Add fixes for CAN-2005-2969

Bump release ready for OpenSSL_0_9_8a tag
Synchronise with Unixly make.
2005-10-11 10:16:21 +00:00 · 2005-10-11 10:15:56 +00:00 · 2005-10-10 00:37:36 +00:00 · 2005-10-05 17:53:40 +00:00 · 2005-10-04 06:35:14 +00:00 · 2005-10-02 12:26:06 +00:00
480 changed files with 10338 additions and 7504 deletions
--- a/124
+++ b/124
@@ -2,7 +2,73 @@
 OpenSSL CHANGES
 _______________

- Changes between 0.9.7g and 0.9.8  [xx XXX xxxx]
+ Changes between 0.9.8 and 0.9.8a  [11 Oct 2005]
+
+  *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
+     (part of SSL_OP_ALL).  This option used to disable the
+     countermeasure against man-in-the-middle protocol-version
+     rollback in the SSL 2.0 server implementation, which is a bad
+     idea.  (CAN-2005-2969)
+
+     [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
+     for Information Security, National Institute of Advanced Industrial
+     Science and Technology [AIST], Japan)]
+
+  *) Add two function to clear and return the verify parameter flags.
+     [Steve Henson]
+
+  *) Keep cipherlists sorted in the source instead of sorting them at
+     runtime, thus removing the need for a lock.
+     [Nils Larsch]
+
+  *) Avoid some small subgroup attacks in Diffie-Hellman.
+     [Nick Mathewson and Ben Laurie]
+
+  *) Add functions for well-known primes.
+     [Nick Mathewson]
+
+  *) Extended Windows CE support.
+     [Satoshi Nakamura and Andy Polyakov]
+
+  *) Initialize SSL_METHOD structures at compile time instead of during
+     runtime, thus removing the need for a lock.
+     [Steve Henson]
+
+  *) Make PKCS7_decrypt() work even if no certificate is supplied by
+     attempting to decrypt each encrypted key in turn. Add support to
+     smime utility.
+     [Steve Henson]
+
+ Changes between 0.9.7h and 0.9.8  [05 Jul 2005]
+
+  *) Add libcrypto.pc and libssl.pc for those who feel they need them.
+     [Richard Levitte]
+
+  *) Change CA.sh and CA.pl so they don't bundle the CSR and the private
+     key into the same file any more.
+     [Richard Levitte]
+
+  *) Add initial support for Win64, both IA64 and AMD64/x64 flavors.
+     [Andy Polyakov]
+
+  *) Add -utf8 command line and config file option to 'ca'.
+     [Stefan <stf@udoma.org]
+
+  *) Removed the macro des_crypt(), as it seems to conflict with some
+     libraries.  Use DES_crypt().
+     [Richard Levitte]
+
+  *) Correct naming of the 'chil' and '4758cca' ENGINEs. This
+     involves renaming the source and generated shared-libs for
+     both. The engines will accept the corrected or legacy ids
+     ('ncipher' and '4758_cca' respectively) when binding. NB,
+     this only applies when building 'shared'.
+     [Corinna Vinschen <vinschen@redhat.com> and Geoff Thorpe]
+
+  *) Add attribute functions to EVP_PKEY structure. Modify
+     PKCS12_create() to recognize a CSP name attribute and
+     use it. Make -CSP option work again in pkcs12 utility.
+     [Steve Henson]

  *) Add new functionality to the bn blinding code:
     - automatic re-creation of the BN_BLINDING parameters after
@@ -774,14 +840,14 @@
  *) Include some named elliptic curves, and add OIDs from X9.62,
     SECG, and WAP/WTLS.  Each curve can be obtained from the new
     function
-          EC_GROUP_new_by_nid(),
+          EC_GROUP_new_by_curve_name(),
     and the list of available named curves can be obtained with
          EC_get_builtin_curves().
     Also add a 'curve_name' member to EC_GROUP objects, which can be
     accessed via
-         EC_GROUP_set_nid()
-         EC_GROUP_get_nid()
-     [Nils Larsch <nla@trustcenter.de, Bodo Moeller]
+         EC_GROUP_set_curve_name()
+         EC_GROUP_get_curve_name()
+     [Nils Larsch <larsch@trustcenter.de, Bodo Moeller]
 
  *) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
     was actually never needed) and in BN_mul().  The removal in BN_mul()
@@ -792,7 +858,50 @@
     differing sizes.
     [Richard Levitte]

- Changes between 0.9.7g and 0.9.7h  [XX xxx XXXX]
+ Changes between 0.9.7g and 0.9.7h  [11 Oct 2005]
+
+  *) Remove the functionality of SSL_OP_MSIE_SSLV2_RSA_PADDING
+     (part of SSL_OP_ALL).  This option used to disable the
+     countermeasure against man-in-the-middle protocol-version
+     rollback in the SSL 2.0 server implementation, which is a bad
+     idea.
+
+     [Bodo Moeller; problem pointed out by Yutaka Oiwa (Research Center
+     for Information Security, National Institute of Advanced Industrial
+     Science and Technology [AIST], Japan)]
+
+  *) Minimal support for X9.31 signatures and PSS padding modes. This is
+     mainly for FIPS compliance and not fully integrated at this stage.
+     [Steve Henson]
+
+  *) For DSA signing, unless DSA_FLAG_NO_EXP_CONSTTIME is set, perform
+     the exponentiation using a fixed-length exponent.  (Otherwise,
+     the information leaked through timing could expose the secret key
+     after many signatures; cf. Bleichenbacher's attack on DSA with
+     biased k.)
+     [Bodo Moeller]
+
+  *) Make a new fixed-window mod_exp implementation the default for
+     RSA, DSA, and DH private-key operations so that the sequence of
+     squares and multiplies and the memory access pattern are
+     independent of the particular secret key.  This will mitigate
+     cache-timing and potential related attacks.
+
+     BN_mod_exp_mont_consttime() is the new exponentiation implementation,
+     and this is automatically used by BN_mod_exp_mont() if the new flag
+     BN_FLG_EXP_CONSTTIME is set for the exponent.  RSA, DSA, and DH
+     will use this BN flag for private exponents unless the flag
+     RSA_FLAG_NO_EXP_CONSTTIME, DSA_FLAG_NO_EXP_CONSTTIME, or
+     DH_FLAG_NO_EXP_CONSTTIME, respectively, is set.
+
+     [Matthew D Wood (Intel Corp), with some changes by Bodo Moeller]
+
+  *) Change the client implementation for SSLv23_method() and
+     SSLv23_client_method() so that is uses the SSL 3.0/TLS 1.0
+     Client Hello message format if the SSL_OP_NO_SSLv2 option is set.
+     (Previously, the SSL 2.0 backwards compatible Client Hello
+     message format would be used even with SSL_OP_NO_SSLv2.)
+     [Bodo Moeller]

  *) Add support for smime-type MIME parameter in S/MIME messages which some
     clients need.
@@ -810,6 +919,9 @@

 Changes between 0.9.7f and 0.9.7g  [11 Apr 2005]

+  [NB: OpenSSL 0.9.7h and later 0.9.7 patch levels were released after
+  OpenSSL 0.9.8.]
+
  *) Fixes for newer kerberos headers. NB: the casts are needed because
     the 'length' field is signed on one version and unsigned on another
     with no (?) obvious way to tell the difference, without these VC++
--- a/ChangeLog.0_9_7-stable_not-in-head
+++ b/ChangeLog.0_9_7-stable_not-in-head
@@ -133,14 +133,6 @@ be added to the end of this file.

 	Whoops, forgot FIPS DES, also add EVPs for DES CFB1 and 8.

-2003-07-31 23:30  levitte
-
-	Changed:
-		Makefile.org (1.154.2.71), "Exp", lines: +2 -0
-
-	If FDIRS is to be treated like SDIRS, let's not forget to
-	initialize it in Makefile.org.
-
 2003-08-01 12:25  ben

 	Changed:
@@ -158,48 +150,6 @@ be added to the end of this file.

 	DES CFB8 test.

-2004-05-12 16:11  ben
-
-	Changed:
-		crypto/rand/rand.h (1.26.2.8), "Exp", lines: +2 -0
-		crypto/rand/rand_err.c (1.6.2.4), "Exp", lines: +2 -0
-		fips/fingerprint.sha1 (1.1.2.5), "Exp", lines: +1 -1
-		fips/fips.c (1.1.2.4), "Exp", lines: +5 -1
-		fips/rand/fingerprint.sha1 (1.1.2.5), "Exp", lines: +1 -1
-		fips/rand/fips_rand.c (1.1.2.5), "Exp", lines: +29 -0
-
-	Blow up in people's faces if they don't reseed.
-
-2004-06-21 20:05  levitte
-
-	Changed:
-		Makefile.org (1.154.2.82), "Exp", lines: +3 -1
-
-	Standard sh doesn't tolerate ! as part of the conditional command.
-
-		PR: 900
-
-2004-08-02 16:15  levitte [FIPS]
-
-	Changed:
-		crypto/cryptlib.c (1.32.2.13), "Exp", lines: +4 -4
-
-	Let's lock a write lock when changing values, shall we?
-
-		Thanks to Dr Stephen Henson <shenson@drh-consultancy.co.uk>
-	for making me aware of this error.
-
-2005-03-15 10:46  appro [FIPS]
-
-	Changed:
-		Makefile.org (1.154.2.96), "Exp", lines: +1 -1
-		crypto/Makefile (1.1.4.6), "Exp", lines: +2 -3
-		fips/Makefile (1.1.4.8), "Exp", lines: +4 -1
-
-	Real Bourne shell doesn't accept ! as in "if ! grep ..." Fix this
-	in crypto/Makefile and make Makefile.org and fips/Makefile more
-	discreet.
-
 2005-04-19 16:21  appro

 	Changed:
--- a/ChangeLog.0_9_7-stable_not-in-head_FIPS
+++ b/ChangeLog.0_9_7-stable_not-in-head_FIPS
@@ -141,6 +141,14 @@ This is the "FIPS"-related part.

 	Missing files.

+2003-07-31 23:30  levitte
+
+	Changed:
+		Makefile.org (1.154.2.71), "Exp", lines: +2 -0
+
+	If FDIRS is to be treated like SDIRS, let's not forget to
+	initialize it in Makefile.org.
+
 2003-07-31 23:41  levitte

 	Changed:
@@ -580,6 +588,18 @@ This is the "FIPS"-related part.

 	Ignore 'Makefile.save'

+2004-05-12 16:11  ben
+
+	Changed:
+		crypto/rand/rand.h (1.26.2.8), "Exp", lines: +2 -0
+		crypto/rand/rand_err.c (1.6.2.4), "Exp", lines: +2 -0
+		fips/fingerprint.sha1 (1.1.2.5), "Exp", lines: +1 -1
+		fips/fips.c (1.1.2.4), "Exp", lines: +5 -1
+		fips/rand/fingerprint.sha1 (1.1.2.5), "Exp", lines: +1 -1
+		fips/rand/fips_rand.c (1.1.2.5), "Exp", lines: +29 -0
+
+	Blow up in people's faces if they don't reseed.
+
 2004-05-15 19:51  ben

 	Changed:
@@ -746,6 +766,15 @@ This is the "FIPS"-related part.

 		PR: 900

+2004-06-21 20:05  levitte
+
+	Changed:
+		Makefile.org (1.154.2.82), "Exp", lines: +3 -1
+
+	Standard sh doesn't tolerate ! as part of the conditional command.
+
+		PR: 900
+
 2004-06-28 22:33  levitte

 	Changed:
@@ -911,6 +940,16 @@ This is the "FIPS"-related part.
 	rebuilt to use FIPS functionality will need to be recompiled in any
 	case, thus not being a problem either.

+2004-08-02 16:15  levitte
+
+	Changed:
+		crypto/cryptlib.c (1.32.2.13), "Exp", lines: +4 -4
+
+	Let's lock a write lock when changing values, shall we?
+
+		Thanks to Dr Stephen Henson <shenson@drh-consultancy.co.uk>
+	for making me aware of this error.
+
 2004-08-05 20:11  steve

 	Changed:
@@ -1240,6 +1279,17 @@ This is the "FIPS"-related part.

 	In FIPS mode use SHA1 as default digest in x509 and req utilities.

+2005-03-15 10:46  appro
+
+	Changed:
+		Makefile.org (1.154.2.96), "Exp", lines: +1 -1
+		crypto/Makefile (1.1.4.6), "Exp", lines: +2 -3
+		fips/Makefile (1.1.4.8), "Exp", lines: +4 -1
+
+	Real Bourne shell doesn't accept ! as in "if ! grep ..." Fix this
+	in crypto/Makefile and make Makefile.org and fips/Makefile more
+	discreet.
+
 2005-03-22 18:29  steve

 	Changed:
--- a/104
+++ b/104
@@ -119,7 +119,7 @@ my $x86_coff_asm="x86cpuid-cof.o:bn86-cof.o co86-cof.o:dx86-cof.o yx86-cof.o:ax8
 my $x86_out_asm="x86cpuid-out.o:bn86-out.o co86-out.o:dx86-out.o yx86-out.o:ax86-out.o:bx86-out.o:mx86-out.o:sx86-out.o s512sse2-out.o:cx86-out.o:rx86-out.o:rm86-out.o:r586-out.o";

 my $x86_64_asm="x86_64cpuid.o:x86_64-gcc.o::::md5-x86_64.o:::rc4-x86_64.o::";
-my $ia64_asm=":ia64.o::aes_core.o aes_cbc.o aes-ia64.o:::sha1-ia64.o sha256-ia64.o sha512-ia64.o::rc4-ia64.o::";
+my $ia64_asm=":bn-ia64.o::aes_core.o aes_cbc.o aes-ia64.o:::sha1-ia64.o sha256-ia64.o sha512-ia64.o::rc4-ia64.o::";

 my $no_asm="::::::::::";

@@ -162,10 +162,10 @@ my %table=(
 "debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-levitte-linux-noasm-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "debug-geoff","gcc:-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DPURIFY -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-linux-pentium","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentium -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
-"debug-linux-ppro","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentiumpro -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
-"debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-linux-pentium","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentium -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
+"debug-linux-ppro","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentiumpro -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
+"debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -march=i486 -Wall::-D_REENTRANT::-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -march=i486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "dist",		"cc:-O::(unknown)::::::",

 # Basic configs that should work on any (32 and less bit) box
@@ -173,10 +173,8 @@ my %table=(
 "cc",		"cc:-O::(unknown)::::::",

 ####VOS Configurations
-"vos-gcc","gcc:-b hppa1.1-stratus-vos -O3 -Wall -Wuninitialized -D_POSIX_C_SOURCE=200112L -D_BSD::(unknown):VOS:-Wl,-map:BN_LLONG:${no_asm}:::::.so:",
-"debug-vos-gcc","gcc:-b hppa1.1-stratus-vos -O0 -g -Wall -D_POSIX_C_SOURCE=200112L -D_BSD -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG::(unknown):VOS:-Wl,-map:BN_LLONG:${no_asm}:::::.so:",
-"vos-vcc","vcc:-b i386-stratus-vos -O3 -D_POSIX_C_SOURCE=200112L -D_BSD::(unknown):VOS:-Wl,-map::${no_asm}:::::.so:",
-"debug-vos-vcc","vcc:-b i386-stratus-vos -O0 -g -D_POSIX_C_SOURCE=200112L -D_BSD -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG::(unknown):VOS:-Wl,-map::${no_asm}:::::.so:",
+"vos-gcc","gcc:-O3 -Wall -D_POSIX_C_SOURCE=200112L -D_BSD -DB_ENDIAN::(unknown):VOS:-Wl,-map:BN_LLONG:${no_asm}:::::.so:",
+"debug-vos-gcc","gcc:-O0 -g -Wall -D_POSIX_C_SOURCE=200112L -D_BSD -DB_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG::(unknown):VOS:-Wl,-map:BN_LLONG:${no_asm}:::::.so:",

 #### Solaris x86 with GNU C setups
 # -DOPENSSL_NO_INLINE_ASM switches off inline assembler. We have to do it
@@ -184,7 +182,7 @@ my %table=(
 # surrounds it with #APP #NO_APP comment pair which (at least Solaris
 # 7_x86) /usr/ccs/bin/as fails to assemble with "Illegal mnemonic"
 # error message.
-"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DOPENSSL_NO_INLINE_ASM::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -march=pentium -Wall -DL_ENDIAN -DOPENSSL_NO_INLINE_ASM::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # -shared -static-libgcc might appear controversial, but modules taken
 # from static libgcc do not have relocations and linking them into our
 # shared objects doesn't have any negative side-effects. On the contrary,
@@ -206,8 +204,8 @@ my %table=(
 "solaris-sparcv9-gcc","gcc:-m32 -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "solaris64-sparcv9-gcc","gcc:-m64 -mcpu=ultrasparc -O3 -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:::des_enc-sparc.o fcrypt_b.o:::md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64 -shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 ####
-"debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o::::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -O -g -mcpu=ultrasparc -pedantic -ansi -Wall -Wshadow -Wno-long-long -D__EXTENSIONS__ -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8.o::::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -O -g -mcpu=ultrasparc -pedantic -ansi -Wall -Wshadow -Wno-long-long -D__EXTENSIONS__ -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

 #### SPARC Solaris with Sun C setups
 # SC4.0 doesn't pass 'make test', upgrade to SC5.0 or SC4.2.
@@ -218,8 +216,8 @@ my %table=(
 "solaris-sparcv9-cc","cc:-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR::sparcv8plus.o:des_enc-sparc.o fcrypt_b.o:::md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR:::des_enc-sparc.o fcrypt_b.o:::md5-sparcv9.o::::::dlfcn:solaris-shared:-KPIC:-xarch=v9 -G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):/usr/ccs/bin/ar rs",
 ####
-"debug-solaris-sparcv8-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::sparcv8.o::::::::::dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-solaris-sparcv9-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR::sparcv8plus.o::::md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", 
+"debug-solaris-sparcv8-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::sparcv8.o::::::::::dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-solaris-sparcv9-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR::sparcv8plus.o::::md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC:-G -dy -z text:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", 

 #### SunOS configs, assuming sparc for the gcc one.
 #"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown):SUNOS::DES_UNROLL:${no_asm}::",
@@ -232,11 +230,11 @@ my %table=(
 #### IRIX 6.x configs
 # Only N32 and N64 ABIs are supported. If you need O32 ABI build, invoke
 # './Configure irix-cc -o32' manually.
-"irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT::mips3.o::::::::::dlfcn:irix-shared::-mabi=n32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"irix-mips3-cc", "cc:-n32 -mips3 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT::mips3.o::::::::::dlfcn:irix-shared::-n32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"irix-mips3-gcc","gcc:-mabi=n32 -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT::bn-mips3.o::::::::::dlfcn:irix-shared::-mabi=n32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"irix-mips3-cc", "cc:-n32 -mips3 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT::bn-mips3.o::::::::::dlfcn:irix-shared::-n32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # N64 ABI builds.
-"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG::mips3.o::::::::::dlfcn:irix-shared::-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG::mips3.o::::::::::dlfcn:irix-shared::-64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG::bn-mips3.o::::::::::dlfcn:irix-shared::-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG::bn-mips3.o::::::::::dlfcn:irix-shared::-64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

 #### Unified HP-UX ANSI C configs.
 # Special notes:
@@ -287,7 +285,7 @@ my %table=(
 # with debugging of the following config.
 "hpux64-ia64-cc","cc:-Ae +DD64 +O3 +Olit=all -z -DB_ENDIAN -D_REENTRANT::::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT:${ia64_asm}:dlfcn:hpux-shared:+Z:+DD64 -b:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # GCC builds...
-"hpux-ia64-gcc","gcc:-O3 -DB_ENDIAN -D_REENTRANT::::-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT::ia64.o::aes-ia64.o:::sha256-ia64.o sha512-ia64.o::rc4-ia64.o:::dlfcn:hpux-shared:-fpic:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-ia64-gcc","gcc:-O3 -DB_ENDIAN -D_REENTRANT::::-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT::bn-ia64.o::aes-ia64.o:::sha256-ia64.o sha512-ia64.o::rc4-ia64.o:::dlfcn:hpux-shared:-fpic:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "hpux64-ia64-gcc","gcc:-mlp64 -O3 -DB_ENDIAN -D_REENTRANT::::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT:${ia64_asm}:dlfcn:hpux-shared:-fpic:-mlp64 -shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)", 

 # Legacy HPUX 9.X configs...
@@ -304,19 +302,11 @@ my %table=(
 #
 # - William Shakespeare, "Romeo & Juliet", Act II, scene II.
 #
-# There's also an alternate target available (which `config' will never
-# select) called alpha-cc-rpath.  This target builds an RPATH into the
-# shared libraries, which is very convenient on Tru64 since binaries
-# linked against that shared library will automatically inherit that RPATH,
-# and hence know where to look for the openssl libraries, even if they're in
-# an odd place.
-#
 # For gcc, the following gave a %50 speedup on a 164 over the 'DES_INT' version
 #
 "osf1-alpha-gcc", "gcc:-O3::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:${no_asm}:dlfcn:alpha-osf1-shared:::.so",
-"ofs1-alpha-cc",  "cc:-std1 -tune host -O4 -readonly_strings::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${no_asm}:dlfcn:alpha-osf1-shared:::.so",
-"tru64-alpha-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${no_asm}:dlfcn:tru64-shared:::.so",
-"alpha-cc-rpath", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${no_asm}:dlfcn:tru64-shared-rpath:::.so",
+"osf1-alpha-cc",  "cc:-std1 -tune host -O4 -readonly_strings::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${no_asm}:dlfcn:alpha-osf1-shared:::.so",
+"tru64-alpha-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${no_asm}:dlfcn:alpha-osf1-shared::-msym:.so",

 ####
 #### Variety of LINUX:-)
@@ -328,13 +318,14 @@ my %table=(
 #### IA-32 targets...
 "linux-ia32-icc",	"icc:-DL_ENDIAN -DTERMIO -O2 -no_cpprt::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-elf",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
+"linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
 ####
 "linux-generic64","gcc:-DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR:${no_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # -bpowerpc64-linux is transient option, -m64 should be the one to use...
 "linux-ppc64",	"gcc:-bpowerpc64-linux -DB_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::linux_ppc64.o::::::::::dlfcn:linux-shared:-fPIC:-bpowerpc64-linux:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-ia64",	"gcc:-DL_ENDIAN -DTERMIO -O3 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-ia64-ecc","ecc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-ia64-icc","icc:-DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-x86_64",	"gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK BF_PTR2 DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 #### SPARC Linux setups
 # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
@@ -378,7 +369,7 @@ my %table=(
 "BSD-ia64",	"gcc:-DL_ENDIAN -DTERMIOS -O3 -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${ia64_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "BSD-x86_64",	"gcc:-DL_ENDIAN -DTERMIOS -O3 -DMD32_REG_T=int -Wall::${BSDthreads}:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL:${x86_64_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

-"bsdi-elf-gcc",     "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"bsdi-elf-gcc",     "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall::(unknown)::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

 "nextstep",	"cc:-O -Wall:<libc.h>:(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::",
 "nextstep3.3",	"cc:-O3 -Wall:<libc.h>:(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::",
@@ -405,10 +396,7 @@ my %table=(
 "unixware-2.0","cc:-DFILIO_H -DNO_STRINGS_H::-Kthread::-lsocket -lnsl -lresolv -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
 "unixware-2.1","cc:-O -DFILIO_H::-Kthread::-lsocket -lnsl -lresolv -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
 "unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}:${x86_elf_asm}:dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"unixware-7-gcc","gcc:-DL_ENDIAN -DFILIO_H -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:gnu-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"OpenUNIX-8","cc:-O -DFILIO_H -Kalloca::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}:${x86_elf_asm}:dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"OpenUNIX-8-gcc","gcc:-O -DFILIO_H -fomit-frame-pointer::-pthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}:${x86_elf_asm}:dlfcn:svr5-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"sco3-gcc",  "gcc:-O3 -fomit-frame-pointer -Dssize_t=int -DNO_SYS_UN_H::(unknown)::-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ...
+"unixware-7-gcc","gcc:-DL_ENDIAN -DFILIO_H -O3 -fomit-frame-pointer -march=pentium -Wall::-D_REENTRANT::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:gnu-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # SCO 5 - Ben Laurie <ben@algroup.co.uk> says the -O breaks the SCO cc.
 "sco5-cc",  "cc:-belf::(unknown)::-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "sco5-gcc",  "gcc:-O3 -fomit-frame-pointer::(unknown)::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr3-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -468,24 +456,19 @@ my %table=(
 "OS390-Unix","c89.sh:-O -DB_ENDIAN -DCHARSET_EBCDIC -DNO_SYS_PARAM_H  -D_ALL_SOURCE::(unknown):::THIRTY_TWO_BIT DES_PTR DES_UNROLL MD2_CHAR RC4_INDEX RC4_CHAR BF_PTR:::",

 # Win64 targets, WIN64I denotes IA-64 and WIN64A - AMD64
-"VC-WIN64I","cl::::WIN64I::SIXTY_FOUR_BIT EXPORT_VAR_AS_FN:${no_asm}:win32",
-"VC-WIN64A","cl::::WIN64A::SIXTY_FOUR_BIT EXPORT_VAR_AS_FN:${no_asm}:win32",
+"VC-WIN64I","cl::::WIN64I::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:${no_asm}:win32",
+"VC-WIN64A","cl::::WIN64A::SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN:${no_asm}:win32",

 # Visual C targets
 "VC-NT","cl::::WINNT::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${no_asm}:win32",
 "VC-CE","cl::::WINCE::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${no_asm}:win32",
 "VC-WIN32","cl::::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}:${no_asm}:win32",
-"VC-WIN16","cl:::(unknown):WIN16::MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT:::",
-"VC-W31-16","cl:::(unknown):WIN16::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT:::",
-"VC-W31-32","cl::::WIN16::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT:::",
-"VC-MSDOS","cl:::(unknown):MSDOS::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT:::",

 # Borland C++ 4.5
 "BC-32","bcc32::::WIN32::BN_LLONG DES_PTR RC4_INDEX EXPORT_VAR_AS_FN:${no_asm}:win32",
-"BC-16","bcc:::(unknown):WIN16::BN_LLONG DES_PTR RC4_INDEX SIXTEEN_BIT:::",

 # MinGW
-"mingw", "gcc:-mno-cygwin -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall -D_WIN32_WINNT=0x333:::MINGW32:-lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts} EXPORT_VAR_AS_FN:${x86_coff_asm}:win32:cygwin-shared:-D_WINDLL:-mno-cygwin -shared:.dll.a",
+"mingw", "gcc:-mno-cygwin -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall -D_WIN32_WINNT=0x333:::MINGW32:-lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts} EXPORT_VAR_AS_FN:${x86_coff_asm}:win32:cygwin-shared:-D_WINDLL -DOPENSSL_USE_APPLINK:-mno-cygwin -shared:.dll.a",

 # UWIN 
 "UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:win32",
@@ -493,29 +476,32 @@ my %table=(
 # Cygwin
 "Cygwin-pre1.3", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${no_asm}:win32",
 "Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_coff_asm}:dlfcn:cygwin-shared:-D_WINDLL:-shared:.dll.a",
-"debug-Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror:::CYGWIN32:::${no_asm}:dlfcn:cygwin-shared:-D_WINDLL:-shared:.dll.a",
+"debug-Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror:::CYGWIN32:::${no_asm}:dlfcn:cygwin-shared:-D_WINDLL:-shared:.dll.a",

 # NetWare from David Ward (dsward@novell.com) - requires MetroWerks NLM development tools
 # netware-clib => legacy CLib c-runtime support
-"netware-clib", "mwccnlm:::::${x86_gcc_opts}:::",
+"netware-clib", "mwccnlm::::::BN_LLONG ${x86_gcc_opts}::",
 # netware-libc => LibC/NKS support
-"netware-libc", "mwccnlm:::::BN_LLONG ${x86_gcc_opts}:::",
-"netware-libc-gcc", "i586-netware-gcc:-nostdinc -I/ndk/libc/include -I/ndk/libc/include/winsock -DL_ENDIAN -DNETWARE_LIBC -DOPENSSL_SYSNAME_NETWARE -DTERMIO -O2 -Wall::::${x86_gcc_opts}:::",
+# NetWare defaults socket bio to WinSock sockets. However, the LibC build can be
+# configured to use BSD sockets instead.
+"netware-libc", "mwccnlm::::::BN_LLONG ${x86_gcc_opts}::",
+"netware-libc-bsdsock", "mwccnlm::::::BN_LLONG ${x86_gcc_opts}::",
+"netware-libc-gcc", "i586-netware-gcc:-nostdinc -I/ndk/libc/include -I/ndk/libc/include/winsock -DL_ENDIAN -DNETWARE_LIBC -DOPENSSL_SYSNAME_NETWARE -DTERMIO -O2 -Wall:::::BN_LLONG ${x86_gcc_opts}::",

 # DJGPP
-"DJGPP", "gcc:-I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall -DDEVRANDOM=\"/dev/urandom\\x24\":::MSDOS:-L/dev/env/WATT_ROOT/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:",
+"DJGPP", "gcc:-I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall:::MSDOS:-L/dev/env/WATT_ROOT/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:",

 # Ultrix from Bernhard Simon <simon@zid.tuwien.ac.at>
 "ultrix-cc","cc:-std1 -O -Olimit 2500 -DL_ENDIAN::(unknown):::::::",
-"ultrix-gcc","gcc:-O3 -DL_ENDIAN::(unknown):::::::",
+"ultrix-gcc","gcc:-O3 -DL_ENDIAN::(unknown):::BN_LLONG::::",
 # K&R C is no longer supported; you need gcc on old Ultrix installations
 ##"ultrix","cc:-O2 -DNOPROTO -DNOCONST -DL_ENDIAN::(unknown):::::::",

 ##### MacOS X (a.k.a. Rhapsody or Darwin) setup
 "rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown):MACOSX_RHAPSODY::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}::",
-"darwin-ppc-cc","cc:-O3 -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::osx_ppc32.o:::::::::::darwin-shared:-fPIC -fno-common::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-"darwin-i386-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
-"debug-darwin-ppc-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DB_ENDIAN -g -Wall -O::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::osx_ppc32.o:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin-ppc-cc","cc:-O3 -DB_ENDIAN::-D_REENTRANT:MACOSX:-Wl,-search_paths_first:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::osx_ppc32.o:::::::::::darwin-shared:-fPIC -fno-common:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin-i386-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:${no_asm}::darwin-shared:-fPIC:-dunamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"debug-darwin-ppc-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DB_ENDIAN -g -Wall -O::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::osx_ppc32.o:::::::::::darwin-shared:-fPIC:-dynamiclib:.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",

 ##### A/UX
 "aux3-gcc","gcc:-O2 -DTERMIO::(unknown):AUX:-lbsd:RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
@@ -524,7 +510,7 @@ my %table=(
 "newsos4-gcc","gcc:-O -DB_ENDIAN::(unknown):NEWS4:-lmld -liberty:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::",

 ##### GNU Hurd
-"hurd-x86",  "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC",
+"hurd-x86",  "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -march=i486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC",

 ##### OS/2 EMX
 "OS2-EMX", "gcc::::::::",
@@ -532,7 +518,7 @@ my %table=(
 ##### VxWorks for various targets
 "vxworks-ppc405","ccppc:-g -msoft-float -mlongcall -DCPU=PPC405 -I\$(WIND_BASE)/target/h:::VXWORKS:-r:::::",
 "vxworks-ppc750","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h \$(DEBUG_FLAG):::VXWORKS:-r:::::",
-"vxworks-ppc750-debug","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DDEBUG -g:::VXWORKS:-r:::::",
+"vxworks-ppc750-debug","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DDEBUG -g:::VXWORKS:-r:::::",
 "vxworks-ppc860","ccppc:-nostdinc -msoft-float -DCPU=PPC860 -DNO_STRINGS_H -I\$(WIND_BASE)/target/h:::VXWORKS:-r:::::",
 "vxworks-mipsle","ccmips:-B\$(WIND_BASE)/host/\$(WIND_HOST_TYPE)/lib/gcc-lib/ -DL_ENDIAN -EL -Wl,-EL -mips2 -mno-branch-likely -G 0 -fno-builtin -msoft-float -DCPU=MIPS32 -DMIPSEL -DNO_STRINGS_H -I\$(WIND_BASE)/target/h:::VXWORKS:-r::${no_asm}::::::ranlibmips:",

@@ -543,8 +529,7 @@ my %table=(

 my @MK1MF_Builds=qw(VC-WIN64I VC-WIN64A
 		    VC-NT VC-CE VC-WIN32
-		    VC-WIN16 VC-W31-16 VC-W31-32 VC-MSDOS
-		    BC-32 BC-16 OS2-EMX netware-clib netware-libc);
+		    BC-32 OS2-EMX netware-clib netware-libc netware-libc-bsdsock);

 my $idx = 0;
 my $idx_cc = $idx++;
@@ -775,7 +760,7 @@ PROCESS_ARGS:
 			}
 		else
 			{
-			die "target already defined - $target\n" if ($target ne "");
+			die "target already defined - $target (offending arg: $_)\n" if ($target ne "");
 			$target=$_;
 			}

@@ -896,8 +881,8 @@ foreach (sort (keys %disabled))
 			$openssl_other_defines .= "#define OPENSSL_NO_$ALGO\n";
 			print " OPENSSL_NO_$ALGO";
 		
-			if (/^err$/)
-				{ $flags .= "-DOPENSSL_NO_ERR "; }
+			if (/^err$/)	{ $flags .= "-DOPENSSL_NO_ERR "; }
+			elsif (/^asm$/)	{ $no_asm = 1; }
 			}
 		else
 			{
@@ -1147,6 +1132,7 @@ else
 	$openssl_other_defines.="#define OPENSSL_NO_STATIC_ENGINE\n";
 	}

+$cpuid_obj.=" uplink.o uplink-cof.o" if ($cflags =~ /\-DOPENSSL_USE_APPLINK/);
 # Compiler fix-ups
 if ($target =~ /icc$/)
 	{
--- a/36
+++ b/36
@@ -46,6 +46,8 @@ OpenSSL  -  Frequently Asked Questions
 * Why does the OpenSSL test suite fail on MacOS X?
 * Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?
 * Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?
+* Why does the OpenSSL test suite fail in sha512t on x86 CPU?
+* Why does compiler fail to compile sha512.c?

 [PROG] Questions about programming with OpenSSL

@@ -70,7 +72,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?

 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.7g was released on April 11, 2005.
+OpenSSL 0.9.8a was released on October 11th, 2005.

 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
@@ -141,8 +143,8 @@ less Unix-centric, it might have been used much earlier.

 With version 0.9.6 OpenSSL was extended to interface to external crypto
 hardware. This was realized in a special release '0.9.6-engine'. With
-version 0.9.7 (not yet released) the changes were merged into the main
-development line, so that the special release is no longer necessary.
+version 0.9.7 the changes were merged into the main development line,
+so that the special release is no longer necessary.

 * How do I check the authenticity of the OpenSSL distribution?

@@ -598,6 +600,23 @@ Reportedly elder *BSD a.out platforms also suffer from this problem and
 remedy should be same. Provided binary is statically linked and should be
 working across wider range of *BSD branches, not just OpenBSD.

+* Why does the OpenSSL test suite fail in sha512t on x86 CPU?
+
+If the test program in question fails withs SIGILL, Illegal Instruction
+exception, then you more than likely to run SSE2-capable CPU, such as
+Intel P4, under control of kernel which does not support SSE2
+instruction extentions. See accompanying INSTALL file and
+OPENSSL_ia32cap(3) documentation page for further information.
+
+* Why does compiler fail to compile sha512.c?
+
+OpenSSL SHA-512 implementation depends on compiler support for 64-bit
+integer type. Few elder compilers [ULTRIX cc, SCO compiler to mention a
+couple] lack support for this and therefore are incapable of compiling
+the module in question. The recommendation is to disable SHA-512 by
+adding no-sha512 to ./config [or ./Configure] command line. Another
+possible alternative might be to switch to GCC.
+
 [PROG] ========================================================================

 * Is OpenSSL thread-safe?
@@ -652,6 +671,17 @@ by:
 Note that debug and release libraries are NOT interchangeable.  If you
 built OpenSSL with /MD your application must use /MD and cannot use /MDd.

+As per 0.9.8 the above limitation is eliminated for .DLLs. OpenSSL
+.DLLs compiled with some specific run-time option [we recommend the
+default /MD] can be deployed with application compiled with different
+option or even different compiler. But there is a catch! Instead of
+re-compiling OpenSSL toolkit, as you would have to with prior versions,
+you have to compile small C snippet with compiler and/or options of
+your choice. The snippet gets installed as
+<install-root>/include/openssl/applink.c and should be either added to
+your project or simply #include-d in one [and only one] of your source
+files. Failure to do either manifests itself as fatal "no
+OPENSSL_Applink" error.

 * How do I read or write a DER encoded buffer using the ASN1 functions?

--- a/INSTALL.NW
+++ b/INSTALL.NW
@@ -32,6 +32,10 @@ The necessary LibC functionality ships with NetWare 6.  However, earlier
 NetWare 5.x versions will require updates in order to run the OpenSSL LibC
 build.

+As of June 2005, the LibC build can be configured to use BSD sockets instead
+of WinSock sockets. Call Configure (usually through netware\build.bat) using
+a target of "netware-libc-bsdsock" instead of "netware-libc".
+

 REQUIRED TOOLS:
 ---------------
@@ -95,7 +99,12 @@ following tools may be required:
         Microsoft SDK.  Note: The winsock2.h support headers may change
         with various versions of winsock2.h.  Check the dependencies
         section on the NDK WinSock2 download page for the latest
-         information on dependencies.
+         information on dependencies. These components are unsupported by
+         Novell. They are provided as a courtesy, but it is strongly
+         suggested that all development be done using LIBC, not CLIB.
+
+         As of June 2005, the WinSock2 components are available at:
+         http://forgeftp.novell.com//ws2comp/


      NLM and NetWare libraries for C (including CLIB and XPlat):
@@ -121,7 +130,8 @@ following tools may be required:
         
         NOTE: The LibC SDK includes the necessary WinSock2 support.  It
         It is not necessary to download the WinSock2 Developer when building
-         for LibC.
+         for LibC. The LibC SDK also includes the appropriate BSD socket support
+         if configuring to use BSD sockets.


 BUILDING:
@@ -172,8 +182,9 @@ the assembly code.  Always run build.bat from the "openssl" directory.

   netware\build [target] [debug opts] [assembly opts] [configure opts]

-      target        - "netware-clib" - CLib NetWare build
-                    - "netware-libc" - LibC NetWare build
+      target        - "netware-clib" - CLib NetWare build (WinSock Sockets)
+                    - "netware-libc" - LibC NetWare build (WinSock Sockets)
+                    - "netware-libc-bsdsock" - LibC NetWare build (BSD Sockets)
 
      debug opts    - "debug"  - build debug

@@ -192,25 +203,29 @@ the assembly code.  Always run build.bat from the "openssl" directory.
      LibC build, non-debug, using NASM assembly:
         netware\build.bat netware-libc nw-nasm

+      LibC build, BSD sockets, non-debug, without assembly:
+         netware\build.bat netware-libc-bsdsock no-asm
+
 Running build.bat generates a make file to be processed by your make 
 tool (gmake or nmake):

-   CLIB ex: gmake -f netware\nlm_clib.mak 
+   CLIB ex: gmake -f netware\nlm_clib_dbg.mak 
   LibC ex: gmake -f netware\nlm_libc.mak 
+   LibC ex: gmake -f netware\nlm_libc_bsdsock.mak 


 You can also run the build scripts manually if you do not want to use the
 build.bat file.  Run the following scripts in the "\openssl"
 subdirectory (in the order listed below):

-   perl configure no-asm [other config opts] [netware-clib|netware-libc]
+   perl configure no-asm [other config opts] [netware-clib|netware-libc|netware-libc-bsdsock]
      configures no assembly build for specified netware environment
      (CLIB or LibC).

   perl util\mkfiles.pl >MINFO
      generates a listing of source files (used by mk1mf)

-   perl util\mk1mf.pl no-asm [other config opts] [netware-clib|netware-libc >netware\nlm.mak
+   perl util\mk1mf.pl no-asm [other config opts] [netware-clib|netware-libc|netware-libc-bsdsock >netware\nlm.mak
      generates the makefile for NetWare

   gmake -f netware\nlm.mak
@@ -288,13 +303,6 @@ The do_tests.pl script generates a log file "\openssl\test_out\tests.log"
 which should be reviewed for errors.  Any errors will be denoted by the word
 "ERROR" in the log.

