* 6 bits */
            (*salt_p)[1] = cov_2char[(*salt_p)[1] & 0x3f]; /* 6 bits */
            (*salt_p)[2] = 0;
 #  ifdef CHARSET_EBCDIC
-			ascii2ebcdic(*salt_p, *salt_p, 2); /* des_crypt will convert
+            ascii2ebcdic(*salt_p, *salt_p, 2); /* des_crypt will convert back
-			                                    * back to ASCII */
+                                                * to ASCII */
 #  endif
        }
 # endif                         /* !OPENSSL_NO_DES */
 # ifndef NO_MD5CRYPT_1
-		if (use1 || useapr1)
+        if (use1 || useapr1) {
 			{
            int i;
-			if (*salt_malloc_p == NULL)
+            if (*salt_malloc_p == NULL) {
-				{
+                *salt_p = *salt_malloc_p = app_malloc(9, "salt buffer");
 				*salt_p = *salt_malloc_p = OPENSSL_malloc(9);
 				if (*salt_malloc_p == NULL)
 					goto err;
            }
-			if (RAND_pseudo_bytes((unsigned char *)*salt_p, 8) < 0)
+            if (RAND_bytes((unsigned char *)*salt_p, 8) <= 0)
-				goto err;
+                goto end;
            for (i = 0; i < 8; i++)
                (*salt_p)[i] = cov_2char[(*salt_p)[i] & 0x3f]; /* 6 bits */
@@ -471,11 +458,14 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
    assert(*salt_p != NULL);
    /* truncate password if necessary */
-	if ((strlen(passwd) > pw_maxlen))
+    if ((strlen(passwd) > pw_maxlen)) {
 		{
        if (!quiet)
-			/* XXX: really we should know how to print a size_t, not cast it */
+            /*
-			BIO_printf(bio_err, "Warning: truncating password to %u characters\n", (unsigned)pw_maxlen);
+             * XXX: really we should know how to print a size_t, not cast it
             */
            BIO_printf(bio_err,
                       "Warning: truncating password to %u characters\n",
                       (unsigned)pw_maxlen);
        passwd[pw_maxlen] = 0;
    }
    assert(strlen(passwd) <= pw_maxlen);
@@ -497,16 +487,16 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
        BIO_printf(out, "%s\t%s\n", hash, passwd);
    else
        BIO_printf(out, "%s\n", hash);
 	return 1;
 err:
    return 0;
 end:
    return 1;
 }
 #else
-int MAIN(int argc, char **argv)
+int passwd_main(int argc, char **argv)
 {
-	fputs("Program not available.\n", stderr)
+    BIO_printf(bio_err, "Program not available.\n");
-	OPENSSL_EXIT(1);
+    return (1);
 }
 #endif
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
--- a/apps/pkcs7.c
+++ b/apps/pkcs7.c
@@ -1,4 +1,3 @@
 /* apps/pkcs7.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -55,6 +54,54 @@
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
 /* ====================================================================
 * Copyright (c) 1999-2015 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 */
 #include <stdio.h>
 #include <stdlib.h>
@@ -68,186 +115,111 @@
 #include <openssl/pkcs7.h>
 #include <openssl/pem.h>
-#undef PROG
+typedef enum OPTION_choice {
-#define PROG	pkcs7_main
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_NOOUT,
    OPT_TEXT, OPT_PRINT, OPT_PRINT_CERTS, OPT_ENGINE
 } OPTION_CHOICE;
-/* -inform arg	- input format - default PEM (DER or PEM)
+OPTIONS pkcs7_options[] = {
- * -outform arg - output format - default PEM
+    {"help", OPT_HELP, '-', "Display this summary"},
- * -in arg	- input file - default stdin
+    {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
- * -out arg	- output file - default stdout
+    {"in", OPT_IN, '<', "Input file"},
- * -print_certs
+    {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
- */
+    {"out", OPT_OUT, '>', "Output file"},
    {"noout", OPT_NOOUT, '-', "Don't output encoded data"},
    {"text", OPT_TEXT, '-', "Print full details of certificates"},
    {"print", OPT_PRINT, '-'},
    {"print_certs", OPT_PRINT_CERTS, '-',
     "Print_certs  print any certs or crl in the input"},
 #ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
    {NULL}
 };
-int MAIN(int, char **);
+int pkcs7_main(int argc, char **argv)
 int MAIN(int argc, char **argv)
 {
    PKCS7 *p7 = NULL;
 	int i,badops=0;
    BIO *in = NULL, *out = NULL;
-	int informat,outformat;
+    int informat = FORMAT_PEM, outformat = FORMAT_PEM;
-	char *infile,*outfile,*prog;
+    char *infile = NULL, *outfile = NULL, *prog;
-	int print_certs=0,text=0,noout=0,p7_print=0;
+    int i, print_certs = 0, text = 0, noout = 0, p7_print = 0, ret = 1;
-	int ret=1;
+    OPTION_CHOICE o;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
-	apps_startup();
+    prog = opt_init(argc, argv, pkcs7_options);
-
+    while ((o = opt_next()) != OPT_EOF) {
-	if (bio_err == NULL)
+        switch (o) {
-		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+        case OPT_EOF:
-			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+        case OPT_ERR:
-
+ opthelp:
-	if (!load_config(bio_err, NULL))
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
-
+        case OPT_HELP:
-	infile=NULL;
+            opt_help(pkcs7_options);
-	outfile=NULL;
+            ret = 0;
-	informat=FORMAT_PEM;
+            goto end;
-	outformat=FORMAT_PEM;
+        case OPT_INFORM:
-
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
-	prog=argv[0];
+                goto opthelp;
-	argc--;
+            break;
-	argv++;
+        case OPT_OUTFORM:
-	while (argc >= 1)
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
-		{
+                goto opthelp;
-		if 	(strcmp(*argv,"-inform") == 0)
+            break;
-			{
+        case OPT_IN:
-			if (--argc < 1) goto bad;
+            infile = opt_arg();
-			informat=str2fmt(*(++argv));
+            break;
-			}
+        case OPT_OUT:
-		else if (strcmp(*argv,"-outform") == 0)
+            outfile = opt_arg();
-			{
+            break;
-			if (--argc < 1) goto bad;
+        case OPT_NOOUT:
 			outformat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-in") == 0)
 			{
 			if (--argc < 1) goto bad;
 			infile= *(++argv);
 			}
 		else if (strcmp(*argv,"-out") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 		else if (strcmp(*argv,"-noout") == 0)
            noout = 1;
-		else if (strcmp(*argv,"-text") == 0)
+            break;
        case OPT_TEXT:
            text = 1;
-		else if (strcmp(*argv,"-print") == 0)
+            break;
        case OPT_PRINT:
            p7_print = 1;
-		else if (strcmp(*argv,"-print_certs") == 0)
+            break;
        case OPT_PRINT_CERTS:
            print_certs = 1;
-#ifndef OPENSSL_NO_ENGINE
+            break;
-		else if (strcmp(*argv,"-engine") == 0)
+        case OPT_ENGINE:
-			{
+            (void)setup_engine(opt_arg(), 0);
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 #endif
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
 			badops=1;
            break;
        }
 		argc--;
 		argv++;
    }
    argc = opt_num_rest();
    argv = opt_rest();
-	if (badops)
+    in = bio_open_default(infile, 'r', informat);
 		{
 bad:
 		BIO_printf(bio_err,"%s [options] <infile >outfile\n",prog);
 		BIO_printf(bio_err,"where options are\n");
 		BIO_printf(bio_err," -inform arg   input format - DER or PEM\n");
 		BIO_printf(bio_err," -outform arg  output format - DER or PEM\n");
 		BIO_printf(bio_err," -in arg       input file\n");
 		BIO_printf(bio_err," -out arg      output file\n");
 		BIO_printf(bio_err," -print_certs  print any certs or crl in the input\n");
 		BIO_printf(bio_err," -text         print full details of certificates\n");
 		BIO_printf(bio_err," -noout        don't output encoded data\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
 #endif
 		ret = 1;
 		goto end;
 		}
 	ERR_load_crypto_strings();
 #ifndef OPENSSL_NO_ENGINE
        setup_engine(bio_err, engine, 0);
 #endif
 	in=BIO_new(BIO_s_file());
 	out=BIO_new(BIO_s_file());
 	if ((in == NULL) || (out == NULL))
 		{
 		ERR_print_errors(bio_err);
                goto end;
                }
 	if (infile == NULL)
 		BIO_set_fp(in,stdin,BIO_NOCLOSE);
 	else
 		{
 		if (BIO_read_filename(in,infile) <= 0)
    if (in == NULL)
 			{
 			perror(infile);
        goto end;
 			}
 		}
    if (informat == FORMAT_ASN1)
        p7 = d2i_PKCS7_bio(in, NULL);
 	else if (informat == FORMAT_PEM)
 		p7=PEM_read_bio_PKCS7(in,NULL,NULL,NULL);
    else
-		{
+        p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);
-		BIO_printf(bio_err,"bad input format specified for pkcs7 object\n");
+    if (p7 == NULL) {
 		goto end;
 		}
 	if (p7 == NULL)
 		{
        BIO_printf(bio_err, "unable to load PKCS7 object\n");
        ERR_print_errors(bio_err);
        goto end;
    }
-	if (outfile == NULL)
+    out = bio_open_default(outfile, 'w', outformat);
-		{
+    if (out == NULL)
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
 			{
 			perror(outfile);
        goto end;
 			}
 		}
    if (p7_print)
        PKCS7_print_ctx(out, p7, 0, NULL);
-	if (print_certs)
+    if (print_certs) {
 		{
        STACK_OF(X509) *certs = NULL;
        STACK_OF(X509_CRL) *crls = NULL;
        i = OBJ_obj2nid(p7->type);
-		switch (i)
+        switch (i) {
 			{
        case NID_pkcs7_signed:
            certs = p7->d.sign->cert;
            crls = p7->d.sign->crl;
@@ -260,31 +232,31 @@ bad:
            break;
        }
-		if (certs != NULL)
+        if (certs != NULL) {
 			{
            X509 *x;
-			for (i=0; i<sk_X509_num(certs); i++)
+            for (i = 0; i < sk_X509_num(certs); i++) {
 				{
                x = sk_X509_value(certs, i);
-				if(text) X509_print(out, x);
+                if (text)
-				else dump_cert_text(out, x);
+                    X509_print(out, x);
                else
                    dump_cert_text(out, x);
-				if(!noout) PEM_write_bio_X509(out,x);
+                if (!noout)
                    PEM_write_bio_X509(out, x);
                BIO_puts(out, "\n");
            }
        }
-		if (crls != NULL)
+        if (crls != NULL) {
 			{
            X509_CRL *crl;
-			for (i=0; i<sk_X509_CRL_num(crls); i++)
+            for (i = 0; i < sk_X509_CRL_num(crls); i++) {
 				{
                crl = sk_X509_CRL_value(crls, i);
                X509_CRL_print(out, crl);
-				if(!noout)PEM_write_bio_X509_CRL(out,crl);
+                if (!noout)
                    PEM_write_bio_X509_CRL(out, crl);
                BIO_puts(out, "\n");
            }
        }
@@ -296,15 +268,10 @@ bad:
    if (!noout) {
        if (outformat == FORMAT_ASN1)
            i = i2d_PKCS7_bio(out, p7);
-		else if (outformat == FORMAT_PEM)
+        else
            i = PEM_write_bio_PKCS7(out, p7);
 		else	{
 			BIO_printf(bio_err,"bad output format specified for outfile\n");
 			goto end;
 			}
-		if (!i)
+        if (!i) {
 			{
            BIO_printf(bio_err, "unable to write pkcs7 object\n");
            ERR_print_errors(bio_err);
            goto end;
@@ -312,9 +279,8 @@ bad:
    }
    ret = 0;
 end:
-	if (p7 != NULL) PKCS7_free(p7);
+    PKCS7_free(p7);
-	if (in != NULL) BIO_free(in);
+    BIO_free(in);
-	if (out != NULL) BIO_free_all(out);
+    BIO_free_all(out);
-	apps_shutdown();
+    return (ret);
 	OPENSSL_EXIT(ret);
 }
--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@@ -1,6 +1,6 @@
-/* pkcs8.c */
+/*
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * project 1999-2004.
+ * 1999-2004.
 */
 /* ====================================================================
 * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
@@ -56,6 +56,7 @@
 *
 */
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include "apps.h"
 #include <openssl/pem.h>
@@ -63,178 +64,171 @@
 #include <openssl/evp.h>
 #include <openssl/pkcs12.h>
-#define PROG pkcs8_main
+typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT,
    OPT_TOPK8, OPT_NOITER, OPT_NOCRYPT, OPT_NOOCT, OPT_NSDB, OPT_EMBED,
 #ifndef OPENSSL_NO_SCRYPT
    OPT_SCRYPT, OPT_SCRYPT_N, OPT_SCRYPT_R, OPT_SCRYPT_P,
 #endif
    OPT_V2, OPT_V1, OPT_V2PRF, OPT_ITER, OPT_PASSIN, OPT_PASSOUT
 } OPTION_CHOICE;
-int MAIN(int, char **);
+OPTIONS pkcs8_options[] = {
    {"help", OPT_HELP, '-', "Display this summary"},
    {"inform", OPT_INFORM, 'F', "Input format (DER or PEM)"},
    {"outform", OPT_OUTFORM, 'F', "Output format (DER or PEM)"},
    {"in", OPT_IN, '<', "Input file"},
    {"out", OPT_OUT, '>', "Output file"},
    {"topk8", OPT_TOPK8, '-', "Output PKCS8 file"},
    {"noiter", OPT_NOITER, '-', "Use 1 as iteration count"},
    {"nocrypt", OPT_NOCRYPT, '-', "Use or expect unencrypted private key"},
    {"nooct", OPT_NOOCT, '-', "Use (nonstandard) no octet format"},
    {"nsdb", OPT_NSDB, '-', "Use (nonstandard) DSA Netscape DB format"},
    {"embed", OPT_EMBED, '-',
     "Use (nonstandard) embedded DSA parameters format"},
    {"v2", OPT_V2, 's', "Use PKCS#5 v2.0 and cipher"},
    {"v1", OPT_V1, 's', "Use PKCS#5 v1.5 and cipher"},
    {"v2prf", OPT_V2PRF, 's'},
    {"iter", OPT_ITER, 'p', "Specify the iteration count"},
    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
    {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
 #ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
 #ifndef OPENSSL_NO_SCRYPT
    {"scrypt", OPT_SCRYPT, '-', "Use scrypt algorithm"},
    {"scrypt_N", OPT_SCRYPT_N, 's', "Set scrypt N parameter"},
    {"scrypt_r", OPT_SCRYPT_R, 's', "Set scrypt r parameter"},
    {"scrypt_p", OPT_SCRYPT_P, 's', "Set scrypt p parameter"},
 #endif
    {NULL}
 };
-int MAIN(int argc, char **argv)
+int pkcs8_main(int argc, char **argv)
 {
 	ENGINE *e = NULL;
 	char **args, *infile = NULL, *outfile = NULL;
 	char *passargin = NULL, *passargout = NULL;
    BIO *in = NULL, *out = NULL;
-	int topk8 = 0;
+    ENGINE *e = NULL;
 	int pbe_nid = -1;
 	const EVP_CIPHER *cipher = NULL;
 	int iter = PKCS12_DEFAULT_ITER;
 	int informat, outformat;
 	int p8_broken = PKCS8_OK;
 	int nocrypt = 0;
 	X509_SIG *p8 = NULL;
 	PKCS8_PRIV_KEY_INFO *p8inf = NULL;
    EVP_PKEY *pkey = NULL;
    PKCS8_PRIV_KEY_INFO *p8inf = NULL;
    X509_SIG *p8 = NULL;
    const EVP_CIPHER *cipher = NULL;
    char *infile = NULL, *outfile = NULL;
    char *passinarg = NULL, *passoutarg = NULL, *prog;
    char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL;
-	int badarg = 0;
+    OPTION_CHOICE o;
-	int ret = 1;
+    int nocrypt = 0, ret = 1, iter = PKCS12_DEFAULT_ITER, p8_broken = PKCS8_OK;
-#ifndef OPENSSL_NO_ENGINE
+    int informat = FORMAT_PEM, outformat = FORMAT_PEM, topk8 = 0, pbe_nid = -1;
-	char *engine=NULL;
+    int private = 0;
 #ifndef OPENSSL_NO_SCRYPT
    unsigned long scrypt_N = 0, scrypt_r = 0, scrypt_p = 0;
 #endif
-	if (bio_err == NULL) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
+    prog = opt_init(argc, argv, pkcs8_options);
-
+    while ((o = opt_next()) != OPT_EOF) {
-	if (!load_config(bio_err, NULL))
+        switch (o) {
        case OPT_EOF:
        case OPT_ERR:
 opthelp:
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
-
+        case OPT_HELP:
-	informat=FORMAT_PEM;
+            opt_help(pkcs8_options);
-	outformat=FORMAT_PEM;
+            ret = 0;
-
+            goto end;
-	ERR_load_crypto_strings();
+        case OPT_INFORM:
-	OpenSSL_add_all_algorithms();
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
-	args = argv + 1;
+                goto opthelp;
-	while (!badarg && *args && *args[0] == '-')
+            break;
-		{
+        case OPT_IN:
-		if (!strcmp(*args,"-v2"))
+            infile = opt_arg();
-			{
+            break;
-			if (args[1])
+        case OPT_OUTFORM:
-				{
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
-				args++;
+                goto opthelp;
-				cipher=EVP_get_cipherbyname(*args);
+            break;
-				if (!cipher)
+        case OPT_OUT:
-					{
+            outfile = opt_arg();
-					BIO_printf(bio_err,
+            break;
-						 "Unknown cipher %s\n", *args);
+        case OPT_TOPK8:
 					badarg = 1;
 					}
 				}
 			else
 				badarg = 1;
 			}
 		else if (!strcmp(*args,"-v1"))
 			{
 			if (args[1])
 				{
 				args++;
 				pbe_nid=OBJ_txt2nid(*args);
 				if (pbe_nid == NID_undef)
 					{
 					BIO_printf(bio_err,
 						 "Unknown PBE algorithm %s\n", *args);
 					badarg = 1;
 					}
 				}
 			else
 				badarg = 1;
 			}
 		else if (!strcmp(*args,"-inform"))
 			{
 			if (args[1])
 				{
 				args++;
 				informat=str2fmt(*args);
 				}
 			else badarg = 1;
 			}
 		else if (!strcmp(*args,"-outform"))
 			{
 			if (args[1])
 				{
 				args++;
 				outformat=str2fmt(*args);
 				}
 			else badarg = 1;
 			}
 		else if (!strcmp (*args, "-topk8"))
            topk8 = 1;
-		else if (!strcmp (*args, "-noiter"))
+            break;
        case OPT_NOITER:
            iter = 1;
-		else if (!strcmp (*args, "-nocrypt"))
+            break;
        case OPT_NOCRYPT:
            nocrypt = 1;
-		else if (!strcmp (*args, "-nooct"))
+            break;
        case OPT_NOOCT:
            p8_broken = PKCS8_NO_OCTET;
-		else if (!strcmp (*args, "-nsdb"))
+            break;
        case OPT_NSDB:
            p8_broken = PKCS8_NS_DB;
-		else if (!strcmp (*args, "-embed"))
+            break;
        case OPT_EMBED:
            p8_broken = PKCS8_EMBEDDED_PARAM;
-		else if (!strcmp(*args,"-passin"))
+            break;
-			{
+        case OPT_V2:
-			if (!args[1]) goto bad;
+            if (!opt_cipher(opt_arg(), &cipher))
-			passargin= *(++args);
+                goto opthelp;
            break;
        case OPT_V1:
            pbe_nid = OBJ_txt2nid(opt_arg());
            if (pbe_nid == NID_undef) {
                BIO_printf(bio_err,
                           "%s: Unknown PBE algorithm %s\n", prog, opt_arg());
                goto opthelp;
            }
-		else if (!strcmp(*args,"-passout"))
+            break;
-			{
+        case OPT_V2PRF:
-			if (!args[1]) goto bad;
+            pbe_nid = OBJ_txt2nid(opt_arg());
-			passargout= *(++args);
+            if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, pbe_nid, NULL, NULL, 0)) {
-			}
+                BIO_printf(bio_err,
-#ifndef OPENSSL_NO_ENGINE
+                           "%s: Unknown PRF algorithm %s\n", prog, opt_arg());
-		else if (strcmp(*args,"-engine") == 0)
+                goto opthelp;
 			{
 			if (!args[1]) goto bad;
 			engine= *(++args);
            }
            break;
        case OPT_ITER:
            if (!opt_int(opt_arg(), &iter))
                goto opthelp;
            break;
        case OPT_PASSIN:
            passinarg = opt_arg();
            break;
        case OPT_PASSOUT:
            passoutarg = opt_arg();
            break;
        case OPT_ENGINE:
            e = setup_engine(opt_arg(), 0);
            break;
 #ifndef OPENSSL_NO_SCRYPT
        case OPT_SCRYPT:
            scrypt_N = 1024;
            scrypt_r = 8;
            scrypt_p = 16;
            if (cipher == NULL)
                cipher = EVP_aes_256_cbc();
            break;
        case OPT_SCRYPT_N:
            if (!opt_ulong(opt_arg(), &scrypt_N))
                goto opthelp;
            break;
        case OPT_SCRYPT_R:
            if (!opt_ulong(opt_arg(), &scrypt_r))
                goto opthelp;
            break;
        case OPT_SCRYPT_P:
            if (!opt_ulong(opt_arg(), &scrypt_p))
                goto opthelp;
            break;
 #endif
 		else if (!strcmp (*args, "-in"))
 			{
 			if (args[1])
 				{
 				args++;
 				infile = *args;
        }
 			else badarg = 1;
 			}
 		else if (!strcmp (*args, "-out"))
 			{
 			if (args[1])
 				{
 				args++;
 				outfile = *args;
 				}
 			else badarg = 1;
 			}
 		else badarg = 1;
 		args++;
    }
    argc = opt_num_rest();
    argv = opt_rest();
    private = 1;
-	if (badarg)
+    if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
 		{
 		bad:
 		BIO_printf(bio_err, "Usage pkcs8 [options]\n");
 		BIO_printf(bio_err, "where options are\n");
 		BIO_printf(bio_err, "-in file        input file\n");
 		BIO_printf(bio_err, "-inform X       input format (DER or PEM)\n");
 		BIO_printf(bio_err, "-passin arg     input file pass phrase source\n");
 		BIO_printf(bio_err, "-outform X      output format (DER or PEM)\n");
 		BIO_printf(bio_err, "-out file       output file\n");
 		BIO_printf(bio_err, "-passout arg    output file pass phrase source\n");
 		BIO_printf(bio_err, "-topk8          output PKCS8 file\n");
 		BIO_printf(bio_err, "-nooct          use (nonstandard) no octet format\n");
 		BIO_printf(bio_err, "-embed          use (nonstandard) embedded DSA parameters format\n");
 		BIO_printf(bio_err, "-nsdb           use (nonstandard) DSA Netscape DB format\n");
 		BIO_printf(bio_err, "-noiter         use 1 as iteration count\n");
 		BIO_printf(bio_err, "-nocrypt        use or expect unencrypted private key\n");
 		BIO_printf(bio_err, "-v2 alg         use PKCS#5 v2.0 and cipher \"alg\"\n");
 		BIO_printf(bio_err, "-v1 obj         use PKCS#5 v1.5 and cipher \"alg\"\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
 #endif
 		goto end;
 		}
 #ifndef OPENSSL_NO_ENGINE
        e = setup_engine(bio_err, engine, 0);
 #endif
 	if (!app_passwd(bio_err, passargin, passargout, &passin, &passout))
 		{
        BIO_printf(bio_err, "Error getting passwords\n");
        goto end;
    }
@@ -242,87 +236,76 @@ int MAIN(int argc, char **argv)
    if ((pbe_nid == -1) && !cipher)
        pbe_nid = NID_pbeWithMD5AndDES_CBC;
-	if (infile)
+    in = bio_open_default(infile, 'r', informat);
-		{
+    if (in == NULL)
-		if (!(in = BIO_new_file(infile, "rb")))
+        goto end;
-			{
+    out = bio_open_owner(outfile, outformat, private);
-			BIO_printf(bio_err,
+    if (out == NULL)
 				 "Can't open input file %s\n", infile);
        goto end;
 			}
 		}
 	else
 		in = BIO_new_fp (stdin, BIO_NOCLOSE);
-	if (outfile)
+    if (topk8) {
-		{
+        pkey = load_key(infile, informat, 1, passin, e, "key");
 		if (!(out = BIO_new_file (outfile, "wb")))
 			{
 			BIO_printf(bio_err,
 				 "Can't open output file %s\n", outfile);
 			goto end;
 			}
 		}
 	else
 		{
 		out = BIO_new_fp (stdout, BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 			{
 			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 			out = BIO_push(tmpbio, out);
 			}
 #endif
 		}
 	if (topk8)
 		{
 		pkey = load_key(bio_err, infile, informat, 1,
 			passin, e, "key");
        if (!pkey)
            goto end;
-		if (!(p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken)))
+        if ((p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken)) == NULL) {
 			{
            BIO_printf(bio_err, "Error converting key\n");
            ERR_print_errors(bio_err);
            goto end;
        }
-		if (nocrypt)
+        if (nocrypt) {
-			{
+            assert(private);
            if (outformat == FORMAT_PEM)
                PEM_write_bio_PKCS8_PRIV_KEY_INFO(out, p8inf);
            else if (outformat == FORMAT_ASN1)
                i2d_PKCS8_PRIV_KEY_INFO_bio(out, p8inf);
-			else
+            else {
 				{
                BIO_printf(bio_err, "Bad format specified for key\n");
                goto end;
            }
        } else {
            X509_ALGOR *pbe;
            if (cipher) {
 #ifndef OPENSSL_NO_SCRYPT
                if (scrypt_N && scrypt_r && scrypt_p)
                    pbe = PKCS5_pbe2_set_scrypt(cipher, NULL, 0, NULL,
                                                scrypt_N, scrypt_r, scrypt_p);
                else
 #endif
                    pbe = PKCS5_pbe2_set_iv(cipher, iter, NULL, 0, NULL,
                                            pbe_nid);
            } else {
                pbe = PKCS5_pbe_set(pbe_nid, iter, NULL, 0);
            }
-		else
+            if (pbe == NULL) {
-			{
+                BIO_printf(bio_err, "Error setting PBE algorithm\n");
-			if (passout)
+                ERR_print_errors(bio_err);
 				p8pass = passout;
 			else
 				{
 				p8pass = pass;
 				if (EVP_read_pw_string(pass, sizeof pass, "Enter Encryption Password:", 1))
                goto end;
            }
-			app_RAND_load_file(NULL, bio_err, 0);
+            if (passout)
-			if (!(p8 = PKCS8_encrypt(pbe_nid, cipher,
+                p8pass = passout;
-					p8pass, strlen(p8pass),
+            else {
-					NULL, 0, iter, p8inf)))
+                p8pass = pass;
-				{
+                if (EVP_read_pw_string
                    (pass, sizeof pass, "Enter Encryption Password:", 1)) {
                    X509_ALGOR_free(pbe);
                    goto end;
                }
            }
            app_RAND_load_file(NULL, 0);
            p8 = PKCS8_set0_pbe(p8pass, strlen(p8pass), p8inf, pbe);
            if (p8 == NULL) {
                X509_ALGOR_free(pbe);
                BIO_printf(bio_err, "Error encrypting key\n");
                ERR_print_errors(bio_err);
                goto end;
            }
-			app_RAND_write_file(NULL, bio_err);
+            app_RAND_write_file(NULL);
            assert(private);
            if (outformat == FORMAT_PEM)
                PEM_write_bio_PKCS8(out, p8);
            else if (outformat == FORMAT_ASN1)
                i2d_PKCS8_bio(out, p8);
-			else
+            else {
 				{
                BIO_printf(bio_err, "Bad format specified for key\n");
                goto end;
            }
@@ -332,65 +315,54 @@ int MAIN(int argc, char **argv)
        goto end;
    }
-	if (nocrypt)
+    if (nocrypt) {
 		{
        if (informat == FORMAT_PEM)
            p8inf = PEM_read_bio_PKCS8_PRIV_KEY_INFO(in, NULL, NULL, NULL);
        else if (informat == FORMAT_ASN1)
            p8inf = d2i_PKCS8_PRIV_KEY_INFO_bio(in, NULL);
-		else
+        else {
 			{
            BIO_printf(bio_err, "Bad format specified for key\n");
            goto end;
        }
-		}
+    } else {
 	else
 		{
        if (informat == FORMAT_PEM)
            p8 = PEM_read_bio_PKCS8(in, NULL, NULL, NULL);
        else if (informat == FORMAT_ASN1)
            p8 = d2i_PKCS8_bio(in, NULL);
-		else
+        else {
 			{
            BIO_printf(bio_err, "Bad format specified for key\n");
            goto end;
        }
-		if (!p8)
+        if (!p8) {
 			{
            BIO_printf(bio_err, "Error reading key\n");
            ERR_print_errors(bio_err);
            goto end;
        }
        if (passin)
            p8pass = passin;
-		else
+        else {
 			{
            p8pass = pass;
            EVP_read_pw_string(pass, sizeof pass, "Enter Password:", 0);
        }
        p8inf = PKCS8_decrypt(p8, p8pass, strlen(p8pass));
    }
-	if (!p8inf)
+    if (!p8inf) {
 		{
        BIO_printf(bio_err, "Error decrypting key\n");
        ERR_print_errors(bio_err);
        goto end;
    }
-	if (!(pkey = EVP_PKCS82PKEY(p8inf)))
+    if ((pkey = EVP_PKCS82PKEY(p8inf)) == NULL) {
 		{
        BIO_printf(bio_err, "Error converting key\n");
        ERR_print_errors(bio_err);
        goto end;
    }
-	if (p8inf->broken)
+    if (p8inf->broken) {
 		{
        BIO_printf(bio_err, "Warning: broken key encoding: ");
-		switch (p8inf->broken)
+        switch (p8inf->broken) {
 			{
        case PKCS8_NO_OCTET:
            BIO_printf(bio_err, "No Octet String in PrivateKey\n");
            break;
@@ -413,12 +385,12 @@ int MAIN(int argc, char **argv)
        }
    }
    assert(private);
    if (outformat == FORMAT_PEM)
        PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, passout);
    else if (outformat == FORMAT_ASN1)
        i2d_PrivateKey_bio(out, pkey);
-	else
+    else {
 		{
        BIO_printf(bio_err, "Bad format specified for key\n");
        goto end;
    }
@@ -430,9 +402,7 @@ int MAIN(int argc, char **argv)
    EVP_PKEY_free(pkey);
    BIO_free_all(out);
    BIO_free(in);
 	if (passin)
    OPENSSL_free(passin);
 	if (passout)
    OPENSSL_free(passout);
    return ret;
--- a/apps/pkey.c
+++ b/apps/pkey.c
@@ -1,6 +1,6 @@
-/* apps/pkey.c */
+/*
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * project 2006
+ * 2006
 */
 /* ====================================================================
 * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
@@ -62,212 +62,153 @@
 #include <openssl/err.h>
 #include <openssl/evp.h>
-#define PROG pkey_main
+typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_INFORM, OPT_OUTFORM, OPT_PASSIN, OPT_PASSOUT, OPT_ENGINE,
    OPT_IN, OPT_OUT, OPT_PUBIN, OPT_PUBOUT, OPT_TEXT_PUB,
    OPT_TEXT, OPT_NOOUT, OPT_MD
 } OPTION_CHOICE;
-int MAIN(int, char **);
+OPTIONS pkey_options[] = {
    {"help", OPT_HELP, '-', "Display this summary"},
    {"inform", OPT_INFORM, 'F', "Input format (DER or PEM)"},
    {"outform", OPT_OUTFORM, 'F', "Output format (DER or PEM)"},
    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
    {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
    {"in", OPT_IN, '<', "Input file"},
    {"out", OPT_OUT, '>', "Output file"},
    {"pubin", OPT_PUBIN, '-',
     "Read public key from input (default is private key)"},
    {"pubout", OPT_PUBOUT, '-', "Output public key, not private"},
    {"text_pub", OPT_TEXT_PUB, '-', "Only output public key components"},
    {"text", OPT_TEXT, '-', "Output in plaintext as well"},
    {"noout", OPT_NOOUT, '-', "Don't output the key"},
    {"", OPT_MD, '-', "Any supported cipher"},
 #ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
    {NULL}
 };
-int MAIN(int argc, char **argv)
+int pkey_main(int argc, char **argv)
 {
 	ENGINE *e = NULL;
 	char **args, *infile = NULL, *outfile = NULL;
 	char *passargin = NULL, *passargout = NULL;
    BIO *in = NULL, *out = NULL;
-	const EVP_CIPHER *cipher = NULL;
+    ENGINE *e = NULL;
 	int informat, outformat;
 	int pubin = 0, pubout = 0, pubtext = 0, text = 0, noout = 0;
    EVP_PKEY *pkey = NULL;
-	char *passin = NULL, *passout = NULL;
+    const EVP_CIPHER *cipher = NULL;
-	int badarg = 0;
+    char *infile = NULL, *outfile = NULL, *passin = NULL, *passout = NULL;
-#ifndef OPENSSL_NO_ENGINE
+    char *passinarg = NULL, *passoutarg = NULL, *prog;
-	char *engine=NULL;
+    OPTION_CHOICE o;
-#endif
+    int informat = FORMAT_PEM, outformat = FORMAT_PEM;
-	int ret = 1;
+    int pubin = 0, pubout = 0, pubtext = 0, text = 0, noout = 0, ret = 1;
    int private = 0;
-	if (bio_err == NULL)
+    prog = opt_init(argc, argv, pkey_options);
-		bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
+    while ((o = opt_next()) != OPT_EOF) {
-
+        switch (o) {
-	if (!load_config(bio_err, NULL))
+        case OPT_EOF:
        case OPT_ERR:
 opthelp:
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
-
+        case OPT_HELP:
-	informat=FORMAT_PEM;
+            opt_help(pkey_options);
-	outformat=FORMAT_PEM;
+            ret = 0;
-
+            goto end;
-	ERR_load_crypto_strings();
+        case OPT_INFORM:
-	OpenSSL_add_all_algorithms();
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
-	args = argv + 1;
+                goto opthelp;
-	while (!badarg && *args && *args[0] == '-')
+            break;
-		{
+        case OPT_OUTFORM:
-		if (!strcmp(*args,"-inform"))
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
-			{
+                goto opthelp;
-			if (args[1])
+            break;
-				{
+        case OPT_PASSIN:
-				args++;
+            passinarg = opt_arg();
-				informat=str2fmt(*args);
+            break;
-				}
+        case OPT_PASSOUT:
-			else badarg = 1;
+            passoutarg = opt_arg();
-			}
+            break;
-		else if (!strcmp(*args,"-outform"))
+        case OPT_ENGINE:
-			{
+            e = setup_engine(opt_arg(), 0);
-			if (args[1])
+            break;
-				{
+        case OPT_IN:
-				args++;
+            infile = opt_arg();
-				outformat=str2fmt(*args);
+            break;
-				}
+        case OPT_OUT:
-			else badarg = 1;
+            outfile = opt_arg();
-			}
+            break;
-		else if (!strcmp(*args,"-passin"))
+        case OPT_PUBIN:
-			{
+            pubin = pubout = pubtext = 1;
-			if (!args[1]) goto bad;
+            break;
-			passargin= *(++args);
+        case OPT_PUBOUT:
 			}
 		else if (!strcmp(*args,"-passout"))
 			{
 			if (!args[1]) goto bad;
 			passargout= *(++args);
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*args,"-engine") == 0)
 			{
 			if (!args[1]) goto bad;
 			engine= *(++args);
 			}
 #endif
 		else if (!strcmp (*args, "-in"))
 			{
 			if (args[1])
 				{
 				args++;
 				infile = *args;
 				}
 			else badarg = 1;
 			}
 		else if (!strcmp (*args, "-out"))
 			{
 			if (args[1])
 				{
 				args++;
 				outfile = *args;
 				}
 			else badarg = 1;
 			}
 		else if (strcmp(*args,"-pubin") == 0)
 			{
 			pubin=1;
            pubout = 1;
-			pubtext=1;
+            break;
-			}
+        case OPT_TEXT_PUB:
-		else if (strcmp(*args,"-pubout") == 0)
+            pubtext = text = 1;
-			pubout=1;
+            break;
-		else if (strcmp(*args,"-text_pub") == 0)
+        case OPT_TEXT:
 			{
 			pubtext=1;
            text = 1;
-			}
+            break;
-		else if (strcmp(*args,"-text") == 0)
+        case OPT_NOOUT:
 			text=1;
 		else if (strcmp(*args,"-noout") == 0)
            noout = 1;
-		else
+            break;
-			{
+        case OPT_MD:
-			cipher = EVP_get_cipherbyname(*args + 1);
+            if (!opt_cipher(opt_unknown(), &cipher))
-			if (!cipher)
+                goto opthelp;
 				{
 				BIO_printf(bio_err, "Unknown cipher %s\n",
 								*args + 1);
 				badarg = 1;
        }
    }
-		args++;
+    argc = opt_num_rest();
-		}
+    argv = opt_rest();
    private = !noout && !pubout ? 1 : 0;
    if (text && !pubtext)
        private = 1;
-	if (badarg)
+    if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
 		{
 		bad:
 		BIO_printf(bio_err, "Usage pkey [options]\n");
 		BIO_printf(bio_err, "where options are\n");
 		BIO_printf(bio_err, "-in file        input file\n");
 		BIO_printf(bio_err, "-inform X       input format (DER or PEM)\n");
 		BIO_printf(bio_err, "-passin arg     input file pass phrase source\n");
 		BIO_printf(bio_err, "-outform X      output format (DER or PEM)\n");
 		BIO_printf(bio_err, "-out file       output file\n");
 		BIO_printf(bio_err, "-passout arg    output file pass phrase source\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err, "-engine e       use engine e, possibly a hardware device.\n");
 #endif
 		return 1;
 		}
 #ifndef OPENSSL_NO_ENGINE
        e = setup_engine(bio_err, engine, 0);
 #endif
 	if (!app_passwd(bio_err, passargin, passargout, &passin, &passout))
 		{
        BIO_printf(bio_err, "Error getting passwords\n");
        goto end;
    }
-	if (outfile)
+    out = bio_open_owner(outfile, outformat, private);
-		{
+    if (out == NULL)
 		if (!(out = BIO_new_file (outfile, "wb")))
 			{
 			BIO_printf(bio_err,
 				 "Can't open output file %s\n", outfile);
        goto end;
 			}
 		}
 	else
 		{
 		out = BIO_new_fp (stdout, BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 			{
 			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 			out = BIO_push(tmpbio, out);
 			}
 #endif
 		}
    if (pubin)
-		pkey = load_pubkey(bio_err, infile, informat, 1,
+        pkey = load_pubkey(infile, informat, 1, passin, e, "Public Key");
 			passin, e, "Public Key");
    else
-		pkey = load_key(bio_err, infile, informat, 1,
+        pkey = load_key(infile, informat, 1, passin, e, "key");
 			passin, e, "key");
    if (!pkey)
        goto end;
-	if (!noout)
+    if (!noout) {
-		{
+        if (outformat == FORMAT_PEM) {
-		if (outformat == FORMAT_PEM) 
+            assert(private);
 			{
            if (pubout)
                PEM_write_bio_PUBKEY(out, pkey);
            else
                PEM_write_bio_PrivateKey(out, pkey, cipher,
                                         NULL, 0, NULL, passout);
-			}
+        } else if (outformat == FORMAT_ASN1) {
-		else if (outformat == FORMAT_ASN1)
+            assert(private);
 			{
            if (pubout)
                i2d_PUBKEY_bio(out, pkey);
            else
                i2d_PrivateKey_bio(out, pkey);
-			}
+        } else {
 		else
 			{
            BIO_printf(bio_err, "Bad format specified for key\n");
            goto end;
        }
    }
-	if (text)
+    if (text) {
 		{
        if (pubtext)
            EVP_PKEY_print_public(out, pkey, 0, NULL);
-		else
+        else {
            assert(private);
            EVP_PKEY_print_private(out, pkey, 0, NULL);
        }
    }
    ret = 0;
@@ -275,9 +216,7 @@ int MAIN(int argc, char **argv)
    EVP_PKEY_free(pkey);
    BIO_free_all(out);
    BIO_free(in);
 	if (passin)
    OPENSSL_free(passin);
 	if (passout)
    OPENSSL_free(passout);
    return ret;
--- a/apps/pkeyparam.c
+++ b/apps/pkeyparam.c
@@ -1,6 +1,6 @@
-/* apps/pkeyparam.c */
+/*
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * project 2006
+ * 2006
 */
 /* ====================================================================
 * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
@@ -62,122 +62,70 @@
 #include <openssl/err.h>
 #include <openssl/evp.h>
-#define PROG pkeyparam_main
+typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_IN, OPT_OUT, OPT_TEXT, OPT_NOOUT, OPT_ENGINE
 } OPTION_CHOICE;
-int MAIN(int, char **);
+OPTIONS pkeyparam_options[] = {
    {"help", OPT_HELP, '-', "Display this summary"},
    {"in", OPT_IN, '<', "Input file"},
    {"out", OPT_OUT, '>', "Output file"},
    {"text", OPT_TEXT, '-', "Print parameters as text"},
    {"noout", OPT_NOOUT, '-', "Don't output encoded parameters"},
 #ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
    {NULL}
 };
-int MAIN(int argc, char **argv)
+int pkeyparam_main(int argc, char **argv)
 {
 	char **args, *infile = NULL, *outfile = NULL;
    BIO *in = NULL, *out = NULL;
 	int text = 0, noout = 0;
    EVP_PKEY *pkey = NULL;
-	int badarg = 0;
+    int text = 0, noout = 0, ret = 1;
-#ifndef OPENSSL_NO_ENGINE
+    OPTION_CHOICE o;
-	char *engine=NULL;
+    char *infile = NULL, *outfile = NULL, *prog;
 #endif
 	int ret = 1;
-	if (bio_err == NULL)
+    prog = opt_init(argc, argv, pkeyparam_options);
-		bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
+    while ((o = opt_next()) != OPT_EOF) {
-
+        switch (o) {
-	if (!load_config(bio_err, NULL))
+        case OPT_EOF:
        case OPT_ERR:
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
-
+        case OPT_HELP:
-	ERR_load_crypto_strings();
+            opt_help(pkeyparam_options);
-	OpenSSL_add_all_algorithms();
+            ret = 0;
-	args = argv + 1;
+            goto end;
-	while (!badarg && *args && *args[0] == '-')
+        case OPT_IN:
-		{
+            infile = opt_arg();
-		if (!strcmp (*args, "-in"))
+            break;
-			{
+        case OPT_OUT:
-			if (args[1])
+            outfile = opt_arg();
-				{
+            break;
-				args++;
+        case OPT_ENGINE:
-				infile = *args;
+            (void)setup_engine(opt_arg(), 0);
-				}
+            break;
-			else badarg = 1;
+        case OPT_TEXT:
 			}
 		else if (!strcmp (*args, "-out"))
 			{
 			if (args[1])
 				{
 				args++;
 				outfile = *args;
 				}
 			else badarg = 1;
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*args,"-engine") == 0)
 			{
 			if (!args[1]) goto bad;
 			engine= *(++args);
 			}
 #endif
 		else if (strcmp(*args,"-text") == 0)
            text = 1;
-		else if (strcmp(*args,"-noout") == 0)
+            break;
        case OPT_NOOUT:
            noout = 1;
-		args++;
+            break;
        }
 	if (badarg)
 		{
 #ifndef OPENSSL_NO_ENGINE
 		bad:
 #endif
 		BIO_printf(bio_err, "Usage pkeyparam [options]\n");
 		BIO_printf(bio_err, "where options are\n");
 		BIO_printf(bio_err, "-in file        input file\n");
 		BIO_printf(bio_err, "-out file       output file\n");
 		BIO_printf(bio_err, "-text           print parameters as text\n");
 		BIO_printf(bio_err, "-noout          don't output encoded parameters\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err, "-engine e       use engine e, possibly a hardware device.\n");
 #endif
 		return 1;
    }
    argc = opt_num_rest();
    argv = opt_rest();
-#ifndef OPENSSL_NO_ENGINE
+    in = bio_open_default(infile, 'r', FORMAT_PEM);
-        setup_engine(bio_err, engine, 0);
+    if (in == NULL)
 #endif
 	if (infile)
 		{
 		if (!(in = BIO_new_file (infile, "r")))
 			{
 			BIO_printf(bio_err,
 				 "Can't open input file %s\n", infile);
        goto end;
-			}
+    out = bio_open_default(outfile, 'w', FORMAT_PEM);
-		}
+    if (out == NULL)
 	else
 		in = BIO_new_fp (stdin, BIO_NOCLOSE);
 	if (outfile)
 		{
 		if (!(out = BIO_new_file (outfile, "w")))
 			{
 			BIO_printf(bio_err,
 				 "Can't open output file %s\n", outfile);
        goto end;
 			}
 		}
 	else
 		{
 		out = BIO_new_fp (stdout, BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 			{
 			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 			out = BIO_push(tmpbio, out);
 			}
 #endif
 		}
    pkey = PEM_read_bio_Parameters(in, NULL);
-	if (!pkey)
+    if (!pkey) {
 		{
        BIO_printf(bio_err, "Error reading parameters\n");
        ERR_print_errors(bio_err);
        goto end;
--- a/apps/pkeyutl.c
+++ b/apps/pkeyutl.c
@@ -1,5 +1,6 @@
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+/*
- * project 2006.