-NOTE:  Currently (11/2002), the LibC test nlms report an error while loading
-       when launched from the perl script (do_tests.pl).  The problems are 
-       being addressed by the LibC development team and should be fixed in the
-       next release.  Until the problems are corrected, the LibC test nlms 
-       will have to be executed manually.  
-
-
 DEVELOPING WITH THE OPENSSL SDK:
 --------------------------------
 Now that everything is built and tested, you are ready to use the OpenSSL
--- a/INSTALL.W32
+++ b/INSTALL.W32
@@ -3,6 +3,7 @@
 ----------------------------------

 [Instructions for building for Windows CE can be found in INSTALL.WCE]
+ [Instructions for building for Win64 can be found in INSTALL.W64]

 Heres a few comments about building OpenSSL in Windows environments.  Most
 of this is tested on Win32 but it may also work in Win 3.1 with some
@@ -286,3 +287,21 @@
 (e.g. fopen()), and OpenSSL cannot change these; so in general you cannot
 rely on CRYPTO_malloc_init() solving your problem, and you should
 consistently use the multithreaded library.
+
+ Linking your application
+ ------------------------
+
+ If you link with static OpenSSL libraries [those built with ms/nt.mak],
+ then you're expected to additionally link your application with
+ WSOCK32.LIB, ADVAPI32.LIB, GDI32.LIB and USER32.LIB. Those developing
+ non-interactive service applications might feel concerned about linking
+ with latter two, as they are justly associated with interactive desktop,
+ which is not available to service processes. The toolkit is designed
+ to detect in which context it's currently executed, GUI, console app
+ or service, and act accordingly, namely whether or not to actually make
+ GUI calls.
+
+ If you link with OpenSSL .DLLs, then you're expected to include into
+ your application code small "shim" snippet, which provides glue between
+ OpenSSL BIO layer and your compiler run-time. Look up OPENSSL_Applink
+ reference page for further details.
--- a/INSTALL.W64
+++ b/INSTALL.W64
@@ -0,0 +1,66 @@
+
+ INSTALLATION ON THE WIN64 PLATFORM
+ ----------------------------------
+
+ Caveat lector
+ -------------
+
+ As of moment of this writing Win64 support is classified "initial"
+ for the following reasons.
+
+ - No assembler modules are engaged upon initial 0.9.8 release.
+ - API might change within 0.9.8 life-span, *but* in a manner which
+   doesn't break backward binary compatibility. Or in other words,
+   application programs compiled with initial 0.9.8 headers will
+   be expected to work with future minor release .DLL without need
+   to re-compile, even if future minor release features modified API.
+ - Above mentioned API modifications have everything to do with
+   elimination of a number of limitations, which are normally
+   considered inherent to 32-bit platforms. Which in turn is why they
+   are treated as limitations on 64-bit platform such as Win64:-)
+   The current list comprises [but not necessarily limited to]:
+
+   - null-terminated strings may not be longer than 2G-1 bytes,
+     longer strings are treated as zero-length;
+   - dynamically and *internally* allocated chunks can't be larger
+     than 2G-1 bytes;
+   - inability to encrypt/decrypt chunks of data larger than 4GB
+     [it's possibly to *hash* chunks of arbitrary size through];
+
+   Neither of these is actually big deal and hardly encountered
+   in real-life applications.
+
+ Compiling procedure
+ -------------------
+
+ You will need Perl. You can run under Cygwin or you can download
+ ActiveState Perl from http://www.activestate.com/ActivePerl.
+
+ You will need Microsoft Platform SDK, available for download at
+ http://www.microsoft.com/msdownload/platformsdk/sdkupdate/. As per
+ April 2005 Platform SDK is equipped with Win64 compilers, as well
+ as assemblers, but it might change in the future.
+
+ To build for Win64/x64:
+
+ > perl Configure VC-WIN64A
+ > ms\do_win64a
+ > nmake -f ms\ntdll.mak
+ > cd out32dll
+ > ..\ms\test
+
+ To build for Win64/IA64:
+
+ > perl Configure VC-WIN64I
+ > ms\do_win64i
+ > nmake -f ms\ntdll.mak
+ > cd out32dll
+ > ..\ms\test
+
+ Naturally test-suite itself has to be executed on the target platform.
+
+ Installation
+ ------------
+
+ TBD, for now see INSTALL.W32.
+
--- a/INSTALL.WCE
+++ b/INSTALL.WCE
@@ -11,8 +11,11 @@
 You also need Perl for Win32.  You will need ActiveState Perl, available
 from http://www.activestate.com/ActivePerl.

- Windows CE support in OpenSSL relies on wcecompat.  All Windows CE specific
- issues should be directed to www.essemer.com.au.
+ Windows CE support in OpenSSL relies on wcecompat and therefore it's
+ appropriate to check http://www.essemer.com.au/windowsce/ for updates in
+ case of compilation problems. As for the moment of this writing version
+ 1.1 is available and actually required for WCE 4.2 and newer platforms.
+ All Windows CE specific issues should be directed to www.essemer.com.au.

 The C Runtime Library implementation for Windows CE that is included with
 Microsoft eMbedded Visual C++ 3.0 is incomplete and in some places
--- a/Makefile.org
+++ b/Makefile.org
@@ -112,6 +112,8 @@ SDIRS=  \
 	buffer bio stack lhash rand err \
 	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \
 	store pqueue
+# keep in mind that the above list is adjusted by ./Configure
+# according to no-xxx arguments...

 # tests to perform.  "alltests" is a special word indicating that all tests
 # should be performed.
@@ -144,14 +146,35 @@ WTARFILE=       $(NAME)-win.tar
 EXHEADER=       e_os2.h
 HEADER=         e_os.h

-all: Makefile build_all openssl.pc
+all: Makefile build_all openssl.pc libssl.pc libcrypto.pc
+
+# as we stick to -e, CLEARENV ensures that local variables in lower
+# Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn
+# shell, which [annoyingly enough] terminates unset with error if VAR
+# is not present:-( TOP= && unset TOP is tribute to HP-UX /bin/sh,
+# which terminates unset with error if no variable was present:-(
+CLEARENV=	TOP= && unset TOP $${LIB+LIB} $${LIBS+LIBS}	\
+		$${INCLUDE+INCLUDE} $${INCLUDES+INCLUDES}	\
+		$${DIR+DIR} $${DIRS+DIRS} $${SRC+SRC}		\
+		$${LIBSRC+LIBSRC} $${LIBOBJ+LIBOBJ} $${ALL+ALL}	\
+		$${EXHEADER+EXHEADER} $${HEADER+HEADER}		\
+		$${GENERAL+GENERAL} $${CFLAGS+CFLAGS}		\
+		$${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS}		\
+		$${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS}		\
+		$${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS}	\
+		$${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS}

 BUILDENV=	PLATFORM='${PLATFORM}' PROCESSOR='${PROCESSOR}' \
-		SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}'	\
 		CC='${CC}' CFLAG='${CFLAG}' 			\
 		AS='${CC}' ASFLAG='${CFLAG} -c'			\
 		AR='${AR}' PERL='${PERL}' RANLIB='${RANLIB}'	\
-		LDFLAGS="$(LDFLAGS)" SHARED_LDFLAGS="$(SHARED_LDFLAGS)"	\
+		SDIRS='${SDIRS}' LIBRPATH='${INSTALLTOP}/lib'	\
+		INSTALL_PREFIX='${INSTALL_PREFIX}'		\
+		INSTALLTOP='${INSTALLTOP}' OPENSSLDIR='${OPENSSLDIR}'	\
+		MAKEDEPEND='$$$${TOP}/util/domd $$$${TOP} -MD ${MAKEDEPPROG}' \
+		DEPFLAG='-DOPENSSL_NO_DEPRECATED ${DEPFLAG}'	\
+		MAKEDEPPROG='${MAKEDEPPROG}'			\
+		SHARED_LDFLAGS='${SHARED_LDFLAGS}'		\
 		KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}'	\
 		EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}'	\
 		SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}'	\
@@ -163,15 +186,20 @@ BUILDENV=	PLATFORM='${PLATFORM}' PROCESSOR='${PROCESSOR}' \
 		RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}'	\
 		SHA1_ASM_OBJ='${SHA1_ASM_OBJ}'			\
 		MD5_ASM_OBJ='${MD5_ASM_OBJ}'			\
-		RMD160_ASM_OBJ='${RMD160_ASM_OBJ}'
+		RMD160_ASM_OBJ='${RMD160_ASM_OBJ}'		\
+		THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
+# MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
+# which in turn eliminates ambiguities in variable treatment with -e.

-BUILD_CMD=if echo " $(DIRS) " | grep " $$dir " >/dev/null 2>/dev/null; then \
-	if [ -d "$$dir" ]; then \
-		(cd $$dir && echo "making $$target in $$dir..." && \
-		$(MAKE) -e $(BUILDENV) $$target ) || exit 1; \
-	else \
-		$(MAKE) $$dir; \
-	fi; fi
+BUILD_CMD=  if [ -d "$$dir" ]; then \
+	    (	cd $$dir && echo "making $$target in $$dir..." && \
+		$(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. DIR=$$dir $$target \
+	    ) || exit 1; \
+	    fi
+RECURSIVE_BUILD_CMD=for dir in $(DIRS); do $(BUILD_CMD); done
+
+reflect:
+	@[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV)

 sub_all: build_all
 build_all: build_libs build_apps build_tests build_tools
@@ -241,16 +269,40 @@ do_$(SHLIB_TARGET):
 		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 			libs="$(LIBKRB5) $$libs"; \
 		fi; \
-		$(MAKE) -f Makefile.shared \
-			$(BUILDENV) \
+		$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
 			LIBNAME=$$i LIBVERSION=${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			LIBCOMPATVERSIONS=";${SHLIB_VERSION_HISTORY}" \
 			LIBDEPS="$$libs $(EX_LIBS)" \
-			LIBRPATH="$(INSTALLTOP)/lib" \
 			link_a.$(SHLIB_TARGET); \
 		libs="-l$$i $$libs"; \
 	done

+libcrypto.pc: Makefile
+	@ ( echo 'prefix=$(INSTALLTOP)'; \
+	    echo 'exec_prefix=$${prefix}'; \
+	    echo 'libdir=$${exec_prefix}/lib'; \
+	    echo 'includedir=$${prefix}/include'; \
+	    echo ''; \
+	    echo 'Name: OpenSSL-libcrypto'; \
+	    echo 'Description: OpenSSL cryptography library'; \
+	    echo 'Version: '$(VERSION); \
+	    echo 'Requires: '; \
+	    echo 'Libs: -L$${libdir} -lcrypto $(EX_LIBS)'; \
+	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
+
+libssl.pc: Makefile
+	@ ( echo 'prefix=$(INSTALLTOP)'; \
+	    echo 'exec_prefix=$${prefix}'; \
+	    echo 'libdir=$${exec_prefix}/lib'; \
+	    echo 'includedir=$${prefix}/include'; \
+	    echo ''; \
+	    echo 'Name: OpenSSL'; \
+	    echo 'Description: Secure Sockets Layer and cryptography libraries'; \
+	    echo 'Version: '$(VERSION); \
+	    echo 'Requires: '; \
+	    echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
+	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
+
 openssl.pc: Makefile
 	@ ( echo 'prefix=$(INSTALLTOP)'; \
 	    echo 'exec_prefix=$${prefix}'; \
@@ -270,19 +322,13 @@ Makefile: Makefile.org Configure config
 	@false

 libclean:
-	rm -f *.map *.so *.so.* engines/*.so *.a */lib */*/lib
+	rm -f *.map *.so *.so.* *.dll engines/*.so engines/*.dll *.a engines/*.a */lib */*/lib

 clean:	libclean
 	rm -f shlib/*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c
-	@set -e; for i in $(DIRS) ;\
-	do \
-	if [ -d "$$i" ]; then \
-		(cd $$i && echo "making clean in $$i..." && \
-		$(MAKE) SDIRS='${SDIRS}' clean ) || exit 1; \
-		rm -f $(LIBS); \
-	fi; \
-	done;
-	rm -f openssl.pc
+	@set -e; target=clean; $(RECURSIVE_BUILD_CMD)
+	rm -f $(LIBS)
+	rm -f openssl.pc libssl.pc libcrypto.pc
 	rm -f speed.* .pure
 	rm -f $(TARFILE)
 	@set -e; for i in $(ONEDIRS) ;\
@@ -296,32 +342,20 @@ makefile.one: files

 files:
 	$(PERL) $(TOP)/util/files.pl Makefile > $(TOP)/MINFO
-	@set -e; for i in $(DIRS) ;\
-	do \
-	if [ -d "$$i" ]; then \
-		(cd $$i && echo "making 'files' in $$i..." && \
-		$(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' files ) || exit 1; \
-	fi; \
-	done;
+	@set -e; target=files; $(RECURSIVE_BUILD_CMD)

 links:
 	@$(PERL) $(TOP)/util/mkdir-p.pl include/openssl
 	@$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER)
-	@set -e; target=links; for dir in $(DIRS); do $(BUILD_CMD); done
+	@set -e; target=links; $(RECURSIVE_BUILD_CMD)

 gentests:
 	@(cd test && echo "generating dummy tests (if needed)..." && \
-	$(MAKE) $(BUILDENV) TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on generate );
+	$(CLEARENV) && $(MAKE) -e $(BUILDENV) TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on generate );

 dclean:
 	rm -f *.bak
-	@set -e; for i in $(DIRS) ;\
-	do \
-	if [ -d "$$i" ]; then \
-		(cd $$i && echo "making dclean in $$i..." && \
-		$(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' dclean ) || exit 1; \
-	fi; \
-	done;
+	@set -e; target=dclean; $(RECURSIVE_BUILD_CMD)

 rehash: rehash.time
 rehash.time: certs
@@ -335,29 +369,17 @@ test:   tests

 tests: rehash
 	@(cd test && echo "testing..." && \
-	$(MAKE) -e $(BUILDENV) TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on tests );
+	$(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on tests );
 	util/opensslwrap.sh version -a

 report:
 	@$(PERL) util/selftest.pl

 depend:
-	@set -e; for i in $(DIRS) ;\
-	do \
-	if [ -d "$$i" ]; then \
-		(cd $$i && echo "making dependencies $$i..." && \
-		$(MAKE) SDIRS='${SDIRS}' CFLAG='-DOPENSSL_NO_DEPRECATED ${CFLAG}' DEPFLAG='${DEPFLAG}' MAKEDEPPROG='${MAKEDEPPROG}' KRB5_INCLUDES='${KRB5_INCLUDES}' PERL='${PERL}' depend ) || exit 1; \
-	fi; \
-	done;
+	@set -e; target=depend; $(RECURSIVE_BUILD_CMD)

 lint:
-	@set -e; for i in $(DIRS) ;\
-	do \
-	if [ -d "$$i" ]; then \
-		(cd $$i && echo "making lint $$i..." && \
-		$(MAKE) SDIRS='${SDIRS}' lint ) || exit 1; \
-	fi; \
-	done;
+	@set -e; target=lint; $(RECURSIVE_BUILD_CMD)

 tags:
 	rm -f TAGS
@@ -366,6 +388,7 @@ tags:
 errors:
 	$(PERL) util/mkerr.pl -recurse -write
 	(cd engines; $(MAKE) PERL=$(PERL) errors)
+	$(PERL) util/ck_errf.pl */*.c */*/*.c

 stacks:
 	$(PERL) util/mkstack.pl -write
@@ -384,11 +407,15 @@ crypto/objects/obj_mac.h: crypto/objects/objects.pl crypto/objects/objects.txt c
 apps/openssl-vms.cnf: apps/openssl.cnf
 	$(PERL) VMS/VMSify-conf.pl < apps/openssl.cnf > apps/openssl-vms.cnf

+crypto/bn/bn_prime.h: crypto/bn/bn_prime.pl
+	$(PERL) crypto/bn/bn_prime.pl >crypto/bn/bn_prime.h
+
+
 TABLE: Configure
 	(echo 'Output of `Configure TABLE'"':"; \
 	$(PERL) Configure TABLE) > TABLE

-update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h apps/openssl-vms.cnf TABLE
+update: errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h apps/openssl-vms.cnf crypto/bn/bn_prime.h TABLE depend

 # Build distribution tar-file. As the list of files returned by "find" is
 # pretty long, on several platforms a "too many arguments" error or similar
@@ -423,7 +450,7 @@ dist:
 	@$(MAKE) TAR='${TAR}' TARFLAGS='${TARFLAGS}' tar

 dist_pem_h:
-	(cd crypto/pem; $(MAKE) $(BUILDENV) pem.h; $(MAKE) clean)
+	(cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean)

 install: all install_docs install_sw

@@ -441,13 +468,7 @@ install_sw:
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
 	done;
-	@set -e; for i in $(DIRS) ;\
-	do \
-	if [ -d "$$i" ]; then \
-		(cd $$i; echo "installing $$i..."; \
-		$(MAKE) $(BUILDENV) INSTALL_PREFIX='${INSTALL_PREFIX}' OPENSSLDIR='${OPENSSLDIR}' install ); \
-	fi; \
-	done
+	@set -e; target=install; $(RECURSIVE_BUILD_CMD)
 	@set -e; for i in $(LIBS) ;\
 	do \
 		if [ -f "$$i" ]; then \
@@ -469,13 +490,13 @@ install_sw:
 					chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
 					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
 				else \
-					c=`echo $$i | sed 's/^lib/cyg/'`; \
+					c=`echo $$i | sed 's/^lib\(.*\)\.dll\.a/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
 					cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
 					chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
 					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
-					cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \
-					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \
-					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
+					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
 				fi ); \
 			fi; \
 		done; \
@@ -489,6 +510,10 @@ install_sw:
 			sed -e '1,/^$$/d' doc/openssl-shared.txt; \
 		fi; \
 	fi
+	cp libcrypto.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig/libcrypto.pc
+	cp libssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig/libssl.pc
 	cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig/openssl.pc

@@ -514,8 +539,8 @@ install_docs:
 			--release=$(VERSION) `basename $$i`") \
 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
-			grep -v $$filecase "^$$fn\$$" | \
-			grep -v "[	]" | \
+			(grep -v $$filecase "^$$fn\$$"; true) | \
+			(grep -v "[	]"; true) | \
 			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
 			 while read n; do \
 				$$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
@@ -531,8 +556,8 @@ install_docs:
 			--release=$(VERSION) `basename $$i`") \
 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
-			grep -v $$filecase "^$$fn\$$" | \
-			grep -v "[	]" | \
+			(grep -v $$filecase "^$$fn\$$"; true) | \
+			(grep -v "[	]"; true) | \
 			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
 			 while read n; do \
 				$$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
--- a/Makefile.shared
+++ b/Makefile.shared
@@ -7,6 +7,7 @@

 # CC contains the current compiler.  This one MUST be defined
 CC=cc
+CFLAGS=$(CFLAG)
 # LDFLAGS contains flags to be used when temporary object files (when building
 # shared libraries) are created, or when an application is linked.
 # SHARED_LDFLAGS contains flags to be used when the shared library is created.
@@ -88,20 +89,28 @@ CALC_VERSIONS=	\

 LINK_APP=	\
  ( $(SET_X);   \
+    LIBDEPS="$${LIBDEPS:-$(LIBDEPS)}"; \
+    LDCMD="$${LDCMD:-$(CC)}"; LDFLAGS="$${LDFLAGS:-$(CFLAGS)}"; \
    LIBPATH=`for x in $$LIBDEPS; do if echo $$x | grep '^ *-L' > /dev/null 2>&1; then echo $$x | sed -e 's/^ *-L//'; fi; done | uniq`; \
    LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
    LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
-    $$LDCMD $$LDFLAGS -o $$APPNAME $(OBJECTS) $$LIBDEPS )
+    $${LDCMD} $${LDFLAGS} -o $${APPNAME:=$(APPNAME)} $(OBJECTS) $${LIBDEPS} )

 LINK_SO=	\
  ( $(SET_X);   \
+    LIBDEPS="$${LIBDEPS:-$(LIBDEPS)}"; \
+    SHAREDCMD="$${SHAREDCMD:-$(CC)}"; \
+    SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
    nm -Pg $$SHOBJECTS | grep ' [BDT] ' | cut -f1 -d' ' > lib$(LIBNAME).exp; \
    LIBPATH=`for x in $$LIBDEPS; do if echo $$x | grep '^ *-L' > /dev/null 2>&1; then echo $$x | sed -e 's/^ *-L//'; fi; done | uniq`; \
    LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
    LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
-    $$SHAREDCMD $$SHAREDFLAGS -o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
-	$$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS ) && \
-  $(SYMLINK_SO); ( $(SET_X); rm -f lib$(LIBNAME).exp )
+    $${SHAREDCMD} $${SHAREDFLAGS} \
+	-o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
+	$$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS \
+  ) && $(SYMLINK_SO); \
+  ( $(SET_X); rm -f lib$(LIBNAME).exp )
+
 SYMLINK_SO=	\
 	if [ -n "$$INHIBIT_SYMLINKS" ]; then :; else \
 		prev=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX; \
@@ -120,12 +129,14 @@ SYMLINK_SO=	\

 LINK_SO_A=	SHOBJECTS="lib$(LIBNAME).a $(LIBEXTRAS)"; $(LINK_SO)
 LINK_SO_O=	SHOBJECTS="$(LIBEXTRAS)"; $(LINK_SO)
+
 LINK_SO_A_VIA_O=	\
  SHOBJECTS=lib$(LIBNAME).o; \
  ALL=$$ALLSYMSFLAGS; ALLSYMSFLAGS=; NOALLSYMSFLAGS=; \
  ( $(SET_X); \
    ld $(LDFLAGS) -r -o lib$(LIBNAME).o $$ALL lib$(LIBNAME).a $(LIBEXTRAS) ); \
  $(LINK_SO) && rm -f $(LIBNAME).o
+
 LINK_SO_A_UNPACKED=	\
  UNPACKDIR=link_tmp.$$$$; rm -rf $$UNPACKDIR; mkdir $$UNPACKDIR; \
  (cd $$UNPACKDIR; ar x ../lib$(LIBNAME).a) && \
@@ -138,15 +149,11 @@ DETECT_GNU_LD=(${CC} -Wl,-V /dev/null 2>&1 | grep '^GNU ld' )>/dev/null
 DO_GNU_SO=$(CALC_VERSIONS); \
 	SHLIB=lib$(LIBNAME).so; \
 	SHLIB_SUFFIX=; \
-	LIBDEPS="$(LIBDEPS)"; \
 	ALLSYMSFLAGS='-Wl,--whole-archive'; \
 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
-	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX -Wl,-rpath,$(LIBRPATH)"; \
-	SHAREDCMD='$(CC)'
-DO_GNU_APP=LDCMD=$(CC);\
-	LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"; \
-	LIBDEPS="$(LIBDEPS)"; \
-	APPNAME=$(APPNAME)
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"
+
+DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"

 #This is rather special.  It's a special target with which one can link
 #applications without bothering with any features that have anything to
@@ -154,10 +161,6 @@ DO_GNU_APP=LDCMD=$(CC);\
 #libraries.  It's mostly here to avoid a lot of conditionals everywhere
 #else...
 link_app.:
-	LDCMD=$(CC); \
-	LDFLAGS="$(CFLAGS)"; \
-	LIBDEPS="$(LIBDEPS)"; \
-	APPNAME="$(APPNAME)"; \
 	$(LINK_APP)

 link_o.gnu:
@@ -172,29 +175,24 @@ link_o.bsd:
 	$(CALC_VERSIONS); \
 	SHLIB=lib$(LIBNAME).so; \
 	SHLIB_SUFFIX=; \
-	LIBDEPS=; \
+	LIBDEPS=" "; \
 	ALLSYMSFLAGS="-Wl,-Bforcearchive"; \
 	NOALLSYMSFLAGS=; \
-	SHAREDFLAGS="$(CFLAGS) -shared -nostdlib"; \
-	SHAREDCMD=$(CC); \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -nostdlib"; \
 	fi; $(LINK_SO_O)
 link_a.bsd:
 	@if ${DETECT_GNU_LD}; then $(DO_GNU_SO); else \
 	$(CALC_VERSIONS); \
 	SHLIB=lib$(LIBNAME).so; \
 	SHLIB_SUFFIX=; \
-	LIBDEPS=; \
+	LIBDEPS=" "; \
 	ALLSYMSFLAGS="-Wl,-Bforcearchive"; \
 	NOALLSYMSFLAGS=; \
-	SHAREDFLAGS="$(CFLAGS) -shared -nostdlib"; \
-	SHAREDCMD=$(CC); \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -nostdlib"; \
 	fi; $(LINK_SO_A)
 link_app.bsd:
 	@if ${DETECT_GNU_LD}; then $(DO_GNU_APP); else \
-	LDCMD=$(CC); \
 	LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBPATH)"; \
-	LIBDEPS="$(LIBDEPS)"; \
-	APPNAME="$(APPNAME)"; \
 	fi; $(LINK_APP)

 # For Darwin AKA Mac OS/X (dyld)
@@ -202,11 +200,9 @@ link_o.darwin:
 	@ $(CALC_VERSIONS); \
 	SHLIB=lib$(LIBNAME); \
 	SHLIB_SUFFIX=.dylib; \
-	LIBDEPS="$(LIBDEPS)"; \
 	ALLSYMSFLAGS='-all_load'; \
 	NOALLSYMSFLAGS=''; \
-	SHAREDFLAGS="$(CFLAGS) -dynamiclib"; \
-	SHAREDCMD='$(CC)'; \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS)"; \
 	if [ -n "$(LIBVERSION)" ]; then \
 		SHAREDFLAGS="$$SHAREDFLAGS -current_version $(LIBVERSION)"; \
 	fi; \
@@ -218,11 +214,9 @@ link_a.darwin:
 	@ $(CALC_VERSIONS); \
 	SHLIB=lib$(LIBNAME); \
 	SHLIB_SUFFIX=.dylib; \
-	LIBDEPS="$(LIBDEPS)"; \
 	ALLSYMSFLAGS='-all_load'; \
 	NOALLSYMSFLAGS=''; \
-	SHAREDFLAGS="$(CFLAGS) -dynamiclib"; \
-	SHAREDCMD='$(CC)'; \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS)"; \
 	if [ -n "$(LIBVERSION)" ]; then \
 		SHAREDFLAGS="$$SHAREDFLAGS -current_version $(LIBVERSION)"; \
 	fi; \
@@ -230,11 +224,7 @@ link_a.darwin:
 		SHAREDFLAGS="$$SHAREDFLAGS -compatibility_version $$SHLIB_SOVER_NODOT"; \
 	fi; \
 	$(LINK_SO_A)
-link_app.darwin:
-	LDCMD=$(CC);\
-	LDFLAGS="$(CFLAGS)"; \
-	LIBDEPS="$(LIBDEPS)"; \
-	APPNAME="$(APPNAME)"; \
+link_app.darwin:	# is there run-path on darwin?
 	$(LINK_APP)

 link_o.cygwin:
@@ -243,12 +233,11 @@ link_o.cygwin:
 	SHLIB=cyg$(LIBNAME); \
 	expr $(PLATFORM) : 'mingw' > /dev/null && SHLIB=$(LIBNAME)eay32; \
 	SHLIB_SUFFIX=.dll; \
-	LIBDEPS="$(LIBDEPS)"; \
-	SHLIB_SOVER=-$(LIBVERSION); \
+	LIBVERSION="$(LIBVERSION)"; \
+	SHLIB_SOVER=${LIBVERSION:+"-$(LIBVERSION)"}; \
 	ALLSYMSFLAGS='-Wl,--whole-archive'; \
 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
-	SHAREDFLAGS="$(CFLAGS) -Wl,-Bsymbolic -Wl,--out-implib,lib$(LIBNAME).dll.a"; \
-	SHAREDCMD='${CC}'; \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,--out-implib,lib$(LIBNAME).dll.a"; \
 	$(LINK_SO_O)
 link_a.cygwin:
 	@ $(CALC_VERSIONS); \
@@ -256,23 +245,17 @@ link_a.cygwin:
 	SHLIB=cyg$(LIBNAME); \
 	expr $(PLATFORM) : 'mingw' > /dev/null && SHLIB=$(LIBNAME)eay32; \
 	SHLIB_SUFFIX=.dll; \
-	LIBDEPS="$(LIBDEPS)"; \
-	SHLIB_SOVER=; \
+	SHLIB_SOVER=-$(LIBVERSION); \
 	ALLSYMSFLAGS='-Wl,--whole-archive'; \
 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
-	base=;  [ $(LIBNAME) = "crypto" ] && base=-Wl,--image-base,0x61200000; \
-	SHAREDFLAGS="$(CFLAGS) $$base -Wl,-Bsymbolic -Wl,--out-implib,lib$(LIBNAME).dll.a"; \
-	SHAREDCMD='${CC}'; \
+	base=;  [ $(LIBNAME) = "crypto" ] && base=-Wl,--image-base,0x63000000; \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared $$base -Wl,-Bsymbolic -Wl,--out-implib,lib$(LIBNAME).dll.a"; \
 	[ -f apps/$$SHLIB$$SHLIB_SUFFIX ] && rm apps/$$SHLIB$$SHLIB_SUFFIX; \
 	[ -f test/$$SHLIB$$SHLIB_SUFFIX ] && rm test/$$SHLIB$$SHLIB_SUFFIX; \
 	$(LINK_SO_A) || exit 1; \
-	cp -p $$SHLIB$$SHLIB_SUFFIX apps/; \
-	cp -p $$SHLIB$$SHLIB_SUFFIX test/
+	cp -p $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX apps/; \
+	cp -p $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX test/
 link_app.cygwin:
-	LDCMD=$(CC);\
-	LDFLAGS="$(CFLAGS)"; \
-	LIBDEPS="$(LIBDEPS)"; \
-	APPNAME="$(APPNAME)"; \
 	$(LINK_APP)

 link_o.alpha-osf1:
@@ -281,7 +264,6 @@ link_o.alpha-osf1:
 	else \
 		SHLIB=lib$(LIBNAME).so; \
 		SHLIB_SUFFIX=; \
-		LIBDEPS="$(LIBDEPS)"; \
 		SHLIB_HIST=`echo "$(LIBCOMPATVERSIONS)" | cut -d';' -f2 | sed -e 's/ */:/'`; \
 		if [ -n "$$SHLIB_HIST" ]; then \
 			SHLIB_HIST="$${SHLIB_HIST}:$(LIBVERSION)"; \
@@ -291,8 +273,7 @@ link_o.alpha-osf1:
 		SHLIB_SOVER=; \
 		ALLSYMSFLAGS='-all'; \
 		NOALLSYMSFLAGS='-none'; \
-		SHAREDFLAGS="$(CFLAGS) -shared"; \
-		SHAREDCMD='$(CC)'; \
+		SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared"; \
 		if [ -n "$$SHLIB_HIST" ]; then \
 			SHAREDFLAGS="$$SHAREDFLAGS -set_version \"$$SHLIB_HIST\""; \
 		fi; \
@@ -304,7 +285,6 @@ link_a.alpha-osf1:
 	else \
 		SHLIB=lib$(LIBNAME).so; \
 		SHLIB_SUFFIX=; \
-		LIBDEPS="$(LIBDEPS)"; \
 		SHLIB_HIST=`echo "$(LIBCOMPATVERSIONS)" | cut -d';' -f2 | sed -e 's/ */:/'`; \
 		if [ -n "$$SHLIB_HIST" ]; then \
 			SHLIB_HIST="$${SHLIB_HIST}:$(LIBVERSION)"; \
@@ -314,139 +294,17 @@ link_a.alpha-osf1:
 		SHLIB_SOVER=; \
 		ALLSYMSFLAGS='-all'; \
 		NOALLSYMSFLAGS='-none'; \
-		SHAREDFLAGS="$(CFLAGS) -shared"; \
-		SHAREDCMD='$(CC)'; \
+		SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared"; \
 		if [ -n "$$SHLIB_HIST" ]; then \
 			SHAREDFLAGS="$$SHAREDFLAGS -set_version \"$$SHLIB_HIST\""; \
 		fi; \
 	fi; \
 	$(LINK_SO_A)
 link_app.alpha-osf1:
-	@ if ${DETECT_GNU_LD}; then \
+	@if ${DETECT_GNU_LD}; then \
 		$(DO_GNU_APP); \
 	else \
-		LDCMD=$(CC);\
-		LDFLAGS="$(CFLAGS)"; \
-		LIBDEPS="$(LIBDEPS)"; \
-		APPNAME="$(APPNAME)"
-	fi; \
-	$(LINK_APP)
-
-# The difference between alpha-osf1-shared and tru64-shared is the `-msym'
-# option passed to the linker.
-link_o.tru64:
-	@ if ${DETECT_GNU_LD}; then \
-		$(DO_GNU_SO); \
-	else \
-		SHLIB=lib$(LIBNAME).so; \
-		SHLIB_SUFFIX=; \
-		LIBDEPS="$(LIBDEPS)"; \
-		SHLIB_HIST=`echo "$(LIBCOMPATVERSIONS)" | cut -d';' -f2 | sed -e 's/ */:/'`; \
-		if [ -n "$$SHLIB_HIST" ]; then \
-			SHLIB_HIST="$${SHLIB_HIST}:$(LIBVERSION)"; \
-		else \
-			SHLIB_HIST="$(LIBVERSION)"; \
-		fi; \
-		SHLIB_SOVER=; \
-		ALLSYMSFLAGS='-all'; \
-		NOALLSYMSFLAGS='-none'; \
-		SHAREDFLAGS="$(CFLAGS) -shared -msym -rpath $(LIBRPATH)"; \
-		SHAREDCMD='$(CC)'; \
-		if [ -n "$$SHLIB_HIST" ]; then \
-			SHAREDFLAGS="$$SHAREDFLAGS -set_version \"$$SHLIB_HIST\""; \
-		fi; \
-	fi; \
-	$(LINK_SO_O)
-link_a.tru64:
-	@ if ${DETECT_GNU_LD}; then \
-		$(DO_GNU_SO); \
-	else \
-		SHLIB=lib$(LIBNAME).so; \
-		SHLIB_SUFFIX=; \
-		LIBDEPS="$(LIBDEPS)"; \
-		SHLIB_HIST=`echo "$(LIBCOMPATVERSIONS)" | cut -d';' -f2 | sed -e 's/ */:/'`; \
-		if [ -n "$$SHLIB_HIST" ]; then \
-			SHLIB_HIST="$${SHLIB_HIST}:$(LIBVERSION)"; \
-		else \
-			SHLIB_HIST="$(LIBVERSION)"; \
-		fi; \
-		SHLIB_SOVER=; \
-		ALLSYMSFLAGS='-all'; \
-		NOALLSYMSFLAGS='-none'; \
-		SHAREDFLAGS="$(CFLAGS) -shared -msym -rpath $(LIBRPATH)"; \
-		SHAREDCMD='$(CC)'; \
-		if [ -n "$$SHLIB_HIST" ]; then \
-			SHAREDFLAGS="$$SHAREDFLAGS -set_version \"$$SHLIB_HIST\""; \
-		fi; \
-	fi; \
-	$(LINK_SO_A)
-link_app.tru64:
-	@ if ${DETECT_GNU_LD}; then \
-		$(DO_GNU_APP); \
-	else \
-		LDCMD=$(CC);\
 		LDFLAGS="$(CFLAGS) -rpath $(LIBRPATH)"; \
-		LIBDEPS="$(LIBDEPS)"; \
-		APPNAME="$(APPNAME)"; \
-	fi; \
-	$(LINK_APP)
-
-# The difference between tru64-shared and tru64-shared-rpath is the
-# -rpath ${LIBRPATH} passed to the linker.
-link_o.tru64-rpath:
-	@ if ${DETECT_GNU_LD}; then \
-		$(DO_GNU_SO); \
-	else \
-		SHLIB=lib$(LIBNAME).so; \
-		SHLIB_SUFFIX=; \
-		LIBDEPS="$(LIBDEPS)"; \
-		SHLIB_HIST=`echo "$(LIBCOMPATVERSIONS)" | cut -d';' -f2 | sed -e 's/ */:/'`; \
-		if [ -n "$$SHLIB_HIST" ]; then \
-			SHLIB_HIST="$${SHLIB_HIST}:$(LIBVERSION)"; \
-		else \
-			SHLIB_HIST="$(LIBVERSION)"; \
-		fi; \
-		SHLIB_SOVER=; \
-		ALLSYMSFLAGS='-all'; \
-		NOALLSYMSFLAGS='-none'; \
-		SHAREDFLAGS="$(CFLAGS) -shared -msym -rpath $(LIBRPATH)"; \
-		SHAREDCMD='$(CC)'; \
-		if [ -n "$$SHLIB_HIST" ]; then \
-			SHAREDFLAGS="$$SHAREDFLAGS -set_version \"$$SHLIB_HIST\""; \
-		fi; \
-	fi; \
-	$(LINK_SO_O)
-link_a.tru64-rpath:
-	@ if ${DETECT_GNU_LD}; then \
-		$(DO_GNU_SO); \
-	else \
-		SHLIB=lib$(LIBNAME).so; \
-		SHLIB_SUFFIX=; \
-		LIBDEPS="$(LIBDEPS)"; \
-		SHLIB_HIST=`echo "$(LIBCOMPATVERSIONS)" | cut -d';' -f2 | sed -e 's/ */:/'`; \
-		if [ -n "$$SHLIB_HIST" ]; then \
-			SHLIB_HIST="$${SHLIB_HIST}:$(LIBVERSION)"; \
-		else \
-			SHLIB_HIST="$(LIBVERSION)"; \
-		fi; \
-		SHLIB_SOVER=; \
-		ALLSYMSFLAGS='-all'; \
-		NOALLSYMSFLAGS='-none'; \
-		SHAREDFLAGS="$(CFLAGS) -shared -msym -rpath $(LIBRPATH)"; \
-		SHAREDCMD='$(CC)'; \
-		if [ -n "$$SHLIB_HIST" ]; then \
-			SHAREDFLAGS="$$SHAREDFLAGS -set_version \"$$SHLIB_HIST\""; \
-		fi; \
-	fi; \
-	$(LINK_SO_A)
-link_app.tru64-rpath:
-	@ if ${DETECT_GNU_LD}; then \
-		$(DO_GNU_APP); \
-	else \
-		LDCMD=$(CC);\
-		LDFLAGS="$(CFLAGS) -rpath $(LIBRPATH)"; \
-		LIBDEPS="$(LIBDEPS)"; \
-		APPNAME="$(APPNAME)"; \
 	fi; \
 	$(LINK_APP)

@@ -456,14 +314,12 @@ link_o.solaris:
 	else \
 		$(CALC_VERSIONS); \
 		MINUSZ='-z '; \
-		(${CC} -v 2>&1 | grep gcc) > /dev/null && MINUSZ='-Wl,-z,'; \
+		($(CC) -v 2>&1 | grep gcc) > /dev/null && MINUSZ='-Wl,-z,'; \
 		SHLIB=lib$(LIBNAME).so; \
 		SHLIB_SUFFIX=; \
-		LIBDEPS="$(LIBDEPS)"; \
 		ALLSYMSFLAGS="$${MINUSZ}allextract"; \
 		NOALLSYMSFLAGS="$${MINUSZ}defaultextract"; \
-		SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX -R $(LIBRPATH) -Wl,-Bsymbolic"; \
-		SHAREDCMD='$(CC)'; \
+		SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX -Wl,-Bsymbolic"; \
 	fi; \
 	$(LINK_SO_O)
 link_a.solaris:
@@ -475,21 +331,16 @@ link_a.solaris:
 		(${CC} -v 2>&1 | grep gcc) > /dev/null && MINUSZ='-Wl,-z,'; \
 		SHLIB=lib$(LIBNAME).so; \
 		SHLIB_SUFFIX=;\
-		LIBDEPS="$(LIBDEPS)"; \
 		ALLSYMSFLAGS="$${MINUSZ}allextract"; \
 		NOALLSYMSFLAGS="$${MINUSZ}defaultextract"; \
-		SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX -R $(LIBRPATH) -Wl,-Bsymbolic"; \
-		SHAREDCMD='$(CC)'; \
+		SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX -Wl,-Bsymbolic"; \
 	fi; \
 	$(LINK_SO_A)
 link_app.solaris:
 	@ if ${DETECT_GNU_LD}; then \
 		$(DO_GNU_APP); \
 	else \
-		LDCMD=$(CC);\
 		LDFLAGS="$(CFLAGS) -R $(LIBRPATH)"; \
-		LIBDEPS="$(LIBDEPS)"; \
-		APPNAME="$(APPNAME)"; \
 	fi; \
 	$(LINK_APP)

@@ -501,11 +352,9 @@ link_o.svr3:
 		$(CALC_VERSIONS); \
 		SHLIB=lib$(LIBNAME).so; \
 		SHLIB_SUFFIX=; \
-		LIBDEPS="$(LIBDEPS)"; \
 		ALLSYMSFLAGS=''; \
 		NOALLSYMSFLAGS=''; \
 		SHAREDFLAGS="$(CFLAGS) -G -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
-		SHAREDCMD='$(CC)'; \
 	fi; \
 	$(LINK_SO_O)
 link_a.svr3:
@@ -515,22 +364,13 @@ link_a.svr3:
 		$(CALC_VERSIONS); \
 		SHLIB=lib$(LIBNAME).so; \
 		SHLIB_SUFFIX=; \
-		LIBDEPS="$(LIBDEPS)"; \
 		ALLSYMSFLAGS=''; \
 		NOALLSYMSFLAGS=''; \
 		SHAREDFLAGS="$(CFLAGS) -G -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
-		SHAREDCMD='$(CC)'; \
 	fi; \
 	$(LINK_SO_A_UNPACKED)
 link_app.svr3:
-	@ if ${DETECT_GNU_LD}; then \
-		$(DO_GNU_APP); \
-	else \
-		LDCMD=$(CC);\
-		LDFLAGS="$(CFLAGS)"; \
-		LIBDEPS="$(LIBDEPS)"; \
-		APPNAME="$(APPNAME)"; \
-	fi; \
+	@${DETECT_GNU_LD} && $(DO_GNU_APP); \
 	$(LINK_APP)

 # UnixWare 7 and OpenUNIX 8 native compilers used
@@ -540,14 +380,12 @@ link_o.svr5:
 	else \
 		$(CALC_VERSIONS); \
 		SHARE_FLAG='-G'; \
-		(${CC} -v 2>&1 | grep gcc) > /dev/null && SHARE_FLAG='-shared'; \
+		($(CC) -v 2>&1 | grep gcc) > /dev/null && SHARE_FLAG='-shared'; \
 		SHLIB=lib$(LIBNAME).so; \
 		SHLIB_SUFFIX=; \
-		LIBDEPS="$(LIBDEPS)"; \
 		ALLSYMSFLAGS=''; \
 		NOALLSYMSFLAGS=''; \
 		SHAREDFLAGS="$(CFLAGS) $${SHARE_FLAG} -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
-		SHAREDCMD='$(CC)'; \
 	fi; \
 	$(LINK_SO_O)
 link_a.svr5:
@@ -559,22 +397,13 @@ link_a.svr5:
 		(${CC} -v 2>&1 | grep gcc) > /dev/null && SHARE_FLAG='-shared'; \
 		SHLIB=lib$(LIBNAME).so; \
 		SHLIB_SUFFIX=; \
-		LIBDEPS="$(LIBDEPS)"; \
 		ALLSYMSFLAGS=''; \
 		NOALLSYMSFLAGS=''; \
 		SHAREDFLAGS="$(CFLAGS) $${SHARE_FLAG} -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
-		SHAREDCMD='$(CC)'; \
 	fi; \
 	$(LINK_SO_A_UNPACKED)
 link_app.svr5:
-	@ if ${DETECT_GNU_LD}; then \
-		$(DO_GNU_APP); \
-	else \
-		LDCMD=$(CC);\
-		LDFLAGS="$(CFLAGS)"; \
-		LIBDEPS="$(LIBDEPS)"; \
-		APPNAME="$(APPNAME)"; \
-	fi; \
+	@${DETECT_GNU_LD} && $(DO_GNU_APP); \
 	$(LINK_APP)

 link_o.irix:
@@ -584,13 +413,11 @@ link_o.irix:
 		$(CALC_VERSIONS); \
 		SHLIB=lib$(LIBNAME).so; \
 		SHLIB_SUFFIX=; \
-		LIBDEPS="$(LIBDEPS)"; \
 		MINUSWL=""; \
 		($(CC) -v 2>&1 | grep gcc) > /dev/null && MINUSWL="-Wl,"; \
 		ALLSYMSFLAGS="$${MINUSWL}-all"; \
 		NOALLSYMSFLAGS="$${MINUSWL}-none"; \
-		SHAREDFLAGS="$(CFLAGS) -shared -Wl,-soname,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX -Wl,-rpath,$(LIBRPATH)"; \
-		SHAREDCMD='$(CC)'; \
+		SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-soname,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
 	fi; \
 	$(LINK_SO_O)
 link_a.irix:
@@ -600,24 +427,15 @@ link_a.irix:
 		$(CALC_VERSIONS); \
 		SHLIB=lib$(LIBNAME).so; \
 		SHLIB_SUFFIX=; \
-		LIBDEPS="$(LIBDEPS)"; \
 		MINUSWL=""; \
 		($(CC) -v 2>&1 | grep gcc) > /dev/null && MINUSWL="-Wl,"; \
 		ALLSYMSFLAGS="$${MINUSWL}-all"; \
 		NOALLSYMSFLAGS="$${MINUSWL}-none"; \
-		SHAREDFLAGS="$(CFLAGS) -shared -Wl,-soname,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX -Wl,-rpath,$(LIBRPATH)"; \
-		SHAREDCMD='$(CC)'; \
+		SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-soname,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
 	fi; \
 	$(LINK_SO_A)
 link_app.irix:
-	@ if ${DETECT_GNU_LD}; then \
-		$(DO_GNU_APP); \
-	else \
-		LDCMD=$(CC);\
-		LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"; \
-		LIBDEPS="$(LIBDEPS)"; \
-		APPNAME="$(APPNAME)"; \
-	fi; \
+	@LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"; \
 	$(LINK_APP)

 # 32-bit PA-RISC HP-UX embeds the -L pathname of libs we link with, so
@@ -634,13 +452,12 @@ link_o.hpux:
 	SHLIB=lib$(LIBNAME).sl; \
 	expr $(PLATFORM) : '.*ia64' > /dev/null && SHLIB=lib$(LIBNAME).so; \
 	SHLIB_SUFFIX=; \
-	LIBDEPS="$(LIBDEPS)"; \
 	ALLSYMSFLAGS='-Wl,-Fl'; \
 	NOALLSYMSFLAGS=''; \
 	expr $(PLATFORM) : 'hpux64' > /dev/null && ALLSYMSFLAGS='-Wl,+forceload'; \
-	SHAREDFLAGS="$(CFLAGS) -Wl,-B,symbolic,+vnocompatwarnings,-z,+s,+cdp,../:,+cdp,./:,+h,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX,+b,$(LIBRPATH)"; \
-	SHAREDCMD=$(CC); \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-B,symbolic,+vnocompatwarnings,-z,+s,+h,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
 	fi; \
+	rm -f $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX || :; \
 	$(LINK_SO_O) && chmod a=rx $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX
 link_a.hpux:
 	@if ${DETECT_GNU_LD}; then $(DO_GNU_SO); else \
@@ -648,20 +465,16 @@ link_a.hpux:
 	SHLIB=lib$(LIBNAME).sl; \
 	expr $(PLATFORM) : '.*ia64' > /dev/null && SHLIB=lib$(LIBNAME).so; \
 	SHLIB_SUFFIX=; \
-	LIBDEPS="$(LIBDEPS)"; \
 	ALLSYMSFLAGS='-Wl,-Fl'; \
 	NOALLSYMSFLAGS=''; \
 	expr $(PLATFORM) : 'hpux64' > /dev/null && ALLSYMSFLAGS='-Wl,+forceload'; \
-	SHAREDFLAGS="$(CFLAGS) -Wl,-B,symbolic,+vnocompatwarnings,-z,+s,+cdp,../:,+cdp,./:,+h,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX,+b,$(LIBRPATH)"; \
-	SHAREDCMD='$(CC)'; \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-B,symbolic,+vnocompatwarnings,-z,+s,+h,$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
 	fi; \
+	rm -f $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX || :; \
 	$(LINK_SO_A) && chmod a=rx $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX
 link_app.hpux:
 	@if ${DETECT_GNU_LD}; then $(DO_GNU_APP); else \
-	LDCMD=$(CC);\
 	LDFLAGS="$(CFLAGS) -Wl,+s,+cdp,../:,+cdp,./:,+b,$(LIBRPATH)"; \
-	LIBDEPS="$(LIBDEPS)"; \
-	APPNAME="$(APPNAME)"; \
 	fi; \
 	$(LINK_APP)

@@ -671,11 +484,9 @@ link_o.aix:
 	OBJECT_MODE=$${OBJECT_MODE:-32}; export OBJECT_MODE; \
 	SHLIB=lib$(LIBNAME).so; \
 	SHLIB_SUFFIX=; \
-	LIBDEPS="$(LIBDEPS)"; \
 	ALLSYMSFLAGS='-bnogc'; \
 	NOALLSYMSFLAGS=''; \
-	SHAREDFLAGS='$(CFLAGS) -G -bE:lib$(LIBNAME).exp -bM:SRE -blibpath:$(LIBRPATH)'; \
-	SHAREDCMD='$(CC)'; \
+	SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -G -bE:lib$(LIBNAME).exp -bM:SRE'; \
 	$(LINK_SO_O); rm -rf lib$(LIBNAME).exp
 link_a.aix:
 	@ $(CALC_VERSIONS); \
@@ -683,44 +494,31 @@ link_a.aix:
 	OBJECT_MODE=$${OBJECT_MODE:-32}; export OBJECT_MODE; \
 	SHLIB=lib$(LIBNAME).so; \
 	SHLIB_SUFFIX=; \
-	LIBDEPS="$(LIBDEPS)"; \
 	ALLSYMSFLAGS='-bnogc'; \
 	NOALLSYMSFLAGS=''; \
-	SHAREDFLAGS='$(CFLAGS) -G -bE:lib$(LIBNAME).exp -bM:SRE -blibpath:$(LIBRPATH)'; \
-	SHAREDCMD='$(CC)'; \
+	SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -G -bE:lib$(LIBNAME).exp -bM:SRE'; \
 	$(LINK_SO_A_VIA_O)
 link_app.aix:
-	LDCMD=$(CC);\
 	LDFLAGS="$(CFLAGS) -blibpath:$(LIBRPATH)"; \
-	LIBDEPS="$(LIBDEPS)"; \
-	APPNAME="$(APPNAME)"
 	$(LINK_APP)

 link_o.reliantunix:
 	@ $(CALC_VERSIONS); \
 	SHLIB=lib$(LIBNAME).so; \
 	SHLIB_SUFFIX=; \
-	LIBDEPS="$(LIBDEPS)"; \
 	ALLSYMSFLAGS=; \
 	NOALLSYMSFLAGS=''; \
 	SHAREDFLAGS='$(CFLAGS) -G'; \
-	SHAREDCMD='$(CC)'; \
 	$(LINK_SO_O)
 link_a.reliantunix:
 	@ $(CALC_VERSIONS); \
 	SHLIB=lib$(LIBNAME).so; \
 	SHLIB_SUFFIX=; \
-	LIBDEPS="$(LIBDEPS)"; \
 	ALLSYMSFLAGS=; \
 	NOALLSYMSFLAGS=''; \
 	SHAREDFLAGS='$(CFLAGS) -G'; \
-	SHAREDCMD='$(CC)'; \
 	$(LINK_SO_A_UNPACKED)
 link_app.reliantunix:
-	LDCMD=$(CC);\
-	LDFLAGS="$(CFLAGS)"; \
-	LIBDEPS="$(LIBDEPS)"; \
-	APPNAME="$(APPNAME)"
 	$(LINK_APP)

 # Targets to build symbolic links when needed
--- a/79
+++ b/79
@@ -5,6 +5,85 @@
  This file gives a brief overview of the major changes between each OpenSSL
  release. For more details please read the CHANGES file.

+  Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a:
+
+      o Fix potential SSL 2.0 rollback, CAN-2005-2969
+      o Extended Windows CE support
+
+  Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8:
+
+      o Major work on the BIGNUM library for higher efficiency and to
+        make operations more streamlined and less contradictory.  This
+        is the result of a major audit of the BIGNUM library.
+      o Addition of BIGNUM functions for fields GF(2^m) and NIST
+        curves, to support the Elliptic Crypto functions.
+      o Major work on Elliptic Crypto; ECDH and ECDSA added, including
+        the use through EVP, X509 and ENGINE.
+      o New ASN.1 mini-compiler that's usable through the OpenSSL
+        configuration file.
+      o Added support for ASN.1 indefinite length constructed encoding.
+      o New PKCS#12 'medium level' API to manipulate PKCS#12 files.
+      o Complete rework of shared library construction and linking
+        programs with shared or static libraries, through a separate
+        Makefile.shared.
+      o Rework of the passing of parameters from one Makefile to another.
+      o Changed ENGINE framework to load dynamic engine modules
+        automatically from specifically given directories.
+      o New structure and ASN.1 functions for CertificatePair.
+      o Changed the ZLIB compression method to be stateful.
+      o Changed the key-generation and primality testing "progress"
+        mechanism to take a structure that contains the ticker
+        function and an argument.
+      o New engine module: GMP (performs private key exponentiation).
+      o New engine module: VIA PadLOck ACE extension in VIA C3
+        Nehemiah processors.
+      o Added support for IPv6 addresses in certificate extensions.
+        See RFC 1884, section 2.2.
+      o Added support for certificate policy mappings, policy
+        constraints and name constraints.
+      o Added support for multi-valued AVAs in the OpenSSL
+        configuration file.
+      o Added support for multiple certificates with the same subject
+        in the 'openssl ca' index file.
+      o Make it possible to create self-signed certificates using
+        'openssl ca -selfsign'.
+      o Make it possible to generate a serial number file with
+        'openssl ca -create_serial'.
+      o New binary search functions with extended functionality.
+      o New BUF functions.
+      o New STORE structure and library to provide an interface to all
+        sorts of data repositories.  Supports storage of public and
+        private keys, certificates, CRLs, numbers and arbitrary blobs.
+	This library is unfortunately unfinished and unused withing
+	OpenSSL.
+      o New control functions for the error stack.
+      o Changed the PKCS#7 library to support one-pass S/MIME
+        processing.
+      o Added the possibility to compile without old deprecated
+        functionality with the OPENSSL_NO_DEPRECATED macro or the
+        'no-deprecated' argument to the config and Configure scripts.
+      o Constification of all ASN.1 conversion functions, and other
+        affected functions.
+      o Improved platform support for PowerPC.
+      o New FIPS 180-2 algorithms (SHA-224, -256, -384 and -512).
+      o New X509_VERIFY_PARAM structure to support parametrisation
+        of X.509 path validation.
+      o Major overhaul of RC4 performance on Intel P4, IA-64 and
+        AMD64.
+      o Changed the Configure script to have some algorithms disabled
+        by default.  Those can be explicitely enabled with the new
+        argument form 'enable-xxx'.
+      o Change the default digest in 'openssl' commands from MD5 to
+        SHA-1.
+      o Added support for DTLS.
+      o New BIGNUM blinding.
+      o Added support for the RSA-PSS encryption scheme
+      o Added support for the RSA X.931 padding.
+      o Added support for BSD sockets on NetWare.
+      o Added support for files larger than 2GB.
+      o Added initial support for Win64.
+      o Added alternate pkg-config files.
+
  Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g:

      o More compilation issues fixed.
--- a/Netware/build.bat
+++ b/Netware/build.bat
@@ -6,14 +6,15 @@ rem
 rem   usage:
 rem      build [target] [debug opts] [assembly opts] [configure opts]
 rem
-rem      target        - "netware-clib" - CLib NetWare build
-rem                    - "netware-libc" - LibC NKS NetWare build
+rem      target        - "netware-clib" - CLib NetWare build (WinSock Sockets)
+rem                    - "netware-libc" - LibC NKS NetWare build (WinSock Sockets)
+rem                    - "netware-libc-bsdsock" - LibC NKS NetWare build (BSD Sockets)
 rem 
 rem      debug opts    - "debug"  - build debug
 rem
 rem      assembly opts - "nw-mwasm" - use Metrowerks assembler
-rem      "nw-nasm"  - use NASM assembler
-rem      "no-asm"   - don't use assembly
+rem                    - "nw-nasm"  - use NASM assembler
+rem                    - "no-asm"   - don't use assembly
 rem
 rem      configure opts- all unrecognized arguments are passed to the
 rem                       perl configure script
@@ -76,6 +77,8 @@ if "%1" == "netware-clib" set BLD_TARGET=netware-clib
 if "%1" == "netware-clib" set ARG_PROCESSED=YES
 if "%1" == "netware-libc" set BLD_TARGET=netware-libc
 if "%1" == "netware-libc" set ARG_PROCESSED=YES
+if "%1" == "netware-libc-bsdsock" set BLD_TARGET=netware-libc-bsdsock
+if "%1" == "netware-libc-bsdsock" set ARG_PROCESSED=YES

 rem   If we didn't recognize the argument, consider it an option for config
 if "%ARG_PROCESSED%" == "NO" set CONFIG_OPTS=%CONFIG_OPTS% %1
@@ -92,6 +95,7 @@ rem build the nlm make file name which includes target and debug info
 set NLM_MAKE=
 if "%BLD_TARGET%" == "netware-clib" set NLM_MAKE=netware\nlm_clib
 if "%BLD_TARGET%" == "netware-libc" set NLM_MAKE=netware\nlm_libc
+if "%BLD_TARGET%" == "netware-libc-bsdsock" set NLM_MAKE=netware\nlm_libc_bsdsock
 if "%DEBUG%" == "" set NLM_MAKE=%NLM_MAKE%.mak
 if "%DEBUG%" == "debug" set NLM_MAKE=%NLM_MAKE%_dbg.mak

@@ -184,8 +188,9 @@ echo .  No build target specified!!!
 echo .
 echo .  usage: build [target] [debug opts] [assembly opts] [configure opts]
 echo .
-echo .     target        - "netware-clib" - CLib NetWare build
-echo .                   - "netware-libc" - LibC NKS NetWare build
+echo .     target        - "netware-clib" - CLib NetWare build (WinSock Sockets)
+echo .                   - "netware-libc" - LibC NKS NetWare build (WinSock Sockets)
+echo .                   - "netware-libc-bsdsock" - LibC NKS NetWare build (BSD Sockets)
 echo .
 echo .     debug opts    - "debug"  - build debug
 echo .
--- a/Netware/do_tests.pl
+++ b/Netware/do_tests.pl
@@ -42,8 +42,8 @@ sub main()
   encryption_tests();
   pem_tests();
   verify_tests();
-   ssl_tests();
   ca_tests();
+   ssl_tests();

   close(OUT);

@@ -66,12 +66,19 @@ sub algorithm_tests
   print( OUT "CRYPTO ALGORITHM TESTS:\n\n");

   foreach $i (@tests)
+   {
+      if (-e "$base_path\\$i.nlm")
 	  {
         $outFile = "$output_path\\$i.out";
         system("$i > $outFile");
         log_desc("Test: $i\.nlm:");
         log_output("", $outFile );
 	  }
+	  else
+	  {
+         log_desc("Test: $i\.nlm: file not found");
+	  }
+   }
 }

 ############################################################################
@@ -246,61 +253,63 @@ sub verify_tests
 sub ssl_tests
 {
   my $outFile = "$output_path\\ssl_tst.out";
+   my($CAcert) = "$output_path\\certCA.ss";
+   my($Ukey)   = "$output_path\\keyU.ss";
+   my($Ucert)  = "$output_path\\certU.ss";
+   my($ssltest)= "ssltest -key $Ukey -cert $Ucert -c_key $Ukey -c_cert $Ucert -CAfile $CAcert";

   print( "\nRUNNING SSL TESTS:\n\n");

   print( OUT "\n========================================================\n");
   print( OUT "SSL TESTS:\n\n");

-   make_tmp_cert_file();
-
   system("ssltest -ssl2 >$outFile");
   log_desc("Testing sslv2:");
   log_output("ssltest -ssl2", $outFile);

-   system("ssltest -ssl2 -server_auth -CAfile $tmp_cert >$outFile");
+   system("$ssltest -ssl2 -server_auth >$outFile");
   log_desc("Testing sslv2 with server authentication:");
-   log_output("ssltest -ssl2 -server_auth -CAfile $tmp_cert", $outFile);
+   log_output("$ssltest -ssl2 -server_auth", $outFile);

-   system("ssltest -ssl2 -client_auth -CAfile $tmp_cert >$outFile");
+   system("$ssltest -ssl2 -client_auth >$outFile");
   log_desc("Testing sslv2 with client authentication:");
-   log_output("ssltest -ssl2 -client_auth -CAfile $tmp_cert", $outFile);
+   log_output("$ssltest -ssl2 -client_auth", $outFile);

-   system("ssltest -ssl2 -server_auth -client_auth -CAfile $tmp_cert >$outFile");
+   system("$ssltest -ssl2 -server_auth -client_auth >$outFile");
   log_desc("Testing sslv2 with both client and server authentication:");
-   log_output("ssltest -ssl2 -server_auth -client_auth -CAfile $tmp_cert", $outFile);
+   log_output("$ssltest -ssl2 -server_auth -client_auth", $outFile);

   system("ssltest -ssl3 >$outFile");
   log_desc("Testing sslv3:");
   log_output("ssltest -ssl3", $outFile);

-   system("ssltest -ssl3 -server_auth -CAfile $tmp_cert >$outFile");
+   system("$ssltest -ssl3 -server_auth >$outFile");
   log_desc("Testing sslv3 with server authentication:");
-   log_output("ssltest -ssl3 -server_auth -CAfile $tmp_cert", $outFile);
+   log_output("$ssltest -ssl3 -server_auth", $outFile);

-   system("ssltest -ssl3 -client_auth -CAfile $tmp_cert >$outFile");
+   system("$ssltest -ssl3 -client_auth >$outFile");
   log_desc("Testing sslv3 with client authentication:");
-   log_output("ssltest -ssl3 -client_auth -CAfile $tmp_cert", $outFile);
+   log_output("$ssltest -ssl3 -client_auth", $outFile);

-   system("ssltest -ssl3 -server_auth -client_auth -CAfile $tmp_cert >$outFile");
+   system("$ssltest -ssl3 -server_auth -client_auth >$outFile");
   log_desc("Testing sslv3 with both client and server authentication:");
-   log_output("ssltest -ssl3 -server_auth -client_auth -CAfile $tmp_cert", $outFile);
+   log_output("$ssltest -ssl3 -server_auth -client_auth", $outFile);

   system("ssltest >$outFile");
   log_desc("Testing sslv2/sslv3:");
   log_output("ssltest", $outFile);

-   system("ssltest -server_auth -CAfile $tmp_cert >$outFile");
+   system("$ssltest -server_auth >$outFile");
   log_desc("Testing sslv2/sslv3 with server authentication:");
-   log_output("ssltest -server_auth -CAfile $tmp_cert", $outFile);
+   log_output("$ssltest -server_auth", $outFile);

-   system("ssltest -client_auth -CAfile $tmp_cert >$outFile");
+   system("$ssltest -client_auth >$outFile");
   log_desc("Testing sslv2/sslv3 with client authentication:");
-   log_output("ssltest -client_auth -CAfile $tmp_cert", $outFile);
+   log_output("$ssltest -client_auth ", $outFile);

-   system("ssltest -server_auth -client_auth -CAfile $tmp_cert >$outFile");
+   system("$ssltest -server_auth -client_auth >$outFile");
   log_desc("Testing sslv2/sslv3 with both client and server authentication:");
-   log_output("ssltest -server_auth -client_auth -CAfile $tmp_cert", $outFile);
+   log_output("$ssltest -server_auth -client_auth", $outFile);

   system("ssltest -bio_pair -ssl2 >$outFile");
   log_desc("Testing sslv2 via BIO pair:");
@@ -310,49 +319,49 @@ sub ssl_tests
   log_desc("Testing sslv2/sslv3 with 1024 bit DHE via BIO pair:");
   log_output("ssltest -bio_pair -dhe1024dsa -v", $outFile);

-   system("ssltest -bio_pair -ssl2 -server_auth -CAfile $tmp_cert >$outFile");
+   system("$ssltest -bio_pair -ssl2 -server_auth >$outFile");
   log_desc("Testing sslv2 with server authentication via BIO pair:");
-   log_output("ssltest -bio_pair -ssl2 -server_auth -CAfile $tmp_cert", $outFile);
+   log_output("$ssltest -bio_pair -ssl2 -server_auth", $outFile);

-   system("ssltest -bio_pair -ssl2 -client_auth -CAfile $tmp_cert >$outFile");
+   system("$ssltest -bio_pair -ssl2 -client_auth >$outFile");
   log_desc("Testing sslv2 with client authentication via BIO pair:");
-   log_output("ssltest -bio_pair -ssl2 -client_auth -CAfile $tmp_cert", $outFile);
+   log_output("$ssltest -bio_pair -ssl2 -client_auth", $outFile);

-   system("ssltest -bio_pair -ssl2 -server_auth -client_auth -CAfile $tmp_cert >$outFile");
+   system("$ssltest -bio_pair -ssl2 -server_auth -client_auth >$outFile");
   log_desc("Testing sslv2 with both client and server authentication via BIO pair:");
-   log_output("ssltest -bio_pair -ssl2 -server_auth -client_auth -CAfile $tmp_cert", $outFile);
+   log_output("$ssltest -bio_pair -ssl2 -server_auth -client_auth", $outFile);

   system("ssltest -bio_pair -ssl3 >$outFile");
   log_desc("Testing sslv3 via BIO pair:");
   log_output("ssltest -bio_pair -ssl3", $outFile);

-   system("ssltest -bio_pair -ssl3 -server_auth -CAfile $tmp_cert >$outFile");
+   system("$ssltest -bio_pair -ssl3 -server_auth >$outFile");
   log_desc("Testing sslv3 with server authentication via BIO pair:");
-   log_output("ssltest -bio_pair -ssl3 -server_auth -CAfile $tmp_cert", $outFile);
+   log_output("$ssltest -bio_pair -ssl3 -server_auth", $outFile);

-   system("ssltest -bio_pair -ssl3 -client_auth -CAfile $tmp_cert >$outFile");
+   system("$ssltest -bio_pair -ssl3 -client_auth >$outFile");
   log_desc("Testing sslv3 with client authentication  via BIO pair:");
-   log_output("ssltest -bio_pair -ssl3 -client_auth -CAfile $tmp_cert", $outFile);
+   log_output("$ssltest -bio_pair -ssl3 -client_auth", $outFile);

-   system("ssltest -bio_pair -ssl3 -server_auth -client_auth -CAfile $tmp_cert >$outFile");
+   system("$ssltest -bio_pair -ssl3 -server_auth -client_auth >$outFile");
   log_desc("Testing sslv3 with both client and server authentication via BIO pair:");
-   log_output("ssltest -bio_pair -ssl3 -server_auth -client_auth -CAfile $tmp_cert", $outFile);
+   log_output("$ssltest -bio_pair -ssl3 -server_auth -client_auth", $outFile);

   system("ssltest -bio_pair >$outFile");
   log_desc("Testing sslv2/sslv3 via BIO pair:");
   log_output("ssltest -bio_pair", $outFile);

-   system("ssltest -bio_pair -server_auth -CAfile $tmp_cert >$outFile");
+   system("$ssltest -bio_pair -server_auth >$outFile");
   log_desc("Testing sslv2/sslv3 with server authentication via BIO pair:");
-   log_output("ssltest -bio_pair -server_auth -CAfile $tmp_cert", $outFile);
+   log_output("$ssltest -bio_pair -server_auth", $outFile);

-   system("ssltest -bio_pair -client_auth -CAfile $tmp_cert >$outFile");
+   system("$ssltest -bio_pair -client_auth >$outFile");
   log_desc("Testing sslv2/sslv3 with client authentication via BIO pair:");
-   log_output("ssltest -bio_pair -client_auth -CAfile $tmp_cert", $outFile);
+   log_output("$ssltest -bio_pair -client_auth", $outFile);

-   system("ssltest -bio_pair -server_auth -client_auth -CAfile $tmp_cert >$outFile");
+   system("$ssltest -bio_pair -server_auth -client_auth >$outFile");
   log_desc("Testing sslv2/sslv3 with both client and server authentication via BIO pair:");
-   log_output("ssltest -bio_pair -server_auth -client_auth -CAfile $tmp_cert", $outFile);
+   log_output("$ssltest -bio_pair -server_auth -client_auth", $outFile);
 }


--- a/93
+++ b/93
@@ -12,8 +12,8 @@ along the whole library path before it bothers looking for .a libraries.  This
 means that -L switches won't matter unless OpenSSL is built with shared
 library support.

-The workaround may be to change the following lines in apps/Makefile.ssl and
-test/Makefile.ssl:
+The workaround may be to change the following lines in apps/Makefile and
+test/Makefile:

  LIBCRYPTO=-L.. -lcrypto
  LIBSSL=-L.. -lssl
@@ -48,20 +48,34 @@ will interfere with each other and lead to test failure.
 The solution is simple for now: don't run parallell make when testing.


-* Bugs in gcc 3.0 triggered
+* Bugs in gcc triggered

-According to a problem report, there are bugs in gcc 3.0 that are
-triggered by some of the code in OpenSSL, more specifically in
-PEM_get_EVP_CIPHER_INFO().  The triggering code is the following:
+- According to a problem report, there are bugs in gcc 3.0 that are
+  triggered by some of the code in OpenSSL, more specifically in
+  PEM_get_EVP_CIPHER_INFO().  The triggering code is the following:

 	header+=11;
 	if (*header != '4') return(0); header++;
 	if (*header != ',') return(0); header++;

-What happens is that gcc might optimize a little too agressively, and
-you end up with an extra incrementation when *header != '4'.
+  What happens is that gcc might optimize a little too agressively, and
+  you end up with an extra incrementation when *header != '4'.

-We recommend that you upgrade gcc to as high a 3.x version as you can.
+  We recommend that you upgrade gcc to as high a 3.x version as you can.
+
+- According to multiple problem reports, some of our message digest
+  implementations trigger bug[s] in code optimizer in gcc 3.3 for sparc64
+  and gcc 2.96 for ppc. Former fails to complete RIPEMD160 test, while
+  latter - SHA one.
+
+  The recomendation is to upgrade your compiler. This naturally applies to
+  other similar cases.
+
+- There is a subtle Solaris x86-specific gcc run-time environment bug, which
+  "falls between" OpenSSL [0.9.8 and later], Solaris ld and GCC. The bug
+  manifests itself as Segmentation Fault upon early application start-up.
+  The problem can be worked around by patching the environment according to
+  http://www.openssl.org/~appro/values.c.

 * solaris64-sparcv9-cc SHA-1 performance with WorkShop 6 compiler.

@@ -120,3 +134,64 @@ Any information helping to solve this issue would be deeply
 appreciated.

 NOTE: building non-shared doesn't come with this problem.
+
+* ULTRIX build fails with shell errors, such as "bad substitution"
+  and "test: argument expected"
+
+The problem is caused by ULTRIX /bin/sh supporting only original
+Bourne shell syntax/semantics, and the trouble is that the vast
+majority is so accustomed to more modern syntax, that very few
+people [if any] would recognize the ancient syntax even as valid.
+This inevitably results in non-trivial scripts breaking on ULTRIX,
+and OpenSSL isn't an exclusion. Fortunately there is workaround,
+hire /bin/ksh to do the job /bin/sh fails to do.
+
+1. Trick make(1) to use /bin/ksh by setting up following environ-
+   ment variables *prior* you execute ./Configure and make:
+
+	PROG_ENV=POSIX
+	MAKESHELL=/bin/ksh
+	export PROG_ENV MAKESHELL
+
+   or if your shell is csh-compatible:
+
+	setenv PROG_ENV POSIX
+	setenv MAKESHELL /bin/ksh
+
+2. Trick /bin/sh to use alternative expression evaluator. Create
+   following 'test' script for example in /tmp:
+
+	#!/bin/ksh
+	${0##*/} "$@"
+
+   Then 'chmod a+x /tmp/test; ln /tmp/test /tmp/[' and *prepend*
+   your $PATH with chosen location, e.g. PATH=/tmp:$PATH. Alter-
+   natively just replace system /bin/test and /bin/[ with the
+   above script.
+
+* hpux64-ia64-cc fails blowfish test.
+
+Compiler bug, presumably at particular patch level. It should be noted
+that same compiler generates correct 32-bit code, a.k.a. hpux-ia64-cc
+target. Drop optimization level to +O2 when compiling 64-bit bf_skey.o.
+
+* no-engines generates errors.
+
+Unfortunately, the 'no-engines' configuration option currently doesn't
+work properly.  Use 'no-hw' and you'll will at least get no hardware
+support.  We'll see how we fix that on OpenSSL versions past 0.9.8.
+
+* 'make test' fails in BN_sqr [commonly with "error 139" denoting SIGSEGV]
+  if elder GNU binutils were deployed to link shared libcrypto.so.
+
+As subject suggests the failure is caused by a bug in elder binutils,
+either as or ld, and was observed on FreeBSD and Linux. There are two
+options. First is naturally to upgrade binutils, the second one - to
+reconfigure with additional no-sse2 [or 386] option passed to ./config.
+
+* If configured with ./config no-dso, toolkit still gets linked with -ldl,
+  which most notably poses a problem when linking with dietlibc.
+
+We don't have framework to associate -ldl with no-dso, therefore the only
+way is to edit Makefile right after ./config no-dso and remove -ldl from
+EX_LIBS line.
--- a/2
+++ b/2
@@ -1,5 +1,5 @@

- OpenSSL 0.9.8-dev XX xxx XXXX
+ OpenSSL 0.9.8a 11 Oct 2005

 Copyright (c) 1998-2005 The OpenSSL Project
 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
--- a/16
+++ b/16
@@ -1,10 +1,13 @@

  OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 2005/04/25 21:42:14 $
+  ______________                           $Date: 2005/10/11 10:16:06 $

  DEVELOPMENT STATE

-    o  OpenSSL 0.9.8:  Under development...
+    o  OpenSSL 0.9.9:  Under development...
+    o  OpenSSL 0.9.8a: Released on October   11th, 2005
+    o  OpenSSL 0.9.8:  Released on July       5th, 2005
+    o  OpenSSL 0.9.7h: Released on October   11th, 2005
    o  OpenSSL 0.9.7g: Released on April     11th, 2005
    o  OpenSSL 0.9.7f: Released on March     22nd, 2005
    o  OpenSSL 0.9.7e: Released on October   25th, 2004
@@ -39,6 +42,7 @@

  RELEASE SHOWSTOPPERS

+    o The Makefiles fail with some SysV makes.
    o 

  AVAILABLE PATCHES
@@ -55,16 +59,8 @@
 	Private key, certificate and CRL API and implementation.
 	Developing and bugfixing PKCS#7 (S/MIME code).
        Various X509 issues: character sets, certificate request extensions.
-    o Geoff and Richard are currently working on:
-	ENGINE (the new code that gives hardware support among others).
    o Richard is currently working on:
-	UI (User Interface)
-	UTIL (a new set of library functions to support some higher level
-	      functionality that is currently missing).
-	Shared library support for VMS.
-	Kerberos 5 authentication (Heimdal)
 	Constification
-	Compression
 	Attribute Certificate support
 	Certificate Pair support
 	Storage Engines (primarly an LDAP storage engine)
--- a/447
+++ b/447
@@ -1,32 +1,5 @@
 Output of `Configure TABLE':

-*** BC-16
-$cc           = bcc
-$cflags       = 
-$unistd       = 
-$thread_cflag = (unknown)
-$sys_id       = WIN16
-$lflags       = 
-$bn_ops       = BN_LLONG DES_PTR RC4_INDEX SIXTEEN_BIT
-$cpuid_obj    = 
-$bn_obj       = 
-$des_obj      = 
-$aes_obj      = 
-$bf_obj       = 
-$md5_obj      = 
-$sha1_obj     = 
-$cast_obj     = 
-$rc4_obj      = 
-$rmd160_obj   = 
-$rc5_obj      = 
-$dso_scheme   = 
-$shared_target= 
-$shared_cflag = 
-$shared_ldflag = 
-$shared_extension = 
-$ranlib       = 
-$arflags      = 
-
 *** BC-32
 $cc           = bcc32
 $cflags       = 
@@ -144,7 +117,7 @@ $sys_id       =
 $lflags       = 
 $bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK
 $cpuid_obj    = 
-$bn_obj       = ia64.o
+$bn_obj       = bn-ia64.o
 $des_obj      = 
 $aes_obj      = aes_core.o aes_cbc.o aes-ia64.o
 $bf_obj       = 
@@ -353,7 +326,7 @@ $arflags      =

 *** DJGPP
 $cc           = gcc
-$cflags       = -I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall -DDEVRANDOM="/dev/urandom\x24"
+$cflags       = -I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall
 $unistd       = 
 $thread_cflag = 
 $sys_id       = MSDOS
@@ -459,60 +432,6 @@ $shared_extension =
 $ranlib       = 
 $arflags      = 

-*** OpenUNIX-8
-$cc           = cc
-$cflags       = -O -DFILIO_H -Kalloca
-$unistd       = 
-$thread_cflag = -Kthread
-$sys_id       = 
-$lflags       = -lsocket -lnsl
-$bn_ops       = BN_LLONG MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL
-$cpuid_obj    = x86cpuid-elf.o
-$bn_obj       = bn86-elf.o co86-elf.o
-$des_obj      = dx86-elf.o yx86-elf.o
-$aes_obj      = ax86-elf.o
-$bf_obj       = bx86-elf.o
-$md5_obj      = mx86-elf.o
-$sha1_obj     = sx86-elf.o s512sse2-elf.o
-$cast_obj     = cx86-elf.o
-$rc4_obj      = rx86-elf.o
-$rmd160_obj   = rm86-elf.o
-$rc5_obj      = r586-elf.o
-$dso_scheme   = dlfcn
-$shared_target= svr5-shared
-$shared_cflag = -Kpic
-$shared_ldflag = 
-$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
-$ranlib       = 
-$arflags      = 
-
-*** OpenUNIX-8-gcc
-$cc           = gcc
-$cflags       = -O -DFILIO_H -fomit-frame-pointer
-$unistd       = 
-$thread_cflag = -pthread
-$sys_id       = 
-$lflags       = -lsocket -lnsl
-$bn_ops       = BN_LLONG MD2_CHAR RC4_INDEX DES_PTR DES_RISC1 DES_UNROLL
-$cpuid_obj    = x86cpuid-elf.o
-$bn_obj       = bn86-elf.o co86-elf.o
-$des_obj      = dx86-elf.o yx86-elf.o
-$aes_obj      = ax86-elf.o
-$bf_obj       = bx86-elf.o
-$md5_obj      = mx86-elf.o
-$sha1_obj     = sx86-elf.o s512sse2-elf.o
-$cast_obj     = cx86-elf.o
-$rc4_obj      = rx86-elf.o
-$rmd160_obj   = rm86-elf.o
-$rc5_obj      = r586-elf.o
-$dso_scheme   = dlfcn
-$shared_target= svr5-shared
-$shared_cflag = -fPIC
-$shared_ldflag = 
-$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
-$ranlib       = 
-$arflags      = 
-
 *** ReliantUNIX
 $cc           = cc
 $cflags       = -KPIC -g -DTERMIOS -DB_ENDIAN
@@ -648,33 +567,6 @@ $shared_extension =
 $ranlib       = 
 $arflags      = 