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
 * 2006.
 */
 /* ====================================================================
 * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
@@ -55,7 +56,6 @@
 *
 */
 #include "apps.h"
 #include <string.h>
 #include <openssl/err.h>
@@ -66,260 +66,220 @@
 #define KEY_PUBKEY      2
 #define KEY_CERT        3
 static void usage(void);
 #undef PROG
 #define PROG pkeyutl_main
 static EVP_PKEY_CTX *init_ctx(int *pkeysize,
                              char *keyfile, int keyform, int key_type,
-				char *passargin, int pkey_op, ENGINE *e);
+                              char *passinarg, int pkey_op, ENGINE *e);
-static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform,
+static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file);
 							const char *file);
 static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
                    unsigned char *out, size_t *poutlen,
                    unsigned char *in, size_t inlen);
-int MAIN(int argc, char **);
+typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_ENGINE, OPT_IN, OPT_OUT,
    OPT_PUBIN, OPT_CERTIN, OPT_ASN1PARSE, OPT_HEXDUMP, OPT_SIGN,
    OPT_VERIFY, OPT_VERIFYRECOVER, OPT_REV, OPT_ENCRYPT, OPT_DECRYPT,
    OPT_DERIVE, OPT_SIGFILE, OPT_INKEY, OPT_PEERKEY, OPT_PASSIN,
    OPT_PEERFORM, OPT_KEYFORM, OPT_PKEYOPT
 } OPTION_CHOICE;
-int MAIN(int argc, char **argv)
+OPTIONS pkeyutl_options[] = {
    {"help", OPT_HELP, '-', "Display this summary"},
    {"in", OPT_IN, '<', "Input file"},
    {"out", OPT_OUT, '>', "Output file"},
    {"pubin", OPT_PUBIN, '-', "Input is a public key"},
    {"certin", OPT_CERTIN, '-', "Input is a cert with a public key"},
    {"asn1parse", OPT_ASN1PARSE, '-'},
    {"hexdump", OPT_HEXDUMP, '-', "Hex dump output"},
    {"sign", OPT_SIGN, '-', "Sign with private key"},
    {"verify", OPT_VERIFY, '-', "Verify with public key"},
    {"verifyrecover", OPT_VERIFYRECOVER, '-',
     "Verify with public key, recover original data"},
    {"rev", OPT_REV, '-'},
    {"encrypt", OPT_ENCRYPT, '-', "Encrypt with public key"},
    {"decrypt", OPT_DECRYPT, '-', "Decrypt with private key"},
    {"derive", OPT_DERIVE, '-', "Derive shared secret"},
    {"sigfile", OPT_SIGFILE, '<', "Signature file (verify operation only)"},
    {"inkey", OPT_INKEY, 's', "Input key"},
    {"peerkey", OPT_PEERKEY, 's'},
    {"passin", OPT_PASSIN, 's', "Pass phrase source"},
    {"peerform", OPT_PEERFORM, 'F'},
    {"keyform", OPT_KEYFORM, 'F', "Private key format - default PEM"},
    {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
 #ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
    {NULL}
 };
 int pkeyutl_main(int argc, char **argv)
 {
    BIO *in = NULL, *out = NULL;
 	char *infile = NULL, *outfile = NULL, *sigfile = NULL;
    ENGINE *e = NULL;
 	int pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY;
 	int keyform = FORMAT_PEM, peerform = FORMAT_PEM;
 	char badarg = 0, rev = 0;
 	char hexdump = 0, asn1parse = 0;
    EVP_PKEY_CTX *ctx = NULL;
-	char *passargin = NULL;
+    char *infile = NULL, *outfile = NULL, *sigfile = NULL, *passinarg = NULL;
-	int keysize = -1;
+    char hexdump = 0, asn1parse = 0, rev = 0, *prog;
    unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL;
-	size_t buf_outlen;
+    OPTION_CHOICE o;
-	int buf_inlen = 0, siglen = -1;
+    int buf_inlen = 0, siglen = -1, keyform = FORMAT_PEM, peerform =
-
+        FORMAT_PEM;
    int keysize = -1, pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY;
    int ret = 1, rv = -1;
    size_t buf_outlen;
-	argc--;
+    prog = opt_init(argc, argv, pkeyutl_options);
-	argv++;
+    while ((o = opt_next()) != OPT_EOF) {
-
+        switch (o) {
-	if(!bio_err) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+        case OPT_EOF:
-
+        case OPT_ERR:
-	if (!load_config(bio_err, NULL))
+ opthelp:
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
-	ERR_load_crypto_strings();
+        case OPT_HELP:
-	OpenSSL_add_all_algorithms();
+            opt_help(pkeyutl_options);
-	
+            ret = 0;
-	while(argc >= 1)
+            goto end;
-		{
+        case OPT_IN:
-		if (!strcmp(*argv,"-in"))
+            infile = opt_arg();
-			{
+            break;
-			if (--argc < 1) badarg = 1;
+        case OPT_OUT:
-                        else infile= *(++argv);
+            outfile = opt_arg();
-			}
+            break;
-		else if (!strcmp(*argv,"-out"))
+        case OPT_SIGFILE:
-			{
+            sigfile = opt_arg();
-			if (--argc < 1) badarg = 1;
+            break;
-			else outfile= *(++argv);
+        case OPT_INKEY:
-			}
+            ctx = init_ctx(&keysize, opt_arg(), keyform, key_type,
-		else if (!strcmp(*argv,"-sigfile"))
+                           passinarg, pkey_op, e);
-			{
+            if (ctx == NULL) {
-			if (--argc < 1) badarg = 1;
+                BIO_puts(bio_err, "%s: Error initializing context\n");
 			else sigfile= *(++argv);
 			}
 		else if(!strcmp(*argv, "-inkey"))
 			{
 			if (--argc < 1)
 				badarg = 1;
 			else
 				{
 				ctx = init_ctx(&keysize,
 						*(++argv), keyform, key_type,
 						passargin, pkey_op, e);
 				if (!ctx)
 					{
 					BIO_puts(bio_err,
 						"Error initializing context\n");
                ERR_print_errors(bio_err);
-					badarg = 1;
+                goto opthelp;
            }
-				}
+            break;
-			}
+        case OPT_PEERKEY:
-		else if (!strcmp(*argv,"-peerkey"))
+            if (!setup_peer(ctx, peerform, opt_arg()))
-			{
+                goto opthelp;
-			if (--argc < 1)
+            break;
-				badarg = 1;
+        case OPT_PASSIN:
-			else if (!setup_peer(bio_err, ctx, peerform, *(++argv)))
+            passinarg = opt_arg();
-				badarg = 1;
+            break;
-			}
+        case OPT_PEERFORM:
-		else if (!strcmp(*argv,"-passin"))
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &peerform))
-			{
+                goto opthelp;
-			if (--argc < 1) badarg = 1;
+            break;
-			else passargin= *(++argv);
+        case OPT_KEYFORM:
-			}
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyform))
-		else if (strcmp(*argv,"-peerform") == 0)
+                goto opthelp;
-			{
+            break;
-			if (--argc < 1) badarg = 1;
+        case OPT_ENGINE:
-			else peerform=str2fmt(*(++argv));
+            e = setup_engine(opt_arg(), 0);
-			}
+            break;
-		else if (strcmp(*argv,"-keyform") == 0)
+        case OPT_PUBIN:
 			{
 			if (--argc < 1) badarg = 1;
 			else keyform=str2fmt(*(++argv));
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if(!strcmp(*argv, "-engine"))
 			{
 			if (--argc < 1)
 				badarg = 1;
 			else
 				e = setup_engine(bio_err, *(++argv), 0);
 			}
 #endif
 		else if(!strcmp(*argv, "-pubin"))
            key_type = KEY_PUBKEY;
-		else if(!strcmp(*argv, "-certin"))
+            break;
        case OPT_CERTIN:
            key_type = KEY_CERT;
-		else if(!strcmp(*argv, "-asn1parse"))
+            break;
        case OPT_ASN1PARSE:
            asn1parse = 1;
-		else if(!strcmp(*argv, "-hexdump"))
+            break;
        case OPT_HEXDUMP:
            hexdump = 1;
-		else if(!strcmp(*argv, "-sign"))
+            break;
        case OPT_SIGN:
            pkey_op = EVP_PKEY_OP_SIGN;
-		else if(!strcmp(*argv, "-verify"))
+            break;
        case OPT_VERIFY:
            pkey_op = EVP_PKEY_OP_VERIFY;
-		else if(!strcmp(*argv, "-verifyrecover"))
+            break;
        case OPT_VERIFYRECOVER:
            pkey_op = EVP_PKEY_OP_VERIFYRECOVER;
-		else if(!strcmp(*argv, "-rev"))
+            break;
        case OPT_REV:
            rev = 1;
-		else if(!strcmp(*argv, "-encrypt"))
+            break;
        case OPT_ENCRYPT:
            pkey_op = EVP_PKEY_OP_ENCRYPT;
-		else if(!strcmp(*argv, "-decrypt"))
+            break;
        case OPT_DECRYPT:
            pkey_op = EVP_PKEY_OP_DECRYPT;
-		else if(!strcmp(*argv, "-derive"))
+            break;
        case OPT_DERIVE:
            pkey_op = EVP_PKEY_OP_DERIVE;
-		else if (strcmp(*argv,"-pkeyopt") == 0)
+            break;
-			{
+        case OPT_PKEYOPT:
-			if (--argc < 1)
+            if (ctx == NULL) {
-				badarg = 1;
+                BIO_printf(bio_err,
-			else if (!ctx)
+                           "%s: Must have -inkey before -pkeyopt\n", prog);
-				{
+                goto opthelp;
 				BIO_puts(bio_err,
 					"-pkeyopt command before -inkey\n");
 				badarg = 1;
            }
-			else if (pkey_ctrl_string(ctx, *(++argv)) <= 0)
+            if (pkey_ctrl_string(ctx, opt_arg()) <= 0) {
-				{
+                BIO_printf(bio_err, "%s: Can't set parameter:\n", prog);
 				BIO_puts(bio_err, "parameter setting error\n");
                ERR_print_errors(bio_err);
                goto end;
            }
            break;
        }
 		else badarg = 1;
 		if(badarg)
 			{
 			usage();
 			goto end;
 			}
 		argc--;
 		argv++;
    }
    argc = opt_num_rest();
    argv = opt_rest();
-	if (!ctx)
+    if (ctx == NULL)
-		{
+        goto opthelp;
-		usage();
+
    if (sigfile && (pkey_op != EVP_PKEY_OP_VERIFY)) {
        BIO_printf(bio_err,
                   "%s: Signature file specified for non verify\n", prog);
        goto end;
    }
-	if (sigfile && (pkey_op != EVP_PKEY_OP_VERIFY))
+    if (!sigfile && (pkey_op == EVP_PKEY_OP_VERIFY)) {
-		{
+        BIO_printf(bio_err,
-		BIO_puts(bio_err, "Signature file specified for non verify\n");
+                   "%s: No signature file specified for verify\n", prog);
 		goto end;
 		}
 	if (!sigfile && (pkey_op == EVP_PKEY_OP_VERIFY))
 		{
 		BIO_puts(bio_err, "No signature file specified for verify\n");
        goto end;
    }
 /* FIXME: seed PRNG only if needed */
-	app_RAND_load_file(NULL, bio_err, 0);
+    app_RAND_load_file(NULL, 0);
-	if (pkey_op != EVP_PKEY_OP_DERIVE)
+    if (pkey_op != EVP_PKEY_OP_DERIVE) {
-		{
+        in = bio_open_default(infile, 'r', FORMAT_BINARY);
-		if(infile)
+        if (in == NULL)
 			{
 			if(!(in = BIO_new_file(infile, "rb")))
 				{
 				BIO_puts(bio_err,
 					"Error Opening Input File\n");
 				ERR_print_errors(bio_err);	
            goto end;
    }
-			}
+    out = bio_open_default(outfile, 'w', FORMAT_BINARY);
-		else
+    if (out == NULL)
 			in = BIO_new_fp(stdin, BIO_NOCLOSE);
 		}
 	if(outfile)
 		{
 		if(!(out = BIO_new_file(outfile, "wb")))
 			{
 			BIO_printf(bio_err, "Error Creating Output File\n");
 			ERR_print_errors(bio_err);	
        goto end;
 			}
 		}
 	else
 		{
 		out = BIO_new_fp(stdout, BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 		{
 		    BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		    out = BIO_push(tmpbio, out);
 		}
 #endif
 	}
-	if (sigfile)
+    if (sigfile) {
 		{
        BIO *sigbio = BIO_new_file(sigfile, "rb");
-		if (!sigbio)
+        if (!sigbio) {
-			{
+            BIO_printf(bio_err, "Can't open signature file %s\n", sigfile);
 			BIO_printf(bio_err, "Can't open signature file %s\n",
 								sigfile);
            goto end;
        }
        siglen = bio_to_mem(&sig, keysize * 10, sigbio);
        BIO_free(sigbio);
-		if (siglen <= 0)
+        if (siglen <= 0) {
 			{
            BIO_printf(bio_err, "Error reading signature data\n");
            goto end;
        }
    }
-	if (in)
+    if (in) {
 		{
        /* Read the input data */
        buf_inlen = bio_to_mem(&buf_in, keysize * 10, in);
-		if(buf_inlen <= 0)
+        if (buf_inlen <= 0) {
 			{
            BIO_printf(bio_err, "Error reading input Data\n");
            exit(1);
        }
-		if(rev)
+        if (rev) {
 			{
            size_t i;
            unsigned char ctmp;
            size_t l = (size_t)buf_inlen;
-			for(i = 0; i < l/2; i++)
+            for (i = 0; i < l / 2; i++) {
 				{
                ctmp = buf_in[i];
                buf_in[i] = buf_in[l - 1 - i];
                buf_in[l - 1 - i] = ctmp;
@@ -327,92 +287,51 @@ int MAIN(int argc, char **argv)
        }
    }
-	if(pkey_op == EVP_PKEY_OP_VERIFY)
+    if (pkey_op == EVP_PKEY_OP_VERIFY) {
 		{
        rv = EVP_PKEY_verify(ctx, sig, (size_t)siglen,
                             buf_in, (size_t)buf_inlen);
-		if (rv == 0)
+        if (rv == 1) {
 			BIO_puts(out, "Signature Verification Failure\n");
 		else if (rv == 1)
            BIO_puts(out, "Signature Verified Successfully\n");
-		if (rv >= 0)
+            ret = 0;
        } else
            BIO_puts(out, "Signature Verification Failure\n");
        goto end;
    }
 	else
 		{	
    rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen,
                  buf_in, (size_t)buf_inlen);
-		if (rv > 0)
+    if (rv > 0) {
-			{
+        buf_out = app_malloc(buf_outlen, "buffer output");
 			buf_out = OPENSSL_malloc(buf_outlen);
 			if (!buf_out)
 				rv = -1;
 			else
        rv = do_keyop(ctx, pkey_op,
                      buf_out, (size_t *)&buf_outlen,
                      buf_in, (size_t)buf_inlen);
    }
-		}
+    if (rv <= 0) {
 	if(rv <= 0)
 		{
 		BIO_printf(bio_err, "Public Key operation error\n");
        ERR_print_errors(bio_err);
        goto end;
    }
    ret = 0;
-	if(asn1parse)
+
-		{
+    if (asn1parse) {
        if (!ASN1_parse_dump(out, buf_out, buf_outlen, 1, -1))
            ERR_print_errors(bio_err);
-		}
+    } else if (hexdump)
 	else if(hexdump)
        BIO_dump(out, (char *)buf_out, buf_outlen);
    else
        BIO_write(out, buf_out, buf_outlen);
 end:
 	if (ctx)
    EVP_PKEY_CTX_free(ctx);
    BIO_free(in);
    BIO_free_all(out);
 	if (buf_in)
    OPENSSL_free(buf_in);
 	if (buf_out)
    OPENSSL_free(buf_out);
 	if (sig)
    OPENSSL_free(sig);
    return ret;
 }
 static void usage()
 {
 	BIO_printf(bio_err, "Usage: pkeyutl [options]\n");
 	BIO_printf(bio_err, "-in file        input file\n");
 	BIO_printf(bio_err, "-out file       output file\n");
 	BIO_printf(bio_err, "-sigfile file signature file (verify operation only)\n");
 	BIO_printf(bio_err, "-inkey file     input key\n");
 	BIO_printf(bio_err, "-keyform arg    private key format - default PEM\n");
 	BIO_printf(bio_err, "-pubin          input is a public key\n");
 	BIO_printf(bio_err, "-certin         input is a certificate carrying a public key\n");
 	BIO_printf(bio_err, "-pkeyopt X:Y    public key options\n");
 	BIO_printf(bio_err, "-sign           sign with private key\n");
 	BIO_printf(bio_err, "-verify         verify with public key\n");
 	BIO_printf(bio_err, "-verifyrecover  verify with public key, recover original data\n");
 	BIO_printf(bio_err, "-encrypt        encrypt with public key\n");
 	BIO_printf(bio_err, "-decrypt        decrypt with private key\n");
 	BIO_printf(bio_err, "-derive         derive shared secret\n");
 	BIO_printf(bio_err, "-hexdump        hex dump output\n");
 #ifndef OPENSSL_NO_ENGINE
 	BIO_printf(bio_err, "-engine e       use engine e, possibly a hardware device.\n");
 #endif
 	BIO_printf(bio_err, "-passin arg     pass phrase source\n");
 }
 static EVP_PKEY_CTX *init_ctx(int *pkeysize,
                              char *keyfile, int keyform, int key_type,
-				char *passargin, int pkey_op, ENGINE *e)
+                              char *passinarg, int pkey_op, ENGINE *e)
 {
    EVP_PKEY *pkey = NULL;
    EVP_PKEY_CTX *ctx = NULL;
@@ -421,33 +340,26 @@ static EVP_PKEY_CTX *init_ctx(int *pkeysize,
    X509 *x;
    if (((pkey_op == EVP_PKEY_OP_SIGN) || (pkey_op == EVP_PKEY_OP_DECRYPT)
         || (pkey_op == EVP_PKEY_OP_DERIVE))
-		&& (key_type != KEY_PRIVKEY))
+        && (key_type != KEY_PRIVKEY)) {
 		{
        BIO_printf(bio_err, "A private key is needed for this operation\n");
        goto end;
    }
-	if(!app_passwd(bio_err, passargin, NULL, &passin, NULL))
+    if (!app_passwd(passinarg, NULL, &passin, NULL)) {
 		{
        BIO_printf(bio_err, "Error getting password\n");
        goto end;
    }
-	switch(key_type)
+    switch (key_type) {
 		{
    case KEY_PRIVKEY:
-		pkey = load_key(bio_err, keyfile, keyform, 0,
+        pkey = load_key(keyfile, keyform, 0, passin, e, "Private Key");
 			passin, e, "Private Key");
        break;
    case KEY_PUBKEY:
-		pkey = load_pubkey(bio_err, keyfile, keyform, 0,
+        pkey = load_pubkey(keyfile, keyform, 0, NULL, e, "Public Key");
 			NULL, e, "Public Key");
        break;
    case KEY_CERT:
-		x = load_cert(bio_err, keyfile, keyform,
+        x = load_cert(keyfile, keyform, NULL, e, "Certificate");
-			NULL, e, "Certificate");
+        if (x) {
 		if(x)
 			{
            pkey = X509_get_pubkey(x);
            X509_free(x);
        }
@@ -464,11 +376,10 @@ static EVP_PKEY_CTX *init_ctx(int *pkeysize,
    EVP_PKEY_free(pkey);
-	if (!ctx)
+    if (ctx == NULL)
        goto end;
-	switch(pkey_op)
+    switch (pkey_op) {
 		{
    case EVP_PKEY_OP_SIGN:
        rv = EVP_PKEY_sign_init(ctx);
        break;
@@ -494,39 +405,31 @@ static EVP_PKEY_CTX *init_ctx(int *pkeysize,
        break;
    }
-	if (rv <= 0)
+    if (rv <= 0) {
 		{
        EVP_PKEY_CTX_free(ctx);
        ctx = NULL;
    }
 end:
 	if (passin)
    OPENSSL_free(passin);
    return ctx;
 }
-static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform,
+static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file)
 							const char *file)
 {
    EVP_PKEY *peer = NULL;
    int ret;
-	if (!ctx)
+    if (!ctx) {
-		{
+        BIO_puts(bio_err, "-peerkey command before -inkey\n");
 		BIO_puts(err, "-peerkey command before -inkey\n");
        return 0;
    }
-	peer = load_pubkey(bio_err, file, peerform, 0, NULL, NULL, "Peer Key");
+    peer = load_pubkey(file, peerform, 0, NULL, NULL, "Peer Key");
-	if (!peer)
+    if (!peer) {
 		{
        BIO_printf(bio_err, "Error reading peer key %s\n", file);
-		ERR_print_errors(err);
+        ERR_print_errors(bio_err);
        return 0;
    }
@@ -534,7 +437,7 @@ static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform,
    EVP_PKEY_free(peer);
    if (ret <= 0)
-		ERR_print_errors(err);
+        ERR_print_errors(bio_err);
    return ret;
 }
@@ -543,8 +446,7 @@ static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
                    unsigned char *in, size_t inlen)
 {
    int rv = 0;
-	switch(pkey_op)
+    switch (pkey_op) {
 		{
    case EVP_PKEY_OP_VERIFYRECOVER:
        rv = EVP_PKEY_verify_recover(ctx, out, poutlen, in, inlen);
        break;
--- a/apps/prime.c
+++ b/apps/prime.c
@@ -52,109 +52,97 @@
 #include "apps.h"
 #include <openssl/bn.h>
 typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_HEX, OPT_GENERATE, OPT_BITS, OPT_SAFE, OPT_CHECKS
 } OPTION_CHOICE;
-#undef PROG
+OPTIONS prime_options[] = {
-#define PROG prime_main
+    {OPT_HELP_STR, 1, '-', "Usage: %s [options] [number...]\n"},
    {OPT_HELP_STR, 1, '-',
        "  number Number to check for primality\n"},
    {"help", OPT_HELP, '-', "Display this summary"},
    {"hex", OPT_HEX, '-', "Hex output"},
    {"generate", OPT_GENERATE, '-', "Generate a prime"},
    {"bits", OPT_BITS, 'p', "Size of number in bits"},
    {"safe", OPT_SAFE, '-',
     "When used with -generate, generate a safe prime"},
    {"checks", OPT_CHECKS, 'p', "Number of checks"},
    {NULL}
 };
-int MAIN(int, char **);
+int prime_main(int argc, char **argv)
 int MAIN(int argc, char **argv)
 {
    int hex=0;
    int checks=20;
    int generate=0;
    int bits=0;
    int safe=0;
    BIGNUM *bn = NULL;
-    BIO *bio_out;
+    int hex = 0, checks = 20, generate = 0, bits = 0, safe = 0, ret = 1;
    char *prog;
    OPTION_CHOICE o;
-    apps_startup();
+    prog = opt_init(argc, argv, prime_options);
-
+    while ((o = opt_next()) != OPT_EOF) {
-    if (bio_err == NULL)
+        switch (o) {
-	if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+        case OPT_EOF:
-	    BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+        case OPT_ERR:
-
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
-    --argc;
+            goto end;
-    ++argv;
+        case OPT_HELP:
-    while (argc >= 1 && **argv == '-')
+            opt_help(prime_options);
-	{
+            ret = 0;
-	if(!strcmp(*argv,"-hex"))
+            goto end;
        case OPT_HEX:
            hex = 1;
-	else if(!strcmp(*argv,"-generate"))
+            break;
        case OPT_GENERATE:
            generate = 1;
-	else if(!strcmp(*argv,"-bits"))
+            break;
-	    if(--argc < 1)
+        case OPT_BITS:
-		goto bad;
+            bits = atoi(opt_arg());
-	    else
+            break;
-		bits=atoi(*++argv);
+        case OPT_SAFE:
 	else if(!strcmp(*argv,"-safe"))
            safe = 1;
-	else if(!strcmp(*argv,"-checks"))
+            break;
-	    if(--argc < 1)
+        case OPT_CHECKS:
-		goto bad;
+            checks = atoi(opt_arg());
-	    else
+            break;
 		checks=atoi(*++argv);
 	else
 	    {
 	    BIO_printf(bio_err,"Unknown option '%s'\n",*argv);
 	    goto bad;
        }
-	--argc;
+    }
-	++argv;
+    argc = opt_num_rest();
    argv = opt_rest();
    if (argc == 0 && !generate) {
        BIO_printf(bio_err, "%s: No prime specified\n", prog);
        goto end;
    }
-    if (argv[0] == NULL && !generate)
+    if (generate) {
 	{
 	BIO_printf(bio_err,"No prime specified\n");
 	goto bad;
 	}
    if ((bio_out=BIO_new(BIO_s_file())) != NULL)
 	{
 	BIO_set_fp(bio_out,stdout,BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 	    {
 	    BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 	    bio_out = BIO_push(tmpbio, bio_out);
 	    }
 #endif
 	}
    if(generate)
 	{
        char *s;
-	if(!bits)
+        if (!bits) {
-	    {
+            BIO_printf(bio_err, "Specify the number of bits.\n");
-	    BIO_printf(bio_err,"Specifiy the number of bits.\n");
+            goto end;
 	    return 1;
        }
        bn = BN_new();
        BN_generate_prime_ex(bn, bits, safe, NULL, NULL, NULL);
        s = hex ? BN_bn2hex(bn) : BN_bn2dec(bn);
        BIO_printf(bio_out, "%s\n", s);
        OPENSSL_free(s);
-	}
+    } else {
-    else
+        for ( ; *argv; argv++) {
 	{
            if (hex)
                BN_hex2bn(&bn, argv[0]);
            else
                BN_dec2bn(&bn, argv[0]);
            BN_print(bio_out, bn);
-	BIO_printf(bio_out," is %sprime\n",
+            BIO_printf(bio_out, " (%s) %s prime\n",
-		   BN_is_prime_ex(bn,checks,NULL,NULL) ? "" : "not ");
+                       argv[0],
                       BN_is_prime_ex(bn, checks, NULL, NULL)
                           ? "is" : "is not");
        }
    }
    BN_free(bn);
    BIO_free_all(bio_out);
-    return 0;
+ end:
-
+    return ret;
    bad:
    BIO_printf(bio_err,"options are\n");
    BIO_printf(bio_err,"%-14s hex\n","-hex");
    BIO_printf(bio_err,"%-14s number of checks\n","-checks <n>");
    return 1;
 }
--- a/apps/progs.h
+++ b/apps/progs.h
@@ -1,366 +1,419 @@
-/* apps/progs.h */
+/*
-/* automatically generated by progs.pl for openssl.c */
+ * Automatically generated by progs.pl for openssl.c
 * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
 * See the openssl.c for copyright details.
 */
 typedef enum FUNC_TYPE {
    FT_none, FT_general, FT_md, FT_cipher, FT_pkey,
    FT_md_alg, FT_cipher_alg
 } FUNC_TYPE;
 typedef struct function_st {
    FUNC_TYPE type;
    const char *name;
    int (*func)(int argc,char *argv[]);
    const OPTIONS *help;
 } FUNCTION;
 extern int verify_main(int argc,char *argv[]);
 extern int asn1parse_main(int argc, char *argv[]);
 extern int req_main(int argc,char *argv[]);
 extern int dgst_main(int argc,char *argv[]);
 extern int dh_main(int argc,char *argv[]);
 extern int dhparam_main(int argc,char *argv[]);
 extern int enc_main(int argc,char *argv[]);
 extern int passwd_main(int argc,char *argv[]);
 extern int gendh_main(int argc,char *argv[]);
 extern int errstr_main(int argc,char *argv[]);
 extern int ca_main(int argc, char *argv[]);
 extern int ciphers_main(int argc, char *argv[]);
 extern int cms_main(int argc, char *argv[]);
 extern int crl_main(int argc, char *argv[]);
-extern int rsa_main(int argc,char *argv[]);
+extern int crl2pkcs7_main(int argc, char *argv[]);
-extern int rsautl_main(int argc,char *argv[]);
+extern int dgst_main(int argc, char *argv[]);
 extern int dhparam_main(int argc, char *argv[]);
 extern int dsa_main(int argc, char *argv[]);
 extern int dsaparam_main(int argc, char *argv[]);
 extern int ec_main(int argc, char *argv[]);
 extern int ecparam_main(int argc, char *argv[]);
-extern int x509_main(int argc,char *argv[]);
+extern int enc_main(int argc, char *argv[]);
-extern int genrsa_main(int argc,char *argv[]);
+extern int engine_main(int argc, char *argv[]);
 extern int errstr_main(int argc, char *argv[]);
 extern int gendsa_main(int argc, char *argv[]);
 extern int genpkey_main(int argc, char *argv[]);
-extern int s_server_main(int argc,char *argv[]);
+extern int genrsa_main(int argc, char *argv[]);
 extern int s_client_main(int argc,char *argv[]);
 extern int speed_main(int argc,char *argv[]);
 extern int s_time_main(int argc,char *argv[]);
 extern int version_main(int argc,char *argv[]);
 extern int pkcs7_main(int argc,char *argv[]);
 extern int cms_main(int argc,char *argv[]);
 extern int crl2pkcs7_main(int argc,char *argv[]);
 extern int sess_id_main(int argc,char *argv[]);
 extern int ciphers_main(int argc,char *argv[]);
 extern int nseq_main(int argc, char *argv[]);
 extern int ocsp_main(int argc, char *argv[]);
 extern int passwd_main(int argc, char *argv[]);
 extern int pkcs12_main(int argc, char *argv[]);
 extern int pkcs7_main(int argc, char *argv[]);
 extern int pkcs8_main(int argc, char *argv[]);
 extern int pkey_main(int argc, char *argv[]);
 extern int pkeyparam_main(int argc, char *argv[]);
 extern int pkeyutl_main(int argc, char *argv[]);
 extern int spkac_main(int argc,char *argv[]);
 extern int smime_main(int argc,char *argv[]);
 extern int rand_main(int argc,char *argv[]);
 extern int engine_main(int argc,char *argv[]);
 extern int ocsp_main(int argc,char *argv[]);
 extern int srp_main(int argc,char *argv[]);
 extern int prime_main(int argc, char *argv[]);
 extern int rand_main(int argc, char *argv[]);
 extern int req_main(int argc, char *argv[]);
 extern int rsa_main(int argc, char *argv[]);
 extern int rsautl_main(int argc, char *argv[]);
 extern int s_client_main(int argc, char *argv[]);
 extern int s_server_main(int argc, char *argv[]);
 extern int s_time_main(int argc, char *argv[]);
 extern int sess_id_main(int argc, char *argv[]);
 extern int smime_main(int argc, char *argv[]);
 extern int speed_main(int argc, char *argv[]);
 extern int spkac_main(int argc, char *argv[]);
 extern int srp_main(int argc, char *argv[]);
 extern int ts_main(int argc, char *argv[]);
 extern int verify_main(int argc, char *argv[]);
 extern int version_main(int argc, char *argv[]);
 extern int x509_main(int argc, char *argv[]);
 extern int rehash_main(int argc, char *argv[]);
 extern int list_main(int argc, char *argv[]);
 extern int help_main(int argc, char *argv[]);
 extern int exit_main(int argc, char *argv[]);
-#define FUNC_TYPE_GENERAL	1
+extern OPTIONS asn1parse_options[];
-#define FUNC_TYPE_MD		2
+extern OPTIONS ca_options[];
-#define FUNC_TYPE_CIPHER	3
+extern OPTIONS ciphers_options[];
-#define FUNC_TYPE_PKEY		4
+extern OPTIONS cms_options[];
-#define FUNC_TYPE_MD_ALG	5
+extern OPTIONS crl_options[];
-#define FUNC_TYPE_CIPHER_ALG	6
+extern OPTIONS crl2pkcs7_options[];
 extern OPTIONS dgst_options[];
 extern OPTIONS dhparam_options[];
 extern OPTIONS dsa_options[];
 extern OPTIONS dsaparam_options[];
 extern OPTIONS ec_options[];
 extern OPTIONS ecparam_options[];
 extern OPTIONS enc_options[];
 extern OPTIONS engine_options[];
 extern OPTIONS errstr_options[];
 extern OPTIONS gendsa_options[];
 extern OPTIONS genpkey_options[];
 extern OPTIONS genrsa_options[];
 extern OPTIONS nseq_options[];
 extern OPTIONS ocsp_options[];
 extern OPTIONS passwd_options[];
 extern OPTIONS pkcs12_options[];
 extern OPTIONS pkcs7_options[];
 extern OPTIONS pkcs8_options[];
 extern OPTIONS pkey_options[];
 extern OPTIONS pkeyparam_options[];
 extern OPTIONS pkeyutl_options[];
 extern OPTIONS prime_options[];
 extern OPTIONS rand_options[];
 extern OPTIONS req_options[];
 extern OPTIONS rsa_options[];
 extern OPTIONS rsautl_options[];
 extern OPTIONS s_client_options[];
 extern OPTIONS s_server_options[];
 extern OPTIONS s_time_options[];
 extern OPTIONS sess_id_options[];
 extern OPTIONS smime_options[];
 extern OPTIONS speed_options[];
 extern OPTIONS spkac_options[];
 extern OPTIONS srp_options[];
 extern OPTIONS ts_options[];
 extern OPTIONS verify_options[];
 extern OPTIONS version_options[];
 extern OPTIONS x509_options[];
 extern OPTIONS rehash_options[];
 extern OPTIONS list_options[];
 extern OPTIONS help_options[];
 extern OPTIONS exit_options[];
-typedef struct {
+#ifdef INCLUDE_FUNCTION_TABLE
-	int type;
+static FUNCTION functions[] = {
-	const char *name;
+    { FT_general, "asn1parse", asn1parse_main, asn1parse_options },
-	int (*func)(int argc,char *argv[]);
+    { FT_general, "ca", ca_main, ca_options },
-	} FUNCTION;
+#if !defined(OPENSSL_NO_SOCK)
-DECLARE_LHASH_OF(FUNCTION);
+    { FT_general, "ciphers", ciphers_main, ciphers_options },
 FUNCTION functions[] = {
 	{FUNC_TYPE_GENERAL,"verify",verify_main},
 	{FUNC_TYPE_GENERAL,"asn1parse",asn1parse_main},
 	{FUNC_TYPE_GENERAL,"req",req_main},
 	{FUNC_TYPE_GENERAL,"dgst",dgst_main},
 #ifndef OPENSSL_NO_DH
 	{FUNC_TYPE_GENERAL,"dh",dh_main},
 #endif
 #ifndef OPENSSL_NO_DH
 	{FUNC_TYPE_GENERAL,"dhparam",dhparam_main},
 #endif
 	{FUNC_TYPE_GENERAL,"enc",enc_main},
 	{FUNC_TYPE_GENERAL,"passwd",passwd_main},
 #ifndef OPENSSL_NO_DH
 	{FUNC_TYPE_GENERAL,"gendh",gendh_main},
 #endif
 	{FUNC_TYPE_GENERAL,"errstr",errstr_main},
 	{FUNC_TYPE_GENERAL,"ca",ca_main},
 	{FUNC_TYPE_GENERAL,"crl",crl_main},
 #ifndef OPENSSL_NO_RSA
 	{FUNC_TYPE_GENERAL,"rsa",rsa_main},
 #endif
 #ifndef OPENSSL_NO_RSA
 	{FUNC_TYPE_GENERAL,"rsautl",rsautl_main},
 #endif
 #ifndef OPENSSL_NO_DSA
 	{FUNC_TYPE_GENERAL,"dsa",dsa_main},
 #endif
 #ifndef OPENSSL_NO_DSA
 	{FUNC_TYPE_GENERAL,"dsaparam",dsaparam_main},
 #endif
 #ifndef OPENSSL_NO_EC
 	{FUNC_TYPE_GENERAL,"ec",ec_main},
 #endif
 #ifndef OPENSSL_NO_EC
 	{FUNC_TYPE_GENERAL,"ecparam",ecparam_main},
 #endif
 	{FUNC_TYPE_GENERAL,"x509",x509_main},
 #ifndef OPENSSL_NO_RSA
 	{FUNC_TYPE_GENERAL,"genrsa",genrsa_main},
 #endif
 #ifndef OPENSSL_NO_DSA
 	{FUNC_TYPE_GENERAL,"gendsa",gendsa_main},
 #endif
 	{FUNC_TYPE_GENERAL,"genpkey",genpkey_main},
 #if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3))
 	{FUNC_TYPE_GENERAL,"s_server",s_server_main},
 #endif
 #if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3))
 	{FUNC_TYPE_GENERAL,"s_client",s_client_main},
 #endif
 #ifndef OPENSSL_NO_SPEED
 	{FUNC_TYPE_GENERAL,"speed",speed_main},
 #endif
 #if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3))
 	{FUNC_TYPE_GENERAL,"s_time",s_time_main},
 #endif
 	{FUNC_TYPE_GENERAL,"version",version_main},
 	{FUNC_TYPE_GENERAL,"pkcs7",pkcs7_main},
 #ifndef OPENSSL_NO_CMS
-	{FUNC_TYPE_GENERAL,"cms",cms_main},
+    { FT_general, "cms", cms_main, cms_options },
 #endif
-	{FUNC_TYPE_GENERAL,"crl2pkcs7",crl2pkcs7_main},
+    { FT_general, "crl", crl_main, crl_options },
-	{FUNC_TYPE_GENERAL,"sess_id",sess_id_main},
+    { FT_general, "crl2pkcs7", crl2pkcs7_main, crl2pkcs7_options },
-#if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3))
+    { FT_general, "dgst", dgst_main, dgst_options },
-	{FUNC_TYPE_GENERAL,"ciphers",ciphers_main},
+#ifndef OPENSSL_NO_DH
    { FT_general, "dhparam", dhparam_main, dhparam_options },
 #endif
-	{FUNC_TYPE_GENERAL,"nseq",nseq_main},
+#ifndef OPENSSL_NO_DSA
-#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_SHA1)
+    { FT_general, "dsa", dsa_main, dsa_options },
 	{FUNC_TYPE_GENERAL,"pkcs12",pkcs12_main},
 #endif
-	{FUNC_TYPE_GENERAL,"pkcs8",pkcs8_main},
+#ifndef OPENSSL_NO_DSA
-	{FUNC_TYPE_GENERAL,"pkey",pkey_main},
+    { FT_general, "dsaparam", dsaparam_main, dsaparam_options },
-	{FUNC_TYPE_GENERAL,"pkeyparam",pkeyparam_main},
+#endif
-	{FUNC_TYPE_GENERAL,"pkeyutl",pkeyutl_main},
+#ifndef OPENSSL_NO_EC
-	{FUNC_TYPE_GENERAL,"spkac",spkac_main},
+    { FT_general, "ec", ec_main, ec_options },
-	{FUNC_TYPE_GENERAL,"smime",smime_main},
+#endif
-	{FUNC_TYPE_GENERAL,"rand",rand_main},
+#ifndef OPENSSL_NO_EC
    { FT_general, "ecparam", ecparam_main, ecparam_options },
 #endif
    { FT_general, "enc", enc_main, enc_options },
 #ifndef OPENSSL_NO_ENGINE
-	{FUNC_TYPE_GENERAL,"engine",engine_main},
+    { FT_general, "engine", engine_main, engine_options },
 #endif
    { FT_general, "errstr", errstr_main, errstr_options },
 #ifndef OPENSSL_NO_DSA
    { FT_general, "gendsa", gendsa_main, gendsa_options },
 #endif
    { FT_general, "genpkey", genpkey_main, genpkey_options },
 #ifndef OPENSSL_NO_RSA
    { FT_general, "genrsa", genrsa_main, genrsa_options },
 #endif
    { FT_general, "nseq", nseq_main, nseq_options },
 #ifndef OPENSSL_NO_OCSP
-	{FUNC_TYPE_GENERAL,"ocsp",ocsp_main},
+    { FT_general, "ocsp", ocsp_main, ocsp_options },
 #endif
    { FT_general, "passwd", passwd_main, passwd_options },
 #if !defined(OPENSSL_NO_DES)
    { FT_general, "pkcs12", pkcs12_main, pkcs12_options },
 #endif
    { FT_general, "pkcs7", pkcs7_main, pkcs7_options },
    { FT_general, "pkcs8", pkcs8_main, pkcs8_options },
    { FT_general, "pkey", pkey_main, pkey_options },
    { FT_general, "pkeyparam", pkeyparam_main, pkeyparam_options },
    { FT_general, "pkeyutl", pkeyutl_main, pkeyutl_options },
    { FT_general, "prime", prime_main, prime_options },
    { FT_general, "rand", rand_main, rand_options },
    { FT_general, "req", req_main, req_options },
 #ifndef OPENSSL_NO_RSA
    { FT_general, "rsa", rsa_main, rsa_options },
 #endif
 #ifndef OPENSSL_NO_RSA
    { FT_general, "rsautl", rsautl_main, rsautl_options },
 #endif
 #if !defined(OPENSSL_NO_SOCK)
    { FT_general, "s_client", s_client_main, s_client_options },
 #endif
 #if !defined(OPENSSL_NO_SOCK)
    { FT_general, "s_server", s_server_main, s_server_options },
 #endif
 #if !defined(OPENSSL_NO_SOCK)
    { FT_general, "s_time", s_time_main, s_time_options },
 #endif
    { FT_general, "sess_id", sess_id_main, sess_id_options },
    { FT_general, "smime", smime_main, smime_options },
    { FT_general, "speed", speed_main, speed_options },
    { FT_general, "spkac", spkac_main, spkac_options },
 #ifndef OPENSSL_NO_SRP
-	{FUNC_TYPE_GENERAL,"srp",srp_main},
+    { FT_general, "srp", srp_main, srp_options },
 #endif
-	{FUNC_TYPE_GENERAL,"prime",prime_main},
+    { FT_general, "ts", ts_main, ts_options },
-	{FUNC_TYPE_GENERAL,"ts",ts_main},
+    { FT_general, "verify", verify_main, verify_options },
    { FT_general, "version", version_main, version_options },
    { FT_general, "x509", x509_main, x509_options },
    { FT_general, "rehash", rehash_main, rehash_options },
    { FT_general, "list", list_main, list_options },
    { FT_general, "help", help_main, help_options },
    { FT_general, "exit", exit_main, exit_options },
 #ifndef OPENSSL_NO_MD2
-	{FUNC_TYPE_MD,"md2",dgst_main},
+    { FT_md, "md2", dgst_main},
 #endif
 #ifndef OPENSSL_NO_MD4
-	{FUNC_TYPE_MD,"md4",dgst_main},
+    { FT_md, "md4", dgst_main},
 #endif
 #ifndef OPENSSL_NO_MD5
-	{FUNC_TYPE_MD,"md5",dgst_main},
+    { FT_md, "md5", dgst_main},
 #endif
-#ifndef OPENSSL_NO_SHA
+#ifndef OPENSSL_NO_MD_GHOST94
-	{FUNC_TYPE_MD,"sha",dgst_main},
+    { FT_md, "md_ghost94", dgst_main},
 #endif
 #ifndef OPENSSL_NO_SHA1
 	{FUNC_TYPE_MD,"sha1",dgst_main},
 #endif
    { FT_md, "sha", dgst_main},
    { FT_md, "sha1", dgst_main},
    { FT_md, "sha224", dgst_main},
    { FT_md, "sha256", dgst_main},
    { FT_md, "sha384", dgst_main},
    { FT_md, "sha512", dgst_main},
 #ifndef OPENSSL_NO_MDC2
-	{FUNC_TYPE_MD,"mdc2",dgst_main},
+    { FT_md, "mdc2", dgst_main},
 #endif
 #ifndef OPENSSL_NO_RMD160
-	{FUNC_TYPE_MD,"rmd160",dgst_main},
+    { FT_md, "rmd160", dgst_main},
 #endif
 #ifndef OPENSSL_NO_AES
-	{FUNC_TYPE_CIPHER,"aes-128-cbc",enc_main},
+    { FT_cipher, "aes-128-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_AES
-	{FUNC_TYPE_CIPHER,"aes-128-ecb",enc_main},
+    { FT_cipher, "aes-128-ecb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_AES
-	{FUNC_TYPE_CIPHER,"aes-192-cbc",enc_main},
+    { FT_cipher, "aes-192-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_AES
-	{FUNC_TYPE_CIPHER,"aes-192-ecb",enc_main},
+    { FT_cipher, "aes-192-ecb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_AES
-	{FUNC_TYPE_CIPHER,"aes-256-cbc",enc_main},
+    { FT_cipher, "aes-256-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_AES
-	{FUNC_TYPE_CIPHER,"aes-256-ecb",enc_main},
+    { FT_cipher, "aes-256-ecb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
-	{FUNC_TYPE_CIPHER,"camellia-128-cbc",enc_main},
+    { FT_cipher, "camellia-128-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
-	{FUNC_TYPE_CIPHER,"camellia-128-ecb",enc_main},
+    { FT_cipher, "camellia-128-ecb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
-	{FUNC_TYPE_CIPHER,"camellia-192-cbc",enc_main},
+    { FT_cipher, "camellia-192-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
-	{FUNC_TYPE_CIPHER,"camellia-192-ecb",enc_main},
+    { FT_cipher, "camellia-192-ecb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
-	{FUNC_TYPE_CIPHER,"camellia-256-cbc",enc_main},
+    { FT_cipher, "camellia-256-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
-	{FUNC_TYPE_CIPHER,"camellia-256-ecb",enc_main},
+    { FT_cipher, "camellia-256-ecb", enc_main, enc_options },
 #endif
-	{FUNC_TYPE_CIPHER,"base64",enc_main},
+    { FT_cipher, "base64", enc_main, enc_options },
 #ifdef ZLIB
-	{FUNC_TYPE_CIPHER,"zlib",enc_main},
+    { FT_cipher, "zlib", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_DES
-	{FUNC_TYPE_CIPHER,"des",enc_main},
+    { FT_cipher, "des", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_DES
-	{FUNC_TYPE_CIPHER,"des3",enc_main},
+    { FT_cipher, "des3", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_DES
-	{FUNC_TYPE_CIPHER,"desx",enc_main},
+    { FT_cipher, "desx", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_IDEA
-	{FUNC_TYPE_CIPHER,"idea",enc_main},
+    { FT_cipher, "idea", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_SEED
-	{FUNC_TYPE_CIPHER,"seed",enc_main},
+    { FT_cipher, "seed", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_RC4
-	{FUNC_TYPE_CIPHER,"rc4",enc_main},
+    { FT_cipher, "rc4", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_RC4
-	{FUNC_TYPE_CIPHER,"rc4-40",enc_main},
+    { FT_cipher, "rc4-40", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_RC2
-	{FUNC_TYPE_CIPHER,"rc2",enc_main},
+    { FT_cipher, "rc2", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_BF
-	{FUNC_TYPE_CIPHER,"bf",enc_main},
+    { FT_cipher, "bf", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_CAST
-	{FUNC_TYPE_CIPHER,"cast",enc_main},
+    { FT_cipher, "cast", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_RC5
-	{FUNC_TYPE_CIPHER,"rc5",enc_main},
+    { FT_cipher, "rc5", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_DES
-	{FUNC_TYPE_CIPHER,"des-ecb",enc_main},
+    { FT_cipher, "des-ecb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_DES
-	{FUNC_TYPE_CIPHER,"des-ede",enc_main},
+    { FT_cipher, "des-ede", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_DES
-	{FUNC_TYPE_CIPHER,"des-ede3",enc_main},
+    { FT_cipher, "des-ede3", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_DES
-	{FUNC_TYPE_CIPHER,"des-cbc",enc_main},
+    { FT_cipher, "des-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_DES
-	{FUNC_TYPE_CIPHER,"des-ede-cbc",enc_main},
+    { FT_cipher, "des-ede-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_DES
-	{FUNC_TYPE_CIPHER,"des-ede3-cbc",enc_main},
+    { FT_cipher, "des-ede3-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_DES
-	{FUNC_TYPE_CIPHER,"des-cfb",enc_main},
+    { FT_cipher, "des-cfb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_DES
-	{FUNC_TYPE_CIPHER,"des-ede-cfb",enc_main},
+    { FT_cipher, "des-ede-cfb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_DES
-	{FUNC_TYPE_CIPHER,"des-ede3-cfb",enc_main},
+    { FT_cipher, "des-ede3-cfb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_DES
-	{FUNC_TYPE_CIPHER,"des-ofb",enc_main},
+    { FT_cipher, "des-ofb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_DES
-	{FUNC_TYPE_CIPHER,"des-ede-ofb",enc_main},
+    { FT_cipher, "des-ede-ofb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_DES
-	{FUNC_TYPE_CIPHER,"des-ede3-ofb",enc_main},
+    { FT_cipher, "des-ede3-ofb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_IDEA
-	{FUNC_TYPE_CIPHER,"idea-cbc",enc_main},
+    { FT_cipher, "idea-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_IDEA
-	{FUNC_TYPE_CIPHER,"idea-ecb",enc_main},
+    { FT_cipher, "idea-ecb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_IDEA
-	{FUNC_TYPE_CIPHER,"idea-cfb",enc_main},
+    { FT_cipher, "idea-cfb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_IDEA
-	{FUNC_TYPE_CIPHER,"idea-ofb",enc_main},
+    { FT_cipher, "idea-ofb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_SEED
-	{FUNC_TYPE_CIPHER,"seed-cbc",enc_main},
+    { FT_cipher, "seed-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_SEED
-	{FUNC_TYPE_CIPHER,"seed-ecb",enc_main},
+    { FT_cipher, "seed-ecb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_SEED
-	{FUNC_TYPE_CIPHER,"seed-cfb",enc_main},
+    { FT_cipher, "seed-cfb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_SEED
-	{FUNC_TYPE_CIPHER,"seed-ofb",enc_main},
+    { FT_cipher, "seed-ofb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_RC2
-	{FUNC_TYPE_CIPHER,"rc2-cbc",enc_main},
+    { FT_cipher, "rc2-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_RC2
-	{FUNC_TYPE_CIPHER,"rc2-ecb",enc_main},
+    { FT_cipher, "rc2-ecb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_RC2
-	{FUNC_TYPE_CIPHER,"rc2-cfb",enc_main},
+    { FT_cipher, "rc2-cfb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_RC2
-	{FUNC_TYPE_CIPHER,"rc2-ofb",enc_main},
+    { FT_cipher, "rc2-ofb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_RC2
-	{FUNC_TYPE_CIPHER,"rc2-64-cbc",enc_main},
+    { FT_cipher, "rc2-64-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_RC2
-	{FUNC_TYPE_CIPHER,"rc2-40-cbc",enc_main},
+    { FT_cipher, "rc2-40-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_BF
-	{FUNC_TYPE_CIPHER,"bf-cbc",enc_main},
+    { FT_cipher, "bf-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_BF
-	{FUNC_TYPE_CIPHER,"bf-ecb",enc_main},
+    { FT_cipher, "bf-ecb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_BF
-	{FUNC_TYPE_CIPHER,"bf-cfb",enc_main},
+    { FT_cipher, "bf-cfb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_BF
-	{FUNC_TYPE_CIPHER,"bf-ofb",enc_main},
+    { FT_cipher, "bf-ofb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_CAST
-	{FUNC_TYPE_CIPHER,"cast5-cbc",enc_main},
+    { FT_cipher, "cast5-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_CAST
-	{FUNC_TYPE_CIPHER,"cast5-ecb",enc_main},
+    { FT_cipher, "cast5-ecb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_CAST
-	{FUNC_TYPE_CIPHER,"cast5-cfb",enc_main},
+    { FT_cipher, "cast5-cfb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_CAST
-	{FUNC_TYPE_CIPHER,"cast5-ofb",enc_main},
+    { FT_cipher, "cast5-ofb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_CAST
-	{FUNC_TYPE_CIPHER,"cast-cbc",enc_main},
+    { FT_cipher, "cast-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_RC5
-	{FUNC_TYPE_CIPHER,"rc5-cbc",enc_main},
+    { FT_cipher, "rc5-cbc", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_RC5
-	{FUNC_TYPE_CIPHER,"rc5-ecb",enc_main},
+    { FT_cipher, "rc5-ecb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_RC5
-	{FUNC_TYPE_CIPHER,"rc5-cfb",enc_main},
+    { FT_cipher, "rc5-cfb", enc_main, enc_options },
 #endif
 #ifndef OPENSSL_NO_RC5
-	{FUNC_TYPE_CIPHER,"rc5-ofb",enc_main},
+    { FT_cipher, "rc5-ofb", enc_main, enc_options },
 #endif
    { 0, NULL, NULL}
 };
 #endif
--- a/apps/progs.pl
+++ b/apps/progs.pl
@@ -1,64 +1,81 @@
 #!/usr/local/bin/perl
-
+# Generate progs.h file from list of "programs" passed on the command line.
 print "/* apps/progs.h */\n";
 print "/* automatically generated by progs.pl for openssl.c */\n\n";
 grep(s/^asn1pars$/asn1parse/,@ARGV);
 foreach (@ARGV)
 	{ printf "extern int %s_main(int argc,char *argv[]);\n",$_; }
 print <<'EOF';
 /*
 * Automatically generated by progs.pl for openssl.c
 * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
 * See the openssl.c for copyright details.
 */
-#define FUNC_TYPE_GENERAL	1
+typedef enum FUNC_TYPE {
-#define FUNC_TYPE_MD		2
+    FT_none, FT_general, FT_md, FT_cipher, FT_pkey,
-#define FUNC_TYPE_CIPHER	3
+    FT_md_alg, FT_cipher_alg
-#define FUNC_TYPE_PKEY		4
+} FUNC_TYPE;
 #define FUNC_TYPE_MD_ALG	5
 #define FUNC_TYPE_CIPHER_ALG	6
-typedef struct {
+typedef struct function_st {
-	int type;
+    FUNC_TYPE type;
    const char *name;
    int (*func)(int argc,char *argv[]);
    const OPTIONS *help;
 } FUNCTION;
 DECLARE_LHASH_OF(FUNCTION);
 FUNCTION functions[] = {
 EOF
-foreach (@ARGV)
+grep(s/\.o//, @ARGV);
-	{
+grep(s/^asn1pars$/asn1parse/, @ARGV);
-	push(@files,$_);
+grep(s/^crl2p7$/crl2pkcs7/, @ARGV);
-	$str="\t{FUNC_TYPE_GENERAL,\"$_\",${_}_main},\n";
+push @ARGV, 'list';
-	if (($_ =~ /^s_/) || ($_ =~ /^ciphers$/))
+push @ARGV, 'help';
-		{ print "#if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3))\n${str}#endif\n"; } 
+push @ARGV, 'exit';
-	elsif ( ($_ =~ /^speed$/))
+
-		{ print "#ifndef OPENSSL_NO_SPEED\n${str}#endif\n"; }
+foreach (@ARGV) {
-	elsif ( ($_ =~ /^engine$/))
+	printf "extern int %s_main(int argc, char *argv[]);\n", $_;
 		{ print "#ifndef OPENSSL_NO_ENGINE\n${str}#endif\n"; }
 	elsif ( ($_ =~ /^rsa$/) || ($_ =~ /^genrsa$/) || ($_ =~ /^rsautl$/)) 
 		{ print "#ifndef OPENSSL_NO_RSA\n${str}#endif\n";  }
 	elsif ( ($_ =~ /^dsa$/) || ($_ =~ /^gendsa$/) || ($_ =~ /^dsaparam$/))
 		{ print "#ifndef OPENSSL_NO_DSA\n${str}#endif\n"; }
 	elsif ( ($_ =~ /^ec$/) || ($_ =~ /^ecparam$/))
 		{ print "#ifndef OPENSSL_NO_EC\n${str}#endif\n";}
 	elsif ( ($_ =~ /^dh$/) || ($_ =~ /^gendh$/) || ($_ =~ /^dhparam$/))
 		{ print "#ifndef OPENSSL_NO_DH\n${str}#endif\n"; }
 	elsif ( ($_ =~ /^pkcs12$/))
 		{ print "#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_SHA1)\n${str}#endif\n"; }
 	elsif ( ($_ =~ /^cms$/))
 		{ print "#ifndef OPENSSL_NO_CMS\n${str}#endif\n"; }
 	elsif ( ($_ =~ /^ocsp$/))
 		{ print "#ifndef OPENSSL_NO_OCSP\n${str}#endif\n"; }
 	else
 		{ print $str; }
 }
-foreach ("md2","md4","md5","sha","sha1","mdc2","rmd160")
+print "\n";
-	{
+
-	push(@files,$_);
+foreach (@ARGV) {
-	printf "#ifndef OPENSSL_NO_".uc($_)."\n\t{FUNC_TYPE_MD,\"".$_."\",dgst_main},\n#endif\n";
+	printf "extern OPTIONS %s_options[];\n", $_;
 }
 print "\n#ifdef INCLUDE_FUNCTION_TABLE\n";
 print "static FUNCTION functions[] = {\n";
 foreach (@ARGV) {
 	$str="    { FT_general, \"$_\", ${_}_main, ${_}_options },\n";
 	if (/^s_/ || /^ciphers$/) {
 		print "#if !defined(OPENSSL_NO_SOCK)\n${str}#endif\n";
 	} elsif (/^engine$/) {
 		print "#ifndef OPENSSL_NO_ENGINE\n${str}#endif\n";
 	} elsif (/^rsa$/ || /^genrsa$/ || /^rsautl$/) {
 		print "#ifndef OPENSSL_NO_RSA\n${str}#endif\n";
 	} elsif (/^dsa$/ || /^gendsa$/ || /^dsaparam$/) {
 		print "#ifndef OPENSSL_NO_DSA\n${str}#endif\n";
 	} elsif (/^ec$/ || /^ecparam$/) {
 		print "#ifndef OPENSSL_NO_EC\n${str}#endif\n";
 	} elsif (/^dh$/ || /^gendh$/ || /^dhparam$/) {
 		print "#ifndef OPENSSL_NO_DH\n${str}#endif\n";
 	} elsif (/^pkcs12$/) {
 		print "#if !defined(OPENSSL_NO_DES)\n${str}#endif\n";
 	} elsif (/^cms$/) {
 		print "#ifndef OPENSSL_NO_CMS\n${str}#endif\n";
 	} elsif (/^ocsp$/) {
 		print "#ifndef OPENSSL_NO_OCSP\n${str}#endif\n";
 	} elsif (/^srp$/) {
 		print "#ifndef OPENSSL_NO_SRP\n${str}#endif\n";
 	} else {
 		print $str;
 	}
 }
 foreach (
 	"md2", "md4", "md5",
 	"md_ghost94",
 	"sha", "sha1", "sha224", "sha256", "sha384", "sha512",
 	"mdc2", "rmd160"
 ) {
        printf "#ifndef OPENSSL_NO_".uc($_)."\n" if ! /sha/;
        printf "    { FT_md, \"".$_."\", dgst_main},\n";
        printf "#endif\n" if ! /sha/;
 }
 foreach (
@@ -80,23 +97,35 @@ foreach (
 	"rc2-cbc", "rc2-ecb", "rc2-cfb","rc2-ofb", "rc2-64-cbc", "rc2-40-cbc",
 	"bf-cbc",  "bf-ecb",     "bf-cfb",   "bf-ofb",
 	"cast5-cbc","cast5-ecb", "cast5-cfb","cast5-ofb",
-	"cast-cbc", "rc5-cbc",   "rc5-ecb",  "rc5-cfb",  "rc5-ofb")
+	"cast-cbc", "rc5-cbc",   "rc5-ecb",  "rc5-cfb",  "rc5-ofb"
-	{
+) {
-	push(@files,$_);
+	$str="    { FT_cipher, \"$_\", enc_main, enc_options },\n";
-
+	if (/des/) {
-	$t=sprintf("\t{FUNC_TYPE_CIPHER,\"%s\",enc_main},\n",$_);
+		printf "#ifndef OPENSSL_NO_DES\n${str}#endif\n";
-	if    ($_ =~ /des/)  { $t="#ifndef OPENSSL_NO_DES\n${t}#endif\n"; }
+	} elsif (/aes/) {
-	elsif ($_ =~ /aes/)  { $t="#ifndef OPENSSL_NO_AES\n${t}#endif\n"; }
+		printf "#ifndef OPENSSL_NO_AES\n${str}#endif\n";
-	elsif ($_ =~ /camellia/)  { $t="#ifndef OPENSSL_NO_CAMELLIA\n${t}#endif\n"; }
+	} elsif (/camellia/) {
-	elsif ($_ =~ /idea/) { $t="#ifndef OPENSSL_NO_IDEA\n${t}#endif\n"; }
+		printf "#ifndef OPENSSL_NO_CAMELLIA\n${str}#endif\n";
-	elsif ($_ =~ /seed/) { $t="#ifndef OPENSSL_NO_SEED\n${t}#endif\n"; }
+	} elsif (/idea/) {
-	elsif ($_ =~ /rc4/)  { $t="#ifndef OPENSSL_NO_RC4\n${t}#endif\n"; }
+		printf "#ifndef OPENSSL_NO_IDEA\n${str}#endif\n";
-	elsif ($_ =~ /rc2/)  { $t="#ifndef OPENSSL_NO_RC2\n${t}#endif\n"; }
+	} elsif (/seed/) {
-	elsif ($_ =~ /bf/)   { $t="#ifndef OPENSSL_NO_BF\n${t}#endif\n"; }
+		printf "#ifndef OPENSSL_NO_SEED\n${str}#endif\n";
-	elsif ($_ =~ /cast/) { $t="#ifndef OPENSSL_NO_CAST\n${t}#endif\n"; }
+	} elsif (/rc4/) {
-	elsif ($_ =~ /rc5/)  { $t="#ifndef OPENSSL_NO_RC5\n${t}#endif\n"; }
+		printf "#ifndef OPENSSL_NO_RC4\n${str}#endif\n";
-	elsif ($_ =~ /zlib/)  { $t="#ifdef ZLIB\n${t}#endif\n"; }
+	} elsif (/rc2/) {
-	print $t;
+		printf "#ifndef OPENSSL_NO_RC2\n${str}#endif\n";
 	} elsif (/bf/) {
 		printf "#ifndef OPENSSL_NO_BF\n${str}#endif\n";
 	} elsif (/cast/) {
 		printf "#ifndef OPENSSL_NO_CAST\n${str}#endif\n";
 	} elsif (/rc5/) {
 		printf "#ifndef OPENSSL_NO_RC5\n${str}#endif\n";
 	} elsif (/zlib/) {
 		printf "#ifdef ZLIB\n${str}#endif\n";
 	} else {
 		print $str;
 	}
 }
-print "\t{0,NULL,NULL}\n\t};\n";
+print "    { 0, NULL, NULL}\n};\n";
 printf "#endif\n";
--- a/apps/rand.c
+++ b/apps/rand.c
@@ -1,4 +1,3 @@
 /* apps/rand.c */
 /* ====================================================================
 * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
 *
@@ -63,154 +62,87 @@
 #include <openssl/err.h>
 #include <openssl/rand.h>
-#undef PROG
+typedef enum OPTION_choice {
-#define PROG rand_main
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_OUT, OPT_ENGINE, OPT_RAND, OPT_BASE64, OPT_HEX
 } OPTION_CHOICE;
-/* -out file         - write to file
+OPTIONS rand_options[] = {
- * -rand file:file   - PRNG seed files
+    {OPT_HELP_STR, 1, '-', "Usage: %s [flags] num\n"},
- * -base64           - base64 encode output
+    {OPT_HELP_STR, 1, '-', "Valid options are:\n"},
- * -hex              - hex encode output
+    {"help", OPT_HELP, '-', "Display this summary"},
- * num               - write 'num' bytes
+    {"out", OPT_OUT, '>', "Output file"},
- */
+    {"rand", OPT_RAND, 's',
     "Load the file(s) into the random number generator"},
    {"base64", OPT_BASE64, '-', "Base64 encode output"},
    {"hex", OPT_HEX, '-', "Hex encode output"},
 #ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
    {NULL}
 };
-int MAIN(int, char **);
+int rand_main(int argc, char **argv)
 int MAIN(int argc, char **argv)
 {
 	int i, r, ret = 1;
 	int badopt;
 	char *outfile = NULL;
 	char *inrand = NULL;
 	int base64 = 0;
 	int hex = 0;
    BIO *out = NULL;
-	int num = -1;
+    char *inrand = NULL, *outfile = NULL, *prog;
-#ifndef OPENSSL_NO_ENGINE
+    OPTION_CHOICE o;
-	char *engine=NULL;
+    int format = FORMAT_BINARY, i, num = -1, r, ret = 1;
 #endif
-	apps_startup();
+    prog = opt_init(argc, argv, rand_options);
    while ((o = opt_next()) != OPT_EOF) {
        switch (o) {
        case OPT_EOF:
        case OPT_ERR:
 opthelp:
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
        case OPT_HELP:
            opt_help(rand_options);
            ret = 0;
            goto end;
        case OPT_OUT:
            outfile = opt_arg();
            break;
        case OPT_ENGINE:
            (void)setup_engine(opt_arg(), 0);
            break;
        case OPT_RAND:
            inrand = opt_arg();
            break;
        case OPT_BASE64:
            format = FORMAT_BASE64;
            break;
        case OPT_HEX:
            format = FORMAT_TEXT;
            break;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
-	if (bio_err == NULL)
+    if (argc != 1)
-		if ((bio_err = BIO_new(BIO_s_file())) != NULL)
+        goto opthelp;
-			BIO_set_fp(bio_err, stderr, BIO_NOCLOSE|BIO_FP_TEXT);
+    if (sscanf(argv[0], "%d", &num) != 1 || num < 0)
        goto opthelp;
-	if (!load_config(bio_err, NULL))
+    app_RAND_load_file(NULL, (inrand != NULL));
 		goto err;
 	badopt = 0;
 	i = 0;
 	while (!badopt && argv[++i] != NULL)
 		{
 		if (strcmp(argv[i], "-out") == 0)
 			{
 			if ((argv[i+1] != NULL) && (outfile == NULL))
 				outfile = argv[++i];
 			else
 				badopt = 1;
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(argv[i], "-engine") == 0)
 			{
 			if ((argv[i+1] != NULL) && (engine == NULL))
 				engine = argv[++i];
 			else
 				badopt = 1;
 			}
 #endif
 		else if (strcmp(argv[i], "-rand") == 0)
 			{
 			if ((argv[i+1] != NULL) && (inrand == NULL))
 				inrand = argv[++i];
 			else
 				badopt = 1;
 			}
 		else if (strcmp(argv[i], "-base64") == 0)
 			{
 			if (!base64)
 				base64 = 1;
 			else
 				badopt = 1;
 			}
 		else if (strcmp(argv[i], "-hex") == 0)
 			{
 			if (!hex)
 				hex = 1;
 			else
 				badopt = 1;
 			}
 		else if (isdigit((unsigned char)argv[i][0]))
 			{
 			if (num < 0)
 				{
 				r = sscanf(argv[i], "%d", &num);
 				if (r == 0 || num < 0)
 					badopt = 1;
 				}
 			else
 				badopt = 1;
 			}
 		else
 			badopt = 1;
 		}
 	if (hex && base64)
 		badopt = 1;
 	if (num < 0)
 		badopt = 1;
 	if (badopt) 
 		{
 		BIO_printf(bio_err, "Usage: rand [options] num\n");
 		BIO_printf(bio_err, "where options are\n");
 		BIO_printf(bio_err, "-out file             - write to file\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err, "-engine e             - use engine e, possibly a hardware device.\n");
 #endif
 		BIO_printf(bio_err, "-rand file%cfile%c... - seed PRNG from files\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err, "-base64               - base64 encode output\n");
 		BIO_printf(bio_err, "-hex                  - hex encode output\n");
 		goto err;
 		}
 #ifndef OPENSSL_NO_ENGINE
        setup_engine(bio_err, engine, 0);
 #endif
 	app_RAND_load_file(NULL, bio_err, (inrand != NULL));
    if (inrand != NULL)
        BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
                   app_RAND_load_files(inrand));
-	out = BIO_new(BIO_s_file());
+    out = bio_open_default(outfile, 'w', format);
    if (out == NULL)
-		goto err;
+        goto end;
 	if (outfile != NULL)
 		r = BIO_write_filename(out, outfile);
 	else
 		{
 		r = BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
 #ifdef OPENSSL_SYS_VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	if (r <= 0)
 		goto err;
-	if (base64)
+    if (format == FORMAT_BASE64) {
 		{
        BIO *b64 = BIO_new(BIO_f_base64());
        if (b64 == NULL)
-			goto err;
+            goto end;
        out = BIO_push(b64, out);
    }
-	while (num > 0) 
+    while (num > 0) {
 		{
        unsigned char buf[4096];
        int chunk;
@@ -219,27 +151,23 @@ int MAIN(int argc, char **argv)
            chunk = sizeof buf;
        r = RAND_bytes(buf, chunk);
        if (r <= 0)
-			goto err;
+            goto end;
-		if (!hex) 
+        if (format != FORMAT_TEXT) /* hex */
            BIO_write(out, buf, chunk);
-		else
+        else {
 			{
            for (i = 0; i < chunk; i++)
                BIO_printf(out, "%02x", buf[i]);
        }
        num -= chunk;
    }
-	if (hex)
+    if (format == FORMAT_TEXT)
        BIO_puts(out, "\n");
    (void)BIO_flush(out);
-	app_RAND_write_file(NULL, bio_err);
+    app_RAND_write_file(NULL);
    ret = 0;
-err:
+ end:
 	ERR_print_errors(bio_err);
 	if (out)
    BIO_free_all(out);
-	apps_shutdown();
+    return (ret);
 	OPENSSL_EXIT(ret);
 }
--- a/apps/rehash.c
+++ b/apps/rehash.c
@@ -0,0 +1,494 @@
 /*
 * C implementation based on the original Perl and shell versions
 *
 * Copyright (c) 2013-2014 Timo Teräs <timo.teras@iki.fi>
 */
 /* ====================================================================
 * Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
 #include "apps.h"
 #if defined(OPENSSL_SYS_UNIX) || defined(__APPLE__)
 # include <unistd.h>
 # include <stdio.h>
 # include <limits.h>
 # include <errno.h>
 # include <string.h>
 # include <ctype.h>
 # include <sys/stat.h>
 # include "internal/o_dir.h"
 # include <openssl/evp.h>
 # include <openssl/pem.h>
 # include <openssl/x509.h>
 # ifndef NAME_MAX
 #  define NAME_MAX 255
 # endif
 # define MAX_COLLISIONS  256
 typedef struct hentry_st {
    struct hentry_st *next;
    char *filename;
    unsigned short old_id;
    unsigned char need_symlink;
    unsigned char digest[EVP_MAX_MD_SIZE];
 } HENTRY;
 typedef struct bucket_st {
    struct bucket_st *next;
    HENTRY *first_entry, *last_entry;
    unsigned int hash;
    unsigned short type;
    unsigned short num_needed;
 } BUCKET;
 enum Type {
    /* Keep in sync with |suffixes|, below. */
    TYPE_CERT=0, TYPE_CRL=1
 };
 enum Hash {
    HASH_OLD, HASH_NEW, HASH_BOTH
 };
 static int evpmdsize;
 static const EVP_MD *evpmd;
 static int remove_links = 1;
 static int verbose = 0;
 static BUCKET *hash_table[257];
 static const char *suffixes[] = { "", "r" };
 static const char *extensions[] = { "pem", "crt", "cer", "crl" };
 static void bit_set(unsigned char *set, unsigned int bit)
 {
    set[bit >> 3] |= 1 << (bit & 0x7);
 }
 static int bit_isset(unsigned char *set, unsigned int bit)
 {
    return set[bit >> 3] & (1 << (bit & 0x7));
 }
 /*
 * Process an entry; return number of errors.
 */
 static int add_entry(enum Type type, unsigned int hash, const char *filename,
                      const unsigned char *digest, int need_symlink,
                      unsigned short old_id)
 {
    static BUCKET nilbucket;
    static HENTRY nilhentry;
    BUCKET *bp;
    HENTRY *ep, *found = NULL;
    unsigned int ndx = (type + hash) % OSSL_NELEM(hash_table);
    for (bp = hash_table[ndx]; bp; bp = bp->next)
        if (bp->type == type && bp->hash == hash)
            break;
    if (bp == NULL) {
        bp = app_malloc(sizeof(*bp), "hash bucket");
        *bp = nilbucket;
        bp->next = hash_table[ndx];
        bp->type = type;
        bp->hash = hash;
        hash_table[ndx] = bp;
    }
    for (ep = bp->first_entry; ep; ep = ep->next) {
        if (digest && memcmp(digest, ep->digest, evpmdsize) == 0) {
            BIO_printf(bio_err,
                       "%s: skipping duplicate certificate in %s\n",
                       opt_getprog(), filename);
            return 1;
        }
        if (strcmp(filename, ep->filename) == 0) {
            found = ep;
            if (digest == NULL)
                break;
        }
    }
    ep = found;
    if (ep == NULL) {
        if (bp->num_needed >= MAX_COLLISIONS) {
            BIO_printf(bio_err,
                       "%s: hash table overflow for %s\n",
                       opt_getprog(), filename);
            return 1;
        }
        ep = app_malloc(sizeof(*ep), "collision bucket");
        *ep = nilhentry;
        ep->old_id = ~0;
        ep->filename = BUF_strdup(filename);
        if (bp->last_entry)
            bp->last_entry->next = ep;
        if (bp->first_entry == NULL)
            bp->first_entry = ep;
        bp->last_entry = ep;
    }
    if (old_id < ep->old_id)
        ep->old_id = old_id;
    if (need_symlink && !ep->need_symlink) {
        ep->need_symlink = 1;
        bp->num_needed++;
        memcpy(ep->digest, digest, evpmdsize);
    }
    return 0;
 }
 /*
 * Check if a symlink goes to the right spot; return 0 if okay.