-*** VC-MSDOS
-$cc           = cl
-$cflags       = 
-$unistd       = 
-$thread_cflag = (unknown)
-$sys_id       = MSDOS
-$lflags       = 
-$bn_ops       = BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT
-$cpuid_obj    = 
-$bn_obj       = 
-$des_obj      = 
-$aes_obj      = 
-$bf_obj       = 
-$md5_obj      = 
-$sha1_obj     = 
-$cast_obj     = 
-$rc4_obj      = 
-$rmd160_obj   = 
-$rc5_obj      = 
-$dso_scheme   = 
-$shared_target= 
-$shared_cflag = 
-$shared_ldflag = 
-$shared_extension = 
-$ranlib       = 
-$arflags      = 
-
 *** VC-NT
 $cc           = cl
 $cflags       = 
@@ -702,87 +594,6 @@ $shared_extension =
 $ranlib       = 
 $arflags      = 

-*** VC-W31-16
-$cc           = cl
-$cflags       = 
-$unistd       = 
-$thread_cflag = (unknown)
-$sys_id       = WIN16
-$lflags       = 
-$bn_ops       = BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT
-$cpuid_obj    = 
-$bn_obj       = 
-$des_obj      = 
-$aes_obj      = 
-$bf_obj       = 
-$md5_obj      = 
-$sha1_obj     = 
-$cast_obj     = 
-$rc4_obj      = 
-$rmd160_obj   = 
-$rc5_obj      = 
-$dso_scheme   = 
-$shared_target= 
-$shared_cflag = 
-$shared_ldflag = 
-$shared_extension = 
-$ranlib       = 
-$arflags      = 
-
-*** VC-W31-32
-$cc           = cl
-$cflags       = 
-$unistd       = 
-$thread_cflag = 
-$sys_id       = WIN16
-$lflags       = 
-$bn_ops       = BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT
-$cpuid_obj    = 
-$bn_obj       = 
-$des_obj      = 
-$aes_obj      = 
-$bf_obj       = 
-$md5_obj      = 
-$sha1_obj     = 
-$cast_obj     = 
-$rc4_obj      = 
-$rmd160_obj   = 
-$rc5_obj      = 
-$dso_scheme   = 
-$shared_target= 
-$shared_cflag = 
-$shared_ldflag = 
-$shared_extension = 
-$ranlib       = 
-$arflags      = 
-
-*** VC-WIN16
-$cc           = cl
-$cflags       = 
-$unistd       = 
-$thread_cflag = (unknown)
-$sys_id       = WIN16
-$lflags       = 
-$bn_ops       = MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT
-$cpuid_obj    = 
-$bn_obj       = 
-$des_obj      = 
-$aes_obj      = 
-$bf_obj       = 
-$md5_obj      = 
-$sha1_obj     = 
-$cast_obj     = 
-$rc4_obj      = 
-$rmd160_obj   = 
-$rc5_obj      = 
-$dso_scheme   = 
-$shared_target= 
-$shared_cflag = 
-$shared_ldflag = 
-$shared_extension = 
-$ranlib       = 
-$arflags      = 
-
 *** VC-WIN32
 $cc           = cl
 $cflags       = 
@@ -817,7 +628,7 @@ $unistd       =
 $thread_cflag = 
 $sys_id       = WIN64A
 $lflags       = 
-$bn_ops       = SIXTY_FOUR_BIT EXPORT_VAR_AS_FN
+$bn_ops       = SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN
 $cpuid_obj    = 
 $bn_obj       = 
 $des_obj      = 
@@ -844,7 +655,7 @@ $unistd       =
 $thread_cflag = 
 $sys_id       = WIN64I
 $lflags       = 
-$bn_ops       = SIXTY_FOUR_BIT EXPORT_VAR_AS_FN
+$bn_ops       = SIXTY_FOUR_BIT RC4_CHUNK_LL DES_INT EXPORT_VAR_AS_FN
 $cpuid_obj    = 
 $bn_obj       = 
 $des_obj      = 
@@ -972,33 +783,6 @@ $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = -X 64

-*** alpha-cc-rpath
-$cc           = cc
-$cflags       = -std1 -tune host -fast -readonly_strings
-$unistd       = 
-$thread_cflag = -pthread
-$sys_id       = 
-$lflags       = 
-$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK
-$cpuid_obj    = 
-$bn_obj       = 
-$des_obj      = 
-$aes_obj      = 
-$bf_obj       = 
-$md5_obj      = 
-$sha1_obj     = 
-$cast_obj     = 
-$rc4_obj      = 
-$rmd160_obj   = 
-$rc5_obj      = 
-$dso_scheme   = dlfcn
-$shared_target= tru64-shared-rpath
-$shared_cflag = 
-$shared_ldflag = 
-$shared_extension = .so
-$ranlib       = 
-$arflags      = 
-
 *** aux3-gcc
 $cc           = gcc
 $cflags       = -O2 -DTERMIO
@@ -1028,7 +812,7 @@ $arflags      =

 *** bsdi-elf-gcc
 $cc           = gcc
-$cflags       = -DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall
+$cflags       = -DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall
 $unistd       = 
 $thread_cflag = (unknown)
 $sys_id       = 
@@ -1156,7 +940,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= darwin-shared
 $shared_cflag = -fPIC
-$shared_ldflag = 
+$shared_ldflag = -dunamiclib
 $shared_extension = .$(SHLIB_MAJOR).$(SHLIB_MINOR).dylib
 $ranlib       = 
 $arflags      = 
@@ -1167,7 +951,7 @@ $cflags       = -O3 -DB_ENDIAN
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = MACOSX
-$lflags       = 
+$lflags       = -Wl,-search_paths_first
 $bn_ops       = BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR
 $cpuid_obj    = 
 $bn_obj       = osx_ppc32.o
@@ -1183,7 +967,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= darwin-shared
 $shared_cflag = -fPIC -fno-common
-$shared_ldflag = 
+$shared_ldflag = -dynamiclib
 $shared_extension = .$(SHLIB_MAJOR).$(SHLIB_MINOR).dylib
 $ranlib       = 
 $arflags      = 
@@ -1244,7 +1028,7 @@ $arflags      =

 *** debug-Cygwin
 $cc           = gcc
-$cflags       = -DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror
+$cflags       = -DTERMIOS -DL_ENDIAN -march=i486 -Wall -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -g -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror
 $unistd       = 
 $thread_cflag = 
 $sys_id       = CYGWIN32
@@ -1453,7 +1237,7 @@ $rc5_obj      =
 $dso_scheme   = 
 $shared_target= darwin-shared
 $shared_cflag = -fPIC
-$shared_ldflag = 
+$shared_ldflag = -dynamiclib
 $shared_extension = .$(SHLIB_MAJOR).$(SHLIB_MINOR).dylib
 $ranlib       = 
 $arflags      = 
@@ -1595,7 +1379,7 @@ $arflags      =

 *** debug-linux-elf
 $cc           = gcc
-$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall
+$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -march=i486 -Wall
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -1622,7 +1406,7 @@ $arflags      =

 *** debug-linux-elf-noefence
 $cc           = gcc
-$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall
+$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -march=i486 -Wall
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -1649,7 +1433,7 @@ $arflags      =

 *** debug-linux-pentium
 $cc           = gcc
-$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentium -Wall
+$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentium -Wall
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -1676,7 +1460,7 @@ $arflags      =

 *** debug-linux-ppro
 $cc           = gcc
-$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentiumpro -Wall
+$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentiumpro -Wall
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -1730,7 +1514,7 @@ $arflags      =

 *** debug-solaris-sparcv8-cc
 $cc           = cc
-$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W
+$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -1757,7 +1541,7 @@ $arflags      =

 *** debug-solaris-sparcv8-gcc
 $cc           = gcc
-$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN
+$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -1784,7 +1568,7 @@ $arflags      =

 *** debug-solaris-sparcv9-cc
 $cc           = cc
-$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W
+$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = ULTRASPARC
@@ -1811,7 +1595,7 @@ $arflags      =

 *** debug-solaris-sparcv9-gcc
 $cc           = gcc
-$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -O -g -mcpu=ultrasparc -pedantic -ansi -Wall -Wshadow -Wno-long-long -D__EXTENSIONS__ -DB_ENDIAN -DBN_DIV2W
+$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -O -g -mcpu=ultrasparc -pedantic -ansi -Wall -Wshadow -Wno-long-long -D__EXTENSIONS__ -DB_ENDIAN -DBN_DIV2W
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = ULTRASPARC
@@ -1919,7 +1703,7 @@ $arflags      =

 *** debug-vos-gcc
 $cc           = gcc
-$cflags       = -b hppa1.1-stratus-vos -O0 -g -Wall -D_POSIX_C_SOURCE=200112L -D_BSD -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG
+$cflags       = -O0 -g -Wall -D_POSIX_C_SOURCE=200112L -D_BSD -DB_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG
 $unistd       = 
 $thread_cflag = (unknown)
 $sys_id       = VOS
@@ -1944,33 +1728,6 @@ $shared_extension = .so
 $ranlib       = 
 $arflags      = 

-*** debug-vos-vcc
-$cc           = vcc
-$cflags       = -b i386-stratus-vos -O0 -g -D_POSIX_C_SOURCE=200112L -D_BSD -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG
-$unistd       = 
-$thread_cflag = (unknown)
-$sys_id       = VOS
-$lflags       = -Wl,-map
-$bn_ops       = 
-$cpuid_obj    = 
-$bn_obj       = 
-$des_obj      = 
-$aes_obj      = 
-$bf_obj       = 
-$md5_obj      = 
-$sha1_obj     = 
-$cast_obj     = 
-$rc4_obj      = 
-$rmd160_obj   = 
-$rc5_obj      = 
-$dso_scheme   = 
-$shared_target= 
-$shared_cflag = 
-$shared_ldflag = 
-$shared_extension = .so
-$ranlib       = 
-$arflags      = 
-
 *** dgux-R3-gcc
 $cc           = gcc
 $cflags       = -O3 -fomit-frame-pointer
@@ -2169,7 +1926,7 @@ $sys_id       =
 $lflags       = -ldl
 $bn_ops       = SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT
 $cpuid_obj    = 
-$bn_obj       = ia64.o
+$bn_obj       = bn-ia64.o
 $des_obj      = 
 $aes_obj      = aes_core.o aes_cbc.o aes-ia64.o
 $bf_obj       = 
@@ -2196,7 +1953,7 @@ $sys_id       =
 $lflags       = -ldl
 $bn_ops       = SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT
 $cpuid_obj    = 
-$bn_obj       = ia64.o
+$bn_obj       = bn-ia64.o
 $des_obj      = 
 $aes_obj      = aes-ia64.o
 $bf_obj       = 
@@ -2385,7 +2142,7 @@ $sys_id       =
 $lflags       = -ldl
 $bn_ops       = SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT
 $cpuid_obj    = 
-$bn_obj       = ia64.o
+$bn_obj       = bn-ia64.o
 $des_obj      = 
 $aes_obj      = aes_core.o aes_cbc.o aes-ia64.o
 $bf_obj       = 
@@ -2412,7 +2169,7 @@ $sys_id       =
 $lflags       = -ldl
 $bn_ops       = SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX DES_UNROLL DES_RISC1 DES_INT
 $cpuid_obj    = 
-$bn_obj       = ia64.o
+$bn_obj       = bn-ia64.o
 $des_obj      = 
 $aes_obj      = aes_core.o aes_cbc.o aes-ia64.o
 $bf_obj       = 
@@ -2486,7 +2243,7 @@ $arflags      =

 *** hurd-x86
 $cc           = gcc
-$cflags       = -DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall
+$cflags       = -DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -march=i486 -Wall
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -2574,7 +2331,7 @@ $sys_id       =
 $lflags       = 
 $bn_ops       = DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT
 $cpuid_obj    = 
-$bn_obj       = mips3.o
+$bn_obj       = bn-mips3.o
 $des_obj      = 
 $aes_obj      = 
 $bf_obj       = 
@@ -2594,14 +2351,14 @@ $arflags      =

 *** irix-mips3-gcc
 $cc           = gcc
-$cflags       = -mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W
+$cflags       = -mabi=n32 -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W
 $unistd       = 
 $thread_cflag = -D_SGI_MP_SOURCE
 $sys_id       = 
 $lflags       = 
 $bn_ops       = MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT
 $cpuid_obj    = 
-$bn_obj       = mips3.o
+$bn_obj       = bn-mips3.o
 $des_obj      = 
 $aes_obj      = 
 $bf_obj       = 
@@ -2628,7 +2385,7 @@ $sys_id       =
 $lflags       = 
 $bn_ops       = RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG
 $cpuid_obj    = 
-$bn_obj       = mips3.o
+$bn_obj       = bn-mips3.o
 $des_obj      = 
 $aes_obj      = 
 $bf_obj       = 
@@ -2648,14 +2405,14 @@ $arflags      =

 *** irix64-mips4-gcc
 $cc           = gcc
-$cflags       = -mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W
+$cflags       = -mabi=64 -mips4 -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W
 $unistd       = 
 $thread_cflag = -D_SGI_MP_SOURCE
 $sys_id       = 
 $lflags       = 
 $bn_ops       = RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG
 $cpuid_obj    = 
-$bn_obj       = mips3.o
+$bn_obj       = bn-mips3.o
 $des_obj      = 
 $aes_obj      = 
 $bf_obj       = 
@@ -2783,7 +2540,7 @@ $arflags      =

 *** linux-aout
 $cc           = gcc
-$cflags       = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall
+$cflags       = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -march=i486 -Wall
 $unistd       = 
 $thread_cflag = (unknown)
 $sys_id       = 
@@ -2925,7 +2682,7 @@ $sys_id       =
 $lflags       = -ldl
 $bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK
 $cpuid_obj    = 
-$bn_obj       = ia64.o
+$bn_obj       = bn-ia64.o
 $des_obj      = 
 $aes_obj      = aes_core.o aes_cbc.o aes-ia64.o
 $bf_obj       = 
@@ -2952,7 +2709,34 @@ $sys_id       =
 $lflags       = -ldl
 $bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK
 $cpuid_obj    = 
-$bn_obj       = ia64.o
+$bn_obj       = bn-ia64.o
+$des_obj      = 
+$aes_obj      = aes_core.o aes_cbc.o aes-ia64.o
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = sha1-ia64.o sha256-ia64.o sha512-ia64.o
+$cast_obj     = 
+$rc4_obj      = rc4-ia64.o
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = dlfcn
+$shared_target= linux-shared
+$shared_cflag = -fPIC
+$shared_ldflag = 
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+$ranlib       = 
+$arflags      = 
+
+*** linux-ia64-icc
+$cc           = icc
+$cflags       = -DL_ENDIAN -DTERMIO -O2 -Wall -no_cpprt
+$unistd       = 
+$thread_cflag = -D_REENTRANT
+$sys_id       = 
+$lflags       = -ldl
+$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK
+$cpuid_obj    = 
+$bn_obj       = bn-ia64.o
 $des_obj      = 
 $aes_obj      = aes_core.o aes_cbc.o aes-ia64.o
 $bf_obj       = 
@@ -3153,7 +2937,7 @@ $rmd160_obj   = rm86-cof.o
 $rc5_obj      = r586-cof.o
 $dso_scheme   = win32
 $shared_target= cygwin-shared
-$shared_cflag = -D_WINDLL
+$shared_cflag = -D_WINDLL -DOPENSSL_USE_APPLINK
 $shared_ldflag = -mno-cygwin -shared
 $shared_extension = .dll.a
 $ranlib       = 
@@ -3192,8 +2976,8 @@ $cflags       =
 $unistd       = 
 $thread_cflag = 
 $sys_id       = 
-$lflags       = RC4_INDEX MD2_INT
-$bn_ops       = 
+$lflags       = 
+$bn_ops       = BN_LLONG RC4_INDEX MD2_INT
 $cpuid_obj    = 
 $bn_obj       = 
 $des_obj      = 
@@ -3219,8 +3003,35 @@ $cflags       =
 $unistd       = 
 $thread_cflag = 
 $sys_id       = 
-$lflags       = BN_LLONG RC4_INDEX MD2_INT
-$bn_ops       = 
+$lflags       = 
+$bn_ops       = BN_LLONG RC4_INDEX MD2_INT
+$cpuid_obj    = 
+$bn_obj       = 
+$des_obj      = 
+$aes_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = 
+$shared_target= 
+$shared_cflag = 
+$shared_ldflag = 
+$shared_extension = 
+$ranlib       = 
+$arflags      = 
+
+*** netware-libc-bsdsock
+$cc           = mwccnlm
+$cflags       = 
+$unistd       = 
+$thread_cflag = 
+$sys_id       = 
+$lflags       = 
+$bn_ops       = BN_LLONG RC4_INDEX MD2_INT
 $cpuid_obj    = 
 $bn_obj       = 
 $des_obj      = 
@@ -3246,8 +3057,8 @@ $cflags       = -nostdinc -I/ndk/libc/include -I/ndk/libc/include/winsock -DL_EN
 $unistd       = 
 $thread_cflag = 
 $sys_id       = 
-$lflags       = RC4_INDEX MD2_INT
-$bn_ops       = 
+$lflags       = 
+$bn_ops       = BN_LLONG RC4_INDEX MD2_INT
 $cpuid_obj    = 
 $bn_obj       = 
 $des_obj      = 
@@ -3348,7 +3159,7 @@ $shared_extension =
 $ranlib       = 
 $arflags      = 

-*** ofs1-alpha-cc
+*** osf1-alpha-cc
 $cc           = cc
 $cflags       = -std1 -tune host -O4 -readonly_strings
 $unistd       = 
@@ -3510,33 +3321,6 @@ $shared_extension =
 $ranlib       = 
 $arflags      = 

-*** sco3-gcc
-$cc           = gcc
-$cflags       = -O3 -fomit-frame-pointer -Dssize_t=int -DNO_SYS_UN_H
-$unistd       = 
-$thread_cflag = (unknown)
-$sys_id       = 
-$lflags       = -lsocket
-$bn_ops       = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
-$cpuid_obj    = 
-$bn_obj       = 
-$des_obj      = 
-$aes_obj      = 
-$bf_obj       = 
-$md5_obj      = 
-$sha1_obj     = 
-$cast_obj     = 
-$rc4_obj      = 
-$rmd160_obj   = 
-$rc5_obj      = 
-$dso_scheme   = 
-$shared_target= 
-$shared_cflag = 
-$shared_ldflag = 
-$shared_extension = 
-$ranlib       = 
-$arflags      = 
-
 *** sco5-cc
 $cc           = cc
 $cflags       = -belf
@@ -3782,7 +3566,7 @@ $arflags      =

 *** solaris-x86-gcc
 $cc           = gcc
-$cflags       = -O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DOPENSSL_NO_INLINE_ASM
+$cflags       = -O3 -fomit-frame-pointer -march=pentium -Wall -DL_ENDIAN -DOPENSSL_NO_INLINE_ASM
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -3989,9 +3773,9 @@ $rc4_obj      =
 $rmd160_obj   = 
 $rc5_obj      = 
 $dso_scheme   = dlfcn
-$shared_target= tru64-shared
+$shared_target= alpha-osf1-shared
 $shared_cflag = 
-$shared_ldflag = 
+$shared_ldflag = -msym
 $shared_extension = .so
 $ranlib       = 
 $arflags      = 
@@ -4030,7 +3814,7 @@ $unistd       =
 $thread_cflag = (unknown)
 $sys_id       = 
 $lflags       = 
-$bn_ops       = 
+$bn_ops       = BN_LLONG
 $cpuid_obj    = 
 $bn_obj       = 
 $des_obj      = 
@@ -4133,7 +3917,7 @@ $arflags      =

 *** unixware-7-gcc
 $cc           = gcc
-$cflags       = -DL_ENDIAN -DFILIO_H -O3 -fomit-frame-pointer -m486 -Wall
+$cflags       = -DL_ENDIAN -DFILIO_H -O3 -fomit-frame-pointer -march=pentium -Wall
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -4160,7 +3944,7 @@ $arflags      =

 *** vos-gcc
 $cc           = gcc
-$cflags       = -b hppa1.1-stratus-vos -O3 -Wall -Wuninitialized -D_POSIX_C_SOURCE=200112L -D_BSD
+$cflags       = -O3 -Wall -D_POSIX_C_SOURCE=200112L -D_BSD -DB_ENDIAN
 $unistd       = 
 $thread_cflag = (unknown)
 $sys_id       = VOS
@@ -4185,33 +3969,6 @@ $shared_extension = .so
 $ranlib       = 
 $arflags      = 

-*** vos-vcc
-$cc           = vcc
-$cflags       = -b i386-stratus-vos -O3 -D_POSIX_C_SOURCE=200112L -D_BSD
-$unistd       = 
-$thread_cflag = (unknown)
-$sys_id       = VOS
-$lflags       = -Wl,-map
-$bn_ops       = 
-$cpuid_obj    = 
-$bn_obj       = 
-$des_obj      = 
-$aes_obj      = 
-$bf_obj       = 
-$md5_obj      = 
-$sha1_obj     = 
-$cast_obj     = 
-$rc4_obj      = 
-$rmd160_obj   = 
-$rc5_obj      = 
-$dso_scheme   = 
-$shared_target= 
-$shared_cflag = 
-$shared_ldflag = 
-$shared_extension = .so
-$ranlib       = 
-$arflags      = 
-
 *** vxworks-mipsle
 $cc           = ccmips
 $cflags       = -B$(WIND_BASE)/host/$(WIND_HOST_TYPE)/lib/gcc-lib/ -DL_ENDIAN -EL -Wl,-EL -mips2 -mno-branch-likely -G 0 -fno-builtin -msoft-float -DCPU=MIPS32 -DMIPSEL -DNO_STRINGS_H -I$(WIND_BASE)/target/h
@@ -4295,7 +4052,7 @@ $arflags      =

 *** vxworks-ppc750-debug
 $cc           = ccppc
-$cflags       = -ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I$(WIND_BASE)/target/h -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DDEBUG -g
+$cflags       = -ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I$(WIND_BASE)/target/h -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DDEBUG -g
 $unistd       = 
 $thread_cflag = 
 $sys_id       = VXWORKS
--- a/apps/CA.pl.in
+++ b/apps/CA.pl.in
@@ -68,19 +68,19 @@ foreach (@ARGV) {
 	    exit 0;
 	} elsif (/^-newcert$/) {
 	    # create a certificate
-	    system ("$REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS");
+	    system ("$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS");
 	    $RET=$?;
-	    print "Certificate (and private key) is in newreq.pem\n"
+	    print "Certificate is in newcert.pem, private key is in newkey.pem\n"
 	} elsif (/^-newreq$/) {
 	    # create a certificate request
-	    system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS");
+	    system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS");
 	    $RET=$?;
-	    print "Request (and private key) is in newreq.pem\n";
+	    print "Request is in newreq.pem, private key is in newkey.pem\n";
 	} elsif (/^-newreq-nodes$/) {
 	    # create a certificate request
-	    system ("$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS");
+	    system ("$REQ -new -nodes -keyout newkey.pem -out newreq.pem $DAYS");
 	    $RET=$?;
-	    print "Request (and private key) is in newreq.pem\n";
+	    print "Request is in newreq.pem, private key is in newkey.pem\n";
 	} elsif (/^-newca$/) {
 		# if explicitly asked for or it doesn't exist then setup the
 		# directory structure that Eric likes to manage things 
@@ -120,10 +120,11 @@ foreach (@ARGV) {
 	} elsif (/^-pkcs12$/) {
 	    my $cname = $ARGV[1];
 	    $cname = "My Certificate" unless defined $cname;
-	    system ("$PKCS12 -in newcert.pem -inkey newreq.pem " .
+	    system ("$PKCS12 -in newcert.pem -inkey newkey.pem " .
 			"-certfile ${CATOP}/$CACERT -out newcert.p12 " .
 			"-export -name \"$cname\"");
 	    $RET=$?;
+	    print "PKCS #12 file is in newcert.p12\n";
 	    exit $RET;
 	} elsif (/^-xsign$/) {
 	    system ("$CA -policy policy_anything -infiles newreq.pem");
--- a/apps/CA.sh
+++ b/apps/CA.sh
@@ -53,15 +53,15 @@ case $i in
    ;;
 -newcert) 
    # create a certificate
-    $REQ -new -x509 -keyout newreq.pem -out newreq.pem $DAYS
+    $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
    RET=$?
-    echo "Certificate (and private key) is in newreq.pem"
+    echo "Certificate is in newcert.pem, private key is in newkey.pem"
    ;;
 -newreq) 
    # create a certificate request
-    $REQ -new -keyout newreq.pem -out newreq.pem $DAYS
+    $REQ -new -keyout newkey.pem -out newreq.pem $DAYS
    RET=$?
-    echo "Request (and private key) is in newreq.pem"
+    echo "Request is in newreq.pem, private key is in newkey.pem"
    ;;
 -newca)     
    # if explicitly asked for or it doesn't exist then setup the directory
--- a/apps/Makefile
+++ b/apps/Makefile
@@ -7,11 +7,6 @@ TOP=		..
 CC=		cc
 INCLUDES=	-I$(TOP) -I../include $(KRB5_INCLUDES)
 CFLAG=		-g -static
-INSTALL_PREFIX=
-INSTALLTOP=	/usr/local/ssl
-OPENSSLDIR=	/usr/local/ssl
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 PERL=		perl
 RM=		rm -f
@@ -91,12 +86,9 @@ req: sreq.o $(A_OBJ) $(DLIBCRYPTO)
 	shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
 		shlib_target="$(SHLIB_TARGET)"; \
 	fi; \
-	$(MAKE) -f $(TOP)/Makefile.shared \
-		APPNAME=req CC="$(CC)" CFLAGS="$(CFLAGS)" \
-		LDFLAGS="$(LDFLAG)" SHARED_LDFLAGS="$(SHARED_LDFLAGS)" \
-		OBJECTS="sreq.o $(A_OBJ) $(RAND_OBJ)" \
+	$(MAKE) -f $(TOP)/Makefile.shared -e \
+		APPNAME=req OBJECTS="sreq.o $(A_OBJ) $(RAND_OBJ)" \
 		LIBDEPS="$(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)" \
-		LIBRPATH=$(INSTALLTOP)/lib \
 		link_app.$${shlib_target}

 sreq.o: req.c 
@@ -106,6 +98,7 @@ files:
 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO

 install:
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
 	@set -e; for i in $(EXE); \
 	do  \
 	(echo installing $$i; \
@@ -135,7 +128,11 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff

 depend:
-	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC)
+	@if [ -z "$(THIS)" ]; then \
+	    $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; \
+	else \
+	    $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC); \
+	fi

 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -161,14 +158,10 @@ $(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL)
 	else \
 	  LIBRARIES="$(LIBSSL) $(LIBKRB5) $(LIBCRYPTO)" ; \
 	fi; \
-	$(MAKE) -f $(TOP)/Makefile.shared \
-		APPNAME=$(EXE) CC="$(CC)" CFLAGS="$(CFLAG)" \
-		LDFLAGS="$(LDFLAGS)" SHARED_LDFLAGS="$(SHARED_LDFLAGS)" \
-		OBJECTS="$(PROGRAM).o $(E_OBJ)" \
+	$(MAKE) -f $(TOP)/Makefile.shared -e \
+		APPNAME=$(EXE) OBJECTS="$(PROGRAM).o $(E_OBJ)" \
 		LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \
-		LIBRPATH=$(INSTALLTOP)/lib \
 		link_app.$${shlib_target}
-	@case "../*.dll" in *\**) ;; *) cp -p ../*.dll .;; esac
 	-(cd ..; \
 	  OPENSSL="`pwd`/util/opensslwrap.sh"; export OPENSSL; \
 	  $(PERL) tools/c_rehash certs)
@@ -242,17 +235,18 @@ ca.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
 ca.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
 ca.o: ../include/openssl/x509v3.h apps.h ca.c
 ciphers.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-ciphers.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-ciphers.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-ciphers.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-ciphers.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-ciphers.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
-ciphers.o: ../include/openssl/err.h ../include/openssl/evp.h
-ciphers.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-ciphers.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-ciphers.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-ciphers.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-ciphers.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ciphers.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ciphers.o: ../include/openssl/comp.h ../include/openssl/conf.h
+ciphers.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
+ciphers.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+ciphers.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+ciphers.o: ../include/openssl/engine.h ../include/openssl/err.h
+ciphers.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+ciphers.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+ciphers.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ciphers.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+ciphers.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+ciphers.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
 ciphers.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
 ciphers.o: ../include/openssl/sha.h ../include/openssl/ssl.h
 ciphers.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
@@ -397,17 +391,18 @@ enc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 enc.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
 enc.o: ../include/openssl/x509_vfy.h apps.h enc.c
 engine.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-engine.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-engine.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-engine.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-engine.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-engine.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
-engine.o: ../include/openssl/err.h ../include/openssl/evp.h
-engine.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-engine.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-engine.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-engine.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-engine.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+engine.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+engine.o: ../include/openssl/comp.h ../include/openssl/conf.h
+engine.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
+engine.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+engine.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+engine.o: ../include/openssl/engine.h ../include/openssl/err.h
+engine.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+engine.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+engine.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+engine.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+engine.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+engine.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
 engine.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
 engine.o: ../include/openssl/sha.h ../include/openssl/ssl.h
 engine.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
@@ -416,17 +411,18 @@ engine.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
 engine.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
 engine.o: ../include/openssl/x509_vfy.h apps.h engine.c
 errstr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-errstr.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-errstr.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-errstr.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-errstr.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-errstr.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
-errstr.o: ../include/openssl/err.h ../include/openssl/evp.h
-errstr.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-errstr.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-errstr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-errstr.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-errstr.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+errstr.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+errstr.o: ../include/openssl/comp.h ../include/openssl/conf.h
+errstr.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
+errstr.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+errstr.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+errstr.o: ../include/openssl/engine.h ../include/openssl/err.h
+errstr.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+errstr.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+errstr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+errstr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+errstr.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+errstr.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
 errstr.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
 errstr.o: ../include/openssl/sha.h ../include/openssl/ssl.h
 errstr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
@@ -513,25 +509,27 @@ ocsp.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
 ocsp.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 ocsp.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
 ocsp.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-ocsp.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
-ocsp.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-ocsp.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-ocsp.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ocsp.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ocsp.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-ocsp.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h ocsp.c
+ocsp.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
+ocsp.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ocsp.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ocsp.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ocsp.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ocsp.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+ocsp.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ocsp.o: ../include/openssl/x509v3.h apps.h ocsp.c
 openssl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-openssl.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-openssl.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-openssl.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-openssl.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-openssl.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
-openssl.o: ../include/openssl/err.h ../include/openssl/evp.h
-openssl.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-openssl.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-openssl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-openssl.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-openssl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+openssl.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+openssl.o: ../include/openssl/comp.h ../include/openssl/conf.h
+openssl.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
+openssl.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+openssl.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+openssl.o: ../include/openssl/engine.h ../include/openssl/err.h
+openssl.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+openssl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+openssl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+openssl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+openssl.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+openssl.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
 openssl.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
 openssl.o: ../include/openssl/sha.h ../include/openssl/ssl.h
 openssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
@@ -600,6 +598,19 @@ pkcs8.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 pkcs8.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 pkcs8.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
 pkcs8.o: ../include/openssl/x509_vfy.h apps.h pkcs8.c
+prime.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+prime.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+prime.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+prime.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+prime.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+prime.o: ../include/openssl/engine.h ../include/openssl/evp.h
+prime.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+prime.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+prime.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+prime.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
+prime.o: ../include/openssl/sha.h ../include/openssl/stack.h
+prime.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+prime.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h prime.c
 rand.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 rand.o: ../include/openssl/buffer.h ../include/openssl/conf.h
 rand.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
@@ -614,25 +625,24 @@ rand.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 rand.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 rand.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
 rand.o: ../include/openssl/x509_vfy.h apps.h rand.c
-req.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/asn1.h
-req.o: ../include/openssl/bio.h ../include/openssl/bn.h
-req.o: ../include/openssl/buffer.h ../include/openssl/conf.h
-req.o: ../include/openssl/crypto.h ../include/openssl/dh.h
-req.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-req.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-req.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
-req.o: ../include/openssl/err.h ../include/openssl/evp.h
-req.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-req.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-req.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-req.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-req.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-req.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-req.o: ../include/openssl/sha.h ../include/openssl/stack.h
-req.o: ../include/openssl/store.h ../include/openssl/symhacks.h
-req.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
-req.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-req.o: ../include/openssl/x509v3.h apps.h req.c
+req.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
+req.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+req.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+req.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+req.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+req.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+req.o: ../include/openssl/engine.h ../include/openssl/err.h
+req.o: ../include/openssl/evp.h ../include/openssl/lhash.h
+req.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+req.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+req.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+req.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+req.o: ../include/openssl/rand.h ../include/openssl/rsa.h
+req.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+req.o: ../include/openssl/stack.h ../include/openssl/store.h
+req.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+req.o: ../include/openssl/ui.h ../include/openssl/x509.h
+req.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h req.c
 rsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
 rsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
 rsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
@@ -664,17 +674,18 @@ rsautl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 rsautl.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
 rsautl.o: ../include/openssl/x509_vfy.h apps.h rsautl.c
 s_cb.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-s_cb.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-s_cb.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-s_cb.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-s_cb.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-s_cb.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
-s_cb.o: ../include/openssl/err.h ../include/openssl/evp.h
-s_cb.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-s_cb.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s_cb.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s_cb.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s_cb.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s_cb.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+s_cb.o: ../include/openssl/comp.h ../include/openssl/conf.h
+s_cb.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
+s_cb.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s_cb.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+s_cb.o: ../include/openssl/engine.h ../include/openssl/err.h
+s_cb.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+s_cb.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+s_cb.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s_cb.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s_cb.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s_cb.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
 s_cb.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
 s_cb.o: ../include/openssl/sha.h ../include/openssl/ssl.h
 s_cb.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
@@ -683,17 +694,18 @@ s_cb.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
 s_cb.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
 s_cb.o: ../include/openssl/x509_vfy.h apps.h s_apps.h s_cb.c
 s_client.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-s_client.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-s_client.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-s_client.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-s_client.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-s_client.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
-s_client.o: ../include/openssl/err.h ../include/openssl/evp.h
-s_client.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-s_client.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s_client.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s_client.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s_client.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s_client.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+s_client.o: ../include/openssl/comp.h ../include/openssl/conf.h
+s_client.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
+s_client.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s_client.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+s_client.o: ../include/openssl/engine.h ../include/openssl/err.h
+s_client.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+s_client.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+s_client.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s_client.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s_client.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s_client.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
 s_client.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
 s_client.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 s_client.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
@@ -715,28 +727,29 @@ s_server.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
 s_server.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
 s_server.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 s_server.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s_server.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
-s_server.o: ../include/openssl/rand.h ../include/openssl/rsa.h
-s_server.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s_server.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s_server.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s_server.o: ../include/openssl/stack.h ../include/openssl/store.h
-s_server.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s_server.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
-s_server.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
-s_server.o: s_apps.h s_server.c timeouts.h
+s_server.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
+s_server.o: ../include/openssl/pqueue.h ../include/openssl/rand.h
+s_server.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s_server.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s_server.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s_server.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s_server.o: ../include/openssl/store.h ../include/openssl/symhacks.h
+s_server.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+s_server.o: ../include/openssl/ui.h ../include/openssl/x509.h
+s_server.o: ../include/openssl/x509_vfy.h apps.h s_apps.h s_server.c timeouts.h
 s_socket.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-s_socket.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-s_socket.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-s_socket.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-s_socket.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-s_socket.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
-s_socket.o: ../include/openssl/evp.h ../include/openssl/kssl.h
-s_socket.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-s_socket.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s_socket.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s_socket.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s_socket.o: ../include/openssl/pkcs7.h ../include/openssl/pqueue.h
+s_socket.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+s_socket.o: ../include/openssl/comp.h ../include/openssl/conf.h
+s_socket.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
+s_socket.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s_socket.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+s_socket.o: ../include/openssl/engine.h ../include/openssl/evp.h
+s_socket.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+s_socket.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+s_socket.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s_socket.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+s_socket.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s_socket.o: ../include/openssl/pq_compat.h ../include/openssl/pqueue.h
 s_socket.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 s_socket.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
 s_socket.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
@@ -745,17 +758,18 @@ s_socket.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
 s_socket.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
 s_socket.o: s_apps.h s_socket.c
 s_time.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-s_time.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-s_time.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-s_time.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-s_time.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-s_time.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
-s_time.o: ../include/openssl/err.h ../include/openssl/evp.h
-s_time.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-s_time.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s_time.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s_time.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s_time.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s_time.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+s_time.o: ../include/openssl/comp.h ../include/openssl/conf.h
+s_time.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
+s_time.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+s_time.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+s_time.o: ../include/openssl/engine.h ../include/openssl/err.h
+s_time.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+s_time.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+s_time.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s_time.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s_time.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s_time.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
 s_time.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
 s_time.o: ../include/openssl/sha.h ../include/openssl/ssl.h
 s_time.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
@@ -764,17 +778,18 @@ s_time.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
 s_time.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
 s_time.o: ../include/openssl/x509_vfy.h apps.h s_apps.h s_time.c
 sess_id.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-sess_id.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-sess_id.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-sess_id.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-sess_id.o: ../include/openssl/ec.h ../include/openssl/ecdh.h
-sess_id.o: ../include/openssl/ecdsa.h ../include/openssl/engine.h
-sess_id.o: ../include/openssl/err.h ../include/openssl/evp.h
-sess_id.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
-sess_id.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-sess_id.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-sess_id.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-sess_id.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+sess_id.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+sess_id.o: ../include/openssl/comp.h ../include/openssl/conf.h
+sess_id.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
+sess_id.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
+sess_id.o: ../include/openssl/ecdh.h ../include/openssl/ecdsa.h
+sess_id.o: ../include/openssl/engine.h ../include/openssl/err.h
+sess_id.o: ../include/openssl/evp.h ../include/openssl/kssl.h
+sess_id.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
+sess_id.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+sess_id.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+sess_id.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+sess_id.o: ../include/openssl/pkcs7.h ../include/openssl/pq_compat.h
 sess_id.o: ../include/openssl/pqueue.h ../include/openssl/safestack.h
 sess_id.o: ../include/openssl/sha.h ../include/openssl/ssl.h
 sess_id.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -125,7 +125,9 @@
 #ifndef OPENSSL_NO_ENGINE
 #include <openssl/engine.h>
 #endif
+#ifndef OPENSSL_NO_RSA
 #include <openssl/rsa.h>
+#endif
 #include <openssl/bn.h>