 * This can be -1 if bad filename, or an error count.
 */
 static int handle_symlink(const char *filename, const char *fullpath)
 {
    unsigned int hash = 0;
    int i, type, id;
    unsigned char ch;
    char linktarget[PATH_MAX], *endptr;
    ssize_t n;
    for (i = 0; i < 8; i++) {
        ch = filename[i];
        if (!isxdigit(ch))
            return -1;
        hash <<= 4;
        hash += app_hex(ch);
    }
    if (filename[i++] != '.')
        return -1;
    for (type = OSSL_NELEM(suffixes) - 1; type > 0; type--)
        if (strcasecmp(suffixes[type], &filename[i]) == 0)
            break;
    i += strlen(suffixes[type]);
    id = strtoul(&filename[i], &endptr, 10);
    if (*endptr != '\0')
        return -1;
    n = readlink(fullpath, linktarget, sizeof(linktarget));
    if (n < 0 || n >= (int)sizeof(linktarget))
        return -1;
    linktarget[n] = 0;
    return add_entry(type, hash, linktarget, NULL, 0, id);
 }
 /*
 * process a file, return number of errors.
 */
 static int do_file(const char *filename, const char *fullpath, enum Hash h)
 {
    STACK_OF (X509_INFO) *inf = NULL;
    X509_INFO *x;
    X509_NAME *name = NULL;
    BIO *b;
    const char *ext;
    unsigned char digest[EVP_MAX_MD_SIZE];
    int type, errs = 0;
    size_t i;
    /* Does it end with a recognized extension? */
    if ((ext = strrchr(filename, '.')) == NULL)
        goto end;
    for (i = 0; i < OSSL_NELEM(extensions); i++) {
        if (strcasecmp(extensions[i], ext + 1) == 0)
            break;
    }
    if (i >= OSSL_NELEM(extensions))
        goto end;
    /* Does it have X.509 data in it? */
    if ((b = BIO_new_file(fullpath, "r")) == NULL) {
        BIO_printf(bio_err, "%s: skipping %s, cannot open file\n",
                   opt_getprog(), filename);
        errs++;
        goto end;
    }
    inf = PEM_X509_INFO_read_bio(b, NULL, NULL, NULL);
    BIO_free(b);
    if (inf == NULL)
        goto end;
    if (sk_X509_INFO_num(inf) != 1) {
        BIO_printf(bio_err,
                   "%s: skipping %s,"
                   "it does not contain exactly one certificate or CRL\n",
                   opt_getprog(), filename);
        /* This is not an error. */
        goto end;
    }
    x = sk_X509_INFO_value(inf, 0);
    if (x->x509) {
        type = TYPE_CERT;
        name = X509_get_subject_name(x->x509);
        X509_digest(x->x509, evpmd, digest, NULL);
    } else if (x->crl) {
        type = TYPE_CRL;
        name = X509_CRL_get_issuer(x->crl);
        X509_CRL_digest(x->crl, evpmd, digest, NULL);
    } else {
        ++errs;
        goto end;
    }
    if (name) {
        if ((h == HASH_NEW) || (h == HASH_BOTH))
            errs += add_entry(type, X509_NAME_hash(name), filename, digest, 1, ~0);
        if ((h == HASH_OLD) || (h == HASH_BOTH))
            errs += add_entry(type, X509_NAME_hash_old(name), filename, digest, 1, ~0);
    }
 end:
    sk_X509_INFO_pop_free(inf, X509_INFO_free);
    return errs;
 }
 /*
 * Process a directory; return number of errors found.
 */
 static int do_dir(const char *dirname, enum Hash h)
 {
    BUCKET *bp, *nextbp;
    HENTRY *ep, *nextep;
    OPENSSL_DIR_CTX *d = NULL;
    struct stat st;
    unsigned char idmask[MAX_COLLISIONS / 8];
    int n, nextid, buflen, errs = 0;
    size_t i;
    const char *pathsep;
    const char *filename;
    char *buf;
    if (app_access(dirname, W_OK) < 0) {
        BIO_printf(bio_err, "Skipping %s, can't write\n", dirname);
        return 1;
    }
    buflen = strlen(dirname);
    pathsep = (buflen && dirname[buflen - 1] == '/') ? "" : "/";
    buflen += NAME_MAX + 1 + 1;
    buf = app_malloc(buflen, "filename buffer");
    if (verbose)
        BIO_printf(bio_out, "Doing %s\n", dirname);
    while ((filename = OPENSSL_DIR_read(&d, dirname)) != NULL) {
        if (snprintf(buf, buflen, "%s%s%s",
                    dirname, pathsep, filename) >= buflen)
            continue;
        if (lstat(buf, &st) < 0)
            continue;
        if (S_ISLNK(st.st_mode) && handle_symlink(filename, buf) == 0)
            continue;
        errs += do_file(filename, buf, h);
    }
    OPENSSL_DIR_end(&d);
    for (i = 0; i < OSSL_NELEM(hash_table); i++) {
        for (bp = hash_table[i]; bp; bp = nextbp) {
            nextbp = bp->next;
            nextid = 0;
            memset(idmask, 0, (bp->num_needed + 7) / 8);
            for (ep = bp->first_entry; ep; ep = ep->next)
                if (ep->old_id < bp->num_needed)
                    bit_set(idmask, ep->old_id);
            for (ep = bp->first_entry; ep; ep = nextep) {
                nextep = ep->next;
                if (ep->old_id < bp->num_needed) {
                    /* Link exists, and is used as-is */
                    snprintf(buf, buflen, "%08x.%s%d", bp->hash,
                             suffixes[bp->type], ep->old_id);
                    if (verbose)
                        BIO_printf(bio_out, "link %s -> %s\n",
                                   ep->filename, buf);
                } else if (ep->need_symlink) {
                    /* New link needed (it may replace something) */
                    while (bit_isset(idmask, nextid))
                        nextid++;
                    snprintf(buf, buflen, "%s%s%n%08x.%s%d",
                             dirname, pathsep, &n, bp->hash,
                             suffixes[bp->type], nextid);
                    if (verbose)
                        BIO_printf(bio_out, "link %s -> %s\n",
                                   ep->filename, &buf[n]);
                    if (unlink(buf) < 0 && errno != ENOENT) {
                        BIO_printf(bio_err,
                                   "%s: Can't unlink %s, %s\n",
                                   opt_getprog(), buf, strerror(errno));
                        errs++;
                    }
                    if (symlink(ep->filename, buf) < 0) {
                        BIO_printf(bio_err,
                                   "%s: Can't symlink %s, %s\n",
                                   opt_getprog(), ep->filename,
                                   strerror(errno));
                        errs++;
                    }
                } else if (remove_links) {
                    /* Link to be deleted */
                    snprintf(buf, buflen, "%s%s%n%08x.%s%d",
                             dirname, pathsep, &n, bp->hash,
                             suffixes[bp->type], ep->old_id);
                    if (verbose)
                        BIO_printf(bio_out, "unlink %s\n",
                                   &buf[n]);
                    if (unlink(buf) < 0 && errno != ENOENT) {
                        BIO_printf(bio_err,
                                   "%s: Can't unlink %s, %s\n",
                                   opt_getprog(), buf, strerror(errno));
                        errs++;
                    }
                }
                OPENSSL_free(ep->filename);
                OPENSSL_free(ep);
            }
            OPENSSL_free(bp);
        }
        hash_table[i] = NULL;
    }
    OPENSSL_free(buf);
    return errs;
 }
 typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_COMPAT, OPT_OLD, OPT_N, OPT_VERBOSE
 } OPTION_CHOICE;
 OPTIONS rehash_options[] = {
    {OPT_HELP_STR, 1, '-', "Usage: %s [options] [cert-directory...]\n"},
    {OPT_HELP_STR, 1, '-', "Valid options are:\n"},
    {"help", OPT_HELP, '-', "Display this summary"},
    {"compat", OPT_COMPAT, '-', "Create both new- and old-style hash links"},
    {"old", OPT_OLD, '-', "Use old-style hash to generate links"},
    {"n", OPT_N, '-', "Do not remove existing links"},
    {"v", OPT_VERBOSE, '-', "Verbose output"},
    {NULL}
 };
 int rehash_main(int argc, char **argv)
 {
    const char *env, *prog;
    char *e, *m;
    int errs = 0;
    OPTION_CHOICE o;
    enum Hash h = HASH_NEW;
    prog = opt_init(argc, argv, rehash_options);
    while ((o = opt_next()) != OPT_EOF) {
        switch (o) {
        case OPT_EOF:
        case OPT_ERR:
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
        case OPT_HELP:
            opt_help(rehash_options);
            goto end;
        case OPT_COMPAT:
            h = HASH_BOTH;
            break;
        case OPT_OLD:
            h = HASH_OLD;
            break;
        case OPT_N:
            remove_links = 0;
            break;
        case OPT_VERBOSE:
            verbose = 1;
            break;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
    evpmd = EVP_sha1();
    evpmdsize = EVP_MD_size(evpmd);
    if (*argv) {
        while (*argv)
            errs += do_dir(*argv++, h);
    } else if ((env = getenv("SSL_CERT_DIR")) != NULL) {
        m = BUF_strdup(env);
        for (e = strtok(m, ":"); e != NULL; e = strtok(NULL, ":"))
            errs += do_dir(e, h);
        OPENSSL_free(m);
    } else {
        errs += do_dir("/etc/ssl/certs", h);
    }
 end:
    return errs;
 }
 #else
 OPTIONS rehash_options[] = {
    {NULL}
 };
 int rehash_main(int argc, char **argv)
 {
    BIO_printf(bio_err, "Not available; use c_rehash script\n");
    return (1);
 }
 #endif /* defined(OPENSSL_SYS_UNIX) || defined(__APPLE__) */
--- a/apps/req.c
+++ b/apps/req.c
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -1,4 +1,3 @@
 /* apps/rsa.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -55,6 +54,54 @@
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
 /* ====================================================================
 * Copyright (c) 1999-2015 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 */
 #include <openssl/opensslconf.h>
 #ifndef OPENSSL_NO_RSA
@@ -71,344 +118,247 @@
 # include <openssl/pem.h>
 # include <openssl/bn.h>
-#undef PROG
+typedef enum OPTION_choice {
-#define PROG	rsa_main
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT,
    OPT_PUBIN, OPT_PUBOUT, OPT_PASSOUT, OPT_PASSIN,
    OPT_RSAPUBKEY_IN, OPT_RSAPUBKEY_OUT, OPT_PVK_STRONG, OPT_PVK_WEAK,
    OPT_PVK_NONE, OPT_NOOUT, OPT_TEXT, OPT_MODULUS, OPT_CHECK, OPT_CIPHER
 } OPTION_CHOICE;
-/* -inform arg	- input format - default PEM (one of DER, NET or PEM)
+OPTIONS rsa_options[] = {
- * -outform arg - output format - default PEM
+    {"help", OPT_HELP, '-', "Display this summary"},
- * -in arg	- input file - default stdin
+    {"inform", OPT_INFORM, 'f', "Input format, one of DER NET PEM"},
- * -out arg	- output file - default stdout
+    {"outform", OPT_OUTFORM, 'f', "Output format, one of DER NET PEM PVK"},
- * -des		- encrypt output if PEM format with DES in cbc mode
+    {"in", OPT_IN, '<', "Input file"},
- * -des3	- encrypt output if PEM format
+    {"out", OPT_OUT, '>', "Output file"},
- * -idea	- encrypt output if PEM format
+    {"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
- * -seed	- encrypt output if PEM format
+    {"pubout", OPT_PUBOUT, '-', "Output a public key"},
- * -aes128	- encrypt output if PEM format
+    {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
- * -aes192	- encrypt output if PEM format
+    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
- * -aes256	- encrypt output if PEM format
+    {"RSAPublicKey_in", OPT_RSAPUBKEY_IN, '-', "Input is an RSAPublicKey"},
- * -camellia128 - encrypt output if PEM format
+    {"RSAPublicKey_out", OPT_RSAPUBKEY_OUT, '-', "Output is an RSAPublicKey"},
- * -camellia192 - encrypt output if PEM format
+    {"noout", OPT_NOOUT, '-', "Don't print key out"},
- * -camellia256 - encrypt output if PEM format
+    {"text", OPT_TEXT, '-', "Print the key in text"},
- * -text	- print a text version
+    {"modulus", OPT_MODULUS, '-', "Print the RSA key modulus"},
- * -modulus	- print the RSA key modulus
+    {"check", OPT_CHECK, '-', "Verify key consistency"},
- * -check	- verify key consistency
+    {"", OPT_CIPHER, '-', "Any supported cipher"},
- * -pubin	- Expect a public key in input file.
+# ifdef OPENSSL_NO_RC4
- * -pubout	- Output a public key.
+    {"pvk-strong", OPT_PVK_STRONG, '-'},
- */
+    {"pvk-weak", OPT_PVK_WEAK, '-'},
    {"pvk-none", OPT_PVK_NONE, '-'},
 # endif
 # ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 # endif
    {NULL}
 };
-int MAIN(int, char **);
+int rsa_main(int argc, char **argv)
 int MAIN(int argc, char **argv)
 {
    ENGINE *e = NULL;
 	int ret=1;
 	RSA *rsa=NULL;
 	int i,badops=0, sgckey=0;
 	const EVP_CIPHER *enc=NULL;
    BIO *out = NULL;
-	int informat,outformat,text=0,check=0,noout=0;
+    RSA *rsa = NULL;
-	int pubin = 0, pubout = 0;
+    const EVP_CIPHER *enc = NULL;
-	char *infile,*outfile,*prog;
+    char *infile = NULL, *outfile = NULL, *prog;
-	char *passargin = NULL, *passargout = NULL;
+    char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
-	char *passin = NULL, *passout = NULL;
+    int i, private = 0;
-#ifndef OPENSSL_NO_ENGINE
+    int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, check = 0;
-	char *engine=NULL;
+    int noout = 0, modulus = 0, pubin = 0, pubout = 0, pvk_encr = 2, ret = 1;
-#endif
+    OPTION_CHOICE o;
 	int modulus=0;
-	int pvk_encr = 2;
+    prog = opt_init(argc, argv, rsa_options);
-
+    while ((o = opt_next()) != OPT_EOF) {
-	apps_startup();
+        switch (o) {
-
+        case OPT_EOF:
-	if (bio_err == NULL)
+        case OPT_ERR:
-		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+ opthelp:
-			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
 	if (!load_config(bio_err, NULL))
            goto end;
-
+        case OPT_HELP:
-	infile=NULL;
+            opt_help(rsa_options);
-	outfile=NULL;
+            ret = 0;
-	informat=FORMAT_PEM;
+            goto end;
-	outformat=FORMAT_PEM;
+        case OPT_INFORM:
-
+            if (!opt_format(opt_arg(), OPT_FMT_ANY, &informat))
-	prog=argv[0];
+                goto opthelp;
-	argc--;
+            break;
-	argv++;
+        case OPT_IN:
-	while (argc >= 1)
+            infile = opt_arg();
-		{
+            break;
-		if 	(strcmp(*argv,"-inform") == 0)
+        case OPT_OUTFORM:
-			{
+            if (!opt_format(opt_arg(), OPT_FMT_ANY, &outformat))
-			if (--argc < 1) goto bad;
+                goto opthelp;
-			informat=str2fmt(*(++argv));
+            break;
-			}
+        case OPT_OUT:
-		else if (strcmp(*argv,"-outform") == 0)
+            outfile = opt_arg();
-			{
+            break;
-			if (--argc < 1) goto bad;
+        case OPT_PASSIN:
-			outformat=str2fmt(*(++argv));
+            passinarg = opt_arg();
-			}
+            break;
-		else if (strcmp(*argv,"-in") == 0)
+        case OPT_PASSOUT:
-			{
+            passoutarg = opt_arg();
-			if (--argc < 1) goto bad;
+            break;
-			infile= *(++argv);
+        case OPT_ENGINE:
-			}
+            e = setup_engine(opt_arg(), 0);
-		else if (strcmp(*argv,"-out") == 0)
+            break;
-			{
+        case OPT_PUBIN:
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 		else if (strcmp(*argv,"-passin") == 0)
 			{
 			if (--argc < 1) goto bad;
 			passargin= *(++argv);
 			}
 		else if (strcmp(*argv,"-passout") == 0)
 			{
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 #endif
 		else if (strcmp(*argv,"-sgckey") == 0)
 			sgckey=1;
 		else if (strcmp(*argv,"-pubin") == 0)
            pubin = 1;
-		else if (strcmp(*argv,"-pubout") == 0)
+            break;
        case OPT_PUBOUT:
            pubout = 1;
-		else if (strcmp(*argv,"-RSAPublicKey_in") == 0)
+            break;
        case OPT_RSAPUBKEY_IN:
            pubin = 2;
-		else if (strcmp(*argv,"-RSAPublicKey_out") == 0)
+            break;
        case OPT_RSAPUBKEY_OUT:
            pubout = 2;
-		else if (strcmp(*argv,"-pvk-strong") == 0)
+            break;
 #ifndef OPENSSL_NO_RC4
        case OPT_PVK_STRONG:
            pvk_encr = 2;
-		else if (strcmp(*argv,"-pvk-weak") == 0)
+            break;
        case OPT_PVK_WEAK:
            pvk_encr = 1;
-		else if (strcmp(*argv,"-pvk-none") == 0)
+            break;
        case OPT_PVK_NONE:
            pvk_encr = 0;
-		else if (strcmp(*argv,"-noout") == 0)
+            break;
 #else
        case OPT_PVK_STRONG:
        case OPT_PVK_WEAK:
        case OPT_PVK_NONE:
            break;
 #endif
        case OPT_NOOUT:
            noout = 1;
-		else if (strcmp(*argv,"-text") == 0)
+            break;
        case OPT_TEXT:
            text = 1;
-		else if (strcmp(*argv,"-modulus") == 0)
+            break;
        case OPT_MODULUS:
            modulus = 1;
-		else if (strcmp(*argv,"-check") == 0)
+            break;
        case OPT_CHECK:
            check = 1;
-		else if ((enc=EVP_get_cipherbyname(&(argv[0][1]))) == NULL)
+            break;
-			{
+        case OPT_CIPHER:
-			BIO_printf(bio_err,"unknown option %s\n",*argv);
+            if (!opt_cipher(opt_unknown(), &enc))
-			badops=1;
+                goto opthelp;
            break;
        }
 		argc--;
 		argv++;
    }
    argc = opt_num_rest();
    argv = opt_rest();
    private = text || (!pubout && !noout) ? 1 : 0;
-	if (badops)
+    if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
 		{
 bad:
 		BIO_printf(bio_err,"%s [options] <infile >outfile\n",prog);
 		BIO_printf(bio_err,"where options are\n");
 		BIO_printf(bio_err," -inform arg     input format - one of DER NET PEM\n");
 		BIO_printf(bio_err," -outform arg    output format - one of DER NET PEM\n");
 		BIO_printf(bio_err," -in arg         input file\n");
 		BIO_printf(bio_err," -sgckey         Use IIS SGC key format\n");
 		BIO_printf(bio_err," -passin arg     input file pass phrase source\n");
 		BIO_printf(bio_err," -out arg        output file\n");
 		BIO_printf(bio_err," -passout arg    output file pass phrase source\n");
 		BIO_printf(bio_err," -des            encrypt PEM output with cbc des\n");
 		BIO_printf(bio_err," -des3           encrypt PEM output with ede cbc des using 168 bit key\n");
 #ifndef OPENSSL_NO_IDEA
 		BIO_printf(bio_err," -idea           encrypt PEM output with cbc idea\n");
 #endif
 #ifndef OPENSSL_NO_SEED
 		BIO_printf(bio_err," -seed           encrypt PEM output with cbc seed\n");
 #endif
 #ifndef OPENSSL_NO_AES
 		BIO_printf(bio_err," -aes128, -aes192, -aes256\n");
 		BIO_printf(bio_err,"                 encrypt PEM output with cbc aes\n");
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
 		BIO_printf(bio_err," -camellia128, -camellia192, -camellia256\n");
 		BIO_printf(bio_err,"                 encrypt PEM output with cbc camellia\n");
 #endif
 		BIO_printf(bio_err," -text           print the key in text\n");
 		BIO_printf(bio_err," -noout          don't print key out\n");
 		BIO_printf(bio_err," -modulus        print the RSA key modulus\n");
 		BIO_printf(bio_err," -check          verify key consistency\n");
 		BIO_printf(bio_err," -pubin          expect a public key in input file\n");
 		BIO_printf(bio_err," -pubout         output a public key\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
 #endif
 		goto end;
 		}
 	ERR_load_crypto_strings();
 #ifndef OPENSSL_NO_ENGINE
        e = setup_engine(bio_err, engine, 0);
 #endif
 	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
        BIO_printf(bio_err, "Error getting passwords\n");
        goto end;
    }
    if (check && pubin) {
        BIO_printf(bio_err, "Only private keys can be checked\n");
        goto end;
    }
 	out=BIO_new(BIO_s_file());
    {
        EVP_PKEY *pkey;
-		if (pubin)
+        if (pubin) {
 			{
            int tmpformat = -1;
-			if (pubin == 2)
+            if (pubin == 2) {
 				{
                if (informat == FORMAT_PEM)
                    tmpformat = FORMAT_PEMRSA;
                else if (informat == FORMAT_ASN1)
                    tmpformat = FORMAT_ASN1RSA;
-				}
+            } else
 			else if (informat == FORMAT_NETSCAPE && sgckey)
 				tmpformat = FORMAT_IISSGC;
 			else
                tmpformat = informat;
-			pkey = load_pubkey(bio_err, infile, tmpformat, 1,
+            pkey = load_pubkey(infile, tmpformat, 1, passin, e, "Public Key");
-				passin, e, "Public Key");
+        } else
-			}
+            pkey = load_key(infile, informat, 1, passin, e, "Private Key");
 		else
 			pkey = load_key(bio_err, infile,
 				(informat == FORMAT_NETSCAPE && sgckey ?
 					FORMAT_IISSGC : informat), 1,
 				passin, e, "Private Key");
        if (pkey != NULL)
            rsa = EVP_PKEY_get1_RSA(pkey);
        EVP_PKEY_free(pkey);
    }
-	if (rsa == NULL)
+    if (rsa == NULL) {
 		{
        ERR_print_errors(bio_err);
        goto end;
    }
-	if (outfile == NULL)
+    out = bio_open_owner(outfile, outformat, private);
-		{
+    if (out == NULL)
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
 			{
 			perror(outfile);
        goto end;
 			}
 		}
-	if (text) 
+    if (text) {
-		if (!RSA_print(out,rsa,0))
+        assert(private);
-			{
+        if (!RSA_print(out, rsa, 0)) {
            perror(outfile);
            ERR_print_errors(bio_err);
            goto end;
        }
    }
-	if (modulus)
+    if (modulus) {
 		{
        BIO_printf(out, "Modulus=");
        BN_print(out, rsa->n);
        BIO_printf(out, "\n");
    }
-	if (check)
+    if (check) {
 		{
        int r = RSA_check_key(rsa);
        if (r == 1)
            BIO_printf(out, "RSA key ok\n");
-		else if (r == 0)
+        else if (r == 0) {
 			{
            unsigned long err;
            while ((err = ERR_peek_error()) != 0 &&
                   ERR_GET_LIB(err) == ERR_LIB_RSA &&
                   ERR_GET_FUNC(err) == RSA_F_RSA_CHECK_KEY &&
-				ERR_GET_REASON(err) != ERR_R_MALLOC_FAILURE)
+                   ERR_GET_REASON(err) != ERR_R_MALLOC_FAILURE) {
-				{
+                BIO_printf(out, "RSA key error: %s\n",
-				BIO_printf(out, "RSA key error: %s\n", ERR_reason_error_string(err));
+                           ERR_reason_error_string(err));
                ERR_get_error(); /* remove e from error stack */
            }
        }
-		if (r == -1 || ERR_peek_error() != 0) /* should happen only if r == -1 */
+        /* should happen only if r == -1 */
-			{
+        if (r == -1 || ERR_peek_error() != 0) {
            ERR_print_errors(bio_err);
            goto end;
        }
    }
-	if (noout)
+    if (noout) {
 		{
        ret = 0;
        goto end;
    }
    BIO_printf(bio_err, "writing RSA key\n");
    if (outformat == FORMAT_ASN1) {
-		if(pubout || pubin) 
+        if (pubout || pubin) {
 			{
            if (pubout == 2)
                i = i2d_RSAPublicKey_bio(out, rsa);
            else
                i = i2d_RSA_PUBKEY_bio(out, rsa);
        } else {
            assert(private);
            i = i2d_RSAPrivateKey_bio(out, rsa);
        }
 		else i=i2d_RSAPrivateKey_bio(out,rsa);
    }
 #ifndef OPENSSL_NO_RC4
 	else if (outformat == FORMAT_NETSCAPE)
 		{
 		unsigned char *p,*pp;
 		int size;
 		i=1;
 		size=i2d_RSA_NET(rsa,NULL,NULL, sgckey);
 		if ((p=(unsigned char *)OPENSSL_malloc(size)) == NULL)
 			{
 			BIO_printf(bio_err,"Memory allocation failure\n");
 			goto end;
 			}
 		pp=p;
 		i2d_RSA_NET(rsa,&p,NULL, sgckey);
 		BIO_write(out,(char *)pp,size);
 		OPENSSL_free(pp);
 		}
 #endif
    else if (outformat == FORMAT_PEM) {
-		if(pubout || pubin)
+        if (pubout || pubin) {
 			{
            if (pubout == 2)
                i = PEM_write_bio_RSAPublicKey(out, rsa);
            else
                i = PEM_write_bio_RSA_PUBKEY(out, rsa);
-			}
+        } else {
-		else i=PEM_write_bio_RSAPrivateKey(out,rsa,
+            assert(private);
            i = PEM_write_bio_RSAPrivateKey(out, rsa,
                                            enc, NULL, 0, NULL, passout);
        }
 # if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
    } else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
        EVP_PKEY *pk;
@@ -418,28 +368,27 @@ bad:
            i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);
        else if (pubin || pubout)
            i = i2b_PublicKey_bio(out, pk);
-		else
+        else {
            assert(private);
            i = i2b_PrivateKey_bio(out, pk);
        }
        EVP_PKEY_free(pk);
 # endif
    } else {
        BIO_printf(bio_err, "bad output format specified for outfile\n");
        goto end;
    }
-	if (i <= 0)
+    if (i <= 0) {
 		{
        BIO_printf(bio_err, "unable to write key\n");
        ERR_print_errors(bio_err);
-		}
+    } else
 	else
        ret = 0;
 end:
-	if(out != NULL) BIO_free_all(out);
+    BIO_free_all(out);
-	if(rsa != NULL) RSA_free(rsa);
+    RSA_free(rsa);
-	if(passin) OPENSSL_free(passin);
+    OPENSSL_free(passin);
-	if(passout) OPENSSL_free(passout);
+    OPENSSL_free(passout);
-	apps_shutdown();
+    return (ret);
 	OPENSSL_EXIT(ret);
 }
 #else                           /* !OPENSSL_NO_RSA */
--- a/apps/rsautl.c
+++ b/apps/rsautl.c
@@ -1,6 +1,6 @@
-/* rsautl.c */
+/*
-/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
+ * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
- * project 2000.
+ * 2000.
 */
 /* ====================================================================
 * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
@@ -74,142 +74,160 @@
 # define KEY_PUBKEY      2
 # define KEY_CERT        3
-static void usage(void);
+typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_ENGINE, OPT_IN, OPT_OUT, OPT_ASN1PARSE, OPT_HEXDUMP,
    OPT_RAW, OPT_OAEP, OPT_SSL, OPT_PKCS, OPT_X931,
    OPT_SIGN, OPT_VERIFY, OPT_REV, OPT_ENCRYPT, OPT_DECRYPT,
    OPT_PUBIN, OPT_CERTIN, OPT_INKEY, OPT_PASSIN, OPT_KEYFORM
 } OPTION_CHOICE;
-#undef PROG
+OPTIONS rsautl_options[] = {
-
+    {"help", OPT_HELP, '-', "Display this summary"},
-#define PROG rsautl_main
+    {"in", OPT_IN, '<', "Input file"},
-
+    {"out", OPT_OUT, '>', "Output file"},
-int MAIN(int argc, char **);
+    {"inkey", OPT_INKEY, '<', "Input key"},
-
+    {"keyform", OPT_KEYFORM, 'F', "Private key format - default PEM"},
-int MAIN(int argc, char **argv)
+    {"pubin", OPT_PUBIN, '-', "Input is an RSA public"},
-{
+    {"certin", OPT_CERTIN, '-', "Input is a cert carrying an RSA public key"},
-	ENGINE *e = NULL;
+    {"ssl", OPT_SSL, '-', "Use SSL v2 padding"},
-	BIO *in = NULL, *out = NULL;
+    {"raw", OPT_RAW, '-', "Use no padding"},
-	char *infile = NULL, *outfile = NULL;
+    {"pkcs", OPT_PKCS, '-', "Use PKCS#1 v1.5 padding (default)"},
    {"oaep", OPT_OAEP, '-', "Use PKCS#1 OAEP"},
    {"sign", OPT_SIGN, '-', "Sign with private key"},
    {"verify", OPT_VERIFY, '-', "Verify with public key"},
    {"asn1parse", OPT_ASN1PARSE, '-'},
    {"hexdump", OPT_HEXDUMP, '-', "Hex dump output"},
    {"x931", OPT_X931, '-', "Use ANSI X9.31 padding"},
    {"rev", OPT_REV, '-'},
    {"encrypt", OPT_ENCRYPT, '-', "Encrypt with public key"},
    {"decrypt", OPT_DECRYPT, '-', "Decrypt with private key"},
    {"passin", OPT_PASSIN, 's', "Pass phrase source"},
 # ifndef OPENSSL_NO_ENGINE
-	char *engine = NULL;
+    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 # endif
-	char *keyfile = NULL;
+    {NULL}
-	char rsa_mode = RSA_VERIFY, key_type = KEY_PRIVKEY;
+};
-	int keyform = FORMAT_PEM;
+
-	char need_priv = 0, badarg = 0, rev = 0;
+int rsautl_main(int argc, char **argv)
-	char hexdump = 0, asn1parse = 0;
+{
-	X509 *x;
+    BIO *in = NULL, *out = NULL;
    ENGINE *e = NULL;
    EVP_PKEY *pkey = NULL;
    RSA *rsa = NULL;
-	unsigned char *rsa_in = NULL, *rsa_out = NULL, pad;
+    X509 *x;
-	char *passargin = NULL, *passin = NULL;
+    char *infile = NULL, *outfile = NULL, *keyfile = NULL;
-	int rsa_inlen, rsa_outlen = 0;
+    char *passinarg = NULL, *passin = NULL, *prog;
-	int keysize;
+    char rsa_mode = RSA_VERIFY, key_type = KEY_PRIVKEY;
    unsigned char *rsa_in = NULL, *rsa_out = NULL, pad = RSA_PKCS1_PADDING;
    int rsa_inlen, keyformat = FORMAT_PEM, keysize, ret = 1;
    int rsa_outlen = 0, hexdump = 0, asn1parse = 0, need_priv = 0, rev = 0;
    OPTION_CHOICE o;
-	int ret = 1;
+    prog = opt_init(argc, argv, rsautl_options);
-
+    while ((o = opt_next()) != OPT_EOF) {
-	argc--;
+        switch (o) {
-	argv++;
+        case OPT_EOF:
-
+        case OPT_ERR:
-	if(!bio_err) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
+ opthelp:
-
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
 	if (!load_config(bio_err, NULL))
            goto end;
-	ERR_load_crypto_strings();
+        case OPT_HELP:
-	OpenSSL_add_all_algorithms();
+            opt_help(rsautl_options);
            ret = 0;
            goto end;
        case OPT_KEYFORM:
            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyformat))
                goto opthelp;
            break;
        case OPT_IN:
            infile = opt_arg();
            break;
        case OPT_OUT:
            outfile = opt_arg();
            break;
        case OPT_ENGINE:
            e = setup_engine(opt_arg(), 0);
            break;
        case OPT_ASN1PARSE:
            asn1parse = 1;
            break;
        case OPT_HEXDUMP:
            hexdump = 1;
            break;
        case OPT_RAW:
            pad = RSA_NO_PADDING;
            break;
        case OPT_OAEP:
            pad = RSA_PKCS1_OAEP_PADDING;
            break;
        case OPT_SSL:
            pad = RSA_SSLV23_PADDING;
            break;
        case OPT_PKCS:
            pad = RSA_PKCS1_PADDING;
-	
+            break;
-	while(argc >= 1)
+        case OPT_X931:
-	{
+            pad = RSA_X931_PADDING;
-		if (!strcmp(*argv,"-in")) {
+            break;
-			if (--argc < 1)
+        case OPT_SIGN:
 				badarg = 1;
 			else
 				infile= *(++argv);
 		} else if (!strcmp(*argv,"-out")) {
 			if (--argc < 1)
 				badarg = 1;
 			else
 				outfile= *(++argv);
 		} else if(!strcmp(*argv, "-inkey")) {
 			if (--argc < 1)
 				badarg = 1;
 			else
 				keyfile = *(++argv);
 		} else if (!strcmp(*argv,"-passin")) {
 			if (--argc < 1)
 				badarg = 1;
 			else
 				passargin= *(++argv);
 		} else if (strcmp(*argv,"-keyform") == 0) {
 			if (--argc < 1)
 				badarg = 1;
 			else
 				keyform=str2fmt(*(++argv));
 #ifndef OPENSSL_NO_ENGINE
 		} else if(!strcmp(*argv, "-engine")) {
 			if (--argc < 1)
 				badarg = 1;
 			else
 				engine = *(++argv);
 #endif
 		} else if(!strcmp(*argv, "-pubin")) {
 			key_type = KEY_PUBKEY;
 		} else if(!strcmp(*argv, "-certin")) {
 			key_type = KEY_CERT;
 		} 
 		else if(!strcmp(*argv, "-asn1parse")) asn1parse = 1;
 		else if(!strcmp(*argv, "-hexdump")) hexdump = 1;
 		else if(!strcmp(*argv, "-raw")) pad = RSA_NO_PADDING;
 		else if(!strcmp(*argv, "-oaep")) pad = RSA_PKCS1_OAEP_PADDING;
 		else if(!strcmp(*argv, "-ssl")) pad = RSA_SSLV23_PADDING;
 		else if(!strcmp(*argv, "-pkcs")) pad = RSA_PKCS1_PADDING;
 		else if(!strcmp(*argv, "-x931")) pad = RSA_X931_PADDING;
 		else if(!strcmp(*argv, "-sign")) {
            rsa_mode = RSA_SIGN;
            need_priv = 1;
-		} else if(!strcmp(*argv, "-verify")) rsa_mode = RSA_VERIFY;
+            break;
-		else if(!strcmp(*argv, "-rev")) rev = 1;
+        case OPT_VERIFY:
-		else if(!strcmp(*argv, "-encrypt")) rsa_mode = RSA_ENCRYPT;
+            rsa_mode = RSA_VERIFY;
-		else if(!strcmp(*argv, "-decrypt")) {
+            break;
        case OPT_REV:
            rev = 1;
            break;
        case OPT_ENCRYPT:
            rsa_mode = RSA_ENCRYPT;
            break;
        case OPT_DECRYPT:
            rsa_mode = RSA_DECRYPT;
            need_priv = 1;
-		} else badarg = 1;
+            break;
-		if(badarg) {
+        case OPT_PUBIN:
-			usage();
+            key_type = KEY_PUBKEY;
-			goto end;
+            break;
        case OPT_CERTIN:
            key_type = KEY_CERT;
            break;
        case OPT_INKEY:
            keyfile = opt_arg();
            break;
        case OPT_PASSIN:
            passinarg = opt_arg();
            break;
        }
 		argc--;
 		argv++;
    }
    argc = opt_num_rest();
    argv = opt_rest();
    if (need_priv && (key_type != KEY_PRIVKEY)) {
        BIO_printf(bio_err, "A private key is needed for this operation\n");
        goto end;
    }
-#ifndef OPENSSL_NO_ENGINE
+    if (!app_passwd(passinarg, NULL, &passin, NULL)) {
        e = setup_engine(bio_err, engine, 0);
 #endif
 	if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
        BIO_printf(bio_err, "Error getting password\n");
        goto end;
    }
 /* FIXME: seed PRNG only if needed */
-	app_RAND_load_file(NULL, bio_err, 0);
+    app_RAND_load_file(NULL, 0);
    switch (key_type) {
    case KEY_PRIVKEY:
-		pkey = load_key(bio_err, keyfile, keyform, 0,
+        pkey = load_key(keyfile, keyformat, 0, passin, e, "Private Key");
 			passin, e, "Private Key");
        break;
    case KEY_PUBKEY:
-		pkey = load_pubkey(bio_err, keyfile, keyform, 0,
+        pkey = load_pubkey(keyfile, keyformat, 0, NULL, e, "Public Key");
 			NULL, e, "Public Key");
        break;
    case KEY_CERT:
-		x = load_cert(bio_err, keyfile, keyform,
+        x = load_cert(keyfile, keyformat, NULL, e, "Certificate");
 			NULL, e, "Certificate");
        if (x) {
            pkey = X509_get_pubkey(x);
            X509_free(x);
@@ -230,41 +248,23 @@ int MAIN(int argc, char **argv)
        goto end;
    }
-
+    in = bio_open_default(infile, 'r', FORMAT_BINARY);
-	if(infile) {
+    if (in == NULL)
 		if(!(in = BIO_new_file(infile, "rb"))) {
 			BIO_printf(bio_err, "Error Reading Input File\n");
 			ERR_print_errors(bio_err);	
        goto end;
-		}
+    out = bio_open_default(outfile, 'w', FORMAT_BINARY);
-	} else in = BIO_new_fp(stdin, BIO_NOCLOSE);
+    if (out == NULL)
 	if(outfile) {
 		if(!(out = BIO_new_file(outfile, "wb"))) {
 			BIO_printf(bio_err, "Error Reading Output File\n");
 			ERR_print_errors(bio_err);	
        goto end;
 		}
 	} else {
 		out = BIO_new_fp(stdout, BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 		{
 		    BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		    out = BIO_push(tmpbio, out);
 		}
 #endif
 	}
    keysize = RSA_size(rsa);
-	rsa_in = OPENSSL_malloc(keysize * 2);
+    rsa_in = app_malloc(keysize * 2, "hold rsa key");
-	rsa_out = OPENSSL_malloc(keysize);
+    rsa_out = app_malloc(keysize, "output rsa key");
    /* Read the input data */
    rsa_inlen = BIO_read(in, rsa_in, keysize * 2);
    if (rsa_inlen <= 0) {
        BIO_printf(bio_err, "Error reading input Data\n");
-		exit(1);
+        goto end;
    }
    if (rev) {
        int i;
@@ -282,7 +282,8 @@ int MAIN(int argc, char **argv)
        break;
    case RSA_SIGN:
-			rsa_outlen  = RSA_private_encrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
+        rsa_outlen =
            RSA_private_encrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
        break;
    case RSA_ENCRYPT:
@@ -290,7 +291,8 @@ int MAIN(int argc, char **argv)
        break;
    case RSA_DECRYPT:
-			rsa_outlen  = RSA_private_decrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
+        rsa_outlen =
            RSA_private_decrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
        break;
    }
@@ -305,43 +307,20 @@ int MAIN(int argc, char **argv)
        if (!ASN1_parse_dump(out, rsa_out, rsa_outlen, 1, -1)) {
            ERR_print_errors(bio_err);
        }
-	} else if(hexdump) BIO_dump(out, (char *)rsa_out, rsa_outlen);
+    } else if (hexdump)
-	else BIO_write(out, rsa_out, rsa_outlen);
+        BIO_dump(out, (char *)rsa_out, rsa_outlen);
    else
        BIO_write(out, rsa_out, rsa_outlen);
 end:
    RSA_free(rsa);
    BIO_free(in);
    BIO_free_all(out);
-	if(rsa_in) OPENSSL_free(rsa_in);
+    OPENSSL_free(rsa_in);
-	if(rsa_out) OPENSSL_free(rsa_out);
+    OPENSSL_free(rsa_out);
-	if(passin) OPENSSL_free(passin);
+    OPENSSL_free(passin);
    return ret;
 }
 static void usage()
 {
 	BIO_printf(bio_err, "Usage: rsautl [options]\n");
 	BIO_printf(bio_err, "-in file        input file\n");
 	BIO_printf(bio_err, "-out file       output file\n");
 	BIO_printf(bio_err, "-inkey file     input key\n");
 	BIO_printf(bio_err, "-keyform arg    private key format - default PEM\n");
 	BIO_printf(bio_err, "-pubin          input is an RSA public\n");
 	BIO_printf(bio_err, "-certin         input is a certificate carrying an RSA public key\n");
 	BIO_printf(bio_err, "-ssl            use SSL v2 padding\n");
 	BIO_printf(bio_err, "-raw            use no padding\n");
 	BIO_printf(bio_err, "-pkcs           use PKCS#1 v1.5 padding (default)\n");
 	BIO_printf(bio_err, "-oaep           use PKCS#1 OAEP\n");
 	BIO_printf(bio_err, "-sign           sign with private key\n");
 	BIO_printf(bio_err, "-verify         verify with public key\n");
 	BIO_printf(bio_err, "-encrypt        encrypt with public key\n");
 	BIO_printf(bio_err, "-decrypt        decrypt with private key\n");
 	BIO_printf(bio_err, "-hexdump        hex dump output\n");
 #ifndef OPENSSL_NO_ENGINE
 	BIO_printf(bio_err, "-engine e       use engine e, possibly a hardware device.\n");
 	BIO_printf (bio_err, "-passin arg    pass phrase source\n");
 #endif
 }
 #else                           /* !OPENSSL_NO_RSA */
 # if PEDANTIC
--- a/apps/s_apps.h
+++ b/apps/s_apps.h
@@ -108,7 +108,8 @@
 * Hudson (tjh@cryptsoft.com).
 *
 */
-#if !defined(OPENSSL_SYS_NETWARE)  /* conflicts with winsock2 stuff on netware */
+/* conflicts with winsock2 stuff on netware */
 #if !defined(OPENSSL_SYS_NETWARE)
 # include <sys/types.h>
 #endif
 #include <openssl/opensslconf.h>
@@ -122,7 +123,9 @@
 #endif
 #if defined(OPENSSL_SYS_VMS) && !defined(FD_SET)
-/* VAX C does not defined fd_set and friends, but it's actually quite simple */
+/*
 * VAX C does not defined fd_set and friends, but it's actually quite simple
 */
 /* These definitions are borrowed from SOCKETSHR.       /Richard Levitte */
 # define MAX_NOFILE      32
 # define NBBY             8     /* number of bits in a byte */
@@ -141,36 +144,75 @@ typedef fd_mask fd_set;
 # define FD_SET(n, p)    (*(p) |= (1 << ((n) % NFDBITS)))
 # define FD_CLR(n, p)    (*(p) &= ~(1 << ((n) % NFDBITS)))
 # define FD_ISSET(n, p)  (*(p) & (1 << ((n) % NFDBITS)))
-#define FD_ZERO(p)	memset((char *)(p), 0, sizeof(*(p)))
+# define FD_ZERO(p)      memset((p), 0, sizeof(*(p)))
 #endif
 #define PORT            4433
 #define PORT_STR        "4433"
 #define PROTOCOL        "tcp"
-int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context);
+int do_server(int port, int type, int *ret,
              int (*cb) (char *hostname, int s, int stype,
                         unsigned char *context), unsigned char *context,
              int naccept);
 #ifndef NO_SYS_UN_H
 int do_server_unix(const char *path, int *ret,
                   int (*cb) (char *hostname, int s, int stype,
                              unsigned char *context), unsigned char *context,
                   int naccept);
 #endif
 #ifdef HEADER_X509_H
-int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
+int verify_callback(int ok, X509_STORE_CTX *ctx);
 #endif
 #ifdef HEADER_SSL_H
 int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
-int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
+int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
                       STACK_OF(X509) *chain, int build_chain);
 int ssl_print_sigalgs(BIO *out, SSL *s);
 int ssl_print_point_formats(BIO *out, SSL *s);
 int ssl_print_curves(BIO *out, SSL *s, int noshared);
 #endif
 int ssl_print_tmp_key(BIO *out, SSL *s);
 int init_client(int *sock, const char *server, int port, int type);
 #ifndef NO_SYS_UN_H
 int init_client_unix(int *sock, const char *server);
 #endif
 int init_client(int *sock, char *server, int port, int type);
 int should_retry(int i);
-int extract_port(char *str, short *port_ptr);
+int extract_port(const char *str, unsigned short *port_ptr);
-int extract_host_port(char *str,char **host_ptr,unsigned char *ip,short *p);
+int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
                      unsigned short *p);
-long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
+long bio_dump_callback(BIO *bio, int cmd, const char *argp,
                       int argi, long argl, long ret);
 #ifdef HEADER_SSL_H
-void MS_CALLBACK apps_ssl_info_callback(const SSL *s, int where, int ret);
+void apps_ssl_info_callback(const SSL *s, int where, int ret);
-void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg);
+void msg_cb(int write_p, int version, int content_type, const void *buf,
-void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type,
+            size_t len, SSL *ssl, void *arg);
-					unsigned char *data, int len,
+void tlsext_cb(SSL *s, int client_server, int type, unsigned char *data,
-					void *arg);
+               int len, void *arg);
 #endif
-int MS_CALLBACK generate_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len);
+int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
-int MS_CALLBACK verify_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int cookie_len);
+                             unsigned int *cookie_len);
 int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
                           unsigned int cookie_len);
 typedef struct ssl_excert_st SSL_EXCERT;
 void ssl_ctx_set_excert(SSL_CTX *ctx, SSL_EXCERT *exc);
 void ssl_excert_free(SSL_EXCERT *exc);
 int args_excert(int option, SSL_EXCERT **pexc);
 int load_excert(SSL_EXCERT **pexc);
 void print_ssl_summary(SSL *s);
 #ifdef HEADER_SSL_H
 int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
               SSL_CTX *ctx, int no_ecdhe, int no_jpake);
 int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls,
                     int crl_download);
 int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath,
                    const char *vfyCAfile, const char *chCApath,
                    const char *chCAfile, STACK_OF(X509_CRL) *crls,
                    int crl_download);
 void ssl_ctx_security_debug(SSL_CTX *ctx, int verbose);
 #endif
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
--- a/apps/s_client.c
+++ b/apps/s_client.c
--- a/apps/s_server.c
+++ b/apps/s_server.c
--- a/apps/s_socket.c
+++ b/apps/s_socket.c
@@ -1,4 +1,3 @@
 /* apps/s_socket.c -  socket-related functions used by s_client and s_server */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -55,27 +54,76 @@
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
 /* ====================================================================
 * Copyright (c) 199-2015 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 */
 /* socket-related functions used by s_client and s_server */
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <errno.h>
 #include <signal.h>
-/* With IPv6, it looks like Digital has mixed up the proper order of
+/*
-   recursive header file inclusion, resulting in the compiler complaining
+ * With IPv6, it looks like Digital has mixed up the proper order of
-   that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
+ * recursive header file inclusion, resulting in the compiler complaining
-   is needed to have fileno() declared correctly...  So let's define u_int */
+ * that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which is
 * needed to have fileno() declared correctly...  So let's define u_int
 */
 #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
 # define __U_INT
 typedef unsigned int u_int;
 #endif
 #define USE_SOCKETS
 #define NON_MAIN
 #include "apps.h"
 #undef USE_SOCKETS
 #undef NON_MAIN
 #include "s_apps.h"
 #include <openssl/ssl.h>
@@ -91,7 +139,6 @@ typedef unsigned int u_int;
 #  include "netdb.h"
 # endif
 static struct hostent *GetHostByName(char *name);
 # if defined(OPENSSL_SYS_WINDOWS) || (defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK))
 static void ssl_sock_cleanup(void);
 # endif
@@ -101,12 +148,10 @@ static int init_client_ip(int *sock, const unsigned char ip[4], int port,
 static int init_server(int *sock, int port, int type);
 static int init_server_long(int *sock, int port, char *ip, int type);
 static int do_accept(int acc_sock, int *sock, char **host);
-static int host_ip(char *str, unsigned char ip[4]);
+static int host_ip(const char *str, unsigned char ip[4]);
-
+# ifndef NO_SYS_UN_H
-#ifdef OPENSSL_SYS_WIN16
+static int init_server_unix(int *sock, const char *path);
-#define SOCKET_PROTOCOL	0 /* more microsoft stupidity */
+static int do_accept_unix(int acc_sock, int *sock);
 #else
 #define SOCKET_PROTOCOL	IPPROTO_TCP
 # endif
 # if defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK)
@@ -117,43 +162,12 @@ static int wsa_init_done=0;
 static struct WSAData wsa_state;
 static int wsa_init_done = 0;
 #ifdef OPENSSL_SYS_WIN16
 static HWND topWnd=0;
 static FARPROC lpTopWndProc=NULL;
 static FARPROC lpTopHookProc=NULL;
 extern HINSTANCE _hInstance;  /* nice global CRT provides */
 static LONG FAR PASCAL topHookProc(HWND hwnd, UINT message, WPARAM wParam,
 	     LPARAM lParam)
 	{
 	if (hwnd == topWnd)
 		{
 		switch(message)
 			{
 		case WM_DESTROY:
 		case WM_CLOSE:
 			SetWindowLong(topWnd,GWL_WNDPROC,(LONG)lpTopWndProc);
 			ssl_sock_cleanup();
 			break;
 			}
 		}
 	return CallWindowProc(lpTopWndProc,hwnd,message,wParam,lParam);
 	}
 static BOOL CALLBACK enumproc(HWND hwnd,LPARAM lParam)
 	{
 	topWnd=hwnd;
 	return(FALSE);
 	}
 #endif /* OPENSSL_SYS_WIN32 */
 # endif                         /* OPENSSL_SYS_WINDOWS */
 # ifdef OPENSSL_SYS_WINDOWS
 static void ssl_sock_cleanup(void)
 {
-	if (wsa_init_done)
+    if (wsa_init_done) {
 		{
        wsa_init_done = 0;
 #  ifndef OPENSSL_SYS_WINCE
        WSACancelBlockingCall();
@@ -164,8 +178,7 @@ static void ssl_sock_cleanup(void)
 # elif defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK)
 static void sock_cleanup(void)
 {
-    if (wsa_init_done)
+    if (wsa_init_done) {
        {
        wsa_init_done = 0;
        WSACleanup();
    }
@@ -180,8 +193,7 @@ static int ssl_sock_init(void)
    if (sock_init())
        return (0);
 # elif defined(OPENSSL_SYS_WINDOWS)
-	if (!wsa_init_done)
+    if (!wsa_init_done) {
 		{
        int err;
 #  ifdef SIGINT
@@ -189,28 +201,19 @@ static int ssl_sock_init(void)
 #  endif
        wsa_init_done = 1;
        memset(&wsa_state, 0, sizeof(wsa_state));
-		if (WSAStartup(0x0101,&wsa_state)!=0)
+        if (WSAStartup(0x0101, &wsa_state) != 0) {
 			{
            err = WSAGetLastError();
-			BIO_printf(bio_err,"unable to start WINSOCK, error code=%d\n",err);
+            BIO_printf(bio_err, "unable to start WINSOCK, error code=%d\n",
                       err);
            return (0);
        }
 #ifdef OPENSSL_SYS_WIN16
 		EnumTaskWindows(GetCurrentTask(),enumproc,0L);
 		lpTopWndProc=(FARPROC)GetWindowLong(topWnd,GWL_WNDPROC);
 		lpTopHookProc=MakeProcInstance((FARPROC)topHookProc,_hInstance);
 		SetWindowLong(topWnd,GWL_WNDPROC,(LONG)lpTopHookProc);
 #endif /* OPENSSL_SYS_WIN16 */
    }
 # elif defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK)
    WORD wVerReq;
    WSADATA wsaData;
    int err;
-   if (!wsa_init_done)
+    if (!wsa_init_done) {
      {
 #  ifdef SIGINT
        signal(SIGINT, (void (*)(int))sock_cleanup);
@@ -219,26 +222,24 @@ static int ssl_sock_init(void)
        wsa_init_done = 1;
        wVerReq = MAKEWORD(2, 0);
        err = WSAStartup(wVerReq, &wsaData);
-      if (err != 0)
+        if (err != 0) {
-         {
+            BIO_printf(bio_err, "unable to start WINSOCK2, error code=%d\n",
-         BIO_printf(bio_err,"unable to start WINSOCK2, error code=%d\n",err);
+                       err);
            return (0);
        }
    }
-#endif /* OPENSSL_SYS_WINDOWS */
+# endif
    return (1);
 }
-int init_client(int *sock, char *host, int port, int type)
+int init_client(int *sock, const char *host, int port, int type)
 {
    unsigned char ip[4];
    ip[0] = ip[1] = ip[2] = ip[3] = 0;
    if (!host_ip(host, &(ip[0])))
-		{
+        return 0;
-		return(0);
+    return init_client_ip(sock, ip, port, type);
 		}
 	return(init_client_ip(sock,ip,port,type));
 }
 static int init_client_ip(int *sock, const unsigned char ip[4], int port,
@@ -248,87 +249,168 @@ static int init_client_ip(int *sock, const unsigned char ip[4], int port,
    struct sockaddr_in them;
    int s, i;
-	if (!ssl_sock_init()) return(0);
+    if (!ssl_sock_init())
        return (0);
-	memset((char *)&them,0,sizeof(them));
+    memset(&them, 0, sizeof(them));
    them.sin_family = AF_INET;
    them.sin_port = htons((unsigned short)port);
    addr = (unsigned long)
        ((unsigned long)ip[0] << 24L) |
        ((unsigned long)ip[1] << 16L) |
-		((unsigned long)ip[2]<< 8L)|
+        ((unsigned long)ip[2] << 8L) | ((unsigned long)ip[3]);
 		((unsigned long)ip[3]);
    them.sin_addr.s_addr = htonl(addr);
    if (type == SOCK_STREAM)
-		s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
+        s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    else                        /* ( type == SOCK_DGRAM) */
        s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
-	if (s == INVALID_SOCKET) { perror("socket"); return(0); }
+    if (s == (int)INVALID_SOCKET) {
-
+        perror("socket");
-#if defined(SO_KEEPALIVE) && !defined(OPENSSL_SYS_MPE)
+        return (0);
-	if (type == SOCK_STREAM)
+    }
-		{
+# if defined(SO_KEEPALIVE)
    if (type == SOCK_STREAM) {
        i = 0;
        i = setsockopt(s, SOL_SOCKET, SO_KEEPALIVE, (char *)&i, sizeof(i));
-		if (i < 0) { perror("keepalive"); return(0); }
+        if (i < 0) {
            closesocket(s);
            perror("keepalive");
            return (0);
        }
    }
 # endif
-	if (connect(s,(struct sockaddr *)&them,sizeof(them)) == -1)
+    if (connect(s, (struct sockaddr *)&them, sizeof(them)) == -1) {
-		{ closesocket(s); perror("connect"); return(0); }
+        closesocket(s);
        perror("connect");
        return (0);
    }
    *sock = s;
    return (1);
 }
-int do_server(int port, int type, int *ret, int (*cb)(char *hostname, int s, unsigned char *context), unsigned char *context)
+# ifndef NO_SYS_UN_H
 int init_client_unix(int *sock, const char *server)
 {
    struct sockaddr_un them;
    int s;
    if (strlen(server) > (UNIX_PATH_MAX + 1))
        return (0);
    if (!ssl_sock_init())
        return (0);
    s = socket(AF_UNIX, SOCK_STREAM, 0);
    if (s == (int)INVALID_SOCKET) {
        perror("socket");
        return (0);
    }
    memset(&them, 0, sizeof(them));
    them.sun_family = AF_UNIX;
    strcpy(them.sun_path, server);
    if (connect(s, (struct sockaddr *)&them, sizeof(them)) == -1) {
        closesocket(s);
        perror("connect");
        return (0);
    }
    *sock = s;
    return (1);
 }
 # endif
 int do_server(int port, int type, int *ret,
              int (*cb) (char *hostname, int s, int stype,
                         unsigned char *context), unsigned char *context,
              int naccept)
 {
    int sock;
    char *name = NULL;
    int accept_socket = 0;
    int i;
-	if (!init_server(&accept_socket,port,type)) return(0);
+    if (!init_server(&accept_socket, port, type))
        return (0);
-	if (ret != NULL)
+    if (ret != NULL) {
 		{
        *ret = accept_socket;
        /* return(1); */
    }
-  	for (;;)
+    for (;;) {
-  		{
+        if (type == SOCK_STREAM) {
-		if (type==SOCK_STREAM)
+# ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-			{
+            if (do_accept(accept_socket, &sock, NULL) == 0)
 # else
            if (do_accept(accept_socket, &sock, &name) == 0)
 # endif
            {
                SHUTDOWN(accept_socket);
                return (0);
            }
-			}
+        } else
 		else
            sock = accept_socket;
-		i=(*cb)(name,sock, context);
+        i = (*cb) (name, sock, type, context);
-		if (name != NULL) OPENSSL_free(name);
+        OPENSSL_free(name);
        if (type == SOCK_STREAM)
            SHUTDOWN2(sock);
-		if (i < 0)
+        if (naccept != -1)
-			{
+            naccept--;
        if (i < 0 || naccept == 0) {
            SHUTDOWN2(accept_socket);
            return (i);
        }
    }
 }
 # ifndef NO_SYS_UN_H
 int do_server_unix(const char *path, int *ret,
                   int (*cb) (char *hostname, int s, int stype,
                              unsigned char *context), unsigned char *context,
                   int naccept)
 {
    int sock;
    int accept_socket = 0;
    int i;
    if (!init_server_unix(&accept_socket, path))
        return (0);
    if (ret != NULL)
        *ret = accept_socket;
    for (;;) {
        if (do_accept_unix(accept_socket, &sock) == 0) {
            SHUTDOWN(accept_socket);
            i = 0;
            goto out;
        }
        i = (*cb) (NULL, sock, 0, context);
        SHUTDOWN2(sock);
        if (naccept != -1)
            naccept--;
        if (i < 0 || naccept == 0) {
            SHUTDOWN2(accept_socket);
            goto out;
        }
    }
 out:
    unlink(path);
    return (i);
 }
 # endif
 static int init_server_long(int *sock, int port, char *ip, int type)
 {
    int ret = 0;
    struct sockaddr_in server;
    int s = -1;
-	if (!ssl_sock_init()) return(0);
+    if (!ssl_sock_init())
        return (0);
-	memset((char *)&server,0,sizeof(server));
+    memset(&server, 0, sizeof(server));
    server.sin_family = AF_INET;
    server.sin_port = htons((unsigned short)port);
    if (ip == NULL)
@@ -342,32 +424,31 @@ static int init_server_long(int *sock, int port, char *ip, int type)
 # endif
    if (type == SOCK_STREAM)
-			s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
+        s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    else                        /* type == SOCK_DGRAM */
        s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
-	if (s == INVALID_SOCKET) goto err;
+    if (s == (int)INVALID_SOCKET)
        goto err;
 # if defined SOL_SOCKET && defined SO_REUSEADDR
    {
        int j = 1;
-		setsockopt(s, SOL_SOCKET, SO_REUSEADDR,
+        setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&j, sizeof j);
 			   (void *) &j, sizeof j);
    }
 # endif
-	if (bind(s,(struct sockaddr *)&server,sizeof(server)) == -1)
+    if (bind(s, (struct sockaddr *)&server, sizeof(server)) == -1) {
 		{
 # ifndef OPENSSL_SYS_WINDOWS
        perror("bind");
 # endif
        goto err;
    }
    /* Make it 128 for linux */
-	if (type==SOCK_STREAM && listen(s,128) == -1) goto err;
+    if (type == SOCK_STREAM && listen(s, 128) == -1)
        goto err;
    *sock = s;
    ret = 1;
 err:
-	if ((ret == 0) && (s != -1))
+    if ((ret == 0) && (s != -1)) {
 		{
        SHUTDOWN(s);
    }
    return (ret);
@@ -378,6 +459,50 @@ static int init_server(int *sock, int port, int type)
    return (init_server_long(sock, port, NULL, type));
 }
 # ifndef NO_SYS_UN_H
 static int init_server_unix(int *sock, const char *path)
 {
    int ret = 0;
    struct sockaddr_un server;
    int s = -1;
    if (strlen(path) > (UNIX_PATH_MAX + 1))
        return (0);
    if (!ssl_sock_init())
        return (0);
    s = socket(AF_UNIX, SOCK_STREAM, 0);
    if (s == (int)INVALID_SOCKET)
        goto err;
    memset(&server, 0, sizeof(server));
    server.sun_family = AF_UNIX;
    strcpy(server.sun_path, path);
    if (bind(s, (struct sockaddr *)&server, sizeof(server)) == -1) {
 #  ifndef OPENSSL_SYS_WINDOWS
        perror("bind");
 #  endif
        goto err;
    }
    /* Make it 128 for linux */
    if (listen(s, 128) == -1) {
 #  ifndef OPENSSL_SYS_WINDOWS
        perror("listen");
 #  endif
        unlink(path);
        goto err;
    }
    *sock = s;
    ret = 1;
 err:
    if ((ret == 0) && (s != -1)) {
        SHUTDOWN(s);
    }
    return (ret);
 }
 # endif
 static int do_accept(int acc_sock, int *sock, char **host)
 {
    int ret;
@@ -386,49 +511,41 @@ static int do_accept(int acc_sock, int *sock, char **host)
    int len;
 /*      struct linger ling; */
-	if (!ssl_sock_init()) return(0);
+    if (!ssl_sock_init())
        return (0);
 # ifndef OPENSSL_SYS_WINDOWS
 redoit:
 # endif
-	memset((char *)&from,0,sizeof(from));
+    memset(&from, 0, sizeof(from));
    len = sizeof(from);
-	/* Note: under VMS with SOCKETSHR the fourth parameter is currently
+    /*
-	 * of type (int *) whereas under other systems it is (void *) if
+     * Note: under VMS with SOCKETSHR the fourth parameter is currently of
-	 * you don't have a cast it will choke the compiler: if you do
+     * type (int *) whereas under other systems it is (void *) if you don't
-	 * have a cast then you can either go for (int *) or (void *).
+     * have a cast it will choke the compiler: if you do have a cast then you
     * can either go for (int *) or (void *).
     */
    ret = accept(acc_sock, (struct sockaddr *)&from, (void *)&len);
-	if (ret == INVALID_SOCKET)
+    if (ret == (int)INVALID_SOCKET) {
 		{
 # if defined(OPENSSL_SYS_WINDOWS) || (defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK))
        int i;
        i = WSAGetLastError();
        BIO_printf(bio_err, "accept error %d\n", i);
 # else
-		if (errno == EINTR)
+        if (errno == EINTR) {
-			{
+            /*
-			/*check_timeout(); */
+             * check_timeout();
             */
            goto redoit;
        }
-		fprintf(stderr,"errno=%d ",errno);
+        BIO_printf(bio_err, "accept errno=%d, %s\n", errno, strerror(errno));
 		perror("accept");
 # endif
        return (0);
    }
-/*
+    if (host == NULL)
-	ling.l_onoff=1;
+        goto end;
 	ling.l_linger=0;
 	i=setsockopt(ret,SOL_SOCKET,SO_LINGER,(char *)&ling,sizeof(ling));
 	if (i < 0) { perror("linger"); return(0); }
 	i=0;
 	i=setsockopt(ret,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
 	if (i < 0) { perror("keepalive"); return(0); }
 */
 	if (host == NULL) goto end;
 # ifndef BIT_FIELD_LIMITS
    /* I should use WSAAsyncGetHostByName() under windows */
    h1 = gethostbyaddr((char *)&from.sin_addr.s_addr,
@@ -437,30 +554,23 @@ redoit:
    h1 = gethostbyaddr((char *)&from.sin_addr,
                       sizeof(struct in_addr), AF_INET);
 # endif
-	if (h1 == NULL)
+    if (h1 == NULL) {
 		{
        BIO_printf(bio_err, "bad gethostbyaddr\n");
        *host = NULL;
        /* return(0); */
-		}
+    } else {
-	else
+        *host = app_malloc(strlen(h1->h_name) + 1, "copy hostname");
 		{
 		if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL)
 			{
 			perror("OPENSSL_malloc");
 			return(0);
 			}
        BUF_strlcpy(*host, h1->h_name, strlen(h1->h_name) + 1);
-		h2=GetHostByName(*host);
+        h2 = gethostbyname(*host);
-		if (h2 == NULL)
+        if (h2 == NULL) {
 			{
            BIO_printf(bio_err, "gethostbyname failure\n");
            closesocket(ret);
            return (0);
        }
-		if (h2->h_addrtype != AF_INET)
+        if (h2->h_addrtype != AF_INET) {
 			{
            BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");
            closesocket(ret);
            return (0);
        }
    }
@@ -469,15 +579,40 @@ end:
    return (1);
 }
 # ifndef NO_SYS_UN_H
 static int do_accept_unix(int acc_sock, int *sock)
 {
    int ret;
    if (!ssl_sock_init())
        return (0);
 redoit:
    ret = accept(acc_sock, NULL, NULL);
    if (ret == (int)INVALID_SOCKET) {
        if (errno == EINTR) {
            /*
             * check_timeout();
             */
            goto redoit;
        }
        BIO_printf(bio_err, "accept errno=%d, %s\n", errno, strerror(errno));
        return (0);
    }
    *sock = ret;
    return (1);
 }
 # endif
 int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
-	     short *port_ptr)
+                      unsigned short *port_ptr)
 {
    char *h, *p;
    h = str;
    p = strchr(str, ':');
-	if (p == NULL)
+    if (p == NULL) {
 		{
        BIO_printf(bio_err, "no port defined\n");
        return (0);
    }
@@ -485,7 +620,8 @@ int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
    if ((ip != NULL) && !host_ip(str, ip))
        goto err;
-	if (host_ptr != NULL) *host_ptr=h;
+    if (host_ptr != NULL)
        *host_ptr = h;
    if (!extract_port(p, port_ptr))
        goto err;
@@ -494,16 +630,15 @@ err:
    return (0);
 }
-static int host_ip(char *str, unsigned char ip[4])
+static int host_ip(const char *str, unsigned char ip[4])
 {
    unsigned int in[4];
    int i;
-	if (sscanf(str,"%u.%u.%u.%u",&(in[0]),&(in[1]),&(in[2]),&(in[3])) == 4)
+    if (sscanf(str, "%u.%u.%u.%u", &(in[0]), &(in[1]), &(in[2]), &(in[3])) ==
-		{
+        4) {
        for (i = 0; i < 4; i++)
-			if (in[i] > 255)
+            if (in[i] > 255) {
 				{
                BIO_printf(bio_err, "invalid IP address\n");
                goto err;
            }
@@ -511,22 +646,18 @@ static int host_ip(char *str, unsigned char ip[4])
        ip[1] = in[1];
        ip[2] = in[2];
        ip[3] = in[3];
-		}
+    } else {                    /* do a gethostbyname */
 	else
 		{ /* do a gethostbyname */
        struct hostent *he;
-		if (!ssl_sock_init()) return(0);
+        if (!ssl_sock_init())
            return (0);
-		he=GetHostByName(str);
+        he = gethostbyname(str);
-		if (he == NULL)
+        if (he == NULL) {
 			{
            BIO_printf(bio_err, "gethostbyname failure\n");
            goto err;
        }
-		/* cast to short because of win16 winsock definition */
+        if (he->h_addrtype != AF_INET) {
 		if ((short)he->h_addrtype != AF_INET)
 			{
            BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");
            return (0);
        }
@@ -540,7 +671,7 @@ err:
    return (0);
 }
-int extract_port(char *str, short *port_ptr)
+int extract_port(const char *str, unsigned short *port_ptr)
 {
    int i;
    struct servent *s;
@@ -548,11 +679,9 @@ int extract_port(char *str, short *port_ptr)
    i = atoi(str);
    if (i != 0)
        *port_ptr = (unsigned short)i;
-	else
+    else {
 		{
        s = getservbyname(str, "tcp");
-		if (s == NULL)
+        if (s == NULL) {
 			{
            BIO_printf(bio_err, "getservbyname failure for %s\n", str);
            return (0);
        }
@@ -561,57 +690,4 @@ int extract_port(char *str, short *port_ptr)
    return (1);
 }
 #define GHBN_NUM	4
 static struct ghbn_cache_st
 	{
 	char name[128];
 	struct hostent ent;
 	unsigned long order;
 	} ghbn_cache[GHBN_NUM];
 static unsigned long ghbn_hits=0L;
 static unsigned long ghbn_miss=0L;
 static struct hostent *GetHostByName(char *name)
 	{
 	struct hostent *ret;
 	int i,lowi=0;
 	unsigned long low= (unsigned long)-1;
 	for (i=0; i<GHBN_NUM; i++)
 		{
 		if (low > ghbn_cache[i].order)
 			{
 			low=ghbn_cache[i].order;
 			lowi=i;
 			}
 		if (ghbn_cache[i].order > 0)
 			{
 			if (strncmp(name,ghbn_cache[i].name,128) == 0)
 				break;
 			}
 		}
 	if (i == GHBN_NUM) /* no hit*/
 		{
 		ghbn_miss++;
 		ret=gethostbyname(name);
 		if (ret == NULL) return(NULL);
 		/* else add to cache */
 		if(strlen(name) < sizeof ghbn_cache[0].name)
 			{
 			strcpy(ghbn_cache[lowi].name,name);
 			memcpy((char *)&(ghbn_cache[lowi].ent),ret,sizeof(struct hostent));
 			ghbn_cache[lowi].order=ghbn_miss+ghbn_hits;
 			}
 		return(ret);
 		}
 	else
 		{
 		ghbn_hits++;
 		ret= &(ghbn_cache[i].ent);
 		ghbn_cache[i].order=ghbn_miss+ghbn_hits;
 		return(ret);
 		}
 	}
 #endif
--- a/apps/s_time.c
+++ b/apps/s_time.c
@@ -1,4 +1,3 @@
 /* apps/s_time.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -58,7 +57,7 @@
 #define NO_SHUTDOWN
-/*-----------------------------------------
+/* ----------------------------------------
   s_time - SSL client connection timer program
   Written and donated by Larry Streepy <streepy@healthcare.com>
  -----------------------------------------*/
@@ -69,31 +68,24 @@
 #define USE_SOCKETS
 #include "apps.h"
 #ifdef OPENSSL_NO_STDIO
 #define APPS_WIN16
 #endif
 #include <openssl/x509.h>
 #include <openssl/ssl.h>
 #include <openssl/pem.h>
 #include "s_apps.h"
 #include <openssl/err.h>
 #ifdef WIN32_STUFF
 #include "winmain.h"
 #include "wintext.h"
 #endif