 #define NON_MAIN
@@ -374,10 +376,17 @@ int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[])
 		/* The start of something good :-) */
 		if (num >= arg->count)
 			{
-			arg->count+=20;
-			arg->data=(char **)OPENSSL_realloc(arg->data,
-				sizeof(char *)*arg->count);
-			if (argc == 0) return(0);
+			char **tmp_p;
+			int tlen = arg->count + 20;
+			tmp_p = (char **)OPENSSL_realloc(arg->data,
+				sizeof(char *)*tlen);
+			if (tmp_p == NULL)
+				return 0;
+			arg->data  = tmp_p;
+			arg->count = tlen;
+			/* initialize newly allocated data */
+			for (i = num; i < arg->count; i++)
+				arg->data[i] = NULL;
 			}
 		arg->data[num++]=p;

@@ -1604,8 +1613,9 @@ int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix)
 		{
 		if (errno != ENOENT 
 #ifdef ENOTDIR
-			&& errno != ENOTDIR)
+			&& errno != ENOTDIR
 #endif
+		   )
 			goto err;
 		}
 	else
@@ -1893,8 +1903,9 @@ int rotate_index(const char *dbfile, const char *new_suffix, const char *old_suf
 		{
 		if (errno != ENOENT 
 #ifdef ENOTDIR
-			&& errno != ENOTDIR)
+			&& errno != ENOTDIR
 #endif
+		   )
 			goto err;
 		}
 	else
@@ -1929,8 +1940,9 @@ int rotate_index(const char *dbfile, const char *new_suffix, const char *old_suf
 		{
 		if (errno != ENOENT 
 #ifdef ENOTDIR
-			&& errno != ENOTDIR)
+			&& errno != ENOTDIR
 #endif
+		   )
 			goto err;
 		}
 	else
--- a/apps/asn1pars.c
+++ b/apps/asn1pars.c
@@ -196,7 +196,7 @@ int MAIN(int argc, char **argv)
 bad:
 		BIO_printf(bio_err,"%s [options] <infile\n",prog);
 		BIO_printf(bio_err,"where options are\n");
-		BIO_printf(bio_err," -inform arg   input format - one of DER TXT PEM\n");
+		BIO_printf(bio_err," -inform arg   input format - one of DER PEM\n");
 		BIO_printf(bio_err," -in arg       input file\n");
 		BIO_printf(bio_err," -out arg      output file (output format is always DER\n");
 		BIO_printf(bio_err," -noout arg    don't produce any output\n");
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -105,6 +105,9 @@

 #define ENV_DEFAULT_CA		"default_ca"

+#define STRING_MASK	"string_mask"
+#define UTF8_IN			"utf8"
+
 #define ENV_DIR			"dir"
 #define ENV_CERTS		"certs"
 #define ENV_CRL_DIR		"crl_dir"
@@ -174,6 +177,7 @@ static const char *ca_usage[]={
 " -msie_hack      - msie modifications to handle all those universal strings\n",
 " -revoke file    - Revoke a certificate (given in file)\n",
 " -subj arg       - Use arg instead of request's subject\n",
+" -utf8           - input characters are UTF8 (default ASCII)\n",
 " -multivalue-rdn - enable support for multivalued RDNs\n",
 " -extensions ..  - Extension section (override value in config file)\n",
 " -extfile file   - Configuration file with X509v3 extentions to add\n",
@@ -195,27 +199,27 @@ extern int EF_ALIGNMENT;
 static void lookup_fail(const char *name, const char *tag);
 static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
 		   const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,CA_DB *db,
-		   BIGNUM *serial, char *subj, int multirdn, int email_dn, char *startdate,
+		   BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn, char *startdate,
 		   char *enddate, long days, int batch, char *ext_sect, CONF *conf,
 		   int verbose, unsigned long certopt, unsigned long nameopt,
 		   int default_op, int ext_copy, int selfsign);
 static int certify_cert(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
 			const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
-			CA_DB *db, BIGNUM *serial, char *subj, int multirdn, int email_dn,
+			CA_DB *db, BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn,
 			char *startdate, char *enddate, long days, int batch,
 			char *ext_sect, CONF *conf,int verbose, unsigned long certopt,
 			unsigned long nameopt, int default_op, int ext_copy,
 			ENGINE *e);
 static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
 			 const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
-			 CA_DB *db, BIGNUM *serial,char *subj, int multirdn, int email_dn,
+			 CA_DB *db, BIGNUM *serial,char *subj,unsigned long chtype, int multirdn, int email_dn,
 			 char *startdate, char *enddate, long days, char *ext_sect,
 			 CONF *conf, int verbose, unsigned long certopt, 
 			 unsigned long nameopt, int default_op, int ext_copy);
 static int fix_data(int nid, int *type);
 static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext);
 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
-	STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,char *subj, int multirdn,
+	STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,char *subj,unsigned long chtype, int multirdn,
 	int email_dn, char *startdate, char *enddate, long days, int batch,
       	int verbose, X509_REQ *req, char *ext_sect, CONF *conf,
 	unsigned long certopt, unsigned long nameopt, int default_op,
@@ -275,6 +279,7 @@ int MAIN(int argc, char **argv)
 	char *extensions=NULL;
 	char *extfile=NULL;
 	char *subj=NULL;
+	unsigned long chtype = MBSTRING_ASC;
 	int multirdn = 0;
 	char *tmp_email_dn=NULL;
 	char *crl_ext=NULL;
@@ -356,6 +361,8 @@ EF_ALIGNMENT=0;
 			subj= *(++argv);
 			/* preserve=1; */
 			}
+		else if (strcmp(*argv,"-utf8") == 0)
+			chtype = MBSTRING_UTF8;
 		else if (strcmp(*argv,"-create_serial") == 0)
 			create_ser = 1;
 		else if (strcmp(*argv,"-multivalue-rdn") == 0)
@@ -645,6 +652,23 @@ bad:
 		ERR_clear_error();
 	app_RAND_load_file(randfile, bio_err, 0);

+	f = NCONF_get_string(conf, section, STRING_MASK);
+	if (!f)
+		ERR_clear_error();
+
+	if(f && !ASN1_STRING_set_default_mask_asc(f)) {
+		BIO_printf(bio_err, "Invalid global string mask setting %s\n", f);
+		goto err;
+	}
+
+	if (chtype != MBSTRING_UTF8){
+		f = NCONF_get_string(conf, section, UTF8_IN);
+		if (!f)
+			ERR_clear_error();
+		else if (!strcmp(f, "yes"))
+			chtype = MBSTRING_UTF8;
+	}
+
 	db_attr.unique_subject = 1;
 	p = NCONF_get_string(conf, section, ENV_UNIQUE_SUBJECT);
 	if (p)
@@ -945,7 +969,6 @@ bad:
 			if (verbose) BIO_printf(bio_err,
 				"Done. %d entries marked as expired\n",i); 
 	      		}
-			goto err;
 	  	}

 	/*****************************************************************/
@@ -1135,7 +1158,7 @@ bad:
 			{
 			total++;
 			j=certify_spkac(&x,spkac_file,pkey,x509,dgst,attribs,db,
-				serial,subj,multirdn,email_dn,startdate,enddate,days,extensions,
+				serial,subj,chtype,multirdn,email_dn,startdate,enddate,days,extensions,
 				conf,verbose,certopt,nameopt,default_op,ext_copy);
 			if (j < 0) goto err;
 			if (j > 0)
@@ -1159,7 +1182,7 @@ bad:
 			{
 			total++;
 			j=certify_cert(&x,ss_cert_file,pkey,x509,dgst,attribs,
-				db,serial,subj,multirdn,email_dn,startdate,enddate,days,batch,
+				db,serial,subj,chtype,multirdn,email_dn,startdate,enddate,days,batch,
 				extensions,conf,verbose, certopt, nameopt,
 				default_op, ext_copy, e);
 			if (j < 0) goto err;
@@ -1179,7 +1202,7 @@ bad:
 			{
 			total++;
 			j=certify(&x,infile,pkey,x509p,dgst,attribs,db,
-				serial,subj,multirdn,email_dn,startdate,enddate,days,batch,
+				serial,subj,chtype,multirdn,email_dn,startdate,enddate,days,batch,
 				extensions,conf,verbose, certopt, nameopt,
 				default_op, ext_copy, selfsign);
 			if (j < 0) goto err;
@@ -1199,7 +1222,7 @@ bad:
 			{
 			total++;
 			j=certify(&x,argv[i],pkey,x509p,dgst,attribs,db,
-				serial,subj,multirdn,email_dn,startdate,enddate,days,batch,
+				serial,subj,chtype,multirdn,email_dn,startdate,enddate,days,batch,
 				extensions,conf,verbose, certopt, nameopt,
 				default_op, ext_copy, selfsign);
 			if (j < 0) goto err;
@@ -1509,7 +1532,7 @@ static void lookup_fail(const char *name, const char *tag)

 static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
 	     const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
-	     BIGNUM *serial, char *subj, int multirdn, int email_dn, char *startdate, char *enddate,
+	     BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate,
 	     long days, int batch, char *ext_sect, CONF *lconf, int verbose,
 	     unsigned long certopt, unsigned long nameopt, int default_op,
 	     int ext_copy, int selfsign)
@@ -1565,7 +1588,7 @@ static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
 	else
 		BIO_printf(bio_err,"Signature ok\n");

-	ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj, multirdn, email_dn,
+	ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,chtype,multirdn, email_dn,
 		startdate,enddate,days,batch,verbose,req,ext_sect,lconf,
 		certopt, nameopt, default_op, ext_copy, selfsign);

@@ -1577,7 +1600,7 @@ err:

 static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
 	     const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
-	     BIGNUM *serial, char *subj, int multirdn, int email_dn, char *startdate, char *enddate,
+	     BIGNUM *serial, char *subj, unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate,
 	     long days, int batch, char *ext_sect, CONF *lconf, int verbose,
 	     unsigned long certopt, unsigned long nameopt, int default_op,
 	     int ext_copy, ENGINE *e)
@@ -1619,7 +1642,7 @@ static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
 	if ((rreq=X509_to_X509_REQ(req,NULL,EVP_md5())) == NULL)
 		goto err;

-	ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,multirdn,email_dn,startdate,enddate,
+	ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,chtype,multirdn,email_dn,startdate,enddate,
 		days,batch,verbose,rreq,ext_sect,lconf, certopt, nameopt, default_op,
 		ext_copy, 0);

@@ -1631,7 +1654,7 @@ err:

 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
 	     STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj,
-	     int multirdn,
+	     unsigned long chtype, int multirdn,
 	     int email_dn, char *startdate, char *enddate, long days, int batch,
 	     int verbose, X509_REQ *req, char *ext_sect, CONF *lconf,
 	     unsigned long certopt, unsigned long nameopt, int default_op,
@@ -1664,7 +1687,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,

 	if (subj)
 		{
-		X509_NAME *n = parse_name(subj, MBSTRING_ASC, multirdn);
+		X509_NAME *n = parse_name(subj, chtype, multirdn);

 		if (!n)
 			{
@@ -2201,7 +2224,7 @@ static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext)

 static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
 	     const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
-	     BIGNUM *serial, char *subj, int multirdn, int email_dn, char *startdate, char *enddate,
+	     BIGNUM *serial, char *subj,unsigned long chtype, int multirdn, int email_dn, char *startdate, char *enddate,
 	     long days, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt,
 	     unsigned long nameopt, int default_op, int ext_copy)
 	{
@@ -2342,7 +2365,7 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,

 	X509_REQ_set_pubkey(req,pktmp);
 	EVP_PKEY_free(pktmp);
-	ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,multirdn,email_dn,startdate,enddate,
+	ok=do_body(xret,pkey,x509,dgst,policy,db,serial,subj,chtype,multirdn,email_dn,startdate,enddate,
 		   days,1,verbose,req,ext_sect,lconf, certopt, nameopt, default_op,
 			ext_copy, 0);
 err:
--- a/apps/dh.c
+++ b/apps/dh.c
@@ -57,6 +57,7 @@
 * [including the GNU Public Licence.]
 */

+#include <openssl/opensslconf.h>	/* for OPENSSL_NO_DH */
 #ifndef OPENSSL_NO_DH
 #include <stdio.h>
 #include <stdlib.h>
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -109,6 +109,7 @@
 *
 */

+#include <openssl/opensslconf.h>	/* for OPENSSL_NO_DH */
 #ifndef OPENSSL_NO_DH
 #include <stdio.h>
 #include <stdlib.h>
--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -56,6 +56,7 @@
 * [including the GNU Public Licence.]
 */

+#include <openssl/opensslconf.h>	/* for OPENSSL_NO_DSA */
 #ifndef OPENSSL_NO_DSA
 #include <stdio.h>
 #include <stdlib.h>
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -56,6 +56,7 @@
 * [including the GNU Public Licence.]
 */

+#include <openssl/opensslconf.h>	/* for OPENSSL_NO_DSA */
 /* Until the key-gen callbacks are modified to use newer prototypes, we allow
 * deprecated functions for openssl-internal code */
 #ifdef OPENSSL_NO_DEPRECATED
--- a/apps/ec.c
+++ b/apps/ec.c
@@ -3,7 +3,7 @@
 * Written by Nils Larsch for the OpenSSL project.
 */
 /* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -56,6 +56,7 @@
 *
 */

+#include <openssl/opensslconf.h>
 #ifndef OPENSSL_NO_EC
 #include <stdio.h>
 #include <stdlib.h>
@@ -89,6 +90,7 @@ int MAIN(int argc, char **argv)
 #endif
 	int 	ret = 1;
 	EC_KEY 	*eckey = NULL;
+	const EC_GROUP *group;
 	int 	i, badops = 0;
 	const EVP_CIPHER *enc = NULL;
 	BIO 	*in = NULL, *out = NULL;
@@ -328,14 +330,13 @@ bad:
 			}
 		}

+	group = EC_KEY_get0_group(eckey);
+
 	if (new_form)
-		{
-		EC_GROUP_set_point_conversion_form(eckey->group, form);
-		eckey->conv_form = form;
-		}
+		EC_KEY_set_conv_form(eckey, form);

 	if (new_asn1_flag)
-		EC_GROUP_set_asn1_flag(eckey->group, asn1_flag);
+		EC_KEY_set_asn1_flag(eckey, asn1_flag);

 	if (text) 
 		if (!EC_KEY_print(out, eckey, 0))
@@ -352,7 +353,7 @@ bad:
 	if (outformat == FORMAT_ASN1) 
 		{
 		if (param_out)
-			i = i2d_ECPKParameters_bio(out, eckey->group);
+			i = i2d_ECPKParameters_bio(out, group);
 		else if (pubin || pubout) 
 			i = i2d_EC_PUBKEY_bio(out, eckey);
 		else 
@@ -361,7 +362,7 @@ bad:
 	else if (outformat == FORMAT_PEM) 
 		{
 		if (param_out)
-			i = PEM_write_bio_ECPKParameters(out, eckey->group);
+			i = PEM_write_bio_ECPKParameters(out, group);
 		else if (pubin || pubout)
 			i = PEM_write_bio_EC_PUBKEY(out, eckey);
 		else 
--- a/apps/ecparam.c
+++ b/apps/ecparam.c
@@ -3,7 +3,7 @@
 * Written by Nils Larsch for the OpenSSL project.
 */
 /* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2005 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -68,6 +68,8 @@
 * Sheueling Chang Shantz and Douglas Stebila of Sun Microsystems Laboratories.
 *
 */
+
+#include <openssl/opensslconf.h>
 #ifndef OPENSSL_NO_EC
 #include <assert.h>
 #include <stdio.h>
@@ -411,7 +413,7 @@ bad:
 			goto end;
 			}

-		group = EC_GROUP_new_by_nid(nid);
+		group = EC_GROUP_new_by_curve_name(nid);
 		if (group == NULL)
 			{
 			BIO_printf(bio_err, "unable to create curve (%s)\n", 
@@ -647,11 +649,11 @@ bad:

 		assert(need_rand);

-		eckey->group = group;
+		if (EC_KEY_set_group(eckey, group) == 0)
+			goto end;
 		
 		if (!EC_KEY_generate_key(eckey))
 			{
-			eckey->group = NULL;
 			EC_KEY_free(eckey);
 			goto end;
 			}
@@ -664,11 +666,9 @@ bad:
 			{
 			BIO_printf(bio_err, "bad output format specified "
 				"for outfile\n");
-			eckey->group = NULL;
 			EC_KEY_free(eckey);
 			goto end;
 			}
-		eckey->group = NULL;
 		EC_KEY_free(eckey);
 		}

--- a/apps/engine.c
+++ b/apps/engine.c
@@ -394,11 +394,15 @@ int MAIN(int argc, char **argv)
 		else if (strcmp(*argv,"-pre") == 0)
 			{
 			argc--; argv++;
+			if (argc == 0)
+				goto skip_arg_loop;
 			sk_push(pre_cmds,*argv);
 			}
 		else if (strcmp(*argv,"-post") == 0)
 			{
 			argc--; argv++;
+			if (argc == 0)
+				goto skip_arg_loop;
 			sk_push(post_cmds,*argv);
 			}
 		else if ((strncmp(*argv,"-h",2) == 0) ||
--- a/apps/gendh.c
+++ b/apps/gendh.c
@@ -57,6 +57,7 @@
 * [including the GNU Public Licence.]
 */

+#include <openssl/opensslconf.h>
 /* Until the key-gen callbacks are modified to use newer prototypes, we allow
 * deprecated functions for openssl-internal code */
 #ifdef OPENSSL_NO_DEPRECATED
--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -56,6 +56,7 @@
 * [including the GNU Public Licence.]
 */

+#include <openssl/opensslconf.h>	/* for OPENSSL_NO_DSA */
 #ifndef OPENSSL_NO_DSA
 #include <stdio.h>
 #include <string.h>
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -56,6 +56,7 @@
 * [including the GNU Public Licence.]
 */

+#include <openssl/opensslconf.h>
 /* Until the key-gen callbacks are modified to use newer prototypes, we allow
 * deprecated functions for openssl-internal code */
 #ifdef OPENSSL_NO_DEPRECATED
--- a/apps/makeapps.com
+++ b/apps/makeapps.com
@@ -650,7 +650,7 @@ $ CCDEFS = "MONOLITH"
 $ IF F$TYPE(USER_CCDEFS) .NES. "" THEN CCDEFS = CCDEFS + "," + USER_CCDEFS
 $ CCEXTRAFLAGS = ""
 $ IF F$TYPE(USER_CCFLAGS) .NES. "" THEN CCEXTRAFLAGS = USER_CCFLAGS
-$ CCDISABLEWARNINGS = "LONGLONGTYPE,LONGLONGSUFX"
+$ CCDISABLEWARNINGS = "LONGLONGTYPE,LONGLONGSUFX,FOUNDCR"
 $ IF F$TYPE(USER_CCDISABLEWARNINGS) .NES. "" THEN -
 	CCDISABLEWARNINGS = CCDISABLEWARNINGS + "," + USER_CCDISABLEWARNINGS
 $!
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -188,7 +188,7 @@ nsComment			= "OpenSSL Generated Certificate"

 # PKIX recommendations harmless if included in all certificates.
 subjectKeyIdentifier=hash
-authorityKeyIdentifier=keyid,issuer:always
+authorityKeyIdentifier=keyid,issuer

 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.
--- a/apps/passwd.c
+++ b/apps/passwd.c
@@ -474,7 +474,8 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
 	if ((strlen(passwd) > pw_maxlen))
 		{
 		if (!quiet)
-			BIO_printf(bio_err, "Warning: truncating password to %u characters\n", pw_maxlen);
+			/* XXX: really we should know how to print a size_t, not cast it */
+			BIO_printf(bio_err, "Warning: truncating password to %u characters\n", (unsigned)pw_maxlen);
 		passwd[pw_maxlen] = 0;
 		}
 	assert(strlen(passwd) <= pw_maxlen);
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -1,6 +1,4 @@
 /* pkcs12.c */
-#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_SHA1)
-
 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
 * project.
 */
@@ -58,6 +56,9 @@
 *
 */

+#include <openssl/opensslconf.h>
+#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_SHA1)
+
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
@@ -539,6 +540,10 @@ int MAIN(int argc, char **argv)
 		X509_alias_set1(sk_X509_value(certs, i), catmp, -1);
 		}

+	if (csp_name && key)
+		EVP_PKEY_add1_attr_by_NID(key, NID_ms_csp_name,
+				MBSTRING_ASC, (unsigned char *)csp_name, -1);
+		

 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
--- a/apps/prime.c
+++ b/apps/prime.c
@@ -115,7 +115,7 @@ int MAIN(int argc, char **argv)

    BN_print(bio_out,bn);
    BIO_printf(bio_out," is %sprime\n",
-	       BN_is_prime(bn,checks,NULL,NULL,NULL) ? "" : "not ");
+	       BN_is_prime_ex(bn,checks,NULL,NULL) ? "" : "not ");

    BN_free(bn);
    BIO_free_all(bio_out);
--- a/apps/req.c
+++ b/apps/req.c
@@ -79,7 +79,13 @@
 #include <openssl/x509v3.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
-#include "../crypto/cryptlib.h"
+#include <openssl/bn.h>
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
+#include <openssl/dsa.h>
+#endif

 #define SECTION		"req"

@@ -344,6 +350,7 @@ int MAIN(int argc, char **argv)
 				{
 				X509 *xtmp=NULL;
 				EVP_PKEY *dtmp;
+				EC_GROUP *group;

 				pkey_type=TYPE_EC;
 				p+=3;
@@ -354,9 +361,9 @@ int MAIN(int argc, char **argv)
 					}
 				if ((ec_params = EC_KEY_new()) == NULL)
 					goto end;
-				if ((ec_params->group = PEM_read_bio_ECPKParameters(in, NULL, NULL, NULL)) == NULL)
+				group = PEM_read_bio_ECPKParameters(in, NULL, NULL, NULL);
+				if (group == NULL)
 					{
-					if (ec_params)
 					EC_KEY_free(ec_params);
 					ERR_clear_error();
 					(void)BIO_reset(in);
@@ -369,7 +376,7 @@ int MAIN(int argc, char **argv)
 					if ((dtmp=X509_get_pubkey(xtmp))==NULL)
 						goto end;
 					if (dtmp->type == EVP_PKEY_EC)
-						ec_params = ECParameters_dup(dtmp->pkey.eckey);
+						ec_params = EC_KEY_dup(dtmp->pkey.ec);
 					EVP_PKEY_free(dtmp);
 					X509_free(xtmp);
 					if (ec_params == NULL)
@@ -378,12 +385,16 @@ int MAIN(int argc, char **argv)
 						goto end;
 						}
 					}
+				else
+					{
+					if (EC_KEY_set_group(ec_params, group) == 0)
+						goto end;
+					EC_GROUP_free(group);
+					}

 				BIO_free(in);
 				in=NULL;
-				
-				newkey = EC_GROUP_get_degree(ec_params->group);
-
+				newkey = EC_GROUP_get_degree(EC_KEY_get0_group(ec_params));
 				}
 			else
 #endif
@@ -720,7 +731,9 @@ bad:

 	if (newreq && (pkey == NULL))
 		{
+#ifndef OPENSSL_NO_RSA
 		BN_GENCB cb;
+#endif
 		char *randfile = NCONF_get_string(req_conf,SECTION,"RANDFILE");
 		if (randfile == NULL)
 			ERR_clear_error();
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -56,6 +56,7 @@
 * [including the GNU Public Licence.]
 */

+#include <openssl/opensslconf.h>
 #ifndef OPENSSL_NO_RSA
 #include <stdio.h>
 #include <stdlib.h>
--- a/apps/rsautl.c
+++ b/apps/rsautl.c
@@ -56,6 +56,7 @@
 *
 */

+#include <openssl/opensslconf.h>
 #ifndef OPENSSL_NO_RSA

 #include "apps.h"
@@ -148,6 +149,7 @@ int MAIN(int argc, char **argv)
 		else if(!strcmp(*argv, "-oaep")) pad = RSA_PKCS1_OAEP_PADDING;
 		else if(!strcmp(*argv, "-ssl")) pad = RSA_SSLV23_PADDING;
 		else if(!strcmp(*argv, "-pkcs")) pad = RSA_PKCS1_PADDING;
+		else if(!strcmp(*argv, "-x931")) pad = RSA_X931_PADDING;
 		else if(!strcmp(*argv, "-sign")) {
 			rsa_mode = RSA_SIGN;
 			need_priv = 1;
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -263,6 +263,9 @@ int MAIN(int argc, char **argv)
 	int starttls_proto = 0;
 	int prexit = 0, vflags = 0;
 	SSL_METHOD *meth=NULL;
+#ifdef sock_type
+#undef sock_type
+#endif
 	int sock_type=SOCK_STREAM;
 	BIO *sbio;
 	char *inrand=NULL;
@@ -1093,7 +1096,9 @@ static void print_stuff(BIO *bio, SSL *s, int full)
 	SSL_CIPHER *c;
 	X509_NAME *xn;
 	int j,i;
+#ifndef OPENSSL_NO_COMP
 	const COMP_METHOD *comp, *expansion;
+#endif

 	if (full)
 		{
@@ -1196,12 +1201,14 @@ static void print_stuff(BIO *bio, SSL *s, int full)
 							 EVP_PKEY_bits(pktmp));
 		EVP_PKEY_free(pktmp);
 	}
+#ifndef OPENSSL_NO_COMP
 	comp=SSL_get_current_compression(s);
 	expansion=SSL_get_current_expansion(s);
 	BIO_printf(bio,"Compression: %s\n",
 		comp ? SSL_COMP_get_name(comp) : "NONE");
 	BIO_printf(bio,"Expansion: %s\n",
 		expansion ? SSL_COMP_get_name(expansion) : "NONE");
+#endif
 	SSL_SESSION_print(bio,SSL_get_session(s));
 	BIO_printf(bio,"---\n");
 	if (peer != NULL)
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -153,6 +153,12 @@ typedef unsigned int u_int;
 #include <openssl/x509.h>
 #include <openssl/ssl.h>
 #include <openssl/rand.h>
+#ifndef OPENSSL_NO_DH
+#include <openssl/dh.h>
+#endif
+#ifndef OPENSSL_NO_RSA
+#include <openssl/rsa.h>
+#endif
 #include "s_apps.h"
 #include "timeouts.h"

@@ -262,6 +268,9 @@ static char *engine_id=NULL;
 static const char *session_id_prefix=NULL;

 static int enable_timeouts = 0;
+#ifdef mtu
+#undef mtu
+#endif
 static long mtu;
 static int cert_chain = 0;

@@ -527,13 +536,18 @@ int MAIN(int argc, char *argv[])
 	char *CApath=NULL,*CAfile=NULL;
 	unsigned char *context = NULL;
 	char *dhfile = NULL;
+#ifndef OPENSSL_NO_ECDH
 	char *named_curve = NULL;
+#endif
 	int badop=0,bugs=0;
 	int ret=1;
 	int off=0;
 	int no_tmp_rsa=0,no_dhe=0,no_ecdhe=0,nocert=0;
 	int state=0;
 	SSL_METHOD *meth=NULL;
+#ifdef sock_type
+#undef sock_type
+#endif
    int sock_type=SOCK_STREAM;
 #ifndef OPENSSL_NO_ENGINE
 	ENGINE *e=NULL;
@@ -818,6 +832,8 @@ bad:
 	if (s_key_file == NULL)
 		s_key_file = s_cert_file;

+	if (nocert == 0)
+		{
 		s_key = load_key(bio_err, s_key_file, s_key_format, 0, pass, e,
 		       "server certificate private key file");
 		if (!s_key)
@@ -834,6 +850,7 @@ bad:
 			ERR_print_errors(bio_err);
 			goto end;
 			}
+		}

 	if (s_dcert_file)
 		{
@@ -981,13 +998,6 @@ bad:
 		{
 		EC_KEY *ecdh=NULL;

-		ecdh = EC_KEY_new();
-		if (ecdh == NULL)
-			{
-			BIO_printf(bio_err,"Could not create ECDH struct.\n");
-			goto end;
-			}
-
 		if (named_curve)
 			{
 			int nid = OBJ_sn2nid(named_curve);
@@ -998,9 +1008,8 @@ bad:
 					named_curve);
 				goto end;
 				}
-
-			ecdh->group = EC_GROUP_new_by_nid(nid);
-			if (ecdh->group == NULL)
+			ecdh = EC_KEY_new_by_curve_name(nid);
+			if (ecdh == NULL)
 				{
 				BIO_printf(bio_err, "unable to create curve (%s)\n", 
 					named_curve);
@@ -1008,15 +1017,15 @@ bad:
 				}
 			}

-		if (ecdh->group != NULL)
+		if (ecdh != NULL)
 			{
 			BIO_printf(bio_s_out,"Setting temp ECDH parameters\n");
 			}
 		else
 			{
 			BIO_printf(bio_s_out,"Using default temp ECDH parameters\n");
-			ecdh->group=EC_GROUP_new_by_nid(NID_sect163r2);
-			if (ecdh->group == NULL) 
+			ecdh = EC_KEY_new_by_curve_name(NID_sect163r2);
+			if (ecdh == NULL) 
 				{
 				BIO_printf(bio_err, "unable to create curve (sect163r2)\n");
 				goto end;
--- a/apps/s_socket.c
+++ b/apps/s_socket.c
@@ -87,8 +87,12 @@ typedef unsigned int u_int;

 #ifndef OPENSSL_NO_SOCK

+#if defined(OPENSSL_SYS_NETWARE) && defined(NETWARE_BSDSOCK)
+#include "netdb.h"
+#endif
+
 static struct hostent *GetHostByName(char *name);
-#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_NETWARE)
+#if defined(OPENSSL_SYS_WINDOWS) || (defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK))
 static void ssl_sock_cleanup(void);
 #endif
 static int ssl_sock_init(void);
@@ -104,7 +108,7 @@ static int host_ip(char *str, unsigned char ip[4]);
 #define SOCKET_PROTOCOL	IPPROTO_TCP
 #endif

-#ifdef OPENSSL_SYS_NETWARE
+#if defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK)
 static int wsa_init_done=0;
 #endif

@@ -156,7 +160,7 @@ static void ssl_sock_cleanup(void)
 		WSACleanup();
 		}
 	}
-#elif defined(OPENSSL_SYS_NETWARE)
+#elif defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK)
 static void sock_cleanup(void)
    {
    if (wsa_init_done)
@@ -199,7 +203,7 @@ static int ssl_sock_init(void)
 		SetWindowLong(topWnd,GWL_WNDPROC,(LONG)lpTopHookProc);
 #endif /* OPENSSL_SYS_WIN16 */
 		}
-#elif defined(OPENSSL_SYS_NETWARE)
+#elif defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK)
   WORD wVerReq;
   WSADATA wsaData;
   int err;
@@ -398,7 +402,7 @@ redoit:
 	ret=accept(acc_sock,(struct sockaddr *)&from,(void *)&len);
 	if (ret == INVALID_SOCKET)
 		{
-#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_NETWARE)
+#if defined(OPENSSL_SYS_WINDOWS) || (defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK))
 		i=WSAGetLastError();
 		BIO_printf(bio_err,"accept error %d\n",i);
 #else
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -384,9 +384,9 @@ int MAIN(int argc, char **argv)
 		}
 	else if (operation == SMIME_DECRYPT)
 		{
-		if (!recipfile)
+		if (!recipfile && !keyfile)
 			{
-			BIO_printf(bio_err, "No recipient certificate and key specified\n");
+			BIO_printf(bio_err, "No recipient certificate or key specified\n");
 			badarg = 1;
 			}
 		}
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -286,9 +286,17 @@ static double results[ALGOR_NUM][SIZE_NUM];
 static int lengths[SIZE_NUM]={16,64,256,1024,8*1024};
 static double rsa_results[RSA_NUM][2];
 static double dsa_results[DSA_NUM][2];
+#ifndef OPENSSL_NO_ECDSA
 static double ecdsa_results[EC_NUM][2];
+#endif
+#ifndef OPENSSL_NO_ECDH
 static double ecdh_results[EC_NUM][1];
+#endif

+#if defined(OPENSSL_NO_DSA) && !(defined(OPENSSL_NO_ECDSA) && defined(OPENSSL_NO_ECDH))
+static const char rnd_seed[] = "string to make the random number generator think it has entropy";
+static int rnd_fake = 0;
+#endif

 #ifdef SIGALRM
 #if defined(__STDC__) || defined(sgi) || defined(_AIX)
@@ -448,6 +456,7 @@ static double Time_F(int s)
 #endif /* if defined(OPENSSL_SYS_NETWARE) */


+#ifndef OPENSSL_NO_ECDH
 static const int KDF1_SHA1_len = 20;
 static void *KDF1_SHA1(const void *in, size_t inlen, void *out, size_t *outlen)
 	{
@@ -459,8 +468,9 @@ static void *KDF1_SHA1(const void *in, size_t inlen, void *out, size_t *outlen)
 	return SHA1(in, inlen, out);
 #else
 	return NULL;
-#endif
+#endif	/* OPENSSL_NO_SHA */
 	}
+#endif	/* OPENSSL_NO_ECDH */


 int MAIN(int, char **);
@@ -496,9 +506,13 @@ int MAIN(int argc, char **argv)
 #endif
 #ifndef OPENSSL_NO_SHA
 	unsigned char sha[SHA_DIGEST_LENGTH];
+#ifndef OPENSSL_NO_SHA256
 	unsigned char sha256[SHA256_DIGEST_LENGTH];
+#endif
+#ifndef OPENSSL_NO_SHA512
 	unsigned char sha512[SHA512_DIGEST_LENGTH];
 #endif
+#endif
 #ifndef OPENSSL_NO_RIPEMD
 	unsigned char rmd160[RIPEMD160_DIGEST_LENGTH];
 #endif
@@ -523,6 +537,7 @@ int MAIN(int argc, char **argv)
 	static const unsigned char key16[16]=
 		{0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,
 		 0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12};
+#ifndef OPENSSL_NO_AES
 	static const unsigned char key24[24]=
 		{0x12,0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,
 		 0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,
@@ -532,6 +547,7 @@ int MAIN(int argc, char **argv)
 		 0x34,0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,
 		 0x56,0x78,0x9a,0xbc,0xde,0xf0,0x12,0x34,
 		 0x78,0x9a,0xbc,0xde,0xf0,0x12,0x34,0x56};
+#endif
 #ifndef OPENSSL_NO_AES
 #define MAX_BLOCK_SIZE 128
 #else
@@ -689,8 +705,12 @@ int MAIN(int argc, char **argv)

 	int rsa_doit[RSA_NUM];
 	int dsa_doit[DSA_NUM];
+#ifndef OPENSSL_NO_ECDSA
 	int ecdsa_doit[EC_NUM];
+#endif
+#ifndef OPENSSL_NO_ECDH
        int ecdh_doit[EC_NUM];
+#endif
 	int doit[ALGOR_NUM];
 	int pr_header=0;
 	const EVP_CIPHER *evp_cipher=NULL;
@@ -878,11 +898,15 @@ int MAIN(int argc, char **argv)
 							doit[D_SHA256]=1,
 							doit[D_SHA512]=1;
 		else
+#ifndef OPENSSL_NO_SHA256
 			if (strcmp(*argv,"sha256") == 0) doit[D_SHA256]=1;
 		else
+#endif
+#ifndef OPENSSL_NO_SHA512
 			if (strcmp(*argv,"sha512") == 0) doit[D_SHA512]=1;
 		else
 #endif
+#endif
 #ifndef OPENSSL_NO_RIPEMD
 			if (strcmp(*argv,"ripemd") == 0) doit[D_RMD160]=1;
 		else
@@ -1064,7 +1088,11 @@ int MAIN(int argc, char **argv)
 #endif
 #ifndef OPENSSL_NO_SHA1
 			BIO_printf(bio_err,"sha1     ");
+#endif
+#ifndef OPENSSL_NO_SHA256
 			BIO_printf(bio_err,"sha256   ");
+#endif
+#ifndef OPENSSL_NO_SHA512
 			BIO_printf(bio_err,"sha512   ");
 #endif
 #ifndef OPENSSL_NO_RIPEMD160
@@ -2040,7 +2068,7 @@ int MAIN(int argc, char **argv)
 		int ret;

 		if (!ecdsa_doit[j]) continue; /* Ignore Curve */ 
-		ecdsa[j] = EC_KEY_new();
+		ecdsa[j] = EC_KEY_new_by_curve_name(test_curves[j]);
 		if (ecdsa[j] == NULL) 
 			{
 			BIO_printf(bio_err,"ECDSA failure.\n");
@@ -2049,18 +2077,8 @@ int MAIN(int argc, char **argv)
 			} 
 		else 
 			{
-			ecdsa[j]->group = EC_GROUP_new_by_nid(test_curves[j]);
-			/* Could not obtain group information */
-			if (ecdsa[j]->group == NULL) 
-				{
-				BIO_printf(bio_err,"ECDSA failure.Could not obtain group information\n");
-				ERR_print_errors(bio_err);
-				rsa_count=1;
-				} 
-			else 
-				{
 #if 1
-				EC_GROUP_precompute_mult(ecdsa[j]->group, NULL);
+			EC_KEY_precompute_mult(ecdsa[j], NULL);
 #endif
 			/* Perform ECDSA signature test */
 			EC_KEY_generate_key(ecdsa[j]);
@@ -2145,7 +2163,6 @@ int MAIN(int argc, char **argv)
 				}
 			}
 		}
-		}
 	if (rnd_fake) RAND_cleanup();
 #endif

@@ -2158,8 +2175,8 @@ int MAIN(int argc, char **argv)
 	for (j=0; j<EC_NUM; j++)
 		{
 		if (!ecdh_doit[j]) continue;
-		ecdh_a[j] = EC_KEY_new();
-		ecdh_b[j] = EC_KEY_new();
+		ecdh_a[j] = EC_KEY_new_by_curve_name(test_curves[j]);
+		ecdh_b[j] = EC_KEY_new_by_curve_name(test_curves[j]);
 		if ((ecdh_a[j] == NULL) || (ecdh_b[j] == NULL))
 			{
 			BIO_printf(bio_err,"ECDH failure.\n");
@@ -2168,17 +2185,6 @@ int MAIN(int argc, char **argv)
 			}
 		else
 			{
-			ecdh_a[j]->group = EC_GROUP_new_by_nid(test_curves[j]);
-			if (ecdh_a[j]->group == NULL)
-				{
-				BIO_printf(bio_err,"ECDH failure.\n");
-				ERR_print_errors(bio_err);
-				rsa_count=1;
-				}
-			else
-				{
-				ecdh_b[j]->group = EC_GROUP_dup(ecdh_a[j]->group);
-
 			/* generate two ECDH key pairs */
 			if (!EC_KEY_generate_key(ecdh_a[j]) ||
 				!EC_KEY_generate_key(ecdh_b[j]))
@@ -2194,7 +2200,7 @@ int MAIN(int argc, char **argv)
 				 */
 				int field_size, outlen;
 				void *(*kdf)(const void *in, size_t inlen, void *out, size_t *xoutlen);
-					field_size = EC_GROUP_get_degree(ecdh_a[j]->group);
+				field_size = EC_GROUP_get_degree(EC_KEY_get0_group(ecdh_a[j]));
 				if (field_size <= 24 * 8)
 					{
 					outlen = KDF1_SHA1_len;
@@ -2206,10 +2212,10 @@ int MAIN(int argc, char **argv)
 					kdf = NULL;
 					}
 				secret_size_a = ECDH_compute_key(secret_a, outlen,
-						ecdh_b[j]->pub_key,
+					EC_KEY_get0_public_key(ecdh_b[j]),
 					ecdh_a[j], kdf);
 				secret_size_b = ECDH_compute_key(secret_b, outlen,
-						ecdh_a[j]->pub_key,
+					EC_KEY_get0_public_key(ecdh_a[j]),
 					ecdh_b[j], kdf);
 				if (secret_size_a != secret_size_b) 
 					ecdh_checks = 0;
@@ -2240,7 +2246,7 @@ int MAIN(int argc, char **argv)
 				for (count=0,run=1; COND(ecdh_c[j][0]); count++)
 					{
 					ECDH_compute_key(secret_a, outlen,
-						ecdh_b[j]->pub_key,
+					EC_KEY_get0_public_key(ecdh_b[j]),
 					ecdh_a[j], kdf);
 					}
 				d=Time_F(STOP);
@@ -2250,7 +2256,7 @@ int MAIN(int argc, char **argv)
 				rsa_count=count;
 				}
 			}
-			}
+

 		if (rsa_count <= 1)
 			{
@@ -2365,7 +2371,7 @@ show_res:
 				k,rsa_bits[k],rsa_results[k][0],
 				rsa_results[k][1]);
 		else
-			fprintf(stdout,"rsa %4u bits %8.4fs %8.4fs %8.1f %8.1f\n",
+			fprintf(stdout,"rsa %4u bits %8.6fs %8.6fs %8.1f %8.1f\n",
 				rsa_bits[k],rsa_results[k][0],rsa_results[k][1],
 				1.0/rsa_results[k][0],1.0/rsa_results[k][1]);
 		}
@@ -2384,7 +2390,7 @@ show_res:
 			fprintf(stdout,"+F3:%u:%u:%f:%f\n",
 				k,dsa_bits[k],dsa_results[k][0],dsa_results[k][1]);
 		else
-			fprintf(stdout,"dsa %4u bits %8.4fs %8.4fs %8.1f %8.1f\n",
+			fprintf(stdout,"dsa %4u bits %8.6fs %8.6fs %8.1f %8.1f\n",
 				dsa_bits[k],dsa_results[k][0],dsa_results[k][1],
 				1.0/dsa_results[k][0],1.0/dsa_results[k][1]);
 		}
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -73,8 +73,12 @@
 #include <openssl/x509v3.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
+#ifndef OPENSSL_NO_RSA
 #include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
+#endif

 #undef PROG
 #define PROG x509_main
--- a/bugs/VC16.bug
+++ b/bugs/VC16.bug
@@ -1,18 +0,0 @@
-Microsoft (R) C/C++ Optimizing Compiler Version 8.00c
-
-Compile with /O2 chokes the compiler on these files
-
-crypto\md\md5_dgst.c		warning '@(#)reg86.c:1.26', line 1110
-crypto\des\ofb64ede.c		warning '@(#)grammar.c:1.147', line 168
-crypto\des\ofb64enc.c		warning '@(#)grammar.c:1.147', line 168
-crypto\des\qud_cksm.c		warning '@(#)grammar.c:1.147', line 168
-crypto\rc2\rc2ofb64.c		warning '@(#)grammar.c:1.147', line 168
-crypto\objects\obj_dat.c	warning	'@(#)grammar.c:1.147', line 168
-				fatal	'@(#)grammar.c:1.147', line 168
-crypto\objects\obj_lib.c	warning	'@(#)grammar.c:1.147', line 168
-				fatal	'@(#)grammar.c:1.147', line 168
-ssl\ssl_auth.c			warning	'@(#)grammar.c:1.147', line 168
-				fatal	'@(#)grammar.c:1.147', line 168
-
-Turning on /G3 with build flags that worked fine for /G2 came up with
-divide by zero errors in 'normal' code in speed.c :-(
--- a/certs/argena.pem
+++ b/certs/argena.pem
@@ -0,0 +1,39 @@
+-----BEGIN CERTIFICATE-----
+MIIG0zCCBbugAwIBAgIBADANBgkqhkiG9w0BAQUFADCBzDELMAkGA1UEBhMCQVQx
+EDAOBgNVBAgTB0F1c3RyaWExDzANBgNVBAcTBlZpZW5uYTE6MDgGA1UEChMxQVJH
+RSBEQVRFTiAtIEF1c3RyaWFuIFNvY2lldHkgZm9yIERhdGEgUHJvdGVjdGlvbjEl
+MCMGA1UECxMcQS1DRVJUIENlcnRpZmljYXRpb24gU2VydmljZTEYMBYGA1UEAxMP
+QS1DRVJUIEFEVkFOQ0VEMR0wGwYJKoZIhvcNAQkBFg5pbmZvQGEtY2VydC5hdDAe
+Fw0wNDEwMjMxNDE0MTRaFw0xMTEwMjMxNDE0MTRaMIHMMQswCQYDVQQGEwJBVDEQ
+MA4GA1UECBMHQXVzdHJpYTEPMA0GA1UEBxMGVmllbm5hMTowOAYDVQQKEzFBUkdF
+IERBVEVOIC0gQXVzdHJpYW4gU29jaWV0eSBmb3IgRGF0YSBQcm90ZWN0aW9uMSUw
+IwYDVQQLExxBLUNFUlQgQ2VydGlmaWNhdGlvbiBTZXJ2aWNlMRgwFgYDVQQDEw9B
+LUNFUlQgQURWQU5DRUQxHTAbBgkqhkiG9w0BCQEWDmluZm9AYS1jZXJ0LmF0MIIB
+IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA3euXIy+mnf6BYKbK+QH5k679
+tUFqeT8jlZxMew8eNiHuw9KoxWBzL6KksK+5uK7Gatw+sbAYntEGE80P+Jg1hADM
+e+Fr5V0bc6QS3gkVtfUCW/RIvfMM39oxvmqJmOgPnJU7H6+nmLtsq61tv9kVJi/2
+4Y5wXW3odet72sF57EoG6s78w0BUVLNcMngS9bZZzmdG3/d6JbkGgoNF/8DcgCBJ
+W/t0JrcIzyppXIOVtUzzOrrU86zuUgT3Rtkl5kjG7DEHpFb9H0fTOY1v8+gRoaO6
+2gA0PCiysgVZjwgVeYe3KAg11nznyleDv198uK3Dc1oXIGYjJx2FpKWUvAuAEwID
+AQABo4ICvDCCArgwHQYDVR0OBBYEFDd/Pj6ZcWDKJNSRE3nQdCm0qCTYMIH5BgNV
+HSMEgfEwge6AFDd/Pj6ZcWDKJNSRE3nQdCm0qCTYoYHSpIHPMIHMMQswCQYDVQQG
+EwJBVDEQMA4GA1UECBMHQXVzdHJpYTEPMA0GA1UEBxMGVmllbm5hMTowOAYDVQQK
+EzFBUkdFIERBVEVOIC0gQXVzdHJpYW4gU29jaWV0eSBmb3IgRGF0YSBQcm90ZWN0
+aW9uMSUwIwYDVQQLExxBLUNFUlQgQ2VydGlmaWNhdGlvbiBTZXJ2aWNlMRgwFgYD
+VQQDEw9BLUNFUlQgQURWQU5DRUQxHTAbBgkqhkiG9w0BCQEWDmluZm9AYS1jZXJ0
+LmF0ggEAMA8GA1UdEwEB/wQFMAMBAf8wCwYDVR0PBAQDAgHmMEcGA1UdJQRAMD4G
+CCsGAQUFBwMBBggrBgEFBQcDAgYIKwYBBQUHAwMGCCsGAQUFBwMEBggrBgEFBQcD
+CAYKKwYBBAGCNwoDBDARBglghkgBhvhCAQEEBAMCAP8wUQYDVR0gBEowSDBGBggq
+KAAYAQEBAzA6MDgGCCsGAQUFBwIBFixodHRwOi8vd3d3LmEtY2VydC5hdC9jZXJ0
+aWZpY2F0ZS1wb2xpY3kuaHRtbDA7BglghkgBhvhCAQgELhYsaHR0cDovL3d3dy5h
+LWNlcnQuYXQvY2VydGlmaWNhdGUtcG9saWN5Lmh0bWwwGQYDVR0RBBIwEIEOaW5m
+b0BhLWNlcnQuYXQwLwYDVR0SBCgwJoEOaW5mb0BhLWNlcnQuYXSGFGh0dHA6Ly93
+d3cuYS1jZXJ0LmF0MEUGA1UdHwQ+MDwwOqA4oDaGNGh0dHBzOi8vc2VjdXJlLmEt
+Y2VydC5hdC9jZ2ktYmluL2EtY2VydC1hZHZhbmNlZC5jZ2kwDQYJKoZIhvcNAQEF
+BQADggEBACX1IvgfdG2rvfv35O48vSEvcVaEdlN8USFBHWz3JRAozgzvaBtwHkjK
+Zwt5l/BWOtjbvHfRjDt7ijlBEcxOOrNC1ffyMHwHrXpvff6YpQ5wnxmIYEQcURiG
+HMqruEX0WkuDNgSKwefsgXs27eeBauHgNGVcTYH1rmHu/ZyLpLxOyJQ2PCzA1DzW
+3rWkIX92ogJ7lTRdWrbxwUL1XGinxnnaQ74+/y0pI9JNEv7ic2tpkweRMpkedaLW
+msC1+orfKTebsg69aMaCx7o6jNONRmR/7TVaPf8/k6g52cHZ9YWjQvup22b5rWxG
+J5r5LZ4vCPmF4+T4lutjUYAa/lGuQTg=
+-----END CERTIFICATE-----
--- a/certs/argeng.pem
+++ b/certs/argeng.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIIDwzCCAyygAwIBAgIBADANBgkqhkiG9w0BAQQFADCBmDELMAkGA1UEBhMCQVQx
+EDAOBgNVBAgTB0F1c3RyaWExDzANBgNVBAcTBlZpZW5uYTFCMEAGA1UEChM5QXJn
+ZSBEYXRlbiBPZXN0ZXJyZWljaGlzY2hlIEdlc2VsbHNjaGFmdCBmdWVyIERhdGVu
+c2NodXR6MSIwIAYJKoZIhvcNAQkBFhNhLWNlcnRAYXJnZWRhdGVuLmF0MB4XDTAx
+MDIxMjExMzAzMFoXDTA5MDIxMjExMzAzMFowgZgxCzAJBgNVBAYTAkFUMRAwDgYD
+VQQIEwdBdXN0cmlhMQ8wDQYDVQQHEwZWaWVubmExQjBABgNVBAoTOUFyZ2UgRGF0
+ZW4gT2VzdGVycmVpY2hpc2NoZSBHZXNlbGxzY2hhZnQgZnVlciBEYXRlbnNjaHV0
+ejEiMCAGCSqGSIb3DQEJARYTYS1jZXJ0QGFyZ2VkYXRlbi5hdDCBnzANBgkqhkiG
+9w0BAQEFAAOBjQAwgYkCgYEAwgsHqoNtmmrJ86+e1I4hOVBaL4kokqKN2IPOIL+1
+XwY8vfOOUfPEdhWpaC0ldt7VYrksgDiUccgH0FROANWK2GkfKMDzjjXHysR04uEb
+Om7Kqjqn0nproOGkFG+QvBZgs+Ws+HXNFJA6V76fU4+JXq4452LSK4Lr5YcBquu3
+NJECAwEAAaOCARkwggEVMB0GA1UdDgQWBBQ0j59zH/G31zRjgK1y2P//tSAWZjCB
+xQYDVR0jBIG9MIG6gBQ0j59zH/G31zRjgK1y2P//tSAWZqGBnqSBmzCBmDELMAkG
+A1UEBhMCQVQxEDAOBgNVBAgTB0F1c3RyaWExDzANBgNVBAcTBlZpZW5uYTFCMEAG
+A1UEChM5QXJnZSBEYXRlbiBPZXN0ZXJyZWljaGlzY2hlIEdlc2VsbHNjaGFmdCBm
+dWVyIERhdGVuc2NodXR6MSIwIAYJKoZIhvcNAQkBFhNhLWNlcnRAYXJnZWRhdGVu
+LmF0ggEAMAwGA1UdEwQFMAMBAf8wCwYDVR0PBAQDAgEGMBEGCWCGSAGG+EIBAQQE
+AwICBDANBgkqhkiG9w0BAQQFAAOBgQBFuJYncqMYB6gXQS3eDOI90BEHfFTKy/dV
+AV+K7QdAYikWmqgBheRdPKddJdccPy/Zl/p3ZT7GhDyC5f3wZjcuu8AJ27BNwbCA
+x54dgxgCNcyPm79nY8MRtEdEpoRGdSsFKJemz6hpXM++MWFciyrRWIIA44XB0Gv3
+US0spjsDPQ==
+-----END CERTIFICATE-----
--- a/39
+++ b/39
@@ -84,7 +84,7 @@ if [ "x$XREL" != "x" ]; then
 	    4.2)
 		echo "whatever-whatever-unixware1"; exit 0
 		;;
-	    5)
+	    5*)
 		case "x${VERSION}" in
 		    # We hardcode i586 in place of ${MACHINE} for the
 		    # following reason. The catch is that even though Pentium
@@ -93,8 +93,7 @@ if [ "x$XREL" != "x" ]; then
 		    # with i386 is that it makes ./config pass 386 to
 		    # ./Configure, which in turn makes make generate
 		    # inefficient SHA-1 (for this moment) code.
-		    x7*)  echo "i586-sco-unixware7";           exit 0 ;;
-		    x8*)  echo "i586-unkn-OpenUNIX${VERSION}"; exit 0 ;;
+		    x[678]*)  echo "i586-sco-unixware7"; exit 0 ;;
 		esac
 		;;
 	esac
@@ -452,8 +451,6 @@ if [ "$SYSTEM" = "SunOS" ]; then
      echo "         patch #107357-01 or later applied."
      sleep 5
    fi
-  elif [ "$CC" = "cc" -a $CCVER -gt 0 ]; then
-    CC=sc3
  fi
 fi

@@ -647,34 +644,43 @@ case "$GUESSOS" in
 	    OUT="solaris64-x86_64-$CC"
 	else
 	    OUT="solaris-x86-$CC"
+	    if [ `uname -r | sed -e 's/5\.//'` -lt 10 ]; then
+		options="$options no-sse2"
+	    fi
 	fi
 	;;
  *-*-sunos4)		OUT="sunos-$CC" ;;

-  *86*-*-bsdi4)		OUT="bsdi-elf-gcc" ;;
+  *86*-*-bsdi4)		OUT="BSD-x86-elf"; options="$options no-sse2 -ldl" ;;
  alpha*-*-*bsd*)	OUT="BSD-generic64; options="$options -DL_ENDIAN" ;;
  powerpc64-*-*bsd*)	OUT="BSD-generic64; options="$options -DB_ENDIAN" ;;
  sparc64-*-*bsd*)	OUT="BSD-sparc64" ;;
  ia64-*-*bsd*)		OUT="BSD-ia64" ;;
  amd64-*-*bsd*)	OUT="BSD-x86_64" ;;
-  *86*-*-*bsd*)		case "`(file -L /usr/lib/libc.so.*) 2>/dev/null`" in
+  *86*-*-*bsd*)		# mimic ld behaviour when it's looking for libc...
+			if [ -L /usr/lib/libc.so ]; then	# [Free|Net]BSD
+			    libc=/usr/lib/libc.so
+			else					# OpenBSD
+			    # ld searches for highest libc.so.* and so do we
+			    libc=`(ls /usr/lib/libc.so.* | tail -1) 2>/dev/null`
+			fi
+			case "`(file -L $libc) 2>/dev/null`" in
 			*ELF*)	OUT="BSD-x86-elf" ;;
-			*)	OUT="BSD-x86" ;;
+			*)	OUT="BSD-x86"; options="$options no-sse2" ;;
 			esac ;;
  *-*-*bsd*)		OUT="BSD-generic32" ;;

  *-*-osf)		OUT="osf1-alpha-cc" ;;
  *-*-tru64)		OUT="tru64-alpha-cc" ;;
-  *-*-OpenUNIX*)
+  *-*-[Uu]nix[Ww]are7)
 	if [ "$CC" = "gcc" ]; then
-	  OUT="OpenUNIX-8-gcc" 
+	  OUT="unixware-7-gcc" ; options="$options no-sse2"
 	else    
-	  OUT="OpenUNIX-8" 
+	  OUT="unixware-7" ; options="$options no-sse2 -D__i386__"
 	fi
 	;;
-  *-*-[Uu]nix[Ww]are7) OUT="unixware-7" ;;
-  *-*-[Uu]nix[Ww]are20*) OUT="unixware-2.0" ;;
-  *-*-[Uu]nix[Ww]are21*) OUT="unixware-2.1" ;;
+  *-*-[Uu]nix[Ww]are20*) OUT="unixware-2.0"; options="$options no-sse2 no-sha512" ;;
+  *-*-[Uu]nix[Ww]are21*) OUT="unixware-2.1"; options="$options no-sse2 no-sha512" ;;
  *-*-vos)
 	options="$options no-threads no-shared no-asm no-dso"
 	EXE=".pm"
@@ -739,6 +745,11 @@ case "$GUESSOS" in
 		fi
 	    fi
 	fi
+	if (lsattr -E -O -l proc0 | grep -i powerpc) >/dev/null 2>&1; then
+	    :	# this applies even to Power3 and later, as they return PowerPC_POWER[345]
+	else
+	    options="$options no-asm"
+	fi
 	;;
  # these are all covered by the catchall below
  # *-dgux) OUT="dgux" ;;
--- a/crypto/Makefile
+++ b/crypto/Makefile
@@ -6,18 +6,20 @@ DIR=		crypto
 TOP=		..
 CC=		cc
 INCLUDE=	-I. -I$(TOP) -I../include
+# INCLUDES targets sudbirs!
 INCLUDES=	-I.. -I../.. -I../../include
 CFLAG=		-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=	/usr/local/ssl
-MAKE=           make
 MAKEDEPPROG=	makedepend
 MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=       Makefile
 RM=             rm -f
 AR=		ar r

+RECURSIVE_MAKE=	[ -n "$(SDIRS)" ] && for i in $(SDIRS) ; do \
+		    (cd $$i && echo "making $$target in $(DIR)/$$i..." && \
+		    $(MAKE) -e TOP=../.. DIR=$$i INCLUDES='${INCLUDES}' $$target ) || exit 1; \
+		done;
+
 PEX_LIBS=
 EX_LIBS=
 
@@ -27,14 +29,6 @@ AFLAGS=$(ASFLAGS)

 LIBS=

-SDIRS=	objects \
-	md2 md4 md5 sha mdc2 hmac ripemd \
-	des rc2 rc4 rc5 idea bf cast \
-	bn ec rsa dsa ecdsa ecdh dh dso engine aes \
-	buffer bio stack lhash rand err \
-	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \
-	store pqueue
-
 GENERAL=Makefile README crypto-lib.com install.com

 LIB= $(TOP)/libcrypto.a
@@ -70,40 +64,35 @@ x86cpuid-cof.s: x86cpuid.pl perlasm/x86asm.pl
 x86cpuid-out.s: x86cpuid.pl perlasm/x86asm.pl
 	$(PERL) x86cpuid.pl a.out $(CFLAGS) $(PROCESSOR) > $@

+uplink.o:	../ms/uplink.c
+	$(CC) $(CFLAGS) -c -o $@ ../ms/uplink.c
+
+uplink-cof.s:	../ms/uplink.pl
+	$(PERL) ../ms/uplink.pl coff > $@
+
 x86_64cpuid.s: x86_64cpuid.pl
 	$(PERL) x86_64cpuid.pl $@
 ia64cpuid.s: ia64cpuid.S
 	$(CC) $(CFLAGS) -E ia64cpuid.S > $@

 testapps:
-	if echo ${SDIRS} | fgrep ' des '; \
-	then cd des && $(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' des; fi
-	if echo ${SDIRS} | fgrep ' pkcs7 '; \
-	then cd pkcs7 && $(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' testapps; fi
+	[ -z "$(THIS)" ] || (	if echo ${SDIRS} | fgrep ' des '; \
+				then cd des && $(MAKE) -e des; fi )
+	[ -z "$(THIS)" ] || ( cd pkcs7 && $(MAKE) -e testapps );
+	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi

 subdirs:
-	@for i in $(SDIRS) ;\
-	do \
-	(cd $$i && echo "making all in crypto/$$i..." && \
-	$(MAKE) -e INCLUDES='${INCLUDES}' all ) || exit 1; \
-	done;
+	@target=all; $(RECURSIVE_MAKE)

 files:
 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
-	@for i in $(SDIRS) ;\
-	do \
-	(cd $$i && echo "making 'files' in crypto/$$i..." && \
-	$(MAKE) PERL='${PERL}' files ); \
-	done;
+	@target=files; $(RECURSIVE_MAKE)

 links:
 	@$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
 	@$(PERL) $(TOP)/util/mklink.pl ../test $(TEST)
 	@$(PERL) $(TOP)/util/mklink.pl ../apps $(APPS)
-	@for i in $(SDIRS); do \
-	(cd $$i && echo "making links in crypto/$$i..." && \
-	$(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PERL='${PERL}' links ); \
-	done;
+	@target=links; $(RECURSIVE_MAKE)

 lib:	$(LIBOBJ)
 	$(AR) $(LIB) $(LIBOBJ)
@@ -116,64 +105,35 @@ shared: buildinf.h lib subdirs
 	fi

 libs:
-	@for i in $(SDIRS) ;\
-	do \
-	(cd $$i && echo "making libs in crypto/$$i..." && \
-	$(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' AR='${AR}' lib ); \
-	done;
-
-tests:
-	@for i in $(SDIRS) ;\
-	do \
-	(cd $$i && echo "making tests in crypto/$$i..." && \
-	$(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' AR='${AR}' tests ); \
-	done;
+	@target=lib; $(RECURSIVE_MAKE)

 install:
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
 	@headerlist="$(EXHEADER)"; for i in $$headerlist ;\
 	do \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
 	done;
-	@for i in $(SDIRS) ;\
-	do \
-	(cd $$i && echo "making install in crypto/$$i..." && \
-	$(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}'  INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' install ); \
-	done;
+	@target=install; $(RECURSIVE_MAKE)

 lint:
-	@for i in $(SDIRS) ;\
-	do \
-	(cd $$i && echo "making lint in crypto/$$i..." && \
-	$(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' lint ); \
-	done;
+	@target=lint; $(RECURSIVE_MAKE)

 depend:
-	if [ ! -f buildinf.h ]; then touch buildinf.h; fi # fake buildinf.h if it does not exist
-	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDE) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
-	if [ ! -s buildinf.h ]; then rm buildinf.h; fi
-	@for i in $(SDIRS) ;\
-	do \
-	(cd $$i && echo "making depend in crypto/$$i..." && \
-	$(MAKE) MAKEFILE='${MAKEFILE}' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' DEPFLAG='${DEPFLAG}' MAKEDEPPROG='${MAKEDEPPROG}' KRB5_INCLUDES='${KRB5_INCLUDES}' PERL='${PERL}' depend ); \
-	done;
+	@[ -z "$(THIS)" -o -f buildinf.h ] || touch buildinf.h # fake buildinf.h if it does not exist
+	@[ -z "$(THIS)" ] || $(MAKEDEPEND) -- $(CFLAG) $(INCLUDE) $(DEPFLAG) -- $(PROGS) $(LIBSRC)
+	@[ -z "$(THIS)" -o -s buildinf.h ] || rm buildinf.h
+	@[ -z "$(THIS)" ] || (set -e; target=depend; $(RECURSIVE_MAKE) )
+	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi

 clean:
 	rm -f buildinf.h *.s *.o */*.o *.obj lib tags core .pure .nfs* *.old *.bak fluff
-	@for i in $(SDIRS) ;\
-	do \
-	(cd $$i && echo "making clean in crypto/$$i..." && \
-	$(MAKE) CC='$(CC)' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' clean ); \
-	done;
+	@target=clean; $(RECURSIVE_MAKE)

 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
 	mv -f Makefile.new $(MAKEFILE)
-	@for i in $(SDIRS) ;\
-	do \
-	(cd $$i && echo "making dclean in crypto/$$i..." && \
-	$(MAKE) PERL='${PERL}' CC='$(CC)' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' dclean ); \
-	done;
+	@target=dclean; $(RECURSIVE_MAKE)

 # DO NOT DELETE THIS LINE -- make depend depends on it.

--- a/crypto/aes/Makefile
+++ b/crypto/aes/Makefile
@@ -8,12 +8,6 @@ CC=	cc
 CPP=	$(CC) -E
 INCLUDES=
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=	/usr/local/ssl
-MAKE=		make
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r

@@ -69,9 +63,8 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)

-install: installs
-
-installs:
+install:
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
 	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
@@ -87,6 +80,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff

 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)

 dclean:
--- a/crypto/aes/aes_locl.h
+++ b/crypto/aes/aes_locl.h
@@ -62,7 +62,7 @@
 #include <stdlib.h>
 #include <string.h>

-#if defined(_MSC_VER) && !defined(_M_IA64) && !defined(OPENSSL_SYS_WINCE)
+#if defined(_MSC_VER) && (defined(_M_IX86) || defined(_M_AMD64) || defined(_M_X64))
 # define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
 # define GETU32(p) SWAP(*((u32 *)(p)))
 # define PUTU32(ct, st) { *((u32 *)(ct)) = SWAP((st)); }
--- a/crypto/aes/asm/aes-586.pl
+++ b/crypto/aes/asm/aes-586.pl
@@ -426,7 +426,7 @@ sub _data_word() { my $i; while(defined($i=shift)) { &data_word($i,$i); } }
 #rcon:
 	&data_word(0x00000001, 0x00000002, 0x00000004, 0x00000008);
 	&data_word(0x00000010, 0x00000020, 0x00000040, 0x00000080);
-	&data_word(0x0000001b, 0x00000036);
+	&data_word(0x0000001b, 0x00000036, 0, 0, 0, 0, 0, 0);
 &function_end_B("_x86_AES_encrypt");

 # void AES_encrypt (const void *inp,void *out,const AES_KEY *key);
@@ -826,7 +826,7 @@ my $aes_key=&DWP(60,"esp");	#copy of aes_key
 	&lea    ("ebp",&DWP(&label("AES_Te")."-".&label("pic_point"),"ebp"));

 	# allocate aligned stack frame...
-	&lea	($key,&DWP(-64-260,"esp"));
+	&lea	($key,&DWP(-64-244,"esp"));
 	&and	($key,-64);

 	# ... and make sure it doesn't alias with AES_Te modulo 4096
@@ -845,7 +845,7 @@ my $aes_key=&DWP(60,"esp");	#copy of aes_key
 	&set_label("te_break_out");	# else %esp -= (p-s)&0xfff + framesz;
 	&sub	($s3,$s0);
 	&and	($s3,0xfff);
-	&add	($s3,64+320);
+	&add	($s3,64+256);
 	&sub	($key,$s3);
 	&align	(4);
 	&set_label("te_ok");
@@ -870,7 +870,7 @@ my $aes_key=&DWP(60,"esp");	#copy of aes_key
 		&jb	(&label("skip_ecopy"));
 	}
 	# copy key schedule to stack
-	&mov	("ecx",260/4);
+	&mov	("ecx",244/4);
 	&mov	("esi",$s3);
 	&lea	("edi",$aes_key);
 	&mov	($_key,"edi");
@@ -949,7 +949,7 @@ my $aes_key=&DWP(60,"esp");	#copy of aes_key
 		&jb	(&label("skip_ezero"));
 	}
 	# zero copy of key schedule
-	&mov	("ecx",256/4);
+	&mov	("ecx",240/4);
 	&xor	("eax","eax");
 	&align	(4);
 	&data_word(0xF689ABF3);	# rep stosd
@@ -991,7 +991,7 @@ my $aes_key=&DWP(60,"esp");	#copy of aes_key
 	&lea    ("ebp",&DWP(&label("AES_Td")."-".&label("pic_point"),"ebp"));

 	# allocate aligned stack frame...
-	&lea	($key,&DWP(-64-260,"esp"));
+	&lea	($key,&DWP(-64-244,"esp"));
 	&and	($key,-64);

 	# ... and make sure it doesn't alias with AES_Td modulo 4096
@@ -1010,7 +1010,7 @@ my $aes_key=&DWP(60,"esp");	#copy of aes_key
 	&set_label("td_break_out");	# else %esp -= (p-s)&0xfff + framesz;
 	&sub	($s3,$s0);
 	&and	($s3,0xfff);
-	&add	($s3,64+320);
+	&add	($s3,64+256);
 	&sub	($key,$s3);
 	&align	(4);
 	&set_label("td_ok");
@@ -1035,7 +1035,7 @@ my $aes_key=&DWP(60,"esp");	#copy of aes_key
 		&jb	(&label("skip_dcopy"));
 	}
 	# copy key schedule to stack
-	&mov	("ecx",260/4);
+	&mov	("ecx",244/4);
 	&mov	("esi",$s3);
 	&lea	("edi",$aes_key);
 	&mov	($_key,"edi");
@@ -1199,7 +1199,7 @@ my $aes_key=&DWP(60,"esp");	#copy of aes_key
 	&jb	(&label("skip_dzero"));
    }
    # zero copy of key schedule
-    &mov	("ecx",256/4);
+    &mov	("ecx",240/4);
    &xor	("eax","eax");
    &align	(4);
    &data_word(0xF689ABF3);	# rep stosd
--- a/crypto/asn1/Makefile
+++ b/crypto/asn1/Makefile
@@ -7,12 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKE=		make
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r

@@ -82,6 +76,7 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)

 install:
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
 	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
@@ -97,6 +92,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff

 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by top Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)

 dclean:
--- a/crypto/asn1/a_bitstr.c
+++ b/crypto/asn1/a_bitstr.c
@@ -183,9 +183,11 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
 	iv= ~v;
 	if (!value) v=0;

+	if (a == NULL)
+		return 0;
+
 	a->flags&= ~(ASN1_STRING_FLAG_BITS_LEFT|0x07); /* clear, set on write */

-	if (a == NULL) return(0);
 	if ((a->length < (w+1)) || (a->data == NULL))
 		{
 		if (!value) return(1); /* Don't need to set */
--- a/crypto/asn1/a_d2i_fp.c
+++ b/crypto/asn1/a_d2i_fp.c
@@ -127,7 +127,7 @@ void *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x)

        if ((b=BIO_new(BIO_s_file())) == NULL)
 		{
-		ASN1err(ASN1_F_ASN1_D2I_FP,ERR_R_BUF_LIB);
+		ASN1err(ASN1_F_ASN1_ITEM_D2I_FP,ERR_R_BUF_LIB);
                return(NULL);
 		}
        BIO_set_fp(b,in,BIO_NOCLOSE);
@@ -158,7 +158,7 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 	b=BUF_MEM_new();
 	if (b == NULL)
 		{
-		ASN1err(ASN1_F_ASN1_D2I_BIO,ERR_R_MALLOC_FAILURE);
+		ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ERR_R_MALLOC_FAILURE);
 		return -1;
 		}

@@ -171,13 +171,13 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)

 			if (!BUF_MEM_grow_clean(b,len+want))
 				{
-				ASN1err(ASN1_F_ASN1_D2I_BIO,ERR_R_MALLOC_FAILURE);
+				ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ERR_R_MALLOC_FAILURE);
 				goto err;
 				}
 			i=BIO_read(in,&(b->data[len]),want);
 			if ((i < 0) && ((len-off) == 0))
 				{
-				ASN1err(ASN1_F_ASN1_D2I_BIO,ASN1_R_NOT_ENOUGH_DATA);
+				ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ASN1_R_NOT_ENOUGH_DATA);
 				goto err;
 				}
 			if (i > 0)
@@ -226,7 +226,7 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 				want-=(len-off);
 				if (!BUF_MEM_grow_clean(b,len+want))
 					{
-					ASN1err(ASN1_F_ASN1_D2I_BIO,ERR_R_MALLOC_FAILURE);
+					ASN1err(ASN1_F_ASN1_D2I_READ_BIO,ERR_R_MALLOC_FAILURE);
 					goto err;
 					}
 				while (want > 0)
@@ -234,7 +234,7 @@ static int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
 					i=BIO_read(in,&(b->data[len]),want);
 					if (i <= 0)
 						{
-						ASN1err(ASN1_F_ASN1_D2I_BIO,
+						ASN1err(ASN1_F_ASN1_D2I_READ_BIO,
 						    ASN1_R_NOT_ENOUGH_DATA);
 						goto err;
 						}
--- a/crypto/asn1/a_dup.c
+++ b/crypto/asn1/a_dup.c
@@ -101,7 +101,7 @@ void *ASN1_item_dup(const ASN1_ITEM *it, void *x)

 	i=ASN1_item_i2d(x,&b,it);
 	if (b == NULL)
-		{ ASN1err(ASN1_F_ASN1_DUP,ERR_R_MALLOC_FAILURE); return(NULL); }
+		{ ASN1err(ASN1_F_ASN1_ITEM_DUP,ERR_R_MALLOC_FAILURE); return(NULL); }
 	p= b;
 	ret=ASN1_item_d2i(NULL,&p,i, it);
 	OPENSSL_free(b);
--- a/crypto/asn1/a_i2d_fp.c
+++ b/crypto/asn1/a_i2d_fp.c
@@ -124,7 +124,7 @@ int ASN1_item_i2d_fp(const ASN1_ITEM *it, FILE *out, void *x)

        if ((b=BIO_new(BIO_s_file())) == NULL)
 		{
-		ASN1err(ASN1_F_ASN1_I2D_FP,ERR_R_BUF_LIB);
+		ASN1err(ASN1_F_ASN1_ITEM_I2D_FP,ERR_R_BUF_LIB);
                return(0);
 		}
        BIO_set_fp(b,out,BIO_NOCLOSE);
@@ -142,7 +142,7 @@ int ASN1_item_i2d_bio(const ASN1_ITEM *it, BIO *out, void *x)
 	n = ASN1_item_i2d(x, &b, it);
 	if (b == NULL)
 		{
-		ASN1err(ASN1_F_ASN1_I2D_BIO,ERR_R_MALLOC_FAILURE);
+		ASN1err(ASN1_F_ASN1_ITEM_I2D_BIO,ERR_R_MALLOC_FAILURE);
 		return(0);
 		}

--- a/crypto/asn1/a_int.c
+++ b/crypto/asn1/a_int.c
@@ -256,7 +256,7 @@ ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a, const unsigned char **pp,
 	*pp=pend;
 	return(ret);
 err:
-	ASN1err(ASN1_F_D2I_ASN1_INTEGER,i);
+	ASN1err(ASN1_F_C2I_ASN1_INTEGER,i);
 	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
 		M_ASN1_INTEGER_free(ret);
 	return(NULL);
--- a/crypto/asn1/a_mbstr.c
+++ b/crypto/asn1/a_mbstr.c
@@ -107,7 +107,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,

 		case MBSTRING_BMP:
 		if(len & 1) {
-			ASN1err(ASN1_F_ASN1_MBSTRING_COPY,
+			ASN1err(ASN1_F_ASN1_MBSTRING_NCOPY,
 					 ASN1_R_INVALID_BMPSTRING_LENGTH);
 			return -1;
 		}
@@ -116,7 +116,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,

 		case MBSTRING_UNIV:
 		if(len & 3) {
-			ASN1err(ASN1_F_ASN1_MBSTRING_COPY,
+			ASN1err(ASN1_F_ASN1_MBSTRING_NCOPY,
 					 ASN1_R_INVALID_UNIVERSALSTRING_LENGTH);
 			return -1;
 		}
@@ -128,7 +128,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 		/* This counts the characters and does utf8 syntax checking */
 		ret = traverse_string(in, len, MBSTRING_UTF8, in_utf8, &nchar);
 		if(ret < 0) {
-			ASN1err(ASN1_F_ASN1_MBSTRING_COPY,
+			ASN1err(ASN1_F_ASN1_MBSTRING_NCOPY,
 						 ASN1_R_INVALID_UTF8STRING);
 			return -1;
 		}
@@ -139,19 +139,19 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 		break;

 		default:
-		ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_UNKNOWN_FORMAT);
+		ASN1err(ASN1_F_ASN1_MBSTRING_NCOPY, ASN1_R_UNKNOWN_FORMAT);
 		return -1;
 	}

 	if((minsize > 0) && (nchar < minsize)) {
-		ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_STRING_TOO_SHORT);
+		ASN1err(ASN1_F_ASN1_MBSTRING_NCOPY, ASN1_R_STRING_TOO_SHORT);
 		BIO_snprintf(strbuf, sizeof strbuf, "%ld", minsize);
 		ERR_add_error_data(2, "minsize=", strbuf);
 		return -1;
 	}

 	if((maxsize > 0) && (nchar > maxsize)) {
-		ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_STRING_TOO_LONG);
+		ASN1err(ASN1_F_ASN1_MBSTRING_NCOPY, ASN1_R_STRING_TOO_LONG);
 		BIO_snprintf(strbuf, sizeof strbuf, "%ld", maxsize);
 		ERR_add_error_data(2, "maxsize=", strbuf);
 		return -1;
@@ -159,7 +159,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,

 	/* Now work out minimal type (if any) */
 	if(traverse_string(in, len, inform, type_str, &mask) < 0) {
-		ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_ILLEGAL_CHARACTERS);
+		ASN1err(ASN1_F_ASN1_MBSTRING_NCOPY, ASN1_R_ILLEGAL_CHARACTERS);
 		return -1;
 	}

@@ -193,7 +193,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 		free_out = 1;
 		dest = ASN1_STRING_type_new(str_type);
 		if(!dest) {
-			ASN1err(ASN1_F_ASN1_MBSTRING_COPY,
+			ASN1err(ASN1_F_ASN1_MBSTRING_NCOPY,
 							ERR_R_MALLOC_FAILURE);
 			return -1;
 		}
@@ -202,7 +202,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 	/* If both the same type just copy across */
 	if(inform == outform) {
 		if(!ASN1_STRING_set(dest, in, len)) {
-			ASN1err(ASN1_F_ASN1_MBSTRING_COPY,ERR_R_MALLOC_FAILURE);
+			ASN1err(ASN1_F_ASN1_MBSTRING_NCOPY,ERR_R_MALLOC_FAILURE);
 			return -1;
 		}
 		return str_type;
@@ -233,7 +233,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 	}
 	if(!(p = OPENSSL_malloc(outlen + 1))) {
 		if(free_out) ASN1_STRING_free(dest);
-		ASN1err(ASN1_F_ASN1_MBSTRING_COPY,ERR_R_MALLOC_FAILURE);
+		ASN1err(ASN1_F_ASN1_MBSTRING_NCOPY,ERR_R_MALLOC_FAILURE);
 		return -1;
 	}
 	dest->length = outlen;
--- a/crypto/asn1/a_object.c
+++ b/crypto/asn1/a_object.c
@@ -255,7 +255,7 @@ ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, const unsigned char **pp,
 	*pp=p;
 	return(ret);
 err:
-	ASN1err(ASN1_F_D2I_ASN1_OBJECT,i);
+	ASN1err(ASN1_F_C2I_ASN1_OBJECT,i);
 	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
 		ASN1_OBJECT_free(ret);
 	return(NULL);
--- a/crypto/asn1/a_sign.c
+++ b/crypto/asn1/a_sign.c
@@ -248,12 +248,12 @@ int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
 		a->algorithm=OBJ_nid2obj(type->pkey_type);
 		if (a->algorithm == NULL)
 			{
-			ASN1err(ASN1_F_ASN1_SIGN,ASN1_R_UNKNOWN_OBJECT_TYPE);
+			ASN1err(ASN1_F_ASN1_ITEM_SIGN,ASN1_R_UNKNOWN_OBJECT_TYPE);
 			goto err;
 			}
 		if (a->algorithm->length == 0)
 			{
-			ASN1err(ASN1_F_ASN1_SIGN,ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD);
+			ASN1err(ASN1_F_ASN1_ITEM_SIGN,ASN1_R_THE_ASN1_OBJECT_IDENTIFIER_IS_NOT_KNOWN_FOR_THIS_MD);
 			goto err;
 			}
 		}
@@ -263,7 +263,7 @@ int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
 	if ((buf_in == NULL) || (buf_out == NULL))
 		{
 		outl=0;
-		ASN1err(ASN1_F_ASN1_SIGN,ERR_R_MALLOC_FAILURE);
+		ASN1err(ASN1_F_ASN1_ITEM_SIGN,ERR_R_MALLOC_FAILURE);
 		goto err;
 		}