 #if !defined(OPENSSL_SYS_MSDOS)
 # include OPENSSL_UNISTD
 #endif
 #undef PROG
 #define PROG s_time_main
 #undef ioctl
 #define ioctl ioctlsocket
 #define SSL_CONNECT_NAME        "localhost:4433"
-/*#define TEST_CERT "client.pem" */ /* no default cert. */
+/* no default cert. */
 /*
 * #define TEST_CERT "client.pem"
 */
 #undef BUFSIZZ
 #define BUFSIZZ 1024*10
@@ -107,218 +99,47 @@
 #undef SECONDS
 #define SECONDS 30
 #define SECONDSSTR "30"
 extern int verify_depth;
 extern int verify_error;
-static void s_time_usage(void);
+static SSL *doConnection(SSL *scon, const char *host, SSL_CTX *ctx);
 static int parseArgs( int argc, char **argv );
 static SSL *doConnection( SSL *scon );
 static void s_time_init(void);
-/***********************************************************************
+typedef enum OPTION_choice {
- * Static data declarations
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
- */
+    OPT_CONNECT, OPT_CIPHER, OPT_CERT, OPT_KEY, OPT_CAPATH,
    OPT_CAFILE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NEW, OPT_REUSE, OPT_BUGS,
    OPT_VERIFY, OPT_TIME, OPT_SSL3,
    OPT_WWW
 } OPTION_CHOICE;
-/* static char *port=PORT_STR;*/
+OPTIONS s_time_options[] = {
-static char *host=SSL_CONNECT_NAME;
+    {"help", OPT_HELP, '-', "Display this summary"},
-static char *t_cert_file=NULL;
+    {"connect", OPT_CONNECT, 's',
-static char *t_key_file=NULL;
+     "Where to connect as post:port (default is " SSL_CONNECT_NAME ")"},
-static char *CApath=NULL;
+    {"cipher", OPT_CIPHER, 's', "Cipher to use, see 'openssl ciphers'"},
-static char *CAfile=NULL;
+    {"cert", OPT_CERT, '<', "Cert file to use, PEM format assumed"},
-static char *tm_cipher=NULL;
+    {"key", OPT_KEY, '<', "File with key, PEM; default is -cert file"},
-static int tm_verify = SSL_VERIFY_NONE;
+    {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
-static int maxTime = SECONDS;
+    {"cafile", OPT_CAFILE, '<', "PEM format file of CA's"},
-static SSL_CTX *tm_ctx=NULL;
+    {"no-CAfile", OPT_NOCAFILE, '-',
-static const SSL_METHOD *s_time_meth=NULL;
+     "Do not load the default certificates file"},
-static char *s_www_path=NULL;
+    {"no-CApath", OPT_NOCAPATH, '-',
-static long bytes_read=0; 
+     "Do not load certificates from the default certificates directory"},
-static int st_bugs=0;
+    {"new", OPT_NEW, '-', "Just time new connections"},
-static int perform=0;
+    {"reuse", OPT_REUSE, '-', "Just time connection reuse"},
-#ifdef FIONBIO
+    {"bugs", OPT_BUGS, '-', "Turn on SSL bug compatibility"},
-static int t_nbio=0;
+    {"verify", OPT_VERIFY, 'p',
-#endif
+     "Turn on peer certificate verification, set depth"},
-#ifdef OPENSSL_SYS_WIN32
+    {"time", OPT_TIME, 'p', "Sf seconds to collect data, default" SECONDSSTR},
-static int exitNow = 0;		/* Set when it's time to exit main */
+    {"www", OPT_WWW, 's', "Fetch specified page from the site"},
 #endif
 static void s_time_init(void)
 	{
 	host=SSL_CONNECT_NAME;
 	t_cert_file=NULL;
 	t_key_file=NULL;
 	CApath=NULL;
 	CAfile=NULL;
 	tm_cipher=NULL;
 	tm_verify = SSL_VERIFY_NONE;
 	maxTime = SECONDS;
 	tm_ctx=NULL;
 	s_time_meth=NULL;
 	s_www_path=NULL;
 	bytes_read=0; 
 	st_bugs=0;
 	perform=0;
 #ifdef FIONBIO
 	t_nbio=0;
 #endif
 #ifdef OPENSSL_SYS_WIN32
 	exitNow = 0;		/* Set when it's time to exit main */
 #endif
 	}
 /***********************************************************************
 * usage - display usage message
 */
 static void s_time_usage(void)
 {
 	static char umsg[] = "\
 -time arg     - max number of seconds to collect data, default %d\n\
 -verify arg   - turn on peer certificate verification, arg == depth\n\
 -cert arg     - certificate file to use, PEM format assumed\n\
 -key arg      - RSA file to use, PEM format assumed, key is in cert file\n\
                file if not specified by this option\n\
 -CApath arg   - PEM format directory of CA's\n\
 -CAfile arg   - PEM format file of CA's\n\
 -cipher       - preferred cipher to use, play with 'openssl ciphers'\n\n";
 	printf( "usage: s_time <args>\n\n" );
 	printf("-connect host:port - host:port to connect to (default is %s)\n",SSL_CONNECT_NAME);
 #ifdef FIONBIO
 	printf("-nbio         - Run with non-blocking IO\n");
 	printf("-ssl2         - Just use SSLv2\n");
 	printf("-ssl3         - Just use SSLv3\n");
 	printf("-bugs         - Turn on SSL bug compatibility\n");
 	printf("-new          - Just time new connections\n");
 	printf("-reuse        - Just time connection reuse\n");
 	printf("-www page     - Retrieve 'page' from the site\n");
 #endif
 	printf( umsg,SECONDS );
 }
 /***********************************************************************
 * parseArgs - Parse command line arguments and initialize data
 *
 * Returns 0 if ok, -1 on bad args
 */
 static int parseArgs(int argc, char **argv)
 {
    int badop = 0;
    verify_depth=0;
    verify_error=X509_V_OK;
    argc--;
    argv++;
    while (argc >= 1) {
 	if (strcmp(*argv,"-connect") == 0)
 		{
 		if (--argc < 1) goto bad;
 		host= *(++argv);
 		}
 #if 0
 	else if( strcmp(*argv,"-host") == 0)
 		{
 		if (--argc < 1) goto bad;
 		host= *(++argv);
 		}
 	else if( strcmp(*argv,"-port") == 0)
 		{
 		if (--argc < 1) goto bad;
 		port= *(++argv);
 		}
 #endif
 	else if (strcmp(*argv,"-reuse") == 0)
 		perform=2;
 	else if (strcmp(*argv,"-new") == 0)
 		perform=1;
 	else if( strcmp(*argv,"-verify") == 0) {
 	    tm_verify=SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE;
 	    if (--argc < 1) goto bad;
 	    verify_depth=atoi(*(++argv));
 	    BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
 	} else if( strcmp(*argv,"-cert") == 0) {
 	    if (--argc < 1) goto bad;
 	    t_cert_file= *(++argv);
 	} else if( strcmp(*argv,"-key") == 0) {
 	    if (--argc < 1) goto bad;
 	    t_key_file= *(++argv);
 	} else if( strcmp(*argv,"-CApath") == 0) {
 	    if (--argc < 1) goto bad;
 	    CApath= *(++argv);
 	} else if( strcmp(*argv,"-CAfile") == 0) {
 	    if (--argc < 1) goto bad;
 	    CAfile= *(++argv);
 	} else if( strcmp(*argv,"-cipher") == 0) {
 	    if (--argc < 1) goto bad;
 	    tm_cipher= *(++argv);
 	}
 #ifdef FIONBIO
 	else if(strcmp(*argv,"-nbio") == 0) {
 	    t_nbio=1;
 	}
 #endif
 	else if(strcmp(*argv,"-www") == 0)
 		{
 		if (--argc < 1) goto bad;
 		s_www_path= *(++argv);
 		if(strlen(s_www_path) > MYBUFSIZ-100)
 			{
 			BIO_printf(bio_err,"-www option too long\n");
 			badop=1;
 			}
 		}
 	else if(strcmp(*argv,"-bugs") == 0)
 	    st_bugs=1;
 #ifndef OPENSSL_NO_SSL2
 	else if(strcmp(*argv,"-ssl2") == 0)
 	    s_time_meth=SSLv2_client_method();
 #endif
 #ifndef OPENSSL_NO_SSL3
-	else if(strcmp(*argv,"-ssl3") == 0)
+    {"ssl3", OPT_SSL3, '-', "Just use SSLv3"},
 	    s_time_meth=SSLv3_client_method();
 #endif
-	else if( strcmp(*argv,"-time") == 0) {
+    {NULL}
 };
 	    if (--argc < 1) goto bad;
 	    maxTime= atoi(*(++argv));
 	}
 	else {
 	    BIO_printf(bio_err,"unknown option %s\n",*argv);
 	    badop=1;
 	    break;
 	}
 	argc--;
 	argv++;
    }
    if (perform == 0) perform=3;
    if(badop) {
 bad:
 		s_time_usage();
 		return -1;
    }
 	return 0;			/* Valid args */
 }
 /***********************************************************************
 * TIME - time functions
 */
 #define START   0
 #define STOP    1
@@ -327,98 +148,144 @@ static double tm_Time_F(int s)
    return app_tminterval(s, 1);
 }
-/***********************************************************************
+int s_time_main(int argc, char **argv)
 * MAIN - main processing area for client
 *			real name depends on MONOLITH
 */
 int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 {
-	double totalTime = 0.0;
+    char buf[1024 * 8];
 	int nConn = 0;
    SSL *scon = NULL;
-	long finishtime=0;
+    SSL_CTX *ctx = NULL;
-	int ret=1,i;
+    const SSL_METHOD *meth = NULL;
-	MS_STATIC char buf[1024*8];
+    char *CApath = NULL, *CAfile = NULL, *cipher = NULL, *www_path = NULL;
-	int ver;
+    char *host = SSL_CONNECT_NAME, *certfile = NULL, *keyfile = NULL, *prog;
    double totalTime = 0.0;
    int noCApath = 0, noCAfile = 0;
    int maxtime = SECONDS, nConn = 0, perform = 3, ret = 1, i, st_bugs =
        0, ver;
    long bytes_read = 0, finishtime = 0;
    OPTION_CHOICE o;
-	apps_startup();
+    meth = TLS_client_method();
-	s_time_init();
+    verify_depth = 0;
    verify_error = X509_V_OK;
-	if (bio_err == NULL)
+    prog = opt_init(argc, argv, s_time_options);
-		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
+    while ((o = opt_next()) != OPT_EOF) {
-
+        switch (o) {
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
+        case OPT_EOF:
-	s_time_meth=SSLv23_client_method();
+        case OPT_ERR:
-#elif !defined(OPENSSL_NO_SSL3)
+ opthelp:
-	s_time_meth=SSLv3_client_method();
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
-#elif !defined(OPENSSL_NO_SSL2)
+            goto end;
-	s_time_meth=SSLv2_client_method();
+        case OPT_HELP:
            opt_help(s_time_options);
            ret = 0;
            goto end;
        case OPT_CONNECT:
            host = opt_arg();
            break;
        case OPT_REUSE:
            perform = 2;
            break;
        case OPT_NEW:
            perform = 1;
            break;
        case OPT_VERIFY:
            if (!opt_int(opt_arg(), &verify_depth))
                goto opthelp;
            BIO_printf(bio_err, "%s: verify depth is %d\n",
                       prog, verify_depth);
            break;
        case OPT_CERT:
            certfile = opt_arg();
            break;
        case OPT_KEY:
            keyfile = opt_arg();
            break;
        case OPT_CAPATH:
            CApath = opt_arg();
            break;
        case OPT_CAFILE:
            CAfile = opt_arg();
            break;
        case OPT_NOCAPATH:
            noCApath = 1;
            break;
        case OPT_NOCAFILE:
            noCAfile = 1;
            break;
        case OPT_CIPHER:
            cipher = opt_arg();
            break;
        case OPT_BUGS:
            st_bugs = 1;
            break;
        case OPT_TIME:
            if (!opt_int(opt_arg(), &maxtime))
                goto opthelp;
            break;
        case OPT_WWW:
            www_path = opt_arg();
            if (strlen(www_path) > MYBUFSIZ - 100) {
                BIO_printf(bio_err, "%s: -www option too long\n", prog);
                goto end;
            }
            break;
        case OPT_SSL3:
 #ifndef OPENSSL_NO_SSL3
            meth = SSLv3_client_method();
 #endif
            break;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
-	/* parse the command line arguments */
+    if (cipher == NULL)
-	if( parseArgs( argc, argv ) < 0 )
+        cipher = getenv("SSL_CIPHER");
    if (cipher == NULL) {
        BIO_printf(bio_err, "No CIPHER specified\n");
        goto end;
    }
    if ((ctx = SSL_CTX_new(meth)) == NULL)
        goto end;
-	OpenSSL_add_ssl_algorithms();
+    SSL_CTX_set_quiet_shutdown(ctx, 1);
 	if ((tm_ctx=SSL_CTX_new(s_time_meth)) == NULL) return(1);
-	SSL_CTX_set_quiet_shutdown(tm_ctx,1);
+    if (st_bugs)
-
+        SSL_CTX_set_options(ctx, SSL_OP_ALL);
-	if (st_bugs) SSL_CTX_set_options(tm_ctx,SSL_OP_ALL);
+    if (!SSL_CTX_set_cipher_list(ctx, cipher))
-	SSL_CTX_set_cipher_list(tm_ctx,tm_cipher);
+        goto end;
-	if(!set_cert_stuff(tm_ctx,t_cert_file,t_key_file)) 
+    if (!set_cert_stuff(ctx, certfile, keyfile))
        goto end;
-	SSL_load_error_strings();
+    if (!ctx_set_verify_locations(ctx, CAfile, CApath, noCAfile, noCApath)) {
 	if ((!SSL_CTX_load_verify_locations(tm_ctx,CAfile,CApath)) ||
 		(!SSL_CTX_set_default_verify_paths(tm_ctx)))
 		{
 		/* BIO_printf(bio_err,"error setting default verify locations\n"); */
        ERR_print_errors(bio_err);
-		/* goto end; */
+        goto end;
    }
-
+    if (!(perform & 1))
-	if (tm_cipher == NULL)
+        goto next;
-		tm_cipher = getenv("SSL_CIPHER");
+    printf("Collecting connection statistics for %d seconds\n", maxtime);
 	if (tm_cipher == NULL ) {
 		fprintf( stderr, "No CIPHER specified\n" );
 	}
 	if (!(perform & 1)) goto next;
 	printf( "Collecting connection statistics for %d seconds\n", maxTime );
    /* Loop and time how long it takes to make connections */
    bytes_read = 0;
-	finishtime=(long)time(NULL)+maxTime;
+    finishtime = (long)time(NULL) + maxtime;
    tm_Time_F(START);
-	for (;;)
+    for (;;) {
-		{
+        if (finishtime < (long)time(NULL))
-		if (finishtime < (long)time(NULL)) break;
+            break;
 #ifdef WIN32_STUFF
-		if( flushWinMsgs(0) == -1 )
+        if ((scon = doConnection(NULL, host, ctx)) == NULL)
            goto end;
-		if( waitingToDie || exitNow )		/* we're dead */
+        if (www_path != NULL) {
            BIO_snprintf(buf, sizeof buf, "GET %s HTTP/1.0\r\n\r\n",
                         www_path);
            if (SSL_write(scon, buf, strlen(buf)) <= 0)
                goto end;
 #endif
 		if( (scon = doConnection( NULL )) == NULL )
 			goto end;
 		if (s_www_path != NULL)
 			{
 			BIO_snprintf(buf,sizeof buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path);
 			SSL_write(scon,buf,strlen(buf));
            while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
                bytes_read += i;
        }
 #ifdef NO_SHUTDOWN
        SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
 #else
@@ -429,15 +296,12 @@ int MAIN(int argc, char **argv)
        nConn += 1;
        if (SSL_session_reused(scon))
            ver = 'r';
-		else
+        else {
 			{
            ver = SSL_version(scon);
            if (ver == TLS1_VERSION)
                ver = 't';
            else if (ver == SSL3_VERSION)
                ver = '3';
 			else if (ver == SSL2_VERSION)
 				ver='2';
            else
                ver = '*';
        }
@@ -449,29 +313,35 @@ int MAIN(int argc, char **argv)
    }
    totalTime += tm_Time_F(STOP); /* Add the time for this iteration */
-	i=(int)((long)time(NULL)-finishtime+maxTime);
+    i = (int)((long)time(NULL) - finishtime + maxtime);
-	printf( "\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n", nConn, totalTime, ((double)nConn/totalTime),bytes_read);
+    printf
-	printf( "%d connections in %ld real seconds, %ld bytes read per connection\n",nConn,(long)time(NULL)-finishtime+maxTime,bytes_read/nConn);
+        ("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n",
         nConn, totalTime, ((double)nConn / totalTime), bytes_read);
    printf
        ("%d connections in %ld real seconds, %ld bytes read per connection\n",
         nConn, (long)time(NULL) - finishtime + maxtime, bytes_read / nConn);
-	/* Now loop and time connections using the same session id over and over */
+    /*
     * Now loop and time connections using the same session id over and over
     */
 next:
-	if (!(perform & 2)) goto end;
+    if (!(perform & 2))
        goto end;
    printf("\n\nNow timing with session id reuse.\n");
    /* Get an SSL object so we can reuse the session id */
-	if( (scon = doConnection( NULL )) == NULL )
+    if ((scon = doConnection(NULL, host, ctx)) == NULL) {
-		{
+        BIO_printf(bio_err, "Unable to get connection\n");
 		fprintf( stderr, "Unable to get connection\n" );
        goto end;
    }
-	if (s_www_path != NULL)
+    if (www_path != NULL) {
-		{
+        BIO_snprintf(buf, sizeof buf, "GET %s HTTP/1.0\r\n\r\n", www_path);
-		BIO_snprintf(buf,sizeof buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path);
+        if (SSL_write(scon, buf, strlen(buf)) <= 0)
-		SSL_write(scon,buf,strlen(buf));
+            goto end;
        while (SSL_read(scon, buf, sizeof(buf)) > 0)
-			;
+            continue;
    }
 #ifdef NO_SHUTDOWN
    SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
@@ -483,35 +353,27 @@ next:
    nConn = 0;
    totalTime = 0.0;
-	finishtime=(long)time(NULL)+maxTime;
+    finishtime = (long)time(NULL) + maxtime;
    printf("starting\n");
    bytes_read = 0;
    tm_Time_F(START);
-	for (;;)
+    for (;;) {
-		{
+        if (finishtime < (long)time(NULL))
-		if (finishtime < (long)time(NULL)) break;
+            break;
-#ifdef WIN32_STUFF
+        if ((doConnection(scon, host, ctx)) == NULL)
 		if( flushWinMsgs(0) == -1 )
            goto end;
-		if( waitingToDie || exitNow )	/* we're dead */
+        if (www_path) {
            BIO_snprintf(buf, sizeof buf, "GET %s HTTP/1.0\r\n\r\n",
                         www_path);
            if (SSL_write(scon, buf, strlen(buf)) <= 0)
                goto end;
 #endif
 	 	if( (doConnection( scon )) == NULL )
 			goto end;
 		if (s_www_path)
 			{
 			BIO_snprintf(buf,sizeof buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path);
 			SSL_write(scon,buf,strlen(buf));
            while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
                bytes_read += i;
        }
 #ifdef NO_SHUTDOWN
        SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
 #else
@@ -522,15 +384,12 @@ next:
        nConn += 1;
        if (SSL_session_reused(scon))
            ver = 'r';
-		else
+        else {
 			{
            ver = SSL_version(scon);
            if (ver == TLS1_VERSION)
                ver = 't';
            else if (ver == SSL3_VERSION)
                ver = '3';
 			else if (ver == SSL2_VERSION)
 				ver='2';
            else
                ver = '*';
        }
@@ -539,31 +398,25 @@ next:
    }
    totalTime += tm_Time_F(STOP); /* Add the time for this iteration */
-
+    printf
-	printf( "\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n", nConn, totalTime, ((double)nConn/totalTime),bytes_read);
+        ("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n",
-	printf( "%d connections in %ld real seconds, %ld bytes read per connection\n",nConn,(long)time(NULL)-finishtime+maxTime,bytes_read/nConn);
+         nConn, totalTime, ((double)nConn / totalTime), bytes_read);
    printf
        ("%d connections in %ld real seconds, %ld bytes read per connection\n",
         nConn, (long)time(NULL) - finishtime + maxtime, bytes_read / nConn);
    ret = 0;
 end:
-	if (scon != NULL) SSL_free(scon);
+    SSL_free(scon);
-
+    SSL_CTX_free(ctx);
-	if (tm_ctx != NULL)
+    return (ret);
 		{
 		SSL_CTX_free(tm_ctx);
 		tm_ctx=NULL;
 		}
 	apps_shutdown();
 	OPENSSL_EXIT(ret);
 }
-/***********************************************************************
+/*-
 * doConnection - make a connection
 * Args:
 *		scon	= earlier ssl connection for session id, or NULL
 * Returns:
 *		SSL *	= the connection pointer.
 */
-static SSL *doConnection(SSL *scon)
+static SSL *doConnection(SSL *scon, const char *host, SSL_CTX *ctx)
 {
    BIO *conn;
    SSL *serverCon;
@@ -573,48 +426,39 @@ static SSL *doConnection(SSL *scon)
    if ((conn = BIO_new(BIO_s_connect())) == NULL)
        return (NULL);
 /*	BIO_set_conn_port(conn,port);*/
    BIO_set_conn_hostname(conn, host);
    if (scon == NULL)
-		serverCon=SSL_new(tm_ctx);
+        serverCon = SSL_new(ctx);
-	else
+    else {
 		{
        serverCon = scon;
        SSL_set_connect_state(serverCon);
    }
    SSL_set_bio(serverCon, conn, conn);
 #if 0
 	if( scon != NULL )
 		SSL_set_session(serverCon,SSL_get_session(scon));
 #endif
    /* ok, lets connect */
    for (;;) {
        i = SSL_connect(serverCon);
-		if (BIO_sock_should_retry(i))
+        if (BIO_sock_should_retry(i)) {
 			{
            BIO_printf(bio_err, "DELAY\n");
            i = SSL_get_fd(serverCon);
            width = i + 1;
            FD_ZERO(&readfds);
            openssl_fdset(i, &readfds);
-			/* Note: under VMS with SOCKETSHR the 2nd parameter
+            /*
-			 * is currently of type (int *) whereas under other
+             * Note: under VMS with SOCKETSHR the 2nd parameter is currently
-			 * systems it is (void *) if you don't have a cast it
+             * of type (int *) whereas under other systems it is (void *) if
-			 * will choke the compiler: if you do have a cast then
+             * you don't have a cast it will choke the compiler: if you do
-			 * you can either go for (int *) or (void *).
+             * have a cast then you can either go for (int *) or (void *).
             */
            select(width, (void *)&readfds, NULL, NULL, NULL);
            continue;
        }
        break;
    }
-	if(i <= 0)
+    if (i <= 0) {
 		{
        BIO_printf(bio_err, "ERROR\n");
        if (verify_error != X509_V_OK)
            BIO_printf(bio_err, "verify error:%s\n",
@@ -628,5 +472,3 @@ static SSL *doConnection(SSL *scon)
    return serverCon;
 }
--- a/apps/server.pem
+++ b/apps/server.pem
@@ -1,369 +1,52 @@
-issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
+subject= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = Test Server Cert
-subject= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
+issuer= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = OpenSSL Test Intermediate CA
 -----BEGIN CERTIFICATE-----
-MIIB6TCCAVICAQYwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV
+MIID5zCCAs+gAwIBAgIJALnu1NlVpZ6zMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
-BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYD
+BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMSIwIAYDVQQLDBlGT1IgVEVT
-VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNMDAxMDE2MjIzMTAzWhcNMDMwMTE0
+VElORyBQVVJQT1NFUyBPTkxZMSUwIwYDVQQDDBxPcGVuU1NMIFRlc3QgSW50ZXJt
-MjIzMTAzWjBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG
+ZWRpYXRlIENBMB4XDTExMTIwODE0MDE0OFoXDTIxMTAxNjE0MDE0OFowZDELMAkG
-A1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxIzAhBgNVBAMTGlNlcnZlciB0ZXN0IGNl
+A1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxIjAgBgNVBAsMGUZPUiBU
-cnQgKDUxMiBiaXQpMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ+zw4Qnlf8SMVIP
+RVNUSU5HIFBVUlBPU0VTIE9OTFkxGTAXBgNVBAMMEFRlc3QgU2VydmVyIENlcnQw
-Fe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVDTGiXav6ooKXfX3j/7tdkuD8Ey2//
+ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDzhPOSNtyyRspmeuUpxfNJ
-Kv7+ue0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQCT0grFQeZaqYb5EYfk20XixZV4
+KCLTuf7g3uQ4zu4iHOmRO5TQci+HhVlLZrHF9XqFXcIP0y4pWDbMSGuiorUmzmfi
-GmyAbXMftG1Eo7qGiMhYzRwGNWxEYojf5PZkYZXvSqZ/ZXHXa4g59jK/rJNnaVGM
+R7bfSdI/+qIQt8KXRH6HNG1t8ou0VSvWId5TS5Dq/er5ODUr9OaaDva7EquHIcMv
-k+xIX8mxQvlV0n5O9PIha5BX5teZnkHKgL8aKKLKW1BK7YTngsfSzzaeame5iKfz
+vPQGuI+OEAcnleVCy9HVEIySrO4P3CNIicnGkwwiAud05yUAq/gPXBC1hTtmlPD7
-itAE+OjGF+PFKbwX8Q==
+TVcGVSEiJdvzqqlgv02qedGrkki6GY4S7GjZxrrf7Foc2EP+51LJzwLQx3/JfrCU
 41NEWAsu/Sl0tQabXESN+zJ1pDqoZ3uHMgpQjeGiE0olr+YcsSW/tJmiU9OiAr8R
 AgMBAAGjgY8wgYwwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwLAYJYIZI
 AYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQW
 BBSCvM8AABPR9zklmifnr9LvIBturDAfBgNVHSMEGDAWgBQ2w2yI55X+sL3szj49
 hqshgYfa2jANBgkqhkiG9w0BAQUFAAOCAQEAqb1NV0B0/pbpK9Z4/bNjzPQLTRLK
 WnSNm/Jh5v0GEUOE/Beg7GNjNrmeNmqxAlpqWz9qoeoFZax+QBpIZYjROU3TS3fp
 yLsrnlr0CDQ5R7kCCDGa8dkXxemmpZZLbUCpW2Uoy8sAA4JjN9OtsZY7dvUXFgJ7
 vVNTRnI01ghknbtD+2SxSQd3CWF6QhcRMAzZJ1z1cbbwGDDzfvGFPzJ+Sq+zEPds
 xoVLLSetCiBc+40ZcDS5dV98h9XD7JMTQfxzA7mNGv73JoZJA6nFgj+ADSlJsY/t
 JBv+z1iQRueoh9Qeee+ZbRifPouCB8FDx+AltvHTANdAq0t/K3o+pplMVA==
 -----END CERTIFICATE-----
 -----BEGIN RSA PRIVATE KEY-----
-MIIBPAIBAAJBAJ+zw4Qnlf8SMVIPFe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVD
+MIIEpAIBAAKCAQEA84TzkjbcskbKZnrlKcXzSSgi07n+4N7kOM7uIhzpkTuU0HIv
-TGiXav6ooKXfX3j/7tdkuD8Ey2//Kv7+ue0CAwEAAQJAN6W31vDEP2DjdqhzCDDu
+h4VZS2axxfV6hV3CD9MuKVg2zEhroqK1Js5n4ke230nSP/qiELfCl0R+hzRtbfKL
-OA4NACqoiFqyblo7yc2tM4h4xMbC3Yx5UKMN9ZkCtX0gzrz6DyF47bdKcWBzNWCj
+tFUr1iHeU0uQ6v3q+Tg1K/Tmmg72uxKrhyHDL7z0BriPjhAHJ5XlQsvR1RCMkqzu
-gQIhANEoojVt7hq+SQ6MCN6FTAysGgQf56Q3TYoJMoWvdiXVAiEAw3e3rc+VJpOz
+D9wjSInJxpMMIgLndOclAKv4D1wQtYU7ZpTw+01XBlUhIiXb86qpYL9NqnnRq5JI
-rHuDo6bgpjUAAXM+v3fcpsfZSNO6V7kCIQCtbVjanpUwvZkMI9by02oUk9taki3b
+uhmOEuxo2ca63+xaHNhD/udSyc8C0Md/yX6wlONTRFgLLv0pdLUGm1xEjfsydaQ6
-PzPfAfNPYAbCJQIhAJXNQDWyqwn/lGmR11cqY2y9nZ1+5w3yHGatLrcDnQHxAiEA
+qGd7hzIKUI3hohNKJa/mHLElv7SZolPTogK/EQIDAQABAoIBAADq9FwNtuE5IRQn
-vnlEGo8K85u+KwIOimM48ZG8oTk7iFdkqLJR1utT3aU=
+zGtO4q7Y5uCzZ8GDNYr9RKp+P2cbuWDbvVAecYq2NV9QoIiWJOAYZKklOvekIju3
 r0UZLA0PRiIrTg6NrESx3JrjWDK8QNlUO7CPTZ39/K+FrmMkV9lem9yxjJjyC34D
 AQB+YRTx+l14HppjdxNwHjAVQpIx/uO2F5xAMuk32+3K+pq9CZUtrofe1q4Agj9R
 5s8mSy9pbRo9kW9wl5xdEotz1LivFOEiqPUJTUq5J5PeMKao3vdK726XI4Z455Nm
 W2/MA0YV0ug2FYinHcZdvKM6dimH8GLfa3X8xKRfzjGjTiMSwsdjgMa4awY3tEHH
 674jhAECgYEA/zqMrc0zsbNk83sjgaYIug5kzEpN4ic020rSZsmQxSCerJTgNhmg
 utKSCt0Re09Jt3LqG48msahX8ycqDsHNvlEGPQSbMu9IYeO3Wr3fAm75GEtFWePY
 BhM73I7gkRt4s8bUiUepMG/wY45c5tRF23xi8foReHFFe9MDzh8fJFECgYEA9EFX
 4qAik1pOJGNei9BMwmx0I0gfVEIgu0tzeVqT45vcxbxr7RkTEaDoAG6PlbWP6D9a
 WQNLp4gsgRM90ZXOJ4up5DsAWDluvaF4/omabMA+MJJ5kGZ0gCj5rbZbKqUws7x8
 bp+6iBfUPJUbcqNqFmi/08Yt7vrDnMnyMw2A/sECgYEAiiuRMxnuzVm34hQcsbhH
 6ymVqf7j0PW2qK0F4H1ocT9qhzWFd+RB3kHWrCjnqODQoI6GbGr/4JepHUpre1ex
 4UEN5oSS3G0ru0rC3U4C59dZ5KwDHFm7ffZ1pr52ljfQDUsrjjIMRtuiwNK2OoRa
 WSsqiaL+SDzSB+nBmpnAizECgYBdt/y6rerWUx4MhDwwtTnel7JwHyo2MDFS6/5g
 n8qC2Lj6/fMDRE22w+CA2esp7EJNQJGv+b27iFpbJEDh+/Lf5YzIT4MwVskQ5bYB
 JFcmRxUVmf4e09D7o705U/DjCgMH09iCsbLmqQ38ONIRSHZaJtMDtNTHD1yi+jF+
 OT43gQKBgQC/2OHZoko6iRlNOAQ/tMVFNq7fL81GivoQ9F1U0Qr+DH3ZfaH8eIkX
 xT0ToMPJUzWAn8pZv0snA0um6SIgvkCuxO84OkANCVbttzXImIsL7pFzfcwV/ERK
 UM6j0ZuSMFOCr/lGPAoOQU0fskidGEHi1/kW+suSr28TqsyYZpwBDQ==
 -----END RSA PRIVATE KEY-----
 subject=/C=US/O=AT&T Bell Laboratories/OU=Prototype Research CA
 issuer= /C=US/O=AT&T Bell Laboratories/OU=Prototype Research CA
 notBefore=950413210656Z
 notAfter =970412210656Z
 -----BEGIN X509 CERTIFICATE-----
 MIICCDCCAXECAQAwDQYJKoZIhvcNAQEEBQAwTjELMAkGA1UEBhMCVVMxHzAdBgNV
 BAoUFkFUJlQgQmVsbCBMYWJvcmF0b3JpZXMxHjAcBgNVBAsUFVByb3RvdHlwZSBS
 ZXNlYXJjaCBDQTAeFw05NTA0MTMyMTA2NTZaFw05NzA0MTIyMTA2NTZaME4xCzAJ
 BgNVBAYTAlVTMR8wHQYDVQQKFBZBVCZUIEJlbGwgTGFib3JhdG9yaWVzMR4wHAYD
 VQQLFBVQcm90b3R5cGUgUmVzZWFyY2ggQ0EwgZwwDQYJKoZIhvcNAQEBBQADgYoA
 MIGGAoGAebOmgtSCl+wCYZc86UGYeTLY8cjmW2P0FN8ToT/u2pECCoFdrlycX0OR
 3wt0ZhpFXLVNeDnHwEE9veNUih7pCL2ZBFqoIoQkB1lZmXRiVtjGonz8BLm/qrFM
 YHb0lme/Ol+s118mwKVxnn6bSAeI/OXKhLaVdYZWk+aEaxEDkVkCAQ8wDQYJKoZI
 hvcNAQEEBQADgYEAAZMG14lZmZ8bahkaHaTV9dQf4p2FZiQTFwHP9ZyGsXPC+LT5
 dG5iTaRmyjNIJdPWohZDl97kAci79aBndvuEvRKOjLHs3WRGBIwERnAcnY9Mz8u/
 zIHK23PjYVxGGaZd669OJwD0CYyqH22HH9nFUGaoJdsv39ChW0NRdLE9+y8=
 -----END X509 CERTIFICATE-----
 issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
 subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
 -----BEGIN CERTIFICATE-----
 MIICJjCCAY8CAQAwDQYJKoZIhvcNAQEEBQAwXDELMAkGA1UEBhMCQVUxEzARBgNV
 BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYD
 VQQDExNUZXN0IFBDQSAoMTAyNCBiaXQpMB4XDTk3MDYwOTEzNTc0M1oXDTAxMDYw