@@ -273,7 +273,7 @@ int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1, X509_ALGOR *algor2,
 			(unsigned int *)&outl,pkey))
 		{
 		outl=0;
-		ASN1err(ASN1_F_ASN1_SIGN,ERR_R_EVP_LIB);
+		ASN1err(ASN1_F_ASN1_ITEM_SIGN,ERR_R_EVP_LIB);
 		goto err;
 		}
 	if (signature->data != NULL) OPENSSL_free(signature->data);
--- a/crypto/asn1/a_strex.c
+++ b/crypto/asn1/a_strex.c
@@ -58,12 +58,12 @@

 #include <stdio.h>
 #include <string.h>
+#include "cryptlib.h"
 #include <openssl/crypto.h>
 #include <openssl/x509.h>
 #include <openssl/asn1.h>

 #include "charmap.h"
-#include "cryptlib.h"

 /* ASN1_STRING_print_ex() and X509_NAME_print_ex().
 * Enhanced string and name printing routines handling
@@ -223,7 +223,7 @@ static int do_buf(unsigned char *buf, int buflen,

 static int do_hex_dump(char_io *io_ch, void *arg, unsigned char *buf, int buflen)
 {
-	const static char hexdig[] = "0123456789ABCDEF";
+	static const char hexdig[] = "0123456789ABCDEF";
 	unsigned char *p, *q;
 	char hextmp[2];
 	if(arg) {
@@ -279,7 +279,7 @@ static int do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING
 * otherwise it is the number of bytes per character
 */

-const static signed char tag2nbyte[] = {
+static const signed char tag2nbyte[] = {
 	-1, -1, -1, -1, -1,	/* 0-4 */
 	-1, -1, -1, -1, -1,	/* 5-9 */
 	-1, -1, 0, -1,		/* 10-13 */
@@ -513,7 +513,7 @@ int X509_NAME_print_ex(BIO *out, X509_NAME *nm, int indent, unsigned long flags)
 	return do_name_ex(send_bio_chars, out, nm, indent, flags);
 }

-
+#ifndef OPENSSL_NO_FP_API
 int X509_NAME_print_ex_fp(FILE *fp, X509_NAME *nm, int indent, unsigned long flags)
 {
 	if(flags == XN_FLAG_COMPAT)
@@ -528,17 +528,19 @@ int X509_NAME_print_ex_fp(FILE *fp, X509_NAME *nm, int indent, unsigned long fla
 		}
 	return do_name_ex(send_fp_chars, fp, nm, indent, flags);
 }
+#endif

 int ASN1_STRING_print_ex(BIO *out, ASN1_STRING *str, unsigned long flags)
 {
 	return do_print_ex(send_bio_chars, out, flags, str);
 }

-
+#ifndef OPENSSL_NO_FP_API
 int ASN1_STRING_print_ex_fp(FILE *fp, ASN1_STRING *str, unsigned long flags)
 {
 	return do_print_ex(send_fp_chars, fp, flags, str);
 }
+#endif

 /* Utility function: convert any string type to UTF8, returns number of bytes
 * in output string or a negative error code
--- a/crypto/asn1/a_type.c
+++ b/crypto/asn1/a_type.c
@@ -57,8 +57,8 @@
 */

 #include <stdio.h>
-#include <openssl/asn1t.h>
 #include "cryptlib.h"
+#include <openssl/asn1t.h>

 int ASN1_TYPE_get(ASN1_TYPE *a)
 	{
--- a/crypto/asn1/a_verify.c
+++ b/crypto/asn1/a_verify.c
@@ -138,13 +138,13 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
 	type=EVP_get_digestbyname(OBJ_nid2sn(i));
 	if (type == NULL)
 		{
-		ASN1err(ASN1_F_ASN1_VERIFY,ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
+		ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
 		goto err;
 		}

 	if (!EVP_VerifyInit_ex(&ctx,type, NULL))
 		{
-		ASN1err(ASN1_F_ASN1_VERIFY,ERR_R_EVP_LIB);
+		ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
 		ret=0;
 		goto err;
 		}
@@ -153,7 +153,7 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
 	
 	if (buf_in == NULL)
 		{
-		ASN1err(ASN1_F_ASN1_VERIFY,ERR_R_MALLOC_FAILURE);
+		ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_MALLOC_FAILURE);
 		goto err;
 		}

@@ -165,7 +165,7 @@ int ASN1_item_verify(const ASN1_ITEM *it, X509_ALGOR *a, ASN1_BIT_STRING *signat
 	if (EVP_VerifyFinal(&ctx,(unsigned char *)signature->data,
 			(unsigned int)signature->length,pkey) <= 0)
 		{
-		ASN1err(ASN1_F_ASN1_VERIFY,ERR_R_EVP_LIB);
+		ASN1err(ASN1_F_ASN1_ITEM_VERIFY,ERR_R_EVP_LIB);
 		ret=0;
 		goto err;
 		}
--- a/crypto/asn1/asn1.h
+++ b/crypto/asn1/asn1.h
@@ -901,22 +901,22 @@ int ASN1_object_size(int constructed, int length, int tag);
 /* Used to implement other functions */
 void *ASN1_dup(i2d_of_void *i2d, d2i_of_void *d2i, char *x);
 #define ASN1_dup_of(type,i2d,d2i,x) \
-	((type *(*)(I2D_OF(type),D2I_OF(type),type *))ASN1_dup)(i2d,d2i,x)
+	((type *(*)(I2D_OF(type),D2I_OF(type),type *))openssl_fcast(ASN1_dup))(i2d,d2i,x)
 #define ASN1_dup_of_const(type,i2d,d2i,x) \
-	((type *(*)(I2D_OF_const(type),D2I_OF(type),type *))ASN1_dup)(i2d,d2i,x)
+	((type *(*)(I2D_OF_const(type),D2I_OF(type),type *))openssl_fcast(ASN1_dup))(i2d,d2i,x)

 void *ASN1_item_dup(const ASN1_ITEM *it, void *x);

 #ifndef OPENSSL_NO_FP_API
 void *ASN1_d2i_fp(void *(*xnew)(void), d2i_of_void *d2i, FILE *in, void **x);
 #define ASN1_d2i_fp_of(type,xnew,d2i,in,x) \
-	((type *(*)(type *(*)(void),D2I_OF(type),FILE *,type **))ASN1_d2i_fp)(xnew,d2i,in,x)
+	((type *(*)(type *(*)(void),D2I_OF(type),FILE *,type **))openssl_fcast(ASN1_d2i_fp))(xnew,d2i,in,x)
 void *ASN1_item_d2i_fp(const ASN1_ITEM *it, FILE *in, void *x);
 int ASN1_i2d_fp(i2d_of_void *i2d,FILE *out,void *x);
 #define ASN1_i2d_fp_of(type,i2d,out,x) \
-	((int (*)(I2D_OF(type),FILE *,type *))ASN1_i2d_fp)(i2d,out,x)
+	((int (*)(I2D_OF(type),FILE *,type *))openssl_fcast(ASN1_i2d_fp))(i2d,out,x)
 #define ASN1_i2d_fp_of_const(type,i2d,out,x) \
-	((int (*)(I2D_OF_const(type),FILE *,type *))ASN1_i2d_fp)(i2d,out,x)
+	((int (*)(I2D_OF_const(type),FILE *,type *))openssl_fcast(ASN1_i2d_fp))(i2d,out,x)
 int ASN1_item_i2d_fp(const ASN1_ITEM *it, FILE *out, void *x);
 int ASN1_STRING_print_ex_fp(FILE *fp, ASN1_STRING *str, unsigned long flags);
 #endif
@@ -926,13 +926,13 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in);
 #ifndef OPENSSL_NO_BIO
 void *ASN1_d2i_bio(void *(*xnew)(void), d2i_of_void *d2i, BIO *in, void **x);
 #define ASN1_d2i_bio_of(type,xnew,d2i,in,x) \
-	((type *(*)(type *(*)(void),D2I_OF(type),BIO *,type **))ASN1_d2i_bio)(xnew,d2i,in,x)
+	((type *(*)(type *(*)(void),D2I_OF(type),BIO *,type **))openssl_fcast(ASN1_d2i_bio))(xnew,d2i,in,x)
 void *ASN1_item_d2i_bio(const ASN1_ITEM *it, BIO *in, void *x);
 int ASN1_i2d_bio(i2d_of_void *i2d,BIO *out, unsigned char *x);
 #define ASN1_i2d_bio_of(type,i2d,out,x) \
-	((int (*)(I2D_OF(type),BIO *,type *))ASN1_i2d_bio)(i2d,out,x)
+	((int (*)(I2D_OF(type),BIO *,type *))openssl_fcast(ASN1_i2d_bio))(i2d,out,x)
 #define ASN1_i2d_bio_of_const(type,i2d,out,x) \
-	((int (*)(I2D_OF_const(type),BIO *,type *))ASN1_i2d_bio)(i2d,out,x)
+	((int (*)(I2D_OF_const(type),BIO *,const type *))openssl_fcast(ASN1_i2d_bio))(i2d,out,x)
 int ASN1_item_i2d_bio(const ASN1_ITEM *it, BIO *out, void *x);
 int ASN1_UTCTIME_print(BIO *fp,ASN1_UTCTIME *a);
 int ASN1_GENERALIZEDTIME_print(BIO *fp,ASN1_GENERALIZEDTIME *a);
@@ -976,7 +976,7 @@ void *ASN1_item_unpack(ASN1_STRING *oct, const ASN1_ITEM *it);
 ASN1_STRING *ASN1_pack_string(void *obj, i2d_of_void *i2d,
 			      ASN1_OCTET_STRING **oct);
 #define ASN1_pack_string_of(type,obj,i2d,oct) \
-	((ASN1_STRING *(*)(type *,I2D_OF(type),ASN1_OCTET_STRING **))ASN1_pack_string)(obj,i2d,oct)
+	((ASN1_STRING *(*)(type *,I2D_OF(type),ASN1_OCTET_STRING **))openssl_fcast(ASN1_pack_string))(obj,i2d,oct)
 ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_OCTET_STRING **oct);

 void ASN1_STRING_set_default_mask(unsigned long mask);
@@ -1021,20 +1021,21 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_A2I_ASN1_ENUMERATED			 101
 #define ASN1_F_A2I_ASN1_INTEGER				 102
 #define ASN1_F_A2I_ASN1_STRING				 103
-#define ASN1_F_APPEND_TAG				 176
+#define ASN1_F_APPEND_EXP				 176
 #define ASN1_F_ASN1_BIT_STRING_SET_BIT			 183
 #define ASN1_F_ASN1_CB					 177
 #define ASN1_F_ASN1_CHECK_TLEN				 104
 #define ASN1_F_ASN1_COLLATE_PRIMITIVE			 105
 #define ASN1_F_ASN1_COLLECT				 106
-#define ASN1_F_ASN1_D2I_BIO				 107
 #define ASN1_F_ASN1_D2I_EX_PRIMITIVE			 108
 #define ASN1_F_ASN1_D2I_FP				 109
+#define ASN1_F_ASN1_D2I_READ_BIO			 107
 #define ASN1_F_ASN1_DIGEST				 184
 #define ASN1_F_ASN1_DO_ADB				 110
 #define ASN1_F_ASN1_DUP					 111
 #define ASN1_F_ASN1_ENUMERATED_SET			 112
 #define ASN1_F_ASN1_ENUMERATED_TO_BN			 113
+#define ASN1_F_ASN1_EX_C2I				 204
 #define ASN1_F_ASN1_FIND_END				 190
 #define ASN1_F_ASN1_GENERALIZEDTIME_SET			 185
 #define ASN1_F_ASN1_GENERATE_V3				 178
@@ -1044,12 +1045,21 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_ASN1_I2D_FP				 117
 #define ASN1_F_ASN1_INTEGER_SET				 118
 #define ASN1_F_ASN1_INTEGER_TO_BN			 119
+#define ASN1_F_ASN1_ITEM_D2I_FP				 190
+#define ASN1_F_ASN1_ITEM_DUP				 191
+#define ASN1_F_ASN1_ITEM_EX_COMBINE_NEW			 121
 #define ASN1_F_ASN1_ITEM_EX_D2I				 120
-#define ASN1_F_ASN1_ITEM_NEW				 121
-#define ASN1_F_ASN1_MBSTRING_COPY			 122
+#define ASN1_F_ASN1_ITEM_I2D_BIO			 192
+#define ASN1_F_ASN1_ITEM_I2D_FP				 193
+#define ASN1_F_ASN1_ITEM_PACK				 198
+#define ASN1_F_ASN1_ITEM_SIGN				 195
+#define ASN1_F_ASN1_ITEM_UNPACK				 199
+#define ASN1_F_ASN1_ITEM_VERIFY				 197
+#define ASN1_F_ASN1_MBSTRING_NCOPY			 122
 #define ASN1_F_ASN1_OBJECT_NEW				 123
 #define ASN1_F_ASN1_PACK_STRING				 124
-#define ASN1_F_ASN1_PBE_SET				 125
+#define ASN1_F_ASN1_PCTX_NEW				 205
+#define ASN1_F_ASN1_PKCS5_PBE_SET			 125
 #define ASN1_F_ASN1_SEQ_PACK				 126
 #define ASN1_F_ASN1_SEQ_UNPACK				 127
 #define ASN1_F_ASN1_SIGN				 128
@@ -1057,9 +1067,9 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_ASN1_STRING_SET				 186
 #define ASN1_F_ASN1_STRING_TABLE_ADD			 129
 #define ASN1_F_ASN1_STRING_TYPE_NEW			 130
-#define ASN1_F_ASN1_TEMPLATE_D2I			 131
 #define ASN1_F_ASN1_TEMPLATE_EX_D2I			 132
 #define ASN1_F_ASN1_TEMPLATE_NEW			 133
+#define ASN1_F_ASN1_TEMPLATE_NOEXP_D2I			 131
 #define ASN1_F_ASN1_TIME_SET				 175
 #define ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING		 134
 #define ASN1_F_ASN1_TYPE_GET_OCTETSTRING		 135
@@ -1070,6 +1080,8 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_BN_TO_ASN1_ENUMERATED			 138
 #define ASN1_F_BN_TO_ASN1_INTEGER			 139
 #define ASN1_F_C2I_ASN1_BIT_STRING			 189
+#define ASN1_F_C2I_ASN1_INTEGER				 194
+#define ASN1_F_C2I_ASN1_OBJECT				 196
 #define ASN1_F_COLLECT_DATA				 140
 #define ASN1_F_D2I_ASN1_BIT_STRING			 141
 #define ASN1_F_D2I_ASN1_BOOLEAN				 142
@@ -1086,26 +1098,30 @@ void ERR_load_ASN1_strings(void);
 #define ASN1_F_D2I_NETSCAPE_RSA_2			 153
 #define ASN1_F_D2I_PRIVATEKEY				 154
 #define ASN1_F_D2I_PUBLICKEY				 155
+#define ASN1_F_D2I_RSA_NET				 200
+#define ASN1_F_D2I_RSA_NET_2				 201
 #define ASN1_F_D2I_X509					 156
 #define ASN1_F_D2I_X509_CINF				 157
-#define ASN1_F_D2I_X509_NAME				 158
 #define ASN1_F_D2I_X509_PKEY				 159
 #define ASN1_F_I2D_ASN1_SET				 188
 #define ASN1_F_I2D_ASN1_TIME				 160
 #define ASN1_F_I2D_DSA_PUBKEY				 161
 #define ASN1_F_I2D_EC_PUBKEY				 181
-#define ASN1_F_I2D_NETSCAPE_RSA				 162
 #define ASN1_F_I2D_PRIVATEKEY				 163
 #define ASN1_F_I2D_PUBLICKEY				 164
+#define ASN1_F_I2D_RSA_NET				 162
 #define ASN1_F_I2D_RSA_PUBKEY				 165
 #define ASN1_F_LONG_C2I					 166
 #define ASN1_F_OID_MODULE_INIT				 174
 #define ASN1_F_PARSE_TAGGING				 182
 #define ASN1_F_PKCS5_PBE2_SET				 167
+#define ASN1_F_PKCS5_PBE_SET				 202
 #define ASN1_F_X509_CINF_NEW				 168
 #define ASN1_F_X509_CRL_ADD0_REVOKED			 169
 #define ASN1_F_X509_INFO_NEW				 170
-#define ASN1_F_X509_NAME_NEW				 171
+#define ASN1_F_X509_NAME_ENCODE				 203
+#define ASN1_F_X509_NAME_EX_D2I				 158
+#define ASN1_F_X509_NAME_EX_NEW				 171
 #define ASN1_F_X509_NEW					 172
 #define ASN1_F_X509_PKEY_NEW				 173

--- a/crypto/asn1/asn1_err.c
+++ b/crypto/asn1/asn1_err.c
@@ -74,20 +74,21 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_FUNC(ASN1_F_A2I_ASN1_ENUMERATED),	"a2i_ASN1_ENUMERATED"},
 {ERR_FUNC(ASN1_F_A2I_ASN1_INTEGER),	"a2i_ASN1_INTEGER"},
 {ERR_FUNC(ASN1_F_A2I_ASN1_STRING),	"a2i_ASN1_STRING"},
-{ERR_FUNC(ASN1_F_APPEND_TAG),	"APPEND_TAG"},
+{ERR_FUNC(ASN1_F_APPEND_EXP),	"APPEND_EXP"},
 {ERR_FUNC(ASN1_F_ASN1_BIT_STRING_SET_BIT),	"ASN1_BIT_STRING_set_bit"},
 {ERR_FUNC(ASN1_F_ASN1_CB),	"ASN1_CB"},
 {ERR_FUNC(ASN1_F_ASN1_CHECK_TLEN),	"ASN1_CHECK_TLEN"},
 {ERR_FUNC(ASN1_F_ASN1_COLLATE_PRIMITIVE),	"ASN1_COLLATE_PRIMITIVE"},
 {ERR_FUNC(ASN1_F_ASN1_COLLECT),	"ASN1_COLLECT"},
-{ERR_FUNC(ASN1_F_ASN1_D2I_BIO),	"ASN1_d2i_bio"},
 {ERR_FUNC(ASN1_F_ASN1_D2I_EX_PRIMITIVE),	"ASN1_D2I_EX_PRIMITIVE"},
 {ERR_FUNC(ASN1_F_ASN1_D2I_FP),	"ASN1_d2i_fp"},
+{ERR_FUNC(ASN1_F_ASN1_D2I_READ_BIO),	"ASN1_D2I_READ_BIO"},
 {ERR_FUNC(ASN1_F_ASN1_DIGEST),	"ASN1_digest"},
 {ERR_FUNC(ASN1_F_ASN1_DO_ADB),	"ASN1_DO_ADB"},
 {ERR_FUNC(ASN1_F_ASN1_DUP),	"ASN1_dup"},
 {ERR_FUNC(ASN1_F_ASN1_ENUMERATED_SET),	"ASN1_ENUMERATED_set"},
 {ERR_FUNC(ASN1_F_ASN1_ENUMERATED_TO_BN),	"ASN1_ENUMERATED_to_BN"},
+{ERR_FUNC(ASN1_F_ASN1_EX_C2I),	"ASN1_EX_C2I"},
 {ERR_FUNC(ASN1_F_ASN1_FIND_END),	"ASN1_FIND_END"},
 {ERR_FUNC(ASN1_F_ASN1_GENERALIZEDTIME_SET),	"ASN1_GENERALIZEDTIME_set"},
 {ERR_FUNC(ASN1_F_ASN1_GENERATE_V3),	"ASN1_generate_v3"},
@@ -97,12 +98,21 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_FUNC(ASN1_F_ASN1_I2D_FP),	"ASN1_i2d_fp"},
 {ERR_FUNC(ASN1_F_ASN1_INTEGER_SET),	"ASN1_INTEGER_set"},
 {ERR_FUNC(ASN1_F_ASN1_INTEGER_TO_BN),	"ASN1_INTEGER_to_BN"},
+{ERR_FUNC(ASN1_F_ASN1_ITEM_D2I_FP),	"ASN1_item_d2i_fp"},
+{ERR_FUNC(ASN1_F_ASN1_ITEM_DUP),	"ASN1_item_dup"},
+{ERR_FUNC(ASN1_F_ASN1_ITEM_EX_COMBINE_NEW),	"ASN1_ITEM_EX_COMBINE_NEW"},
 {ERR_FUNC(ASN1_F_ASN1_ITEM_EX_D2I),	"ASN1_ITEM_EX_D2I"},
-{ERR_FUNC(ASN1_F_ASN1_ITEM_NEW),	"ASN1_item_new"},
-{ERR_FUNC(ASN1_F_ASN1_MBSTRING_COPY),	"ASN1_mbstring_copy"},
+{ERR_FUNC(ASN1_F_ASN1_ITEM_I2D_BIO),	"ASN1_item_i2d_bio"},
+{ERR_FUNC(ASN1_F_ASN1_ITEM_I2D_FP),	"ASN1_item_i2d_fp"},
+{ERR_FUNC(ASN1_F_ASN1_ITEM_PACK),	"ASN1_item_pack"},
+{ERR_FUNC(ASN1_F_ASN1_ITEM_SIGN),	"ASN1_item_sign"},
+{ERR_FUNC(ASN1_F_ASN1_ITEM_UNPACK),	"ASN1_item_unpack"},
+{ERR_FUNC(ASN1_F_ASN1_ITEM_VERIFY),	"ASN1_item_verify"},
+{ERR_FUNC(ASN1_F_ASN1_MBSTRING_NCOPY),	"ASN1_mbstring_ncopy"},
 {ERR_FUNC(ASN1_F_ASN1_OBJECT_NEW),	"ASN1_OBJECT_new"},
 {ERR_FUNC(ASN1_F_ASN1_PACK_STRING),	"ASN1_pack_string"},
-{ERR_FUNC(ASN1_F_ASN1_PBE_SET),	"ASN1_PBE_SET"},
+{ERR_FUNC(ASN1_F_ASN1_PCTX_NEW),	"ASN1_PCTX_NEW"},
+{ERR_FUNC(ASN1_F_ASN1_PKCS5_PBE_SET),	"ASN1_PKCS5_PBE_SET"},
 {ERR_FUNC(ASN1_F_ASN1_SEQ_PACK),	"ASN1_seq_pack"},
 {ERR_FUNC(ASN1_F_ASN1_SEQ_UNPACK),	"ASN1_seq_unpack"},
 {ERR_FUNC(ASN1_F_ASN1_SIGN),	"ASN1_sign"},
@@ -110,9 +120,9 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_FUNC(ASN1_F_ASN1_STRING_SET),	"ASN1_STRING_set"},
 {ERR_FUNC(ASN1_F_ASN1_STRING_TABLE_ADD),	"ASN1_STRING_TABLE_add"},
 {ERR_FUNC(ASN1_F_ASN1_STRING_TYPE_NEW),	"ASN1_STRING_type_new"},
-{ERR_FUNC(ASN1_F_ASN1_TEMPLATE_D2I),	"ASN1_TEMPLATE_D2I"},
 {ERR_FUNC(ASN1_F_ASN1_TEMPLATE_EX_D2I),	"ASN1_TEMPLATE_EX_D2I"},
 {ERR_FUNC(ASN1_F_ASN1_TEMPLATE_NEW),	"ASN1_TEMPLATE_NEW"},
+{ERR_FUNC(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I),	"ASN1_TEMPLATE_NOEXP_D2I"},
 {ERR_FUNC(ASN1_F_ASN1_TIME_SET),	"ASN1_TIME_set"},
 {ERR_FUNC(ASN1_F_ASN1_TYPE_GET_INT_OCTETSTRING),	"ASN1_TYPE_get_int_octetstring"},
 {ERR_FUNC(ASN1_F_ASN1_TYPE_GET_OCTETSTRING),	"ASN1_TYPE_get_octetstring"},
@@ -123,6 +133,8 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_FUNC(ASN1_F_BN_TO_ASN1_ENUMERATED),	"BN_to_ASN1_ENUMERATED"},
 {ERR_FUNC(ASN1_F_BN_TO_ASN1_INTEGER),	"BN_to_ASN1_INTEGER"},
 {ERR_FUNC(ASN1_F_C2I_ASN1_BIT_STRING),	"c2i_ASN1_BIT_STRING"},
+{ERR_FUNC(ASN1_F_C2I_ASN1_INTEGER),	"c2i_ASN1_INTEGER"},
+{ERR_FUNC(ASN1_F_C2I_ASN1_OBJECT),	"c2i_ASN1_OBJECT"},
 {ERR_FUNC(ASN1_F_COLLECT_DATA),	"COLLECT_DATA"},
 {ERR_FUNC(ASN1_F_D2I_ASN1_BIT_STRING),	"D2I_ASN1_BIT_STRING"},
 {ERR_FUNC(ASN1_F_D2I_ASN1_BOOLEAN),	"d2i_ASN1_BOOLEAN"},
@@ -139,26 +151,30 @@ static ERR_STRING_DATA ASN1_str_functs[]=
 {ERR_FUNC(ASN1_F_D2I_NETSCAPE_RSA_2),	"D2I_NETSCAPE_RSA_2"},
 {ERR_FUNC(ASN1_F_D2I_PRIVATEKEY),	"d2i_PrivateKey"},
 {ERR_FUNC(ASN1_F_D2I_PUBLICKEY),	"d2i_PublicKey"},
+{ERR_FUNC(ASN1_F_D2I_RSA_NET),	"d2i_RSA_NET"},
+{ERR_FUNC(ASN1_F_D2I_RSA_NET_2),	"D2I_RSA_NET_2"},
 {ERR_FUNC(ASN1_F_D2I_X509),	"D2I_X509"},
 {ERR_FUNC(ASN1_F_D2I_X509_CINF),	"D2I_X509_CINF"},
-{ERR_FUNC(ASN1_F_D2I_X509_NAME),	"D2I_X509_NAME"},
 {ERR_FUNC(ASN1_F_D2I_X509_PKEY),	"d2i_X509_PKEY"},
 {ERR_FUNC(ASN1_F_I2D_ASN1_SET),	"i2d_ASN1_SET"},
 {ERR_FUNC(ASN1_F_I2D_ASN1_TIME),	"I2D_ASN1_TIME"},
 {ERR_FUNC(ASN1_F_I2D_DSA_PUBKEY),	"i2d_DSA_PUBKEY"},
 {ERR_FUNC(ASN1_F_I2D_EC_PUBKEY),	"i2d_EC_PUBKEY"},
-{ERR_FUNC(ASN1_F_I2D_NETSCAPE_RSA),	"i2d_Netscape_RSA"},
 {ERR_FUNC(ASN1_F_I2D_PRIVATEKEY),	"i2d_PrivateKey"},
 {ERR_FUNC(ASN1_F_I2D_PUBLICKEY),	"i2d_PublicKey"},
+{ERR_FUNC(ASN1_F_I2D_RSA_NET),	"i2d_RSA_NET"},
 {ERR_FUNC(ASN1_F_I2D_RSA_PUBKEY),	"i2d_RSA_PUBKEY"},
 {ERR_FUNC(ASN1_F_LONG_C2I),	"LONG_C2I"},
 {ERR_FUNC(ASN1_F_OID_MODULE_INIT),	"OID_MODULE_INIT"},
 {ERR_FUNC(ASN1_F_PARSE_TAGGING),	"PARSE_TAGGING"},
 {ERR_FUNC(ASN1_F_PKCS5_PBE2_SET),	"PKCS5_pbe2_set"},
+{ERR_FUNC(ASN1_F_PKCS5_PBE_SET),	"PKCS5_pbe_set"},
 {ERR_FUNC(ASN1_F_X509_CINF_NEW),	"X509_CINF_NEW"},
 {ERR_FUNC(ASN1_F_X509_CRL_ADD0_REVOKED),	"X509_CRL_add0_revoked"},
 {ERR_FUNC(ASN1_F_X509_INFO_NEW),	"X509_INFO_new"},
-{ERR_FUNC(ASN1_F_X509_NAME_NEW),	"X509_NAME_NEW"},
+{ERR_FUNC(ASN1_F_X509_NAME_ENCODE),	"X509_NAME_ENCODE"},
+{ERR_FUNC(ASN1_F_X509_NAME_EX_D2I),	"X509_NAME_EX_D2I"},
+{ERR_FUNC(ASN1_F_X509_NAME_EX_NEW),	"X509_NAME_EX_NEW"},
 {ERR_FUNC(ASN1_F_X509_NEW),	"X509_NEW"},
 {ERR_FUNC(ASN1_F_X509_PKEY_NEW),	"X509_PKEY_new"},
 {0,NULL}
--- a/crypto/asn1/asn1_gen.c
+++ b/crypto/asn1/asn1_gen.c
@@ -512,13 +512,13 @@ static int append_exp(tag_exp_arg *arg, int exp_tag, int exp_class, int exp_cons
 	/* Can only have IMPLICIT if permitted */
 	if ((arg->imp_tag != -1) && !imp_ok)
 		{
-		ASN1err(ASN1_F_APPEND_TAG, ASN1_R_ILLEGAL_IMPLICIT_TAG);
+		ASN1err(ASN1_F_APPEND_EXP, ASN1_R_ILLEGAL_IMPLICIT_TAG);
 		return 0;
 		}

 	if (arg->exp_count == ASN1_FLAG_EXP_MAX)
 		{
-		ASN1err(ASN1_F_APPEND_TAG, ASN1_R_DEPTH_EXCEEDED);
+		ASN1err(ASN1_F_APPEND_EXP, ASN1_R_DEPTH_EXCEEDED);
 		return 0;
 		}

--- a/crypto/asn1/asn1_par.c
+++ b/crypto/asn1/asn1_par.c
@@ -419,7 +419,7 @@ end:

 const char *ASN1_tag2str(int tag)
 {
-	const static char *tag2str[] = {
+	static const char *tag2str[] = {
 	 "EOC", "BOOLEAN", "INTEGER", "BIT STRING", "OCTET STRING", /* 0-4 */
 	 "NULL", "OBJECT", "OBJECT DESCRIPTOR", "EXTERNAL", "REAL", /* 5-9 */
 	 "ENUMERATED", "<ASN1 11>", "UTF8STRING", "<ASN1 13>", 	    /* 10-13 */
--- a/crypto/asn1/asn_pack.c
+++ b/crypto/asn1/asn_pack.c
@@ -106,7 +106,7 @@ unsigned char *ASN1_seq_pack(STACK *safes, i2d_of_void *i2d,

 /* Extract an ASN1 object from an ASN1_STRING */

-void *ASN1_unpack_string (ASN1_STRING *oct, d2i_of_void *d2i)
+void *ASN1_unpack_string(ASN1_STRING *oct, d2i_of_void *d2i)
 {
 	const unsigned char *p;
 	char *ret;
@@ -155,7 +155,7 @@ ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_STRING **oct)

 	if (!oct || !*oct) {
 		if (!(octmp = ASN1_STRING_new ())) {
-			ASN1err(ASN1_F_ASN1_PACK_STRING,ERR_R_MALLOC_FAILURE);
+			ASN1err(ASN1_F_ASN1_ITEM_PACK,ERR_R_MALLOC_FAILURE);
 			return NULL;
 		}
 		if (oct) *oct = octmp;
@@ -167,11 +167,11 @@ ASN1_STRING *ASN1_item_pack(void *obj, const ASN1_ITEM *it, ASN1_STRING **oct)
 	}
 		
 	if (!(octmp->length = ASN1_item_i2d(obj, &octmp->data, it))) {
-		ASN1err(ASN1_F_ASN1_PACK_STRING,ASN1_R_ENCODE_ERROR);
+		ASN1err(ASN1_F_ASN1_ITEM_PACK,ASN1_R_ENCODE_ERROR);
 		return NULL;
 	}
 	if (!octmp->data) {
-		ASN1err(ASN1_F_ASN1_PACK_STRING,ERR_R_MALLOC_FAILURE);
+		ASN1err(ASN1_F_ASN1_ITEM_PACK,ERR_R_MALLOC_FAILURE);
 		return NULL;
 	}
 	return octmp;
@@ -186,6 +186,6 @@ void *ASN1_item_unpack(ASN1_STRING *oct, const ASN1_ITEM *it)

 	p = oct->data;
 	if(!(ret = ASN1_item_d2i(NULL, &p, oct->length, it)))
-		ASN1err(ASN1_F_ASN1_UNPACK_STRING,ASN1_R_DECODE_ERROR);
+		ASN1err(ASN1_F_ASN1_ITEM_UNPACK,ASN1_R_DECODE_ERROR);
 	return ret;
 }
--- a/crypto/asn1/d2i_pr.c
+++ b/crypto/asn1/d2i_pr.c
@@ -113,7 +113,7 @@ EVP_PKEY *d2i_PrivateKey(int type, EVP_PKEY **a, const unsigned char **pp,
 #endif
 #ifndef OPENSSL_NO_EC
 	case EVP_PKEY_EC:
-		if ((ret->pkey.eckey = d2i_ECPrivateKey(NULL, 
+		if ((ret->pkey.ec = d2i_ECPrivateKey(NULL, 
 			(const unsigned char **)pp, length)) == NULL)
 			{
 			ASN1err(ASN1_F_D2I_PRIVATEKEY, ERR_R_ASN1_LIB);
--- a/crypto/asn1/d2i_pu.c
+++ b/crypto/asn1/d2i_pu.c
@@ -113,7 +113,7 @@ EVP_PKEY *d2i_PublicKey(int type, EVP_PKEY **a, const unsigned char **pp,
 #endif
 #ifndef OPENSSL_NO_EC
 	case EVP_PKEY_EC:
-		if (!o2i_ECPublicKey(&(ret->pkey.eckey),
+		if (!o2i_ECPublicKey(&(ret->pkey.ec),
 				     (const unsigned char **)pp, length))
 			{
 			ASN1err(ASN1_F_D2I_PUBLICKEY, ERR_R_ASN1_LIB);
--- a/crypto/asn1/i2d_pr.c
+++ b/crypto/asn1/i2d_pr.c
@@ -89,7 +89,7 @@ int i2d_PrivateKey(EVP_PKEY *a, unsigned char **pp)
 #ifndef OPENSSL_NO_EC
 	if (a->type == EVP_PKEY_EC)
 		{
-		return(i2d_ECPrivateKey(a->pkey.eckey, pp));
+		return(i2d_ECPrivateKey(a->pkey.ec, pp));
 		}
 #endif

--- a/crypto/asn1/i2d_pu.c
+++ b/crypto/asn1/i2d_pu.c
@@ -85,7 +85,7 @@ int i2d_PublicKey(EVP_PKEY *a, unsigned char **pp)
 #endif
 #ifndef OPENSSL_NO_EC
 	case EVP_PKEY_EC:
-		return(i2o_ECPublicKey(a->pkey.eckey, pp));
+		return(i2o_ECPublicKey(a->pkey.ec, pp));
 #endif
 	default:
 		ASN1err(ASN1_F_I2D_PUBLICKEY,ASN1_R_UNSUPPORTED_PUBLIC_KEY_TYPE);
--- a/crypto/asn1/n_pkey.c
+++ b/crypto/asn1/n_pkey.c
@@ -170,7 +170,7 @@ int i2d_RSA_NET(const RSA *a, unsigned char **pp,
 	/* Since its RC4 encrypted length is actual length */
 	if ((zz=(unsigned char *)OPENSSL_malloc(rsalen)) == NULL)
 		{
-		ASN1err(ASN1_F_I2D_NETSCAPE_RSA,ERR_R_MALLOC_FAILURE);
+		ASN1err(ASN1_F_I2D_RSA_NET,ERR_R_MALLOC_FAILURE);
 		goto err;
 		}

@@ -180,13 +180,13 @@ int i2d_RSA_NET(const RSA *a, unsigned char **pp,

 	if ((zz=OPENSSL_malloc(pkeylen)) == NULL)
 		{
-		ASN1err(ASN1_F_I2D_NETSCAPE_RSA,ERR_R_MALLOC_FAILURE);
+		ASN1err(ASN1_F_I2D_RSA_NET,ERR_R_MALLOC_FAILURE);
 		goto err;
 		}

 	if (!ASN1_STRING_set(enckey->os, "private-key", -1)) 
 		{
-		ASN1err(ASN1_F_I2D_NETSCAPE_RSA,ERR_R_MALLOC_FAILURE);
+		ASN1err(ASN1_F_I2D_RSA_NET,ERR_R_MALLOC_FAILURE);
 		goto err;
 		}
 	enckey->enckey->digest->data = zz;
@@ -200,7 +200,7 @@ int i2d_RSA_NET(const RSA *a, unsigned char **pp,
 	i=cb((char *)buf,256,"Enter Private Key password:",1);
 	if (i != 0)
 		{
-		ASN1err(ASN1_F_I2D_NETSCAPE_RSA,ASN1_R_BAD_PASSWORD_READ);
+		ASN1err(ASN1_F_I2D_RSA_NET,ASN1_R_BAD_PASSWORD_READ);
 		goto err;
 		}
 	i = strlen((char *)buf);
@@ -249,20 +249,20 @@ RSA *d2i_RSA_NET(RSA **a, const unsigned char **pp, long length,

 	enckey = d2i_NETSCAPE_ENCRYPTED_PKEY(NULL, &p, length);
 	if(!enckey) {
-		ASN1err(ASN1_F_D2I_NETSCAPE_RSA,ASN1_R_DECODING_ERROR);
+		ASN1err(ASN1_F_D2I_RSA_NET,ASN1_R_DECODING_ERROR);
 		return NULL;
 	}

 	if ((enckey->os->length != 11) || (strncmp("private-key",
 		(char *)enckey->os->data,11) != 0))
 		{
-		ASN1err(ASN1_F_D2I_NETSCAPE_RSA,ASN1_R_PRIVATE_KEY_HEADER_MISSING);
+		ASN1err(ASN1_F_D2I_RSA_NET,ASN1_R_PRIVATE_KEY_HEADER_MISSING);
 		NETSCAPE_ENCRYPTED_PKEY_free(enckey);
 		return NULL;
 		}
 	if (OBJ_obj2nid(enckey->enckey->algor->algorithm) != NID_rc4)
 		{
-		ASN1err(ASN1_F_D2I_NETSCAPE_RSA_2,ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM);
+		ASN1err(ASN1_F_D2I_RSA_NET,ASN1_R_UNSUPPORTED_ENCRYPTION_ALGORITHM);
 		goto err;
 	}
 	kp = enckey->enckey->digest->data;
@@ -293,7 +293,7 @@ static RSA *d2i_RSA_NET_2(RSA **a, ASN1_OCTET_STRING *os,
 	i=cb((char *)buf,256,"Enter Private Key password:",0);
 	if (i != 0)
 		{
-		ASN1err(ASN1_F_D2I_NETSCAPE_RSA_2,ASN1_R_BAD_PASSWORD_READ);
+		ASN1err(ASN1_F_D2I_RSA_NET_2,ASN1_R_BAD_PASSWORD_READ);
 		goto err;
 		}