 OTEzNTc0M1owWzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxGjAY
 BgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYDVQQDExJUZXN0IENBICgxMDI0
 IGJpdCkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKO7o8t116VP6cgybTsZ
 DCZhr95nYlZuya3aCi1IKoztqwWnjbmDFIriOqGFPrZQ+moMETC9D59iRW/dFXSv
 1F65ka/XY2hLh9exCCo7XuUcDs53Qp3bI3AmMqHjgzE8oO3ajyJAzJkTTOUecQU2
 mw/gI4tMM0LqWMQS7luTy4+xAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAM7achv3v
 hLQJcv/65eGEpBXM40ZDVoFQFFJWaY5p883HTqLB1x4FdzsXHH0QKBTcKpWwqyu4
 YDm3fb8oDugw72bCzfyZK/zVZPR/hVlqI/fvU109Qoc+7oPvIXWky71HfcK6ZBCA
 q30KIqGM/uoM60INq97qjDmCJapagcNBGQs=
 -----END CERTIFICATE-----
 -----BEGIN RSA PRIVATE KEY-----
 MIICXQIBAAKBgQCju6PLddelT+nIMm07GQwmYa/eZ2JWbsmt2gotSCqM7asFp425
 gxSK4jqhhT62UPpqDBEwvQ+fYkVv3RV0r9ReuZGv12NoS4fXsQgqO17lHA7Od0Kd
 2yNwJjKh44MxPKDt2o8iQMyZE0zlHnEFNpsP4COLTDNC6ljEEu5bk8uPsQIDAQAB
 AoGAVZmpFZsDZfr0l2S9tLLwpjRWNOlKATQkno6q2WesT0eGLQufTciY+c8ypfU6
 hyio8r5iUl/VhhdjhAtKx1mRpiotftHo/eYf8rtsrnprOnWG0bWjLjtIoMbcxGn2
 J3bN6LJmbJMjDs0eJ3KnTu646F3nDUw2oGAwmpzKXA1KAP0CQQDRvQhxk2D3Pehs
 HvG665u2pB5ipYQngEFlZO7RHJZzJOZEWSLuuMqaF/7pTfA5jiBvWqCgJeCRRInL
 21ru4dlPAkEAx9jj7BgKn5TYnMoBSSe0afjsV9oApVpN1Nacb1YDtCwy+scp3++s
 nFxlv98wxIlSdpwMUn+AUWfjiWR7Tu/G/wJBAJ/KjwZIrFVxewP0x2ILYsTRYLzz
 MS4PDsO7FB+I0i7DbBOifXS2oNSpd3I0CNMwrxFnUHzynpbOStVfN3ZL5w0CQQCa
 pwFahxBRhkJKsxhjoFJBX9yl75JoY4Wvm5Tbo9ih6UJaRx3kqfkN14L2BKYcsZgb
 KY9vmDOYy6iNfjDeWTfJAkBkfPUb8oTJ/nSP5zN6sqGxSY4krc4xLxpRmxoJ8HL2
 XfhqXkTzbU13RX9JJ/NZ8vQN9Vm2NhxRGJocQkmcdVtJ
 -----END RSA PRIVATE KEY-----
 -----BEGIN X509 CERTIFICATE-----
 MIICYDCCAiACAgEoMAkGBSsOAwINBQAwfDELMAkGA1UEBhMCVVMxNjA0BgNVBAoT
 LU5hdGlvbmFsIEFlcm9uYXV0aWNzIGFuZCBTcGFjZSBBZG1pbmlzdHJhdGlvbjEZ
 MBcGA1UECxMQVGVzdCBFbnZpcm9ubWVudDEaMBgGA1UECxMRRFNTLU5BU0EtUGls
 b3QtQ0EwHhcNOTYwMjI2MTYzMjQ1WhcNOTcwMjI1MTYzMjQ1WjB8MQswCQYDVQQG
 EwJVUzE2MDQGA1UEChMtTmF0aW9uYWwgQWVyb25hdXRpY3MgYW5kIFNwYWNlIEFk
 bWluaXN0cmF0aW9uMRkwFwYDVQQLExBUZXN0IEVudmlyb25tZW50MRowGAYDVQQL
 ExFEU1MtTkFTQS1QaWxvdC1DQTCB8jAJBgUrDgMCDAUAA4HkADCB4AJBAMA/ssKb
 hPNUG7ZlASfVwEJU21O5OyF/iyBzgHI1O8eOhJGUYO8cc8wDMjR508Mr9cp6Uhl/
 ZB7FV5GkLNEnRHYCQQDUEaSg45P2qrDwixTRhFhmWz5Nvc4lRFQ/42XPcchiJBLb
 bn3QK74T2IxY1yY+kCNq8XrIqf5fJJzIH0J/xUP3AhUAsg2wsQHfDGYk/BOSulX3
 fVd0geUCQQCzCFUQAh+ZkEmp5804cs6ZWBhrUAfnra8lJItYo9xPcXgdIfLfibcX
 R71UsyO77MRD7B0+Ag2tq794IleCVcEEMAkGBSsOAwINBQADLwAwLAIUUayDfreR
 Yh2WeU86/pHNdkUC1IgCFEfxe1f0oMpxJyrJ5XIxTi7vGdoK
 -----END X509 CERTIFICATE-----
 -----BEGIN X509 CERTIFICATE-----
 MIICGTCCAdgCAwCqTDAJBgUrDgMCDQUAMHwxCzAJBgNVBAYTAlVTMTYwNAYDVQQK
 Ey1OYXRpb25hbCBBZXJvbmF1dGljcyBhbmQgU3BhY2UgQWRtaW5pc3RyYXRpb24x
 GTAXBgNVBAsTEFRlc3QgRW52aXJvbm1lbnQxGjAYBgNVBAsTEURTUy1OQVNBLVBp
 bG90LUNBMB4XDTk2MDUxNDE3MDE0MVoXDTk3MDUxNDE3MDE0MVowMzELMAkGA1UE
 BhMCQVUxDzANBgNVBAoTBk1pbmNvbTETMBEGA1UEAxMKRXJpYyBZb3VuZzCB8jAJ
 BgUrDgMCDAUAA4HkADCB4AJBAKbfHz6vE6pXXMTpswtGUec2tvnfLJUsoxE9qs4+
 ObZX7LmLvragNPUeiTJx7UOWZ5DfBj6bXLc8eYne0lP1g3ACQQDUEaSg45P2qrDw
 ixTRhFhmWz5Nvc4lRFQ/42XPcchiJBLbbn3QK74T2IxY1yY+kCNq8XrIqf5fJJzI
 H0J/xUP3AhUAsg2wsQHfDGYk/BOSulX3fVd0geUCQQCzCFUQAh+ZkEmp5804cs6Z
 WBhrUAfnra8lJItYo9xPcXgdIfLfibcXR71UsyO77MRD7B0+Ag2tq794IleCVcEE
 MAkGBSsOAwINBQADMAAwLQIUWsuuJRE3VT4ueWkWMAJMJaZjj1ECFQCYY0zX4bzM
 LC7obsrHD8XAHG+ZRG==
 -----END X509 CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIICTTCCAbagAwIBAgIBADANBgkqhkiG9w0BAQQFADBMMQswCQYDVQQGEwJHQjEM
 MAoGA1UEChMDVUNMMRgwFgYDVQQLEw9JQ0UtVEVMIFByb2plY3QxFTATBgNVBAMT
 DFRydXN0RmFjdG9yeTAeFw05NzA0MjIxNDM5MTRaFw05ODA0MjIxNDM5MTRaMEwx
 CzAJBgNVBAYTAkdCMQwwCgYDVQQKEwNVQ0wxGDAWBgNVBAsTD0lDRS1URUwgUHJv
 amVjdDEVMBMGA1UEAxMMVHJ1c3RGYWN0b3J5MIGcMAoGBFUIAQECAgQAA4GNADCB
 iQKBgQCEieR8NcXkUW1f0G6aC6u0i8q/98JqS6RxK5YmHIGKCkuTWAUjzLfUa4dt
 U9igGCjTuxaDqlzEim+t/02pmiBZT9HaX++35MjQPUWmsChcYU5WyzGErXi+rQaw
 zlwS73zM8qiPj/97lXYycWhgL0VaiDSPxRXEUdWoaGruom4mNQIDAQABo0IwQDAd
 BgNVHQ4EFgQUHal1LZr7oVg5z6lYzrhTgZRCmcUwDgYDVR0PAQH/BAQDAgH2MA8G
 A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAfaggfl6FZoioecjv0dq8
 /DXo/u11iMZvXn08gjX/zl2b4wtPbShOSY5FhkSm8GeySasz+/Nwb/uzfnIhokWi
 lfPZHtlCWtXbIy/TN51eJyq04ceDCQDWvLC2enVg9KB+GJ34b5c5VaPRzq8MBxsA
 S7ELuYGtmYgYm9NZOIr7yU0=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIB6jCCAZQCAgEtMA0GCSqGSIb3DQEBBAUAMIGAMQswCQYDVQQGEwJVUzE2MDQG
 A1UEChMtTmF0aW9uYWwgQWVyb25hdXRpY3MgYW5kIFNwYWNlIEFkbWluaXN0cmF0
 aW9uMRkwFwYDVQQLExBUZXN0IEVudmlyb25tZW50MR4wHAYDVQQLExVNRDUtUlNB
 LU5BU0EtUGlsb3QtQ0EwHhcNOTYwNDMwMjIwNTAwWhcNOTcwNDMwMjIwNTAwWjCB
 gDELMAkGA1UEBhMCVVMxNjA0BgNVBAoTLU5hdGlvbmFsIEFlcm9uYXV0aWNzIGFu
 ZCBTcGFjZSBBZG1pbmlzdHJhdGlvbjEZMBcGA1UECxMQVGVzdCBFbnZpcm9ubWVu
 dDEeMBwGA1UECxMVTUQ1LVJTQS1OQVNBLVBpbG90LUNBMFkwCgYEVQgBAQICAgAD
 SwAwSAJBALmmX5+GqAvcrWK13rfDrNX9UfeA7f+ijyBgeFQjYUoDpFqapw4nzQBL
 bAXug8pKkRwa2Zh8YODhXsRWu2F/UckCAwEAATANBgkqhkiG9w0BAQQFAANBAH9a
 OBA+QCsjxXgnSqHx04gcU8S49DVUb1f2XVoLnHlIb8RnX0k5O6mpHT5eti9bLkiW
 GJNMJ4L0AJ/ac+SmHZc=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIICajCCAdMCBDGA0QUwDQYJKoZIhvcNAQEEBQAwfTELMAkGA1UEBhMCQ2ExDzAN
 BgNVBAcTBk5lcGVhbjEeMBwGA1UECxMVTm8gTGlhYmlsaXR5IEFjY2VwdGVkMR8w
 HQYDVQQKExZGb3IgRGVtbyBQdXJwb3NlcyBPbmx5MRwwGgYDVQQDExNFbnRydXN0
 IERlbW8gV2ViIENBMB4XDTk2MDQyNjEzMzUwMVoXDTA2MDQyNjEzMzUwMVowfTEL
 MAkGA1UEBhMCQ2ExDzANBgNVBAcTBk5lcGVhbjEeMBwGA1UECxMVTm8gTGlhYmls
 aXR5IEFjY2VwdGVkMR8wHQYDVQQKExZGb3IgRGVtbyBQdXJwb3NlcyBPbmx5MRww
 GgYDVQQDExNFbnRydXN0IERlbW8gV2ViIENBMIGdMA0GCSqGSIb3DQEBAQUAA4GL
 ADCBhwKBgQCaroS7O1DA0hm4IefNYU1cx/nqOmzEnk291d1XqznDeF4wEgakbkCc
 zTKxK791yNpXG5RmngqH7cygDRTHZJ6mfCRn0wGC+AI00F2vYTGqPGRQL1N3lZT0
 YDKFC0SQeMMjFIZ1aeQigroFQnHo0VB3zWIMpNkka8PY9lxHZAmWwQIBAzANBgkq
 hkiG9w0BAQQFAAOBgQBAx0UMVA1s54lMQyXjMX5kj99FJN5itb8bK1Rk+cegPQPF
 cWO9SEWyEjjBjIkjjzAwBkaEszFsNGxemxtXvwjIm1xEUMTVlPEWTs2qnDvAUA9W
 YqhWbhH0toGT36236QAsqCZ76rbTRVSSX2BHyJwJMG2tCRv7kRJ//NIgxj3H4w==
 -----END CERTIFICATE-----
 issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
 subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
 -----BEGIN CERTIFICATE-----
 MIICJzCCAZACAQAwDQYJKoZIhvcNAQEEBQAwXDELMAkGA1UEBhMCQVUxEzARBgNV
 BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYD
 VQQDExNUZXN0IFBDQSAoMTAyNCBiaXQpMB4XDTk3MDYwOTEzNTczN1oXDTAxMDYw
 OTEzNTczN1owXDELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxGjAY
 BgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYDVQQDExNUZXN0IFBDQSAoMTAy
 NCBiaXQpMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdoWk/3+WcMlfjIrkg
 40ketmnQaEogQe1LLcuOJV6rKfUSAsPgwgsabJ/wn8TxA1yy3eKJbFl3OiUXMRsp
 22Jp85PmemiDzyUIStwk72qhp1imbANZvlmlCFKiQrjUyuDfu4TABmn+kkt3vR1Y
 BEOGt+IFye1UBVSATVdRJ2UVhwIDAQABMA0GCSqGSIb3DQEBBAUAA4GBABNA1u/S
 Cg/LJZWb7GliiKJsvuhxlE4E5JxQF2zMub/CSNbF97//tYSyj96sxeFQxZXbcjm9
 xt6mr/xNLA4szNQMJ4P+L7b5e/jC5DSqlwS+CUYJgaFs/SP+qJoCSu1bR3IM9XWO
 cRBpDmcBbYLkSyB92WURvsZ1LtjEcn+cdQVI
 -----END CERTIFICATE-----
 -----BEGIN RSA PRIVATE KEY-----
 MIICXAIBAAKBgQCdoWk/3+WcMlfjIrkg40ketmnQaEogQe1LLcuOJV6rKfUSAsPg
 wgsabJ/wn8TxA1yy3eKJbFl3OiUXMRsp22Jp85PmemiDzyUIStwk72qhp1imbANZ
 vlmlCFKiQrjUyuDfu4TABmn+kkt3vR1YBEOGt+IFye1UBVSATVdRJ2UVhwIDAQAB
 AoGAba4fTtuap5l7/8ZsbE7Z1O32KJY4ZcOZukLOLUUhXxXduT+FTgGWujc0/rgc
 z9qYCLlNZHOouMYTgtSfYvuMuLZ11VIt0GYH+nRioLShE59Yy+zCRyC+gPigS1kz
 xvo14AsOIPYV14Tk/SsHyq6E0eTk7VzaIE197giiINUERPECQQDSKmtPTh/lRKw7
 HSZSM0I1mFWn/1zqrAbontRQY5w98QWIOe5qmzYyFbPXYT3d9BzlsMyhgiRNoBbD
 yvohSHXJAkEAwAHx6ezAZeWWzD5yXD36nyjpkVCw7Tk7TSmOceLJMWt1QcrCfqlS
 xA5jjpQ6Z8suU5DdtWAryM2sAir1WisYzwJAd6Zcx56jvAQ3xcPXsE6scBTVFzrj
 7FqZ6E+cclPzfLQ+QQsyOBE7bpI6e/FJppY26XGZXo3YGzV8IGXrt40oOQJALETG
 h86EFXo3qGOFbmsDy4pdP5nBERCu8X1xUCSfintiD4c2DInxgS5oGclnJeMcjTvL
 QjQoJCX3UJCi/OUO1QJBAKgcDHWjMvt+l1pjJBsSEZ0HX9AAIIVx0RQmbFGS+F2Q
 hhu5l77WnnZOQ9vvhV5u7NPCUF9nhU3jh60qWWO8mkc=
 -----END RSA PRIVATE KEY-----
 subject=/C=US/O=RSA Data Security, Inc./OU=Commercial Certification Authority
 issuer= /C=US/O=RSA Data Security, Inc./OU=Commercial Certification Authority
 notBefore=941104185834Z
 notAfter =991103185834Z
 -----BEGIN X509 CERTIFICATE-----
 MIICIzCCAZACBQJBAAAWMA0GCSqGSIb3DQEBAgUAMFwxCzAJBgNVBAYTAlVTMSAw
 HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjErMCkGA1UECxMiQ29tbWVy
 Y2lhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NDExMDQxODU4MzRaFw05
 OTExMDMxODU4MzRaMFwxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0YSBT
 ZWN1cml0eSwgSW5jLjErMCkGA1UECxMiQ29tbWVyY2lhbCBDZXJ0aWZpY2F0aW9u
 IEF1dGhvcml0eTCBmzANBgkqhkiG9w0BAQEFAAOBiQAwgYUCfgCk+4Fie84QJ93o
 975sbsZwmdu41QUDaSiCnHJ/lj+O7Kwpkj+KFPhCdr69XQO5kNTQvAayUTNfxMK/
 touPmbZiImDd298ggrTKoi8tUO2UMt7gVY3UaOLgTNLNBRYulWZcYVI4HlGogqHE
 7yXpCuaLK44xZtn42f29O2nZ6wIDAQABMA0GCSqGSIb3DQEBAgUAA34AdrW2EP4j
 9/dZYkuwX5zBaLxJu7NJbyFHXSudVMQAKD+YufKKg5tgf+tQx6sFEC097TgCwaVI
 0v5loMC86qYjFmZsGySp8+x5NRhPJsjjr1BKx6cxa9B8GJ1Qv6km+iYrRpwUqbtb
 MJhCKLVLU7tDCZJAuqiqWqTGtotXTcU=
 -----END X509 CERTIFICATE-----
 subject=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
 issuer= /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
 notBefore=941109235417Z
 notAfter =991231235417Z
 -----BEGIN X509 CERTIFICATE-----
 MIICKTCCAZYCBQJBAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMSAw
 HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJl
 IFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NDExMDkyMzU0MTda
 Fw05OTEyMzEyMzU0MTdaMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0
 YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJlIFNlcnZlciBDZXJ0aWZp
 Y2F0aW9uIEF1dGhvcml0eTCBmzANBgkqhkiG9w0BAQEFAAOBiQAwgYUCfgCSznrB
 roM+WqqJg1esJQF2DK2ujiw3zus1eGRUA+WEQFHJv48I4oqCCNIWhjdV6bEhAq12
 aIGaBaJLyUslZiJWbIgHj/eBWW2EB2VwE3F2Ppt3TONQiVaYSLkdpykaEy5KEVmc
 HhXVSVQsczppgrGXOZxtcGdI5d0t1sgeewIDAQABMA0GCSqGSIb3DQEBAgUAA34A
 iNHReSHO4ovo+MF9NFM/YYPZtgs4F7boviGNjwC4i1N+RGceIr2XJ+CchcxK9oU7
 suK+ktPlDemvXA4MRpX/oRxePug2WHpzpgr4IhFrwwk4fia7c+8AvQKk8xQNMD9h
 cHsg/jKjn7P0Z1LctO6EjJY2IN6BCINxIYoPnqk=
 -----END X509 CERTIFICATE-----
 subject=/C=ZA/SP=Western Cape/L=Cape Town/O=Thawte Consulting cc
 	/OU=Certification Services Division/CN=Thawte Server CA
 	/Email=server-certs@thawte.com
 issuer= /C=ZA/SP=Western Cape/L=Cape Town/O=Thawte Consulting cc
 	/OU=Certification Services Division/CN=Thawte Server CA
 	/Email=server-certs@thawte.com
 -----BEGIN CERTIFICATE-----
 MIIC+TCCAmICAQAwDQYJKoZIhvcNAQEEBQAwgcQxCzAJBgNVBAYTAlpBMRUwEwYD
 VQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsGA1UEChMU
 VGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2Vy
 dmljZXMgRGl2aXNpb24xGTAXBgNVBAMTEFRoYXd0ZSBTZXJ2ZXIgQ0ExJjAkBgkq
 hkiG9w0BCQEWF3NlcnZlci1jZXJ0c0B0aGF3dGUuY29tMB4XDTk2MDcyNzE4MDc1
 N1oXDTk4MDcyNzE4MDc1N1owgcQxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0
 ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsGA1UEChMUVGhhd3RlIENv
 bnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2
 aXNpb24xGTAXBgNVBAMTEFRoYXd0ZSBTZXJ2ZXIgQ0ExJjAkBgkqhkiG9w0BCQEW
 F3NlcnZlci1jZXJ0c0B0aGF3dGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
 iQKBgQDTpFBuyP9Wa+bPXbbqDGh1R6KqwtqEJfyo9EdR2oW1IHSUhh4PdcnpCGH1
 Bm0wbhUZAulSwGLbTZme4moMRDjN/r7jZAlwxf6xaym2L0nIO9QnBCUQly/nkG3A
 KEKZ10xD3sP1IW1Un13DWOHA5NlbsLjctHvfNjrCtWYiEtaHDQIDAQABMA0GCSqG
 SIb3DQEBBAUAA4GBAIsvn7ifX3RUIrvYXtpI4DOfARkTogwm6o7OwVdl93yFhDcX
 7h5t0XZ11MUAMziKdde3rmTvzUYIUCYoY5b032IwGMTvdiclK+STN6NP2m5nvFAM
 qJT5gC5O+j/jBuZRQ4i0AMYQr5F4lT8oBJnhgafw6PL8aDY2vMHGSPl9+7uf
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIDDTCCAnYCAQAwDQYJKoZIhvcNAQEEBQAwgc4xCzAJBgNVBAYTAlpBMRUwEwYD
 VQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsGA1UEChMU
 VGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2Vy
 dmljZXMgRGl2aXNpb24xITAfBgNVBAMTGFRoYXd0ZSBQcmVtaXVtIFNlcnZlciBD
 QTEoMCYGCSqGSIb3DQEJARYZcHJlbWl1bS1zZXJ2ZXJAdGhhd3RlLmNvbTAeFw05
 NjA3MjcxODA3MTRaFw05ODA3MjcxODA3MTRaMIHOMQswCQYDVQQGEwJaQTEVMBMG
 A1UECBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xHTAbBgNVBAoT
 FFRoYXd0ZSBDb25zdWx0aW5nIGNjMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNl
 cnZpY2VzIERpdmlzaW9uMSEwHwYDVQQDExhUaGF3dGUgUHJlbWl1bSBTZXJ2ZXIg
 Q0ExKDAmBgkqhkiG9w0BCQEWGXByZW1pdW0tc2VydmVyQHRoYXd0ZS5jb20wgZ8w
 DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANI2NmqL18JbntqBQWKPOO5JBFXW0O8c
 G5UWR+8YSDU6UvQragaPOy/qVuOvho2eF/eetGV1Ak3vywmiIVHYm9Bn0LoNkgYU
 c9STy5cqAJxcTgy8+hVS/PJEbtoRSm4Iny8t4/mqOoZztkZTWMiJBb2DEbhzP6oH
 jfRCTedAnRw3AgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAutFIgTRZVYerIZfL9lvR
 w9Eifvvo5KTZ3h+Bj+VzNnyw4Qc/IyXkPOu6SIiH9LQ3sCmWBdxpe+qr4l77rLj2
 GYuMtESFfn1XVALzkYgC7JcPuTOjMfIiMByt+uFf8AV8x0IW/Qkuv+hEQcyM9vxK
 3VZdLbCVIhNoEsysrxCpxcI=
 -----END CERTIFICATE-----
 Tims test GCI CA
 -----BEGIN CERTIFICATE-----
 MIIB8DCCAZoCAQAwDQYJKoZIhvcNAQEEBQAwgYIxCzAJBgNVBAYTAkFVMRMwEQYD
 VQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5
 cHRTb2Z0IFB0eSBMdGQxFDASBgNVBAsTC2RldmVsb3BtZW50MRkwFwYDVQQDExBD
 cnlwdFNvZnQgRGV2IENBMB4XDTk3MDMyMjEzMzQwNFoXDTk4MDMyMjEzMzQwNFow
 gYIxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhC
 cmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxFDASBgNVBAsTC2Rl
 dmVsb3BtZW50MRkwFwYDVQQDExBDcnlwdFNvZnQgRGV2IENBMFwwDQYJKoZIhvcN
 AQEBBQADSwAwSAJBAOAOAqogG5QwAmLhzyO4CoRnx/wVy4NZP4dxJy83O1EnL0rw
 OdsamJKvPOLHgSXo3gDu9uVyvCf/QJmZAmC5ml8CAwEAATANBgkqhkiG9w0BAQQF
 AANBADRRS/GVdd7rAqRW6SdmgLJduOU2yq3avBu99kRqbp9A/dLu6r6jU+eP4oOA
 TfdbFZtAAD2Hx9jUtY3tfdrJOb8= 
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIICVjCCAgACAQAwDQYJKoZIhvcNAQEEBQAwgbUxCzAJBgNVBAYTAkFVMRMwEQYD
 VQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5
 cHRTb2Z0IFB0eSBMdGQxLDAqBgNVBAsTI1dPUlRITEVTUyBDRVJUSUZJQ0FUSU9O
 IEFVVEhPUklUSUVTMTQwMgYDVQQDEytaRVJPIFZBTFVFIENBIC0gREVNT05TVFJB
 VElPTiBQVVJQT1NFUyBPTkxZMB4XDTk3MDQwMzEzMjI1NFoXDTk4MDQwMzEzMjI1
 NFowgbUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQH
 EwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxLDAqBgNVBAsT
 I1dPUlRITEVTUyBDRVJUSUZJQ0FUSU9OIEFVVEhPUklUSUVTMTQwMgYDVQQDEyta
 RVJPIFZBTFVFIENBIC0gREVNT05TVFJBVElPTiBQVVJQT1NFUyBPTkxZMFwwDQYJ
 KoZIhvcNAQEBBQADSwAwSAJBAOZ7T7yqP/tyspcko3yPY1y0Cm2EmwNvzW4QgVXR
 Fjs3HmJ4xtSpXdo6mwcGezL3Abt/aQXaxv9PU8xt+Jr0OFUCAwEAATANBgkqhkiG
 9w0BAQQFAANBAOQpYmGgyCqCy1OljgJhCqQOu627oVlHzK1L+t9vBaMfn40AVUR4
 WzQVWO31KTgi5vTK1U+3h46fgUWqQ0h+6rU=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIAwgKADAgECAgEAMA0GCSqGSIb3DQEBBAUAMGIxETAPBgNVBAcTCEludGVybmV0
 MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNpZ24gQ2xh
 c3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJlcjAeFw05NjA0MDgxMDIwMjda
 Fw05NzA0MDgxMDIwMjdaMGIxETAPBgNVBAcTCEludGVybmV0MRcwFQYDVQQKEw5W
 ZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNpZ24gQ2xhc3MgMSBDQSAtIElu
 ZGl2aWR1YWwgU3Vic2NyaWJlcjCAMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2
 FKbPTdAFDdjKI9BvqrQpkmOOLPhvltcunXZLEbE2jVfJw/0cxrr+Hgi6M8qV6r7j
 W80GqLd5HUQq7XPysVKDaBBwZJHXPmv5912dFEObbpdFmIFH0S3L3bty10w/cari
 QPJUObwW7s987LrbP2wqsxaxhhKdrpM01bjV0Pc+qQIDAQABAAAAADANBgkqhkiG
 9w0BAQQFAAOBgQA+1nJryNt8VBRjRr07ArDAV/3jAH7GjDc9jsrxZS68ost9v06C
 TvTNKGL+LISNmFLXl+JXhgGB0JZ9fvyYzNgHQ46HBUng1H6voalfJgS2KdEo50wW
 8EFZYMDkT1k4uynwJqkVN2QJK/2q4/A/VCov5h6SlM8Affg2W+1TLqvqkwAA
 -----END CERTIFICATE-----
 subject=/L=Internet/O=VeriSign, Inc./OU=VeriSign Class 2 CA - Individual Subscriber
 issuer= /L=Internet/O=VeriSign, Inc./OU=VeriSign Class 2 CA - Individual Subscriber
 -----BEGIN CERTIFICATE-----
 MIIEkzCCA/ygAwIBAgIRANDTUpSRL3nTFeMrMayFSPAwDQYJKoZIhvcNAQECBQAw
 YjERMA8GA1UEBxMISW50ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQw
 MgYDVQQLEytWZXJpU2lnbiBDbGFzcyAyIENBIC0gSW5kaXZpZHVhbCBTdWJzY3Jp
 YmVyMB4XDTk2MDYwNDAwMDAwMFoXDTk4MDYwNDIzNTk1OVowYjERMA8GA1UEBxMI
 SW50ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQwMgYDVQQLEytWZXJp
 U2lnbiBDbGFzcyAyIENBIC0gSW5kaXZpZHVhbCBTdWJzY3JpYmVyMIGfMA0GCSqG
 SIb3DQEBAQUAA4GNADCBiQKBgQC6A+2czKGRcYMfm8gdnk+0de99TDDzsqo0v5nb
 RsbUmMcdRQ7nsMbRWe0SAb/9QoLTZ/cJ0iOBqdrkz7UpqqKarVoTSdlSMVM92tWp
 3bJncZHQD1t4xd6lQVdI1/T6R+5J0T1ukOdsI9Jmf+F28S6g3R3L1SFwiHKeZKZv
 z+793wIDAQABo4ICRzCCAkMwggIpBgNVHQMBAf8EggIdMIICGTCCAhUwggIRBgtg
 hkgBhvhFAQcBATCCAgAWggGrVGhpcyBjZXJ0aWZpY2F0ZSBpbmNvcnBvcmF0ZXMg
 YnkgcmVmZXJlbmNlLCBhbmQgaXRzIHVzZSBpcyBzdHJpY3RseSBzdWJqZWN0IHRv
 LCB0aGUgVmVyaVNpZ24gQ2VydGlmaWNhdGlvbiBQcmFjdGljZSBTdGF0ZW1lbnQg
 KENQUyksIGF2YWlsYWJsZSBhdDogaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL0NQ
 Uy0xLjA7IGJ5IEUtbWFpbCBhdCBDUFMtcmVxdWVzdHNAdmVyaXNpZ24uY29tOyBv
 ciBieSBtYWlsIGF0IFZlcmlTaWduLCBJbmMuLCAyNTkzIENvYXN0IEF2ZS4sIE1v
 dW50YWluIFZpZXcsIENBIDk0MDQzIFVTQSBUZWwuICsxICg0MTUpIDk2MS04ODMw
 IENvcHlyaWdodCAoYykgMTk5NiBWZXJpU2lnbiwgSW5jLiAgQWxsIFJpZ2h0cyBS
 ZXNlcnZlZC4gQ0VSVEFJTiBXQVJSQU5USUVTIERJU0NMQUlNRUQgYW5kIExJQUJJ
 TElUWSBMSU1JVEVELqAOBgxghkgBhvhFAQcBAQGhDgYMYIZIAYb4RQEHAQECMC8w
 LRYraHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JlcG9zaXRvcnkvQ1BTLTEuMDAU
 BglghkgBhvhCAQEBAf8EBAMCAgQwDQYJKoZIhvcNAQECBQADgYEApRJRkNBqLLgs
 53IR/d18ODdLOWMTZ+QOOxBrq460iBEdUwgF8vmPRX1ku7UiDeNzaLlurE6eFqHq
 2zPyK5j60zfTLVJMWKcQWwTJLjHtXrW8pxhNtFc6Fdvy5ZkHnC/9NIl7/t4U6WqB
 p4y+p7SdMIkEwIZfds0VbnQyX5MRUJY=
 -----END CERTIFICATE-----
 subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 issuer= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 -----BEGIN CERTIFICATE-----
 MIICMTCCAZoCBQKhAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMRcw
 FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMg
 UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NjAxMjkwMDAwMDBa
 Fw05OTEyMzEyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2ln
 biwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZp
 Y2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyVxZ
 nvIbigEUtBDfBEDb41evakVAj4QMC9Ez2dkRz+4CWB8l9yqoRAWq7AMfeH+ek7ma
 AKojfdashaJjRcdyJ8z0TMZ1cdI5709C8HXfCpDGjiBvmA/4rCNfcCk2pMmG57Ga
 IMtTpYXnPb59mv4kRTPcdhXtD6JxZExlLoFoRacCAwEAATANBgkqhkiG9w0BAQIF
 AAOBgQB1Zmw+0c2B27X4LzZRtvdCvM1Cr9wO+hVs+GeTVzrrtpLotgHKjLeOQ7RJ
 Zfk+7r11Ri7J/CVdqMcvi5uPaM+0nJcYwE3vH9mvgrPmZLiEXIqaB1JDYft0nls6
 NvxMsvwaPxUupVs8G5DsiCnkWRb5zget7Ond2tIxik/W2O8XjQ==
 -----END CERTIFICATE-----
 subject=/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority
 issuer= /C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority
 -----BEGIN CERTIFICATE-----
 MIICMTCCAZoCBQKmAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMRcw
 FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgNCBQdWJsaWMg
 UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NjAxMjkwMDAwMDBa
 Fw05OTEyMzEyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2ln
 biwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgNCBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZp
 Y2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0LJ1
 9njQrlpQ9OlQqZ+M1++RlHDo0iSQdomF1t+s5gEXMoDwnZNHvJplnR+Xrr/phnVj
 IIm9gFidBAydqMEk6QvlMXi9/C0MN2qeeIDpRnX57aP7E3vIwUzSo+/1PLBij0pd
 O92VZ48TucE81qcmm+zDO3rZTbxtm+gVAePwR6kCAwEAATANBgkqhkiG9w0BAQIF
 AAOBgQBT3dPwnCR+QKri/AAa19oM/DJhuBUNlvP6Vxt/M3yv6ZiaYch6s7f/sdyZ
 g9ysEvxwyR84Qu1E9oAuW2szaayc01znX1oYx7EteQSWQZGZQbE8DbqEOcY7l/Am
 yY7uvcxClf8exwI/VAx49byqYHwCaejcrOICdmHEPgPq0ook0Q==
 -----END CERTIFICATE-----
--- a/apps/server2.pem
+++ b/apps/server2.pem
@@ -1,376 +1,52 @@
-issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
+subject= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = Test Server Cert #2
-subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (1024 bit)
+issuer= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = OpenSSL Test Intermediate CA
 -----BEGIN CERTIFICATE-----
-MIICLjCCAZcCAQEwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV
+MIID6jCCAtKgAwIBAgIJALnu1NlVpZ60MA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
-BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYD
+BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMSIwIAYDVQQLDBlGT1IgVEVT
-VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNOTcwNjA5MTM1NzU0WhcNOTgwNjA5
+VElORyBQVVJQT1NFUyBPTkxZMSUwIwYDVQQDDBxPcGVuU1NMIFRlc3QgSW50ZXJt
-MTM1NzU0WjBkMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG
+ZWRpYXRlIENBMB4XDTExMTIwODE0MDE0OFoXDTIxMTAxNjE0MDE0OFowZzELMAkG
-A1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxJDAiBgNVBAMTG1NlcnZlciB0ZXN0IGNl
+A1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxIjAgBgNVBAsMGUZPUiBU
-cnQgKDEwMjQgYml0KTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAsxH1PBPm
+RVNUSU5HIFBVUlBPU0VTIE9OTFkxHDAaBgNVBAMME1Rlc3QgU2VydmVyIENlcnQg
-RkxrR11eV4bzNi4N9n11CI8nV29+ARlT1+qDe/mjVUvXlmsr1v/vf71G9GgqopSa
+IzIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDrdi7j9yctG+L4EjBy
-6RXrICLVdk/FYYYzhPvl1M+OrjaXDFO8BzBAF1Lnz6c7aRZvGRJNrRSr2nZEkqDf
+gjPmEqZzOJEQba26MoQGzglU7e5Xf59Rb/hgVQuKAoiZe7/R8rK4zJ4W7iXdXw0L
-JW9dY7r2VZEpD5QeuaRYUnuECkqeieB65GMCAwEAATANBgkqhkiG9w0BAQQFAAOB
+qBpyG8B5aGKeI32w+A9TcBApoXXL2CrYQEQjZwUIpLlYBIi2NkJj3nVkq5dgl1gO
-gQCWsOta6C0wiVzXz8wPmJKyTrurMlgUss2iSuW9366iwofZddsNg7FXniMzkIf6
+ALiQ+W8jg3kzg5Ec9rimp9r93N8wsSL3awsafurmYCvOf7leHaMP1WJ/zDRGUNHG
-dp7jnmWZwKZ9cXsNUS2o4OL07qOk2HOywC0YsNZQsOBu1CBTYYkIefDiKFL1zQHh
+/WtDjXc8ZUG1+6EXU9Jc2Fs+2Omf7fcN0l00AK/wPg8OaNS0rKyGq9JdIT9FRGV1
-8lwwNd4NP+OE3NzUNkCfh4DnFfg9WHkXUlD5UpxNRJ4gJA==
+bXe/rx58FaE5CItdwCSYhJvF/O95LWQoxJXye5bCFLmvDTEyVq9FMSCptfsmbXjE
 ZGsXAgMBAAGjgY8wgYwwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwLAYJ
 YIZIAYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1Ud
 DgQWBBR52UaWWTKzZGDH/X4mWNcuqeQVazAfBgNVHSMEGDAWgBQ2w2yI55X+sL3s
 zj49hqshgYfa2jANBgkqhkiG9w0BAQUFAAOCAQEANBW+XYLlHBqVY/31ie+3gRlS
 LPfy4SIqn0t3RJjagT29MXprblBO2cbMO8VGjkQdKGpmMXjxbht2arOOUXRHX4n/
 XTyn/QHEf0bcwIITMReO3DZUPAEw8hSjn9xEOM0IRVOCP+mH5fi74QzzQaZVCyYg
 5VtLKdww/+sc0nCbKl2KWgDluriH0nfVx95qgW3mg9dhXRr0zmf1w2zkBHYpARYL
 Dew6Z8EE4tS3HJu8/qM6meWzNtrfonQ3eiiMxjZBxzV46jchBwa2z9XYhP6AmpPb
 oeTSzcQNbWsxaGYzWo46oLDUZmJOwSBawbS31bZNMCoPIY6ukoesCzFSsUKZww==
 -----END CERTIFICATE-----
 -----BEGIN RSA PRIVATE KEY-----
-MIICXgIBAAKBgQCzEfU8E+ZGTGtHXV5XhvM2Lg32fXUIjydXb34BGVPX6oN7+aNV
+MIIEowIBAAKCAQEA63Yu4/cnLRvi+BIwcoIz5hKmcziREG2tujKEBs4JVO3uV3+f
-S9eWayvW/+9/vUb0aCqilJrpFesgItV2T8VhhjOE++XUz46uNpcMU7wHMEAXUufP
+UW/4YFULigKImXu/0fKyuMyeFu4l3V8NC6gachvAeWhiniN9sPgPU3AQKaF1y9gq
-pztpFm8ZEk2tFKvadkSSoN8lb11juvZVkSkPlB65pFhSe4QKSp6J4HrkYwIDAQAB
+2EBEI2cFCKS5WASItjZCY951ZKuXYJdYDgC4kPlvI4N5M4ORHPa4pqfa/dzfMLEi
-AoGBAKy8jvb0Lzby8q11yNLf7+78wCVdYi7ugMHcYA1JVFK8+zb1WfSm44FLQo/0
+92sLGn7q5mArzn+5Xh2jD9Vif8w0RlDRxv1rQ413PGVBtfuhF1PSXNhbPtjpn+33
-dSChAjgz36TTexeLODPYxleJndjVcOMVzsLJjSM8dLpXsTS4FCeMbhw2s2u+xqKY
+DdJdNACv8D4PDmjUtKyshqvSXSE/RURldW13v68efBWhOQiLXcAkmISbxfzveS1k
-bbPWfk+HOTyJjfnkcC5Nbg44eOmruq0gSmBeUXVM5UntlTnxAkEA7TGCA3h7kx5E
+KMSV8nuWwhS5rw0xMlavRTEgqbX7Jm14xGRrFwIDAQABAoIBAHLsTPihIfLnYIE5
-Bl4zl2pc3gPAGt+dyfk5Po9mGJUUXhF5p2zueGmYWW74TmOWB1kzt4QRdYMzFePq
+x4GsQQ5zXeBw5ITDM37ktwHnQDC+rIzyUl1aLD1AZRBoKinXd4lOTqLZ4/NHKx4A
-zfDNXEa1CwJBAMFErdY0xp0UJ13WwBbUTk8rujqQdHtjw0klhpbuKkjxu2hN0wwM
+DYr58mZtWyUmqLOMmQVuHXTZBlp7XtYuXMMNovQwjQlp9LicBeoBU6gQ5PVMtubD
-6p0D9qxF7JHaghqVRI0fAW/EE0OzdHMR9QkCQQDNR26dMFXKsoPu+vItljj/UEGf
+F4xGF89Sn0cTHW3iMkqTtQ5KcR1j57OcJO0FEb1vPvk2MXI5ZyAatUYE7YacbEzd
-QG7gERiQ4yxaFBPHgdpGo0kT31eh9x9hQGDkxTe0GNG/YSgCRvm8+C3TMcKXAkBD
+rg02uIwx3FqNSkuSI79uz4hMdV5TPtuhxx9nTwj9aLUhXFeZ0mn2PVgVzEnnMoJb
-dhGn36wkUFCddMSAM4NSJ1VN8/Z0y5HzCmI8dM3VwGtGMUQlxKxwOl30LEQzdS5M
+znlsZDgzDlJqdaD744YGWh8Z3OEssB35KfzFcdOeO6yH8lmv2Zfznk7pNPT7LTb
-0SWojNYXiT2gOBfBwtbhAkEAhafl5QEOIgUz+XazS/IlZ8goNKdDVfYgK3mHHjvv
+Lae9VgkCgYEA92p1qnAB3NtJtNcaW53i0S5WJgS1hxWKvUDx3lTB9s8X9fHpqL1a
-nY5G+AuGebdNkXJr4KSWxDcN+C2i47zuj4QXA16MAOandA==
+E94fDfWzp/hax6FefUKIvBOukPLQ6bYjTMiFoOHzVirghAIuIUoMI5VtLhwD1hKs
 Lr7l/dptMgKb1nZHyXoKHRBthsy3K4+udsPi8TzMvYElgEqyQIe/Rk0CgYEA86GL
 8HC6zLszzKERDPBxrboRmoFvVUCTQDhsfj1M8aR3nQ8V5LkdIJc7Wqm/Ggfk9QRf
 rJ8M2WUMlU5CNnCn/KCrKzCNZIReze3fV+HnKdbcXGLvgbHPrhnz8yYehUFG+RGq
 bVyDWRU94T38izy2s5qMYrMJWZEYyXncSPbfcPMCgYAtaXfxcZ+V5xYPQFARMtiX
 5nZfggvDoJuXgx0h3tK/N2HBfcaSdzbaYLG4gTmZggc/jwnl2dl5E++9oSPhUdIG
 3ONSFUbxsOsGr9PBvnKd8WZZyUCXAVRjPBzAzF+whzQNWCZy/5htnz9LN7YDI9s0
 5113Q96cheDZPFydZY0hHQKBgQDVbEhNukM5xCiNcu+f2SaMnLp9EjQ4h5g3IvaP
 5B16daw/Dw8LzcohWboqIxeAsze0GD/D1ZUJAEd0qBjC3g+a9BjefervCjKOzXng
 38mEUm+6EwVjJSQcjSmycEs+Sr/kwr/8i5WYvU32+jk4tFgMoC+o6tQe/Uesf68k
 z/dPVwKBgGbF7Vv1/3SmhlOy+zYyvJ0CrWtKxH9QP6tLIEgEpd8x7YTSuCH94yok
 kToMXYA3sWNPt22GbRDZ+rcp4c7HkDx6I6vpdP9aQEwJTp0EPy0sgWr2XwYmreIQ
 NFmkk8Itn9EY2R9VBaP7GLv5kvwxDdLAnmwGmzVtbmaVdxCaBwUk
 -----END RSA PRIVATE KEY-----
 subject=/C=US/O=AT&T Bell Laboratories/OU=Prototype Research CA
 issuer= /C=US/O=AT&T Bell Laboratories/OU=Prototype Research CA
 notBefore=950413210656Z
 notAfter =970412210656Z
 -----BEGIN X509 CERTIFICATE-----
 MIICCDCCAXECAQAwDQYJKoZIhvcNAQEEBQAwTjELMAkGA1UEBhMCVVMxHzAdBgNV
 BAoUFkFUJlQgQmVsbCBMYWJvcmF0b3JpZXMxHjAcBgNVBAsUFVByb3RvdHlwZSBS
 ZXNlYXJjaCBDQTAeFw05NTA0MTMyMTA2NTZaFw05NzA0MTIyMTA2NTZaME4xCzAJ
 BgNVBAYTAlVTMR8wHQYDVQQKFBZBVCZUIEJlbGwgTGFib3JhdG9yaWVzMR4wHAYD
 VQQLFBVQcm90b3R5cGUgUmVzZWFyY2ggQ0EwgZwwDQYJKoZIhvcNAQEBBQADgYoA
 MIGGAoGAebOmgtSCl+wCYZc86UGYeTLY8cjmW2P0FN8ToT/u2pECCoFdrlycX0OR
 3wt0ZhpFXLVNeDnHwEE9veNUih7pCL2ZBFqoIoQkB1lZmXRiVtjGonz8BLm/qrFM
 YHb0lme/Ol+s118mwKVxnn6bSAeI/OXKhLaVdYZWk+aEaxEDkVkCAQ8wDQYJKoZI
 hvcNAQEEBQADgYEAAZMG14lZmZ8bahkaHaTV9dQf4p2FZiQTFwHP9ZyGsXPC+LT5
 dG5iTaRmyjNIJdPWohZDl97kAci79aBndvuEvRKOjLHs3WRGBIwERnAcnY9Mz8u/
 zIHK23PjYVxGGaZd669OJwD0CYyqH22HH9nFUGaoJdsv39ChW0NRdLE9+y8=
 -----END X509 CERTIFICATE-----
 issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
 subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
 -----BEGIN CERTIFICATE-----
 MIICJjCCAY8CAQAwDQYJKoZIhvcNAQEEBQAwXDELMAkGA1UEBhMCQVUxEzARBgNV
 BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYD
 VQQDExNUZXN0IFBDQSAoMTAyNCBiaXQpMB4XDTk3MDYwOTEzNTc0M1oXDTAxMDYw
 OTEzNTc0M1owWzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxGjAY
 BgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYDVQQDExJUZXN0IENBICgxMDI0
 IGJpdCkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKO7o8t116VP6cgybTsZ
 DCZhr95nYlZuya3aCi1IKoztqwWnjbmDFIriOqGFPrZQ+moMETC9D59iRW/dFXSv
 1F65ka/XY2hLh9exCCo7XuUcDs53Qp3bI3AmMqHjgzE8oO3ajyJAzJkTTOUecQU2
 mw/gI4tMM0LqWMQS7luTy4+xAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAM7achv3v
 hLQJcv/65eGEpBXM40ZDVoFQFFJWaY5p883HTqLB1x4FdzsXHH0QKBTcKpWwqyu4
 YDm3fb8oDugw72bCzfyZK/zVZPR/hVlqI/fvU109Qoc+7oPvIXWky71HfcK6ZBCA
 q30KIqGM/uoM60INq97qjDmCJapagcNBGQs=
 -----END CERTIFICATE-----
 -----BEGIN RSA PRIVATE KEY-----
 MIICXQIBAAKBgQCju6PLddelT+nIMm07GQwmYa/eZ2JWbsmt2gotSCqM7asFp425
 gxSK4jqhhT62UPpqDBEwvQ+fYkVv3RV0r9ReuZGv12NoS4fXsQgqO17lHA7Od0Kd
 2yNwJjKh44MxPKDt2o8iQMyZE0zlHnEFNpsP4COLTDNC6ljEEu5bk8uPsQIDAQAB
 AoGAVZmpFZsDZfr0l2S9tLLwpjRWNOlKATQkno6q2WesT0eGLQufTciY+c8ypfU6
 hyio8r5iUl/VhhdjhAtKx1mRpiotftHo/eYf8rtsrnprOnWG0bWjLjtIoMbcxGn2
 J3bN6LJmbJMjDs0eJ3KnTu646F3nDUw2oGAwmpzKXA1KAP0CQQDRvQhxk2D3Pehs
 HvG665u2pB5ipYQngEFlZO7RHJZzJOZEWSLuuMqaF/7pTfA5jiBvWqCgJeCRRInL
 21ru4dlPAkEAx9jj7BgKn5TYnMoBSSe0afjsV9oApVpN1Nacb1YDtCwy+scp3++s
 nFxlv98wxIlSdpwMUn+AUWfjiWR7Tu/G/wJBAJ/KjwZIrFVxewP0x2ILYsTRYLzz
 MS4PDsO7FB+I0i7DbBOifXS2oNSpd3I0CNMwrxFnUHzynpbOStVfN3ZL5w0CQQCa
 pwFahxBRhkJKsxhjoFJBX9yl75JoY4Wvm5Tbo9ih6UJaRx3kqfkN14L2BKYcsZgb
 KY9vmDOYy6iNfjDeWTfJAkBkfPUb8oTJ/nSP5zN6sqGxSY4krc4xLxpRmxoJ8HL2
 XfhqXkTzbU13RX9JJ/NZ8vQN9Vm2NhxRGJocQkmcdVtJ
 -----END RSA PRIVATE KEY-----
 -----BEGIN X509 CERTIFICATE-----
 MIICYDCCAiACAgEoMAkGBSsOAwINBQAwfDELMAkGA1UEBhMCVVMxNjA0BgNVBAoT
 LU5hdGlvbmFsIEFlcm9uYXV0aWNzIGFuZCBTcGFjZSBBZG1pbmlzdHJhdGlvbjEZ
 MBcGA1UECxMQVGVzdCBFbnZpcm9ubWVudDEaMBgGA1UECxMRRFNTLU5BU0EtUGls
 b3QtQ0EwHhcNOTYwMjI2MTYzMjQ1WhcNOTcwMjI1MTYzMjQ1WjB8MQswCQYDVQQG
 EwJVUzE2MDQGA1UEChMtTmF0aW9uYWwgQWVyb25hdXRpY3MgYW5kIFNwYWNlIEFk
 bWluaXN0cmF0aW9uMRkwFwYDVQQLExBUZXN0IEVudmlyb25tZW50MRowGAYDVQQL
 ExFEU1MtTkFTQS1QaWxvdC1DQTCB8jAJBgUrDgMCDAUAA4HkADCB4AJBAMA/ssKb
 hPNUG7ZlASfVwEJU21O5OyF/iyBzgHI1O8eOhJGUYO8cc8wDMjR508Mr9cp6Uhl/
 ZB7FV5GkLNEnRHYCQQDUEaSg45P2qrDwixTRhFhmWz5Nvc4lRFQ/42XPcchiJBLb
 bn3QK74T2IxY1yY+kCNq8XrIqf5fJJzIH0J/xUP3AhUAsg2wsQHfDGYk/BOSulX3
 fVd0geUCQQCzCFUQAh+ZkEmp5804cs6ZWBhrUAfnra8lJItYo9xPcXgdIfLfibcX
 R71UsyO77MRD7B0+Ag2tq794IleCVcEEMAkGBSsOAwINBQADLwAwLAIUUayDfreR
 Yh2WeU86/pHNdkUC1IgCFEfxe1f0oMpxJyrJ5XIxTi7vGdoK
 -----END X509 CERTIFICATE-----
 -----BEGIN X509 CERTIFICATE-----
 MIICGTCCAdgCAwCqTDAJBgUrDgMCDQUAMHwxCzAJBgNVBAYTAlVTMTYwNAYDVQQK
 Ey1OYXRpb25hbCBBZXJvbmF1dGljcyBhbmQgU3BhY2UgQWRtaW5pc3RyYXRpb24x
 GTAXBgNVBAsTEFRlc3QgRW52aXJvbm1lbnQxGjAYBgNVBAsTEURTUy1OQVNBLVBp
 bG90LUNBMB4XDTk2MDUxNDE3MDE0MVoXDTk3MDUxNDE3MDE0MVowMzELMAkGA1UE
 BhMCQVUxDzANBgNVBAoTBk1pbmNvbTETMBEGA1UEAxMKRXJpYyBZb3VuZzCB8jAJ
 BgUrDgMCDAUAA4HkADCB4AJBAKbfHz6vE6pXXMTpswtGUec2tvnfLJUsoxE9qs4+
 ObZX7LmLvragNPUeiTJx7UOWZ5DfBj6bXLc8eYne0lP1g3ACQQDUEaSg45P2qrDw
 ixTRhFhmWz5Nvc4lRFQ/42XPcchiJBLbbn3QK74T2IxY1yY+kCNq8XrIqf5fJJzI
 H0J/xUP3AhUAsg2wsQHfDGYk/BOSulX3fVd0geUCQQCzCFUQAh+ZkEmp5804cs6Z
 WBhrUAfnra8lJItYo9xPcXgdIfLfibcXR71UsyO77MRD7B0+Ag2tq794IleCVcEE
 MAkGBSsOAwINBQADMAAwLQIUWsuuJRE3VT4ueWkWMAJMJaZjj1ECFQCYY0zX4bzM
 LC7obsrHD8XAHG+ZRG==
 -----END X509 CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIICTTCCAbagAwIBAgIBADANBgkqhkiG9w0BAQQFADBMMQswCQYDVQQGEwJHQjEM
 MAoGA1UEChMDVUNMMRgwFgYDVQQLEw9JQ0UtVEVMIFByb2plY3QxFTATBgNVBAMT
 DFRydXN0RmFjdG9yeTAeFw05NzA0MjIxNDM5MTRaFw05ODA0MjIxNDM5MTRaMEwx
 CzAJBgNVBAYTAkdCMQwwCgYDVQQKEwNVQ0wxGDAWBgNVBAsTD0lDRS1URUwgUHJv
 amVjdDEVMBMGA1UEAxMMVHJ1c3RGYWN0b3J5MIGcMAoGBFUIAQECAgQAA4GNADCB
 iQKBgQCEieR8NcXkUW1f0G6aC6u0i8q/98JqS6RxK5YmHIGKCkuTWAUjzLfUa4dt
 U9igGCjTuxaDqlzEim+t/02pmiBZT9HaX++35MjQPUWmsChcYU5WyzGErXi+rQaw
 zlwS73zM8qiPj/97lXYycWhgL0VaiDSPxRXEUdWoaGruom4mNQIDAQABo0IwQDAd
 BgNVHQ4EFgQUHal1LZr7oVg5z6lYzrhTgZRCmcUwDgYDVR0PAQH/BAQDAgH2MA8G
 A1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQEEBQADgYEAfaggfl6FZoioecjv0dq8
 /DXo/u11iMZvXn08gjX/zl2b4wtPbShOSY5FhkSm8GeySasz+/Nwb/uzfnIhokWi
 lfPZHtlCWtXbIy/TN51eJyq04ceDCQDWvLC2enVg9KB+GJ34b5c5VaPRzq8MBxsA
 S7ELuYGtmYgYm9NZOIr7yU0=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIB6jCCAZQCAgEtMA0GCSqGSIb3DQEBBAUAMIGAMQswCQYDVQQGEwJVUzE2MDQG
 A1UEChMtTmF0aW9uYWwgQWVyb25hdXRpY3MgYW5kIFNwYWNlIEFkbWluaXN0cmF0
 aW9uMRkwFwYDVQQLExBUZXN0IEVudmlyb25tZW50MR4wHAYDVQQLExVNRDUtUlNB
 LU5BU0EtUGlsb3QtQ0EwHhcNOTYwNDMwMjIwNTAwWhcNOTcwNDMwMjIwNTAwWjCB
 gDELMAkGA1UEBhMCVVMxNjA0BgNVBAoTLU5hdGlvbmFsIEFlcm9uYXV0aWNzIGFu
 ZCBTcGFjZSBBZG1pbmlzdHJhdGlvbjEZMBcGA1UECxMQVGVzdCBFbnZpcm9ubWVu
 dDEeMBwGA1UECxMVTUQ1LVJTQS1OQVNBLVBpbG90LUNBMFkwCgYEVQgBAQICAgAD
 SwAwSAJBALmmX5+GqAvcrWK13rfDrNX9UfeA7f+ijyBgeFQjYUoDpFqapw4nzQBL
 bAXug8pKkRwa2Zh8YODhXsRWu2F/UckCAwEAATANBgkqhkiG9w0BAQQFAANBAH9a
 OBA+QCsjxXgnSqHx04gcU8S49DVUb1f2XVoLnHlIb8RnX0k5O6mpHT5eti9bLkiW
 GJNMJ4L0AJ/ac+SmHZc=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIICajCCAdMCBDGA0QUwDQYJKoZIhvcNAQEEBQAwfTELMAkGA1UEBhMCQ2ExDzAN
 BgNVBAcTBk5lcGVhbjEeMBwGA1UECxMVTm8gTGlhYmlsaXR5IEFjY2VwdGVkMR8w
 HQYDVQQKExZGb3IgRGVtbyBQdXJwb3NlcyBPbmx5MRwwGgYDVQQDExNFbnRydXN0
 IERlbW8gV2ViIENBMB4XDTk2MDQyNjEzMzUwMVoXDTA2MDQyNjEzMzUwMVowfTEL
 MAkGA1UEBhMCQ2ExDzANBgNVBAcTBk5lcGVhbjEeMBwGA1UECxMVTm8gTGlhYmls
 aXR5IEFjY2VwdGVkMR8wHQYDVQQKExZGb3IgRGVtbyBQdXJwb3NlcyBPbmx5MRww
 GgYDVQQDExNFbnRydXN0IERlbW8gV2ViIENBMIGdMA0GCSqGSIb3DQEBAQUAA4GL
 ADCBhwKBgQCaroS7O1DA0hm4IefNYU1cx/nqOmzEnk291d1XqznDeF4wEgakbkCc
 zTKxK791yNpXG5RmngqH7cygDRTHZJ6mfCRn0wGC+AI00F2vYTGqPGRQL1N3lZT0
 YDKFC0SQeMMjFIZ1aeQigroFQnHo0VB3zWIMpNkka8PY9lxHZAmWwQIBAzANBgkq
 hkiG9w0BAQQFAAOBgQBAx0UMVA1s54lMQyXjMX5kj99FJN5itb8bK1Rk+cegPQPF
 cWO9SEWyEjjBjIkjjzAwBkaEszFsNGxemxtXvwjIm1xEUMTVlPEWTs2qnDvAUA9W
 YqhWbhH0toGT36236QAsqCZ76rbTRVSSX2BHyJwJMG2tCRv7kRJ//NIgxj3H4w==
 -----END CERTIFICATE-----
 issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
 subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test PCA (1024 bit)
 -----BEGIN CERTIFICATE-----
 MIICJzCCAZACAQAwDQYJKoZIhvcNAQEEBQAwXDELMAkGA1UEBhMCQVUxEzARBgNV
 BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYD
 VQQDExNUZXN0IFBDQSAoMTAyNCBiaXQpMB4XDTk3MDYwOTEzNTczN1oXDTAxMDYw
 OTEzNTczN1owXDELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQxGjAY
 BgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYDVQQDExNUZXN0IFBDQSAoMTAy
 NCBiaXQpMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdoWk/3+WcMlfjIrkg
 40ketmnQaEogQe1LLcuOJV6rKfUSAsPgwgsabJ/wn8TxA1yy3eKJbFl3OiUXMRsp
 22Jp85PmemiDzyUIStwk72qhp1imbANZvlmlCFKiQrjUyuDfu4TABmn+kkt3vR1Y
 BEOGt+IFye1UBVSATVdRJ2UVhwIDAQABMA0GCSqGSIb3DQEBBAUAA4GBABNA1u/S
 Cg/LJZWb7GliiKJsvuhxlE4E5JxQF2zMub/CSNbF97//tYSyj96sxeFQxZXbcjm9
 xt6mr/xNLA4szNQMJ4P+L7b5e/jC5DSqlwS+CUYJgaFs/SP+qJoCSu1bR3IM9XWO
 cRBpDmcBbYLkSyB92WURvsZ1LtjEcn+cdQVI
 -----END CERTIFICATE-----
 -----BEGIN RSA PRIVATE KEY-----
 MIICXAIBAAKBgQCdoWk/3+WcMlfjIrkg40ketmnQaEogQe1LLcuOJV6rKfUSAsPg
 wgsabJ/wn8TxA1yy3eKJbFl3OiUXMRsp22Jp85PmemiDzyUIStwk72qhp1imbANZ
 vlmlCFKiQrjUyuDfu4TABmn+kkt3vR1YBEOGt+IFye1UBVSATVdRJ2UVhwIDAQAB
 AoGAba4fTtuap5l7/8ZsbE7Z1O32KJY4ZcOZukLOLUUhXxXduT+FTgGWujc0/rgc
 z9qYCLlNZHOouMYTgtSfYvuMuLZ11VIt0GYH+nRioLShE59Yy+zCRyC+gPigS1kz
 xvo14AsOIPYV14Tk/SsHyq6E0eTk7VzaIE197giiINUERPECQQDSKmtPTh/lRKw7
 HSZSM0I1mFWn/1zqrAbontRQY5w98QWIOe5qmzYyFbPXYT3d9BzlsMyhgiRNoBbD
 yvohSHXJAkEAwAHx6ezAZeWWzD5yXD36nyjpkVCw7Tk7TSmOceLJMWt1QcrCfqlS
 xA5jjpQ6Z8suU5DdtWAryM2sAir1WisYzwJAd6Zcx56jvAQ3xcPXsE6scBTVFzrj
 7FqZ6E+cclPzfLQ+QQsyOBE7bpI6e/FJppY26XGZXo3YGzV8IGXrt40oOQJALETG
 h86EFXo3qGOFbmsDy4pdP5nBERCu8X1xUCSfintiD4c2DInxgS5oGclnJeMcjTvL
 QjQoJCX3UJCi/OUO1QJBAKgcDHWjMvt+l1pjJBsSEZ0HX9AAIIVx0RQmbFGS+F2Q
 hhu5l77WnnZOQ9vvhV5u7NPCUF9nhU3jh60qWWO8mkc=
 -----END RSA PRIVATE KEY-----
 subject=/C=US/O=RSA Data Security, Inc./OU=Commercial Certification Authority
 issuer= /C=US/O=RSA Data Security, Inc./OU=Commercial Certification Authority
 notBefore=941104185834Z
 notAfter =991103185834Z
 -----BEGIN X509 CERTIFICATE-----
 MIICIzCCAZACBQJBAAAWMA0GCSqGSIb3DQEBAgUAMFwxCzAJBgNVBAYTAlVTMSAw
 HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjErMCkGA1UECxMiQ29tbWVy
 Y2lhbCBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NDExMDQxODU4MzRaFw05
 OTExMDMxODU4MzRaMFwxCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0YSBT
 ZWN1cml0eSwgSW5jLjErMCkGA1UECxMiQ29tbWVyY2lhbCBDZXJ0aWZpY2F0aW9u
 IEF1dGhvcml0eTCBmzANBgkqhkiG9w0BAQEFAAOBiQAwgYUCfgCk+4Fie84QJ93o
 975sbsZwmdu41QUDaSiCnHJ/lj+O7Kwpkj+KFPhCdr69XQO5kNTQvAayUTNfxMK/
 touPmbZiImDd298ggrTKoi8tUO2UMt7gVY3UaOLgTNLNBRYulWZcYVI4HlGogqHE
 7yXpCuaLK44xZtn42f29O2nZ6wIDAQABMA0GCSqGSIb3DQEBAgUAA34AdrW2EP4j
 9/dZYkuwX5zBaLxJu7NJbyFHXSudVMQAKD+YufKKg5tgf+tQx6sFEC097TgCwaVI
 0v5loMC86qYjFmZsGySp8+x5NRhPJsjjr1BKx6cxa9B8GJ1Qv6km+iYrRpwUqbtb
 MJhCKLVLU7tDCZJAuqiqWqTGtotXTcU=
 -----END X509 CERTIFICATE-----
 subject=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
 issuer= /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
 notBefore=941109235417Z
 notAfter =991231235417Z
 -----BEGIN X509 CERTIFICATE-----
 MIICKTCCAZYCBQJBAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMSAw
 HgYDVQQKExdSU0EgRGF0YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJl
 IFNlcnZlciBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NDExMDkyMzU0MTda
 Fw05OTEyMzEyMzU0MTdaMF8xCzAJBgNVBAYTAlVTMSAwHgYDVQQKExdSU0EgRGF0
 YSBTZWN1cml0eSwgSW5jLjEuMCwGA1UECxMlU2VjdXJlIFNlcnZlciBDZXJ0aWZp
 Y2F0aW9uIEF1dGhvcml0eTCBmzANBgkqhkiG9w0BAQEFAAOBiQAwgYUCfgCSznrB
 roM+WqqJg1esJQF2DK2ujiw3zus1eGRUA+WEQFHJv48I4oqCCNIWhjdV6bEhAq12
 aIGaBaJLyUslZiJWbIgHj/eBWW2EB2VwE3F2Ppt3TONQiVaYSLkdpykaEy5KEVmc
 HhXVSVQsczppgrGXOZxtcGdI5d0t1sgeewIDAQABMA0GCSqGSIb3DQEBAgUAA34A
 iNHReSHO4ovo+MF9NFM/YYPZtgs4F7boviGNjwC4i1N+RGceIr2XJ+CchcxK9oU7
 suK+ktPlDemvXA4MRpX/oRxePug2WHpzpgr4IhFrwwk4fia7c+8AvQKk8xQNMD9h
 cHsg/jKjn7P0Z1LctO6EjJY2IN6BCINxIYoPnqk=
 -----END X509 CERTIFICATE-----
 subject=/C=ZA/SP=Western Cape/L=Cape Town/O=Thawte Consulting cc
 	/OU=Certification Services Division/CN=Thawte Server CA
 	/Email=server-certs@thawte.com
 issuer= /C=ZA/SP=Western Cape/L=Cape Town/O=Thawte Consulting cc
 	/OU=Certification Services Division/CN=Thawte Server CA
 	/Email=server-certs@thawte.com
 -----BEGIN CERTIFICATE-----
 MIIC+TCCAmICAQAwDQYJKoZIhvcNAQEEBQAwgcQxCzAJBgNVBAYTAlpBMRUwEwYD
 VQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsGA1UEChMU
 VGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2Vy
 dmljZXMgRGl2aXNpb24xGTAXBgNVBAMTEFRoYXd0ZSBTZXJ2ZXIgQ0ExJjAkBgkq
 hkiG9w0BCQEWF3NlcnZlci1jZXJ0c0B0aGF3dGUuY29tMB4XDTk2MDcyNzE4MDc1
 N1oXDTk4MDcyNzE4MDc1N1owgcQxCzAJBgNVBAYTAlpBMRUwEwYDVQQIEwxXZXN0
 ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsGA1UEChMUVGhhd3RlIENv
 bnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2VydmljZXMgRGl2
 aXNpb24xGTAXBgNVBAMTEFRoYXd0ZSBTZXJ2ZXIgQ0ExJjAkBgkqhkiG9w0BCQEW
 F3NlcnZlci1jZXJ0c0B0aGF3dGUuY29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCB
 iQKBgQDTpFBuyP9Wa+bPXbbqDGh1R6KqwtqEJfyo9EdR2oW1IHSUhh4PdcnpCGH1
 Bm0wbhUZAulSwGLbTZme4moMRDjN/r7jZAlwxf6xaym2L0nIO9QnBCUQly/nkG3A
 KEKZ10xD3sP1IW1Un13DWOHA5NlbsLjctHvfNjrCtWYiEtaHDQIDAQABMA0GCSqG
 SIb3DQEBBAUAA4GBAIsvn7ifX3RUIrvYXtpI4DOfARkTogwm6o7OwVdl93yFhDcX
 7h5t0XZ11MUAMziKdde3rmTvzUYIUCYoY5b032IwGMTvdiclK+STN6NP2m5nvFAM
 qJT5gC5O+j/jBuZRQ4i0AMYQr5F4lT8oBJnhgafw6PL8aDY2vMHGSPl9+7uf
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIIDDTCCAnYCAQAwDQYJKoZIhvcNAQEEBQAwgc4xCzAJBgNVBAYTAlpBMRUwEwYD
 VQQIEwxXZXN0ZXJuIENhcGUxEjAQBgNVBAcTCUNhcGUgVG93bjEdMBsGA1UEChMU
 VGhhd3RlIENvbnN1bHRpbmcgY2MxKDAmBgNVBAsTH0NlcnRpZmljYXRpb24gU2Vy
 dmljZXMgRGl2aXNpb24xITAfBgNVBAMTGFRoYXd0ZSBQcmVtaXVtIFNlcnZlciBD
 QTEoMCYGCSqGSIb3DQEJARYZcHJlbWl1bS1zZXJ2ZXJAdGhhd3RlLmNvbTAeFw05
 NjA3MjcxODA3MTRaFw05ODA3MjcxODA3MTRaMIHOMQswCQYDVQQGEwJaQTEVMBMG
 A1UECBMMV2VzdGVybiBDYXBlMRIwEAYDVQQHEwlDYXBlIFRvd24xHTAbBgNVBAoT
 FFRoYXd0ZSBDb25zdWx0aW5nIGNjMSgwJgYDVQQLEx9DZXJ0aWZpY2F0aW9uIFNl
 cnZpY2VzIERpdmlzaW9uMSEwHwYDVQQDExhUaGF3dGUgUHJlbWl1bSBTZXJ2ZXIg
 Q0ExKDAmBgkqhkiG9w0BCQEWGXByZW1pdW0tc2VydmVyQHRoYXd0ZS5jb20wgZ8w
 DQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBANI2NmqL18JbntqBQWKPOO5JBFXW0O8c
 G5UWR+8YSDU6UvQragaPOy/qVuOvho2eF/eetGV1Ak3vywmiIVHYm9Bn0LoNkgYU
 c9STy5cqAJxcTgy8+hVS/PJEbtoRSm4Iny8t4/mqOoZztkZTWMiJBb2DEbhzP6oH
 jfRCTedAnRw3AgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAutFIgTRZVYerIZfL9lvR
 w9Eifvvo5KTZ3h+Bj+VzNnyw4Qc/IyXkPOu6SIiH9LQ3sCmWBdxpe+qr4l77rLj2
 GYuMtESFfn1XVALzkYgC7JcPuTOjMfIiMByt+uFf8AV8x0IW/Qkuv+hEQcyM9vxK
 3VZdLbCVIhNoEsysrxCpxcI=
 -----END CERTIFICATE-----
 Tims test GCI CA
 -----BEGIN CERTIFICATE-----
 MIIB8DCCAZoCAQAwDQYJKoZIhvcNAQEEBQAwgYIxCzAJBgNVBAYTAkFVMRMwEQYD
 VQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5
 cHRTb2Z0IFB0eSBMdGQxFDASBgNVBAsTC2RldmVsb3BtZW50MRkwFwYDVQQDExBD
 cnlwdFNvZnQgRGV2IENBMB4XDTk3MDMyMjEzMzQwNFoXDTk4MDMyMjEzMzQwNFow
 gYIxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhC
 cmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxFDASBgNVBAsTC2Rl
 dmVsb3BtZW50MRkwFwYDVQQDExBDcnlwdFNvZnQgRGV2IENBMFwwDQYJKoZIhvcN
 AQEBBQADSwAwSAJBAOAOAqogG5QwAmLhzyO4CoRnx/wVy4NZP4dxJy83O1EnL0rw
 OdsamJKvPOLHgSXo3gDu9uVyvCf/QJmZAmC5ml8CAwEAATANBgkqhkiG9w0BAQQF
 AANBADRRS/GVdd7rAqRW6SdmgLJduOU2yq3avBu99kRqbp9A/dLu6r6jU+eP4oOA
 TfdbFZtAAD2Hx9jUtY3tfdrJOb8= 
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIICVjCCAgACAQAwDQYJKoZIhvcNAQEEBQAwgbUxCzAJBgNVBAYTAkFVMRMwEQYD
 VQQIEwpRdWVlbnNsYW5kMREwDwYDVQQHEwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5
 cHRTb2Z0IFB0eSBMdGQxLDAqBgNVBAsTI1dPUlRITEVTUyBDRVJUSUZJQ0FUSU9O
 IEFVVEhPUklUSUVTMTQwMgYDVQQDEytaRVJPIFZBTFVFIENBIC0gREVNT05TVFJB
 VElPTiBQVVJQT1NFUyBPTkxZMB4XDTk3MDQwMzEzMjI1NFoXDTk4MDQwMzEzMjI1
 NFowgbUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIEwpRdWVlbnNsYW5kMREwDwYDVQQH
 EwhCcmlzYmFuZTEaMBgGA1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxLDAqBgNVBAsT
 I1dPUlRITEVTUyBDRVJUSUZJQ0FUSU9OIEFVVEhPUklUSUVTMTQwMgYDVQQDEyta
 RVJPIFZBTFVFIENBIC0gREVNT05TVFJBVElPTiBQVVJQT1NFUyBPTkxZMFwwDQYJ
 KoZIhvcNAQEBBQADSwAwSAJBAOZ7T7yqP/tyspcko3yPY1y0Cm2EmwNvzW4QgVXR
 Fjs3HmJ4xtSpXdo6mwcGezL3Abt/aQXaxv9PU8xt+Jr0OFUCAwEAATANBgkqhkiG
 9w0BAQQFAANBAOQpYmGgyCqCy1OljgJhCqQOu627oVlHzK1L+t9vBaMfn40AVUR4
 WzQVWO31KTgi5vTK1U+3h46fgUWqQ0h+6rU=
 -----END CERTIFICATE-----
 -----BEGIN CERTIFICATE-----
 MIAwgKADAgECAgEAMA0GCSqGSIb3DQEBBAUAMGIxETAPBgNVBAcTCEludGVybmV0
 MRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNpZ24gQ2xh
 c3MgMSBDQSAtIEluZGl2aWR1YWwgU3Vic2NyaWJlcjAeFw05NjA0MDgxMDIwMjda
 Fw05NzA0MDgxMDIwMjdaMGIxETAPBgNVBAcTCEludGVybmV0MRcwFQYDVQQKEw5W
 ZXJpU2lnbiwgSW5jLjE0MDIGA1UECxMrVmVyaVNpZ24gQ2xhc3MgMSBDQSAtIElu
 ZGl2aWR1YWwgU3Vic2NyaWJlcjCAMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2
 FKbPTdAFDdjKI9BvqrQpkmOOLPhvltcunXZLEbE2jVfJw/0cxrr+Hgi6M8qV6r7j
 W80GqLd5HUQq7XPysVKDaBBwZJHXPmv5912dFEObbpdFmIFH0S3L3bty10w/cari
 QPJUObwW7s987LrbP2wqsxaxhhKdrpM01bjV0Pc+qQIDAQABAAAAADANBgkqhkiG
 9w0BAQQFAAOBgQA+1nJryNt8VBRjRr07ArDAV/3jAH7GjDc9jsrxZS68ost9v06C
 TvTNKGL+LISNmFLXl+JXhgGB0JZ9fvyYzNgHQ46HBUng1H6voalfJgS2KdEo50wW
 8EFZYMDkT1k4uynwJqkVN2QJK/2q4/A/VCov5h6SlM8Affg2W+1TLqvqkwAA
 -----END CERTIFICATE-----
 subject=/L=Internet/O=VeriSign, Inc./OU=VeriSign Class 2 CA - Individual Subscriber
 issuer= /L=Internet/O=VeriSign, Inc./OU=VeriSign Class 2 CA - Individual Subscriber
 -----BEGIN CERTIFICATE-----
 MIIEkzCCA/ygAwIBAgIRANDTUpSRL3nTFeMrMayFSPAwDQYJKoZIhvcNAQECBQAw
 YjERMA8GA1UEBxMISW50ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQw
 MgYDVQQLEytWZXJpU2lnbiBDbGFzcyAyIENBIC0gSW5kaXZpZHVhbCBTdWJzY3Jp
 YmVyMB4XDTk2MDYwNDAwMDAwMFoXDTk4MDYwNDIzNTk1OVowYjERMA8GA1UEBxMI
 SW50ZXJuZXQxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTQwMgYDVQQLEytWZXJp
 U2lnbiBDbGFzcyAyIENBIC0gSW5kaXZpZHVhbCBTdWJzY3JpYmVyMIGfMA0GCSqG
 SIb3DQEBAQUAA4GNADCBiQKBgQC6A+2czKGRcYMfm8gdnk+0de99TDDzsqo0v5nb
 RsbUmMcdRQ7nsMbRWe0SAb/9QoLTZ/cJ0iOBqdrkz7UpqqKarVoTSdlSMVM92tWp
 3bJncZHQD1t4xd6lQVdI1/T6R+5J0T1ukOdsI9Jmf+F28S6g3R3L1SFwiHKeZKZv
 z+793wIDAQABo4ICRzCCAkMwggIpBgNVHQMBAf8EggIdMIICGTCCAhUwggIRBgtg
 hkgBhvhFAQcBATCCAgAWggGrVGhpcyBjZXJ0aWZpY2F0ZSBpbmNvcnBvcmF0ZXMg
 YnkgcmVmZXJlbmNlLCBhbmQgaXRzIHVzZSBpcyBzdHJpY3RseSBzdWJqZWN0IHRv
 LCB0aGUgVmVyaVNpZ24gQ2VydGlmaWNhdGlvbiBQcmFjdGljZSBTdGF0ZW1lbnQg
 KENQUyksIGF2YWlsYWJsZSBhdDogaHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL0NQ
 Uy0xLjA7IGJ5IEUtbWFpbCBhdCBDUFMtcmVxdWVzdHNAdmVyaXNpZ24uY29tOyBv
 ciBieSBtYWlsIGF0IFZlcmlTaWduLCBJbmMuLCAyNTkzIENvYXN0IEF2ZS4sIE1v
 dW50YWluIFZpZXcsIENBIDk0MDQzIFVTQSBUZWwuICsxICg0MTUpIDk2MS04ODMw
 IENvcHlyaWdodCAoYykgMTk5NiBWZXJpU2lnbiwgSW5jLiAgQWxsIFJpZ2h0cyBS
 ZXNlcnZlZC4gQ0VSVEFJTiBXQVJSQU5USUVTIERJU0NMQUlNRUQgYW5kIExJQUJJ
 TElUWSBMSU1JVEVELqAOBgxghkgBhvhFAQcBAQGhDgYMYIZIAYb4RQEHAQECMC8w
 LRYraHR0cHM6Ly93d3cudmVyaXNpZ24uY29tL3JlcG9zaXRvcnkvQ1BTLTEuMDAU
 BglghkgBhvhCAQEBAf8EBAMCAgQwDQYJKoZIhvcNAQECBQADgYEApRJRkNBqLLgs
 53IR/d18ODdLOWMTZ+QOOxBrq460iBEdUwgF8vmPRX1ku7UiDeNzaLlurE6eFqHq
 2zPyK5j60zfTLVJMWKcQWwTJLjHtXrW8pxhNtFc6Fdvy5ZkHnC/9NIl7/t4U6WqB
 p4y+p7SdMIkEwIZfds0VbnQyX5MRUJY=
 -----END CERTIFICATE-----
 subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 issuer= /C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 -----BEGIN CERTIFICATE-----
 MIICMTCCAZoCBQKhAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMRcw
 FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMg
 UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NjAxMjkwMDAwMDBa
 Fw05OTEyMzEyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2ln
 biwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZp
 Y2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAyVxZ
 nvIbigEUtBDfBEDb41evakVAj4QMC9Ez2dkRz+4CWB8l9yqoRAWq7AMfeH+ek7ma
 AKojfdashaJjRcdyJ8z0TMZ1cdI5709C8HXfCpDGjiBvmA/4rCNfcCk2pMmG57Ga
 IMtTpYXnPb59mv4kRTPcdhXtD6JxZExlLoFoRacCAwEAATANBgkqhkiG9w0BAQIF
 AAOBgQB1Zmw+0c2B27X4LzZRtvdCvM1Cr9wO+hVs+GeTVzrrtpLotgHKjLeOQ7RJ
 Zfk+7r11Ri7J/CVdqMcvi5uPaM+0nJcYwE3vH9mvgrPmZLiEXIqaB1JDYft0nls6
 NvxMsvwaPxUupVs8G5DsiCnkWRb5zget7Ond2tIxik/W2O8XjQ==
 -----END CERTIFICATE-----
 subject=/C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority
 issuer= /C=US/O=VeriSign, Inc./OU=Class 4 Public Primary Certification Authority
 -----BEGIN CERTIFICATE-----
 MIICMTCCAZoCBQKmAAABMA0GCSqGSIb3DQEBAgUAMF8xCzAJBgNVBAYTAlVTMRcw
 FQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgNCBQdWJsaWMg
 UHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05NjAxMjkwMDAwMDBa
 Fw05OTEyMzEyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2ln
 biwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgNCBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZp
 Y2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA0LJ1
 9njQrlpQ9OlQqZ+M1++RlHDo0iSQdomF1t+s5gEXMoDwnZNHvJplnR+Xrr/phnVj
 IIm9gFidBAydqMEk6QvlMXi9/C0MN2qeeIDpRnX57aP7E3vIwUzSo+/1PLBij0pd
 O92VZ48TucE81qcmm+zDO3rZTbxtm+gVAePwR6kCAwEAATANBgkqhkiG9w0BAQIF
 AAOBgQBT3dPwnCR+QKri/AAa19oM/DJhuBUNlvP6Vxt/M3yv6ZiaYch6s7f/sdyZ
 g9ysEvxwyR84Qu1E9oAuW2szaayc01znX1oYx7EteQSWQZGZQbE8DbqEOcY7l/Am
 yY7uvcxClf8exwI/VAx49byqYHwCaejcrOICdmHEPgPq0ook0Q==
 -----END CERTIFICATE-----
--- a/apps/sess_id.c
+++ b/apps/sess_id.c
@@ -1,4 +1,3 @@
 /* apps/sess_id.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -66,173 +65,110 @@
 #include <openssl/pem.h>
 #include <openssl/ssl.h>
-#undef PROG
+typedef enum OPTION_choice {
-#define PROG	sess_id_main
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT,
    OPT_TEXT, OPT_CERT, OPT_NOOUT, OPT_CONTEXT
 } OPTION_CHOICE;
-static const char *sess_id_usage[]={
+OPTIONS sess_id_options[] = {
-"usage: sess_id args\n",
+    {"help", OPT_HELP, '-', "Display this summary"},
-"\n",
+    {"inform", OPT_INFORM, 'F', "Input format - default PEM (DER or PEM)"},
-" -inform arg     - input format - default PEM (DER or PEM)\n",
+    {"outform", OPT_OUTFORM, 'F',
-" -outform arg    - output format - default PEM\n",
+     "Output format - default PEM (PEM, DER or NSS)"},
-" -in arg         - input file - default stdin\n",
+    {"in", OPT_IN, 's', "Input file - default stdin"},
-" -out arg        - output file - default stdout\n",
+    {"out", OPT_OUT, 's', "Output file - default stdout"},
-" -text           - print ssl session id details\n",
+    {"text", OPT_TEXT, '-', "Print ssl session id details"},
-" -cert           - output certificate \n",
+    {"cert", OPT_CERT, '-', "Output certificate "},
-" -noout          - no CRL output\n",
+    {"noout", OPT_NOOUT, '-', "Don't output the encoded session info"},
-" -context arg    - set the session ID context\n",
+    {"context", OPT_CONTEXT, 's', "Set the session ID context"},
-NULL
+    {NULL}
 };
 static SSL_SESSION *load_sess_id(char *file, int format);
-int MAIN(int, char **);
+int sess_id_main(int argc, char **argv)
 int MAIN(int argc, char **argv)
 {
    SSL_SESSION *x = NULL;
    X509 *peer = NULL;
 	int ret=1,i,num,badops=0;
    BIO *out = NULL;
-	int informat,outformat;
+    char *infile = NULL, *outfile = NULL, *context = NULL, *prog;
-	char *infile=NULL,*outfile=NULL,*context=NULL;
+    int informat = FORMAT_PEM, outformat = FORMAT_PEM;
-	int cert=0,noout=0,text=0;
+    int cert = 0, noout = 0, text = 0, ret = 1, i, num = 0;
-	const char **pp;
+    OPTION_CHOICE o;
-	apps_startup();
+    prog = opt_init(argc, argv, sess_id_options);
-
+    while ((o = opt_next()) != OPT_EOF) {
-	if (bio_err == NULL)
+        switch (o) {
-		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+        case OPT_EOF:
-			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+        case OPT_ERR:
-
+ opthelp:
-	informat=FORMAT_PEM;
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
-	outformat=FORMAT_PEM;
+            goto end;
-
+        case OPT_HELP:
-	argc--;
+            opt_help(sess_id_options);
-	argv++;
+            ret = 0;
-	num=0;
+            goto end;
-	while (argc >= 1)
+        case OPT_INFORM:
-		{
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
-		if 	(strcmp(*argv,"-inform") == 0)
+                goto opthelp;
-			{
+            break;
-			if (--argc < 1) goto bad;
+        case OPT_OUTFORM:
-			informat=str2fmt(*(++argv));
+            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
-			}
+                goto opthelp;
-		else if (strcmp(*argv,"-outform") == 0)
+            break;
-			{
+        case OPT_IN:
-			if (--argc < 1) goto bad;
+            infile = opt_arg();
-			outformat=str2fmt(*(++argv));
+            break;
-			}
+        case OPT_OUT:
-		else if (strcmp(*argv,"-in") == 0)
+            outfile = opt_arg();
-			{
+            break;
-			if (--argc < 1) goto bad;
+        case OPT_TEXT:
 			infile= *(++argv);
 			}
 		else if (strcmp(*argv,"-out") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 		else if (strcmp(*argv,"-text") == 0)
            text = ++num;
-		else if (strcmp(*argv,"-cert") == 0)
+            break;
        case OPT_CERT:
            cert = ++num;
-		else if (strcmp(*argv,"-noout") == 0)
+            break;
        case OPT_NOOUT:
            noout = ++num;
-		else if (strcmp(*argv,"-context") == 0)
+            break;
-		    {
+        case OPT_CONTEXT:
-		    if(--argc < 1) goto bad;
+            context = opt_arg();
 		    context=*++argv;
 		    }
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
 			badops=1;
            break;
        }
 		argc--;
 		argv++;
    }
    argc = opt_num_rest();
    argv = opt_rest();
-	if (badops)
+    x = load_sess_id(infile, informat);
-		{
+    if (x == NULL) {
 bad:
 		for (pp=sess_id_usage; (*pp != NULL); pp++)
 			BIO_printf(bio_err,"%s",*pp);
        goto end;
    }
 	ERR_load_crypto_strings();
 	x=load_sess_id(infile,informat);
 	if (x == NULL) { goto end; }
    peer = SSL_SESSION_get0_peer(x);
-	if(context)
+    if (context) {
 	    {
        size_t ctx_len = strlen(context);
-	    if(ctx_len > SSL_MAX_SID_CTX_LENGTH)
+        if (ctx_len > SSL_MAX_SID_CTX_LENGTH) {
 		{
            BIO_printf(bio_err, "Context too long\n");
            goto end;
        }
-	    SSL_SESSION_set1_id_context(x, (unsigned char *)context, ctx_len);
+        if (!SSL_SESSION_set1_id_context(x, (unsigned char *)context,
                    ctx_len)) {
            BIO_printf(bio_err, "Error setting id context\n");
            goto end;
        }
    }
-#ifdef undef
+    if (!noout || text) {
-	/* just testing for memory leaks :-) */
+        out = bio_open_default(outfile, 'w', outformat);
 	{
 	SSL_SESSION *s;
 	char buf[1024*10],*p;
 	int i;
 	s=SSL_SESSION_new();
 	p= &buf;
 	i=i2d_SSL_SESSION(x,&p);
 	p= &buf;
 	d2i_SSL_SESSION(&s,&p,(long)i);
 	p= &buf;
 	d2i_SSL_SESSION(&s,&p,(long)i);
 	p= &buf;
 	d2i_SSL_SESSION(&s,&p,(long)i);
 	SSL_SESSION_free(s);
 	}
 #endif
 	if (!noout || text)
 		{
 		out=BIO_new(BIO_s_file());
        if (out == NULL)
 			{
 			ERR_print_errors(bio_err);
            goto end;
    }
-		if (outfile == NULL)
+    if (text) {
 			{
 			BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 			{
 			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 			out = BIO_push(tmpbio, out);
 			}
 #endif
 			}
 		else
 			{
 			if (BIO_write_filename(out,outfile) <= 0)
 				{
 				perror(outfile);
 				goto end;
 				}
 			}
 		}
 	if (text)
 		{
        SSL_SESSION_print(out, x);
-		if (cert)
+        if (cert) {
 			{
            if (peer == NULL)
                BIO_puts(out, "No certificate present\n");
            else
@@ -240,12 +176,13 @@ bad:
        }
    }
-	if (!noout && !cert)
+    if (!noout && !cert) {
 		{
        if (outformat == FORMAT_ASN1)
            i = i2d_SSL_SESSION_bio(out, x);
        else if (outformat == FORMAT_PEM)
            i = PEM_write_bio_SSL_SESSION(out, x);
        else if (outformat == FORMAT_NSS)
            i = SSL_SESSION_print_keylog(out, x);
        else {
            BIO_printf(bio_err, "bad output format specified for outfile\n");
            goto end;
@@ -254,9 +191,7 @@ bad:
            BIO_printf(bio_err, "unable to write SSL_SESSION\n");
            goto end;
        }
-		}
+    } else if (!noout && (peer != NULL)) { /* just print the certificate */
 	else if (!noout && (peer != NULL)) /* just print the certificate */
 		{
        if (outformat == FORMAT_ASN1)
            i = (int)i2d_X509_bio(out, peer);
        else if (outformat == FORMAT_PEM)
@@ -272,10 +207,9 @@ bad:
    }
    ret = 0;
 end:
-	if (out != NULL) BIO_free_all(out);
+    BIO_free_all(out);
-	if (x != NULL) SSL_SESSION_free(x);
+    SSL_SESSION_free(x);
-	apps_shutdown();
+    return (ret);
 	OPENSSL_EXIT(ret);
 }
 static SSL_SESSION *load_sess_id(char *infile, int format)
@@ -283,40 +217,20 @@ static SSL_SESSION *load_sess_id(char *infile, int format)
    SSL_SESSION *x = NULL;
    BIO *in = NULL;
-	in=BIO_new(BIO_s_file());
+    in = bio_open_default(infile, 'r', format);
    if (in == NULL)
 		{
 		ERR_print_errors(bio_err);
        goto end;
 		}
 	if (infile == NULL)
 		BIO_set_fp(in,stdin,BIO_NOCLOSE);
 	else
 		{
 		if (BIO_read_filename(in,infile) <= 0)
 			{
 			perror(infile);
 			goto end;
 			}
 		}
    if (format == FORMAT_ASN1)
        x = d2i_SSL_SESSION_bio(in, NULL);
-	else if (format == FORMAT_PEM)
+    else
        x = PEM_read_bio_SSL_SESSION(in, NULL, NULL, NULL);
-	else	{
+    if (x == NULL) {
 		BIO_printf(bio_err,"bad input format specified for input crl\n");
 		goto end;
 		}
 	if (x == NULL)
 		{
        BIO_printf(bio_err, "unable to load SSL_SESSION\n");
        ERR_print_errors(bio_err);
        goto end;
    }
 end:
-	if (in != NULL) BIO_free(in);
+    BIO_free(in);
    return (x);
 }
--- a/Show More
+++ b/Show More
		`@@ -0,0 +1,2 @@`
							`Please https://www.openssl.org/community/thanks.html for the current`
							`acknowledgements.`