@@ -318,14 +318,14 @@ static RSA *d2i_RSA_NET_2(RSA **a, ASN1_OCTET_STRING *os,

 	if ((pkey=d2i_NETSCAPE_PKEY(NULL,&zz,os->length)) == NULL)
 		{
-		ASN1err(ASN1_F_D2I_NETSCAPE_RSA_2,ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY);
+		ASN1err(ASN1_F_D2I_RSA_NET_2,ASN1_R_UNABLE_TO_DECODE_RSA_PRIVATE_KEY);
 		goto err;
 		}
 		
 	zz=pkey->private_key->data;
 	if ((ret=d2i_RSAPrivateKey(a,&zz,pkey->private_key->length)) == NULL)
 		{
-		ASN1err(ASN1_F_D2I_NETSCAPE_RSA_2,ASN1_R_UNABLE_TO_DECODE_RSA_KEY);
+		ASN1err(ASN1_F_D2I_RSA_NET_2,ASN1_R_UNABLE_TO_DECODE_RSA_KEY);
 		goto err;
 		}
 err:
--- a/crypto/asn1/p5_pbe.c
+++ b/crypto/asn1/p5_pbe.c
@@ -82,17 +82,17 @@ X509_ALGOR *PKCS5_pbe_set(int alg, int iter, unsigned char *salt,
 	ASN1_TYPE *astype=NULL;

 	if (!(pbe = PBEPARAM_new ())) {
-		ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
+		ASN1err(ASN1_F_PKCS5_PBE_SET,ERR_R_MALLOC_FAILURE);
 		goto err;
 	}
 	if(iter <= 0) iter = PKCS5_DEFAULT_ITER;
 	if (!ASN1_INTEGER_set(pbe->iter, iter)) {
-		ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
+		ASN1err(ASN1_F_PKCS5_PBE_SET,ERR_R_MALLOC_FAILURE);
 		goto err;
 	}
 	if (!saltlen) saltlen = PKCS5_SALT_LEN;
 	if (!(pbe->salt->data = OPENSSL_malloc (saltlen))) {
-		ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
+		ASN1err(ASN1_F_PKCS5_PBE_SET,ERR_R_MALLOC_FAILURE);
 		goto err;
 	}
 	pbe->salt->length = saltlen;
@@ -101,14 +101,14 @@ X509_ALGOR *PKCS5_pbe_set(int alg, int iter, unsigned char *salt,
 		goto err;

 	if (!(astype = ASN1_TYPE_new())) {
-		ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
+		ASN1err(ASN1_F_PKCS5_PBE_SET,ERR_R_MALLOC_FAILURE);
 		goto err;
 	}

 	astype->type = V_ASN1_SEQUENCE;
 	if(!ASN1_pack_string_of(PBEPARAM, pbe, i2d_PBEPARAM,
 				&astype->value.sequence)) {
-		ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
+		ASN1err(ASN1_F_PKCS5_PBE_SET,ERR_R_MALLOC_FAILURE);
 		goto err;
 	}
 	PBEPARAM_free (pbe);
@@ -116,7 +116,7 @@ X509_ALGOR *PKCS5_pbe_set(int alg, int iter, unsigned char *salt,
 	
 	al = OBJ_nid2obj(alg); /* never need to free al */
 	if (!(algor = X509_ALGOR_new())) {
-		ASN1err(ASN1_F_ASN1_PBE_SET,ERR_R_MALLOC_FAILURE);
+		ASN1err(ASN1_F_PKCS5_PBE_SET,ERR_R_MALLOC_FAILURE);
 		goto err;
 	}
 	ASN1_OBJECT_free(algor->algorithm);
--- a/crypto/asn1/t_crl.c
+++ b/crypto/asn1/t_crl.c
@@ -72,7 +72,7 @@ int X509_CRL_print_fp(FILE *fp, X509_CRL *x)

        if ((b=BIO_new(BIO_s_file())) == NULL)
 		{
-		X509err(X509_F_X509_PRINT_FP,ERR_R_BUF_LIB);
+		X509err(X509_F_X509_CRL_PRINT_FP,ERR_R_BUF_LIB);
                return(0);
 		}
        BIO_set_fp(b,fp,BIO_NOCLOSE);
--- a/crypto/asn1/t_pkey.c
+++ b/crypto/asn1/t_pkey.c
@@ -79,10 +79,12 @@
 #include <openssl/ec.h>
 #endif

-static int print(BIO *fp,const char *str,BIGNUM *num,
+static int print(BIO *fp,const char *str, const BIGNUM *num,
 		unsigned char *buf,int off);
+#ifndef OPENSSL_NO_EC
 static int print_bin(BIO *fp, const char *str, const unsigned char *num,
 		size_t len, int off);
+#endif
 #ifndef OPENSSL_NO_RSA
 #ifndef OPENSSL_NO_FP_API
 int RSA_print_fp(FILE *fp, const RSA *x, int off)
@@ -196,6 +198,11 @@ int DSA_print(BIO *bp, const DSA *x, int off)

 	if (x->p)
 		buf_len = (size_t)BN_num_bytes(x->p);
+	else
+		{
+		DSAerr(DSA_F_DSA_PRINT,DSA_R_MISSING_PARAMETERS);
+		goto err;
+		}
 	if (x->q)
 		if (buf_len < (i = (size_t)BN_num_bytes(x->q)))
 			buf_len = i;
@@ -279,7 +286,7 @@ int ECPKParameters_print(BIO *bp, const EC_GROUP *x, int off)
 	size_t	buf_len=0, i;
 	int     ret=0, reason=ERR_R_BIO_LIB;
 	BN_CTX  *ctx=NULL;
-	EC_POINT *point=NULL;
+	const EC_POINT *point=NULL;
 	BIGNUM	*p=NULL, *a=NULL, *b=NULL, *gen=NULL,
 		*order=NULL, *cofactor=NULL;
 	const unsigned char *seed;
@@ -303,7 +310,7 @@ int ECPKParameters_print(BIO *bp, const EC_GROUP *x, int off)
 		if (!BIO_indent(bp, off, 128))
 			goto err;

-		nid = EC_GROUP_get_nid(x);
+		nid = EC_GROUP_get_curve_name(x);
 		if (nid == 0)
 			goto err;

@@ -481,24 +488,29 @@ int EC_KEY_print(BIO *bp, const EC_KEY *x, int off)
 	int     ret=0, reason=ERR_R_BIO_LIB;
 	BIGNUM  *pub_key=NULL, *order=NULL;
 	BN_CTX  *ctx=NULL;
+	const EC_GROUP *group;
+	const EC_POINT *public_key;
+	const BIGNUM *priv_key;
 
-	if (!x || !x->group)
+	if (x == NULL || (group = EC_KEY_get0_group(x)) == NULL)
 		{
 		reason = ERR_R_PASSED_NULL_PARAMETER;
 		goto err;
 		}

-	if ((pub_key = EC_POINT_point2bn(x->group, x->pub_key,
-		x->conv_form, NULL, ctx)) == NULL)
+	public_key = EC_KEY_get0_public_key(x);
+	if ((pub_key = EC_POINT_point2bn(group, public_key,
+		EC_KEY_get_conv_form(x), NULL, ctx)) == NULL)
 		{
 		reason = ERR_R_EC_LIB;
 		goto err;
 		}

 	buf_len = (size_t)BN_num_bytes(pub_key);
-	if (x->priv_key)
+	priv_key = EC_KEY_get0_private_key(x);
+	if (priv_key != NULL)
 		{
-		if ((i = (size_t)BN_num_bytes(x->priv_key)) > buf_len)
+		if ((i = (size_t)BN_num_bytes(priv_key)) > buf_len)
 			buf_len = i;
 		}

@@ -509,25 +521,25 @@ int EC_KEY_print(BIO *bp, const EC_KEY *x, int off)
 		goto err;
 		}

-	if (x->priv_key != NULL)
+	if (priv_key != NULL)
 		{
 		if (!BIO_indent(bp, off, 128))
 			goto err;
 		if ((order = BN_new()) == NULL)
 			goto err;
-		if (!EC_GROUP_get_order(x->group, order, NULL))
+		if (!EC_GROUP_get_order(group, order, NULL))
 			goto err;
 		if (BIO_printf(bp, "Private-Key: (%d bit)\n", 
 			BN_num_bits(order)) <= 0) goto err;
 		}
  
-	if ((x->priv_key != NULL) && !print(bp, "priv:", x->priv_key, 
+	if ((priv_key != NULL) && !print(bp, "priv:", priv_key, 
 		buffer, off))
 		goto err;
 	if ((pub_key != NULL) && !print(bp, "pub: ", pub_key,
 		buffer, off))
 		goto err;
-	if (!ECPKParameters_print(bp, x->group, off))
+	if (!ECPKParameters_print(bp, group, off))
 		goto err;
 	ret=1;
 err:
@@ -545,7 +557,7 @@ err:
 	}
 #endif /* OPENSSL_NO_EC */

-static int print(BIO *bp, const char *number, BIGNUM *num, unsigned char *buf,
+static int print(BIO *bp, const char *number, const BIGNUM *num, unsigned char *buf,
 	     int off)
 	{
 	int n,i;
@@ -596,6 +608,7 @@ static int print(BIO *bp, const char *number, BIGNUM *num, unsigned char *buf,
 	return(1);
 	}

+#ifndef OPENSSL_NO_EC
 static int print_bin(BIO *fp, const char *name, const unsigned char *buf,
 		size_t len, int off)
 	{
@@ -633,6 +646,7 @@ static int print_bin(BIO *fp, const char *name, const unsigned char *buf,

 	return 1;
 	}
+#endif

 #ifndef OPENSSL_NO_DH
 #ifndef OPENSSL_NO_FP_API
@@ -661,6 +675,11 @@ int DHparams_print(BIO *bp, const DH *x)

 	if (x->p)
 		buf_len = (size_t)BN_num_bytes(x->p);
+	else
+		{
+		reason = ERR_R_PASSED_NULL_PARAMETER;
+		goto err;
+		}
 	if (x->g)
 		if (buf_len < (i = (size_t)BN_num_bytes(x->g)))
 			buf_len = i;
@@ -714,11 +733,16 @@ int DSAparams_print_fp(FILE *fp, const DSA *x)
 int DSAparams_print(BIO *bp, const DSA *x)
 	{
 	unsigned char *m=NULL;
-	int reason=ERR_R_BUF_LIB,ret=0;
+	int ret=0;
 	size_t buf_len=0,i;

 	if (x->p)
 		buf_len = (size_t)BN_num_bytes(x->p);
+	else
+		{
+		DSAerr(DSA_F_DSA_PRINT,DSA_R_MISSING_PARAMETERS);
+		goto err;
+		}
 	if (x->q)
 		if (buf_len < (i = (size_t)BN_num_bytes(x->q)))
 			buf_len = i;
@@ -728,7 +752,7 @@ int DSAparams_print(BIO *bp, const DSA *x)
 	m=(unsigned char *)OPENSSL_malloc(buf_len+10);
 	if (m == NULL)
 		{
-		reason=ERR_R_MALLOC_FAILURE;
+		DSAerr(DSA_F_DSA_PRINT,ERR_R_MALLOC_FAILURE);
 		goto err;
 		}

@@ -741,7 +765,6 @@ int DSAparams_print(BIO *bp, const DSA *x)
 	ret=1;
 err:
 	if (m != NULL) OPENSSL_free(m);
-	DSAerr(DSA_F_DSAPARAMS_PRINT,reason);
 	return(ret);
 	}

@@ -770,8 +793,9 @@ int ECParameters_print(BIO *bp, const EC_KEY *x)
 	{
 	int     reason=ERR_R_EC_LIB, ret=0;
 	BIGNUM	*order=NULL;
+	const EC_GROUP *group;
 
-	if (!x || !x->group)
+	if (x == NULL || (group = EC_KEY_get0_group(x)) == NULL)
 		{
 		reason = ERR_R_PASSED_NULL_PARAMETER;;
 		goto err;
@@ -783,7 +807,7 @@ int ECParameters_print(BIO *bp, const EC_KEY *x)
 		goto err;
 		}

-	if (!EC_GROUP_get_order(x->group, order, NULL))
+	if (!EC_GROUP_get_order(group, order, NULL))
 		{
 		reason = ERR_R_EC_LIB;
 		goto err;
@@ -792,7 +816,7 @@ int ECParameters_print(BIO *bp, const EC_KEY *x)
 	if (BIO_printf(bp, "ECDSA-Parameters: (%d bit)\n", 
 		BN_num_bits(order)) <= 0)
 		goto err;
-	if (!ECPKParameters_print(bp, x->group, 4))
+	if (!ECPKParameters_print(bp, group, 4))
 		goto err;
 	ret=1;
 err:
--- a/crypto/asn1/t_req.c
+++ b/crypto/asn1/t_req.c
@@ -63,8 +63,12 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
+#ifndef OPENSSL_NO_RSA
 #include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
+#endif

 #ifndef OPENSSL_NO_FP_API
 int X509_REQ_print_fp(FILE *fp, X509_REQ *x)
@@ -166,7 +170,7 @@ int X509_REQ_print_ex(BIO *bp, X509_REQ *x, unsigned long nmflags, unsigned long
 		if (pkey->type == EVP_PKEY_EC)
 		{
 			BIO_printf(bp, "%12sEC Public Key: \n","");
-			EC_KEY_print(bp, pkey->pkey.eckey, 16);
+			EC_KEY_print(bp, pkey->pkey.ec, 16);
 		}
 	else
 #endif
@@ -276,7 +280,7 @@ get_next:

 	return(1);
 err:
-	X509err(X509_F_X509_REQ_PRINT,ERR_R_BUF_LIB);
+	X509err(X509_F_X509_REQ_PRINT_EX,ERR_R_BUF_LIB);
 	return(0);
 	}

--- a/crypto/asn1/t_spki.c
+++ b/crypto/asn1/t_spki.c
@@ -60,8 +60,12 @@
 #include "cryptlib.h"
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
+#ifndef OPENSSL_NO_RSA
 #include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
+#endif
 #include <openssl/bn.h>

 /* Print out an SPKI */
@@ -100,7 +104,7 @@ int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki)
 		if (pkey->type == EVP_PKEY_EC)
 		{
 			BIO_printf(out, "  EC Public Key:\n");
-			EC_KEY_print(out, pkey->pkey.eckey,2);
+			EC_KEY_print(out, pkey->pkey.ec,2);
 		}
 		else
 #endif
--- a/crypto/asn1/t_x509.c
+++ b/crypto/asn1/t_x509.c
@@ -86,7 +86,7 @@ int X509_print_ex_fp(FILE *fp, X509 *x, unsigned long nmflag, unsigned long cfla

        if ((b=BIO_new(BIO_s_file())) == NULL)
 		{
-		X509err(X509_F_X509_PRINT_FP,ERR_R_BUF_LIB);
+		X509err(X509_F_X509_PRINT_EX_FP,ERR_R_BUF_LIB);
                return(0);
 		}
        BIO_set_fp(b,fp,BIO_NOCLOSE);
@@ -236,7 +236,7 @@ int X509_print_ex(BIO *bp, X509 *x, unsigned long nmflags, unsigned long cflag)
 		if (pkey->type == EVP_PKEY_EC)
 			{
 			BIO_printf(bp, "%12sEC Public Key:\n","");
-			EC_KEY_print(bp, pkey->pkey.eckey, 16);
+			EC_KEY_print(bp, pkey->pkey.ec, 16);
 			}
 		else
 #endif
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@@ -579,7 +579,7 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val,
 			/* If NDEF we must have an EOC here */
 			if (!asn1_check_eoc(&p, len))
 				{
-				ASN1err(ASN1_F_ASN1_TEMPLATE_D2I,
+				ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I,
 						ASN1_R_MISSING_EOC);
 				goto err;
 				}
@@ -590,7 +590,7 @@ static int asn1_template_ex_d2i(ASN1_VALUE **val,
 			 * an error */
 			if (len)
 				{
-				ASN1err(ASN1_F_ASN1_TEMPLATE_D2I,
+				ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I,
 					ASN1_R_EXPLICIT_LENGTH_MISMATCH);
 				goto err;
 				}
@@ -649,7 +649,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
 					&p, len, sktag, skaclass, opt, ctx);
 		if (!ret)
 			{
-			ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I,
+			ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
 						ERR_R_NESTED_ASN1_ERROR);
 			return 0;
 			}
@@ -672,7 +672,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
 				
 		if (!*val)
 			{
-			ASN1err(ASN1_F_ASN1_TEMPLATE_EX_D2I,
+			ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
 						ERR_R_MALLOC_FAILURE);
 			goto err;
 			}
@@ -687,7 +687,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
 				{
 				if (!sk_eoc)
 					{
-					ASN1err(ASN1_F_ASN1_TEMPLATE_D2I,
+					ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
 							ASN1_R_UNEXPECTED_EOC);
 					goto err;
 					}
@@ -700,21 +700,21 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
 						ASN1_ITEM_ptr(tt->item),
 						-1, 0, 0, ctx))
 				{
-				ASN1err(ASN1_F_ASN1_TEMPLATE_D2I,
+				ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
 					ERR_R_NESTED_ASN1_ERROR);
 				goto err;
 				}
 			len -= p - q;
 			if (!sk_push((STACK *)*val, (char *)skfield))
 				{
-				ASN1err(ASN1_F_ASN1_TEMPLATE_D2I,
+				ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
 						ERR_R_MALLOC_FAILURE);
 				goto err;
 				}
 			}
 		if (sk_eoc)
 			{
-			ASN1err(ASN1_F_ASN1_TEMPLATE_D2I, ASN1_R_MISSING_EOC);
+			ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I, ASN1_R_MISSING_EOC);
 			goto err;
 			}
 		}
@@ -725,7 +725,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
 			ASN1_ITEM_ptr(tt->item), tt->tag, aclass, opt, ctx);
 		if (!ret)
 			{
-			ASN1err(ASN1_F_ASN1_TEMPLATE_D2I,
+			ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
 						ERR_R_NESTED_ASN1_ERROR);
 			goto err;
 			}
@@ -739,7 +739,7 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
 							-1, 0, opt, ctx);
 		if (!ret)
 			{
-			ASN1err(ASN1_F_ASN1_TEMPLATE_D2I,
+			ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
 					ERR_R_NESTED_ASN1_ERROR);
 			goto err;
 			}
@@ -944,7 +944,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
 		case V_ASN1_NULL:
 		if (len)
 			{
-			ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE,
+			ASN1err(ASN1_F_ASN1_EX_C2I,
 						ASN1_R_NULL_IS_WRONG_LENGTH);
 			goto err;
 			}
@@ -954,7 +954,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
 		case V_ASN1_BOOLEAN:
 		if (len != 1)
 			{
-			ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE,
+			ASN1err(ASN1_F_ASN1_EX_C2I,
 						ASN1_R_BOOLEAN_IS_WRONG_LENGTH);
 			goto err;
 			}
@@ -1006,7 +1006,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
 			stmp = ASN1_STRING_type_new(utype);
 			if (!stmp)
 				{
-				ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE,
+				ASN1err(ASN1_F_ASN1_EX_C2I,
 							ERR_R_MALLOC_FAILURE);
 				goto err;
 				}
@@ -1030,7 +1030,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, const unsigned char *cont, int len,
 			{
 			if (!ASN1_STRING_set(stmp, cont, len))
 				{
-				ASN1err(ASN1_F_ASN1_D2I_EX_PRIMITIVE,
+				ASN1err(ASN1_F_ASN1_EX_C2I,
 							ERR_R_MALLOC_FAILURE);
 				ASN1_STRING_free(stmp);	
 				*pval = NULL;
--- a/crypto/asn1/tasn_enc.c
+++ b/crypto/asn1/tasn_enc.c
@@ -59,6 +59,7 @@

 #include <stddef.h>
 #include <string.h>
+#include "cryptlib.h"
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include <openssl/objects.h>
--- a/crypto/asn1/tasn_new.c
+++ b/crypto/asn1/tasn_new.c
@@ -211,14 +211,14 @@ static int asn1_item_ex_combine_new(ASN1_VALUE **pval, const ASN1_ITEM *it,
 	return 1;

 	memerr:
-	ASN1err(ASN1_F_ASN1_ITEM_NEW, ERR_R_MALLOC_FAILURE);
+	ASN1err(ASN1_F_ASN1_ITEM_EX_COMBINE_NEW, ERR_R_MALLOC_FAILURE);
 #ifdef CRYPTO_MDEBUG
 	if (it->sname) CRYPTO_pop_info();
 #endif
 	return 0;

 	auxerr:
-	ASN1err(ASN1_F_ASN1_ITEM_NEW, ASN1_R_AUX_ERROR);
+	ASN1err(ASN1_F_ASN1_ITEM_EX_COMBINE_NEW, ASN1_R_AUX_ERROR);
 	ASN1_item_ex_free(pval, it);
 #ifdef CRYPTO_MDEBUG
 	if (it->sname) CRYPTO_pop_info();
@@ -326,11 +326,13 @@ int ASN1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
 	{
 	ASN1_TYPE *typ;
 	int utype;
-	const ASN1_PRIMITIVE_FUNCS *pf;
-	pf = it->funcs;

-	if (pf && pf->prim_new)
+	if (it && it->funcs)
+		{
+		const ASN1_PRIMITIVE_FUNCS *pf = it->funcs;
+		if (pf->prim_new)
 			return pf->prim_new(pval, it);
+		}

 	if (!it || (it->itype == ASN1_ITYPE_MSTRING))
 		utype = -1;
@@ -374,10 +376,9 @@ int ASN1_primitive_new(ASN1_VALUE **pval, const ASN1_ITEM *it)
 void asn1_primitive_clear(ASN1_VALUE **pval, const ASN1_ITEM *it)
 	{
 	int utype;
-	const ASN1_PRIMITIVE_FUNCS *pf;
-	pf = it->funcs;
-	if (pf)
+	if (it && it->funcs)
 		{
+		const ASN1_PRIMITIVE_FUNCS *pf = it->funcs;
 		if (pf->prim_clear)
 			pf->prim_clear(pval, it);
 		else 
--- a/crypto/asn1/x_name.c
+++ b/crypto/asn1/x_name.c
@@ -123,7 +123,7 @@ static int x509_name_ex_new(ASN1_VALUE **val, const ASN1_ITEM *it)
 	return 1;

 memerr:
-	ASN1err(ASN1_F_X509_NAME_NEW, ERR_R_MALLOC_FAILURE);
+	ASN1err(ASN1_F_X509_NAME_EX_NEW, ERR_R_MALLOC_FAILURE);
 	if (ret)
 		{
 		if (ret->entries)
@@ -197,7 +197,7 @@ static int x509_name_ex_d2i(ASN1_VALUE **val, const unsigned char **in, long len
 	*in = p;
 	return ret;
 	err:
-	ASN1err(ASN1_F_D2I_X509_NAME, ERR_R_NESTED_ASN1_ERROR);
+	ASN1err(ASN1_F_X509_NAME_EX_D2I, ERR_R_NESTED_ASN1_ERROR);
 	return 0;
 }

@@ -248,7 +248,7 @@ static int x509_name_encode(X509_NAME *a)
 	return len;
 	memerr:
 	sk_pop_free(intname, sk_internal_free);
-	ASN1err(ASN1_F_D2I_X509_NAME, ERR_R_MALLOC_FAILURE);
+	ASN1err(ASN1_F_X509_NAME_ENCODE, ERR_R_MALLOC_FAILURE);
 	return -1;
 }

--- a/crypto/asn1/x_pubkey.c
+++ b/crypto/asn1/x_pubkey.c
@@ -60,8 +60,12 @@
 #include "cryptlib.h"
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
+#ifndef OPENSSL_NO_RSA
 #include <openssl/rsa.h>
+#endif
+#ifndef OPENSSL_NO_DSA
 #include <openssl/dsa.h>
+#endif

 /* Minor tweak to operation: free up EVP_PKEY */
 static int pubkey_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
@@ -159,9 +163,10 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
 		{
 		int nid=0;
 		unsigned char *pp;
-		EC_KEY *eckey;
+		EC_KEY *ec_key;
+		const EC_GROUP *group;
 		
-		eckey = pkey->pkey.eckey;
+		ec_key = pkey->pkey.ec;
 		ASN1_TYPE_free(a->parameter);

 		if ((a->parameter = ASN1_TYPE_new()) == NULL)
@@ -170,8 +175,9 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
 			goto err;
 			}

-		if (EC_GROUP_get_asn1_flag(eckey->group)
-                     && (nid = EC_GROUP_get_nid(eckey->group)))
+		group = EC_KEY_get0_group(ec_key);
+		if (EC_GROUP_get_asn1_flag(group)
+                     && (nid = EC_GROUP_get_curve_name(group)))
 			{
 			/* just set the OID */
 			a->parameter->type = V_ASN1_OBJECT;
@@ -179,7 +185,7 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
 			}
 		else /* explicit parameters */
 			{
-			if ((i = i2d_ECParameters(eckey, NULL)) == 0)
+			if ((i = i2d_ECParameters(ec_key, NULL)) == 0)
 				{
 				X509err(X509_F_X509_PUBKEY_SET, ERR_R_EC_LIB);
 				goto err;
@@ -190,7 +196,7 @@ int X509_PUBKEY_set(X509_PUBKEY **x, EVP_PKEY *pkey)
 				goto err;
 				}	
 			pp = p;
-			if (!i2d_ECParameters(eckey, &pp))
+			if (!i2d_ECParameters(ec_key, &pp))
 				{
 				X509err(X509_F_X509_PUBKEY_SET, ERR_R_EC_LIB);
 				OPENSSL_free(p);
@@ -313,7 +319,7 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
 			/* type == V_ASN1_SEQUENCE => we have explicit parameters
                         * (e.g. parameters in the X9_62_EC_PARAMETERS-structure )
 			 */
-			if ((ret->pkey.eckey= EC_KEY_new()) == NULL)
+			if ((ret->pkey.ec= EC_KEY_new()) == NULL)
 				{
 				X509err(X509_F_X509_PUBKEY_GET, 
 					ERR_R_MALLOC_FAILURE);
@@ -321,7 +327,7 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
 				}
 			cp = p = a->parameter->value.sequence->data;
 			j = a->parameter->value.sequence->length;
-			if (!d2i_ECParameters(&ret->pkey.eckey, &cp, (long)j))
+			if (!d2i_ECParameters(&ret->pkey.ec, &cp, (long)j))
 				{
 				X509err(X509_F_X509_PUBKEY_GET, ERR_R_EC_LIB);
 				goto err;
@@ -332,17 +338,21 @@ EVP_PKEY *X509_PUBKEY_get(X509_PUBKEY *key)
 			/* type == V_ASN1_OBJECT => the parameters are given
 			 * by an asn1 OID
 			 */
-			EC_KEY *eckey;
-			if (ret->pkey.eckey == NULL)
-				ret->pkey.eckey = EC_KEY_new();
-			eckey = ret->pkey.eckey;
-			if (eckey->group)
-				EC_GROUP_free(eckey->group);
-			if ((eckey->group = EC_GROUP_new_by_nid(
-                             OBJ_obj2nid(a->parameter->value.object))) == NULL)
+			EC_KEY   *ec_key;
+			EC_GROUP *group;
+
+			if (ret->pkey.ec == NULL)
+				ret->pkey.ec = EC_KEY_new();
+			ec_key = ret->pkey.ec;
+			if (ec_key == NULL)
 				goto err;
-			EC_GROUP_set_asn1_flag(eckey->group, 
-						OPENSSL_EC_NAMED_CURVE);
+			group = EC_GROUP_new_by_curve_name(OBJ_obj2nid(a->parameter->value.object));
+			if (group == NULL)
+				goto err;
+			EC_GROUP_set_asn1_flag(group, OPENSSL_EC_NAMED_CURVE);
+			if (EC_KEY_set_group(ec_key, group) == 0)
+				goto err;
+			EC_GROUP_free(group);
 			}
 			/* the case implicitlyCA is currently not implemented */
 		ret->save_parameters = 1;
--- a/crypto/bf/Makefile
+++ b/crypto/bf/Makefile
@@ -8,12 +8,6 @@ CC=	cc
 CPP=	$(CC) -E
 INCLUDES=
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKE=		make
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r

@@ -68,9 +62,11 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)

-install: installs
-
-installs:
+# We need to use force because 'install' matches 'INSTALL' on case
+# insensitive systems
+FRC.install:
+install: FRC.install
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
 	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
@@ -86,6 +82,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff

 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)

 dclean:
--- a/crypto/bf/bf_enc.c
+++ b/crypto/bf/bf_enc.c
@@ -73,7 +73,7 @@ void BF_encrypt(BF_LONG *data, const BF_KEY *key)
 	{
 #ifndef BF_PTR2
 	register BF_LONG l,r;
-    const register BF_LONG *p,*s;
+	register const BF_LONG *p,*s;

 	p=key->P;
 	s= &(key->S[0]);
@@ -150,7 +150,7 @@ void BF_decrypt(BF_LONG *data, const BF_KEY *key)
 	{
 #ifndef BF_PTR2
 	register BF_LONG l,r;
-    const register BF_LONG *p,*s;
+	register const BF_LONG *p,*s;

 	p=key->P;
 	s= &(key->S[0]);
--- a/crypto/bio/Makefile
+++ b/crypto/bio/Makefile
@@ -7,12 +7,6 @@ TOP=	../..
 CC=	cc
 INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKE=		make
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r

@@ -41,7 +35,7 @@ LIBOBJ= bio_lib.o bio_cb.o bio_err.o \
 SRC= $(LIBSRC)

 EXHEADER= bio.h
-HEADER=	bss_file.c $(EXHEADER)
+HEADER=	bio_lcl.h $(EXHEADER)

 ALL=    $(GENERAL) $(SRC) $(HEADER)

@@ -64,6 +58,7 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)

 install:
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
 	@headerlist="$(EXHEADER)"; for i in $$headerlist; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
@@ -79,6 +74,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff

 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)

 dclean:
@@ -96,7 +92,7 @@ b_dump.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 b_dump.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 b_dump.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 b_dump.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-b_dump.o: ../../include/openssl/symhacks.h ../cryptlib.h b_dump.c
+b_dump.o: ../../include/openssl/symhacks.h ../cryptlib.h b_dump.c bio_lcl.h
 b_print.o: ../../e_os.h ../../include/openssl/bio.h ../../include/openssl/bn.h
 b_print.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 b_print.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
@@ -187,14 +183,14 @@ bss_fd.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_fd.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bss_fd.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 bss_fd.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-bss_fd.o: ../../include/openssl/symhacks.h ../cryptlib.h bss_fd.c
+bss_fd.o: ../../include/openssl/symhacks.h ../cryptlib.h bio_lcl.h bss_fd.c
 bss_file.o: ../../e_os.h ../../include/openssl/bio.h
 bss_file.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bss_file.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
 bss_file.o: ../../include/openssl/lhash.h ../../include/openssl/opensslconf.h
 bss_file.o: ../../include/openssl/opensslv.h ../../include/openssl/ossl_typ.h
 bss_file.o: ../../include/openssl/safestack.h ../../include/openssl/stack.h
-bss_file.o: ../../include/openssl/symhacks.h ../cryptlib.h bss_file.c
+bss_file.o: ../../include/openssl/symhacks.h ../cryptlib.h bio_lcl.h bss_file.c
 bss_log.o: ../../e_os.h ../../include/openssl/bio.h
 bss_log.o: ../../include/openssl/buffer.h ../../include/openssl/crypto.h
 bss_log.o: ../../include/openssl/e_os2.h ../../include/openssl/err.h
--- a/crypto/bio/b_dump.c
+++ b/crypto/bio/b_dump.c
@@ -62,7 +62,7 @@

 #include <stdio.h>
 #include "cryptlib.h"
-#include <openssl/bio.h>
+#include "bio_lcl.h"

 #define TRUNCATE
 #define DUMP_WIDTH	16
@@ -160,7 +160,7 @@ int BIO_dump_indent_cb(int (*cb)(const void *data, size_t len, void *u),
 #ifndef OPENSSL_NO_FP_API
 static int write_fp(const void *data, size_t len, void *fp)
 	{
-	return fwrite(data, len, 1, (FILE *)fp);
+	return UP_fwrite(data, len, 1, fp);
 	}
 int BIO_dump_fp(FILE *fp, const char *s, int len)
 	{
--- a/crypto/bio/b_print.c
+++ b/crypto/bio/b_print.c
@@ -576,7 +576,7 @@ abs_val(LDOUBLE value)
 }

 static LDOUBLE
-pow10(int in_exp)
+pow_10(int in_exp)
 {
    LDOUBLE result = 1;
    while (in_exp) {
@@ -640,8 +640,8 @@ fmtfp(

    /* we "cheat" by converting the fractional part to integer by
       multiplying by a factor of 10 */
-    max10 = roundv(pow10(max));
-    fracpart = roundv(pow10(max) * (ufvalue - intpart));
+    max10 = roundv(pow_10(max));
+    fracpart = roundv(pow_10(max) * (ufvalue - intpart));

    if (fracpart >= max10) {
        intpart++;
--- a/crypto/bio/b_sock.c
+++ b/crypto/bio/b_sock.c
@@ -62,6 +62,9 @@
 #define USE_SOCKETS
 #include "cryptlib.h"
 #include <openssl/bio.h>
+#if defined(OPENSSL_SYS_NETWARE) && defined(NETWARE_BSDSOCK)
+#include "netdb.h"
+#endif

 #ifndef OPENSSL_NO_SOCK

@@ -79,7 +82,7 @@
 #define MAX_LISTEN  32
 #endif

-#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_NETWARE)
+#if defined(OPENSSL_SYS_WINDOWS) || (defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK))
 static int wsa_init_done=0;
 #endif

@@ -474,7 +477,7 @@ int BIO_sock_init(void)
 		return (-1);
 #endif

-#if defined(OPENSSL_SYS_NETWARE)
+#if defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK)
    WORD wVerReq;
    WSADATA wsaData;
    int err;
@@ -512,7 +515,7 @@ void BIO_sock_cleanup(void)
 #endif
 		WSACleanup();
 		}
-#elif defined(OPENSSL_SYS_NETWARE)
+#elif defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK)
   if (wsa_init_done)
        {
        wsa_init_done=0;
--- a/crypto/bio/bio.h
+++ b/crypto/bio/bio.h
@@ -169,6 +169,11 @@ extern "C" {
 #define BIO_FLAGS_IO_SPECIAL	0x04
 #define BIO_FLAGS_RWS (BIO_FLAGS_READ|BIO_FLAGS_WRITE|BIO_FLAGS_IO_SPECIAL)
 #define BIO_FLAGS_SHOULD_RETRY	0x08
+#ifndef	BIO_FLAGS_UPLINK
+/* "UPLINK" flag denotes file descriptors provided by application.
+   It defaults to 0, as most platforms don't require UPLINK interface. */
+#define	BIO_FLAGS_UPLINK	0
+#endif

 /* Used in BIO_gethostbyname() */
 #define BIO_GHBN_CTRL_HITS		1
--- a/crypto/bio/bio_lcl.h
+++ b/crypto/bio/bio_lcl.h
@@ -0,0 +1,28 @@
+#include <openssl/bio.h>
+
+#if BIO_FLAGS_UPLINK==0
+/* Shortcut UPLINK calls on most platforms... */
+#define	UP_stdin	stdin
+#define	UP_stdout	stdout
+#define	UP_stderr	stderr
+#define	UP_fprintf	fprintf
+#define	UP_fgets	fgets
+#define	UP_fread	fread
+#define	UP_fwrite	fwrite
+#undef	UP_fsetmod
+#define	UP_feof		feof
+#define	UP_fclose	fclose
+
+#define	UP_fopen	fopen
+#define	UP_fseek	fseek
+#define	UP_ftell	ftell
+#define	UP_fflush	fflush
+#define	UP_ferror	ferror
+#define	UP_fileno	fileno
+
+#define	UP_open		open
+#define	UP_read		read
+#define	UP_write	write
+#define	UP_lseek	lseek
+#define	UP_close	close
+#endif
--- a/crypto/bio/bss_fd.c
+++ b/crypto/bio/bss_fd.c
@@ -60,7 +60,19 @@
 #include <errno.h>
 #define USE_SOCKETS
 #include "cryptlib.h"
-#include <openssl/bio.h>
+/*
+ * As for unconditional usage of "UPLINK" interface in this module.
+ * Trouble is that unlike Unix file descriptors [which are indexes
+ * in kernel-side per-process table], corresponding descriptors on
+ * platforms which require "UPLINK" interface seem to be indexes
+ * in a user-land, non-global table. Well, in fact they are indexes
+ * in stdio _iob[], and recall that _iob[] was the very reason why
+ * "UPLINK" interface was introduced in first place. But one way on
+ * another. Neither libcrypto or libssl use this BIO meaning that
+ * file descriptors can only be provided by application. Therefore
+ * "UPLINK" calls are due...
+ */
+#include "bio_lcl.h"

 static int fd_write(BIO *h, const char *buf, int num);
 static int fd_read(BIO *h, char *buf, int size);
@@ -100,9 +112,9 @@ BIO *BIO_new_fd(int fd,int close_flag)
 static int fd_new(BIO *bi)
 	{
 	bi->init=0;
-	bi->num=0;
+	bi->num=-1;
 	bi->ptr=NULL;
-	bi->flags=0;
+	bi->flags=BIO_FLAGS_UPLINK; /* essentially redundant */
 	return(1);
 	}

@@ -113,10 +125,10 @@ static int fd_free(BIO *a)
 		{
 		if (a->init)
 			{
-			close(a->num);
+			UP_close(a->num);
 			}
 		a->init=0;
-		a->flags=0;
+		a->flags=BIO_FLAGS_UPLINK;
 		}
 	return(1);
 	}
@@ -128,7 +140,7 @@ static int fd_read(BIO *b, char *out,int outl)
 	if (out != NULL)
 		{
 		clear_sys_error();
-		ret=read(b->num,out,outl);
+		ret=UP_read(b->num,out,outl);
 		BIO_clear_retry_flags(b);
 		if (ret <= 0)
 			{
@@ -143,7 +155,7 @@ static int fd_write(BIO *b, const char *in, int inl)
 	{
 	int ret;
 	clear_sys_error();
-	ret=write(b->num,in,inl);
+	ret=UP_write(b->num,in,inl);
 	BIO_clear_retry_flags(b);
 	if (ret <= 0)
 		{
@@ -163,11 +175,11 @@ static long fd_ctrl(BIO *b, int cmd, long num, void *ptr)
 	case BIO_CTRL_RESET:
 		num=0;
 	case BIO_C_FILE_SEEK:
-		ret=(long)lseek(b->num,num,0);
+		ret=(long)UP_lseek(b->num,num,0);
 		break;
 	case BIO_C_FILE_TELL:
 	case BIO_CTRL_INFO:
-		ret=(long)lseek(b->num,0,1);
+		ret=(long)UP_lseek(b->num,0,1);
 		break;
 	case BIO_C_SET_FD:
 		fd_free(b);
--- a/crypto/bio/bss_file.c
+++ b/crypto/bio/bss_file.c
@@ -65,10 +65,28 @@
 #ifndef HEADER_BSS_FILE_C
 #define HEADER_BSS_FILE_C

+#if defined(__linux) || defined(__sun) || defined(__hpux)
+/* Following definition aliases fopen to fopen64 on above mentioned
+ * platforms. This makes it possible to open and sequentially access
+ * files larger than 2GB from 32-bit application. It does not allow to
+ * traverse them beyond 2GB with fseek/ftell, but on the other hand *no*
+ * 32-bit platform permits that, not with fseek/ftell. Not to mention
+ * that breaking 2GB limit for seeking would require surgery to *our*
+ * API. But sequential access suffices for practical cases when you
+ * can run into large files, such as fingerprinting, so we can let API
+ * alone. For reference, the list of 32-bit platforms which allow for
+ * sequential access of large files without extra "magic" comprise *BSD,
+ * Darwin, IRIX...
+ */
+#ifndef _FILE_OFFSET_BITS
+#define _FILE_OFFSET_BITS 64
+#endif
+#endif
+
 #include <stdio.h>
 #include <errno.h>
 #include "cryptlib.h"
-#include <openssl/bio.h>
+#include "bio_lcl.h"
 #include <openssl/err.h>

 #if !defined(OPENSSL_NO_STDIO)
@@ -112,6 +130,7 @@ BIO *BIO_new_file(const char *filename, const char *mode)
 	if ((ret=BIO_new(BIO_s_file_internal())) == NULL)
 		return(NULL);

+	BIO_clear_flags(ret,BIO_FLAGS_UPLINK); /* we did fopen -> we disengage UPLINK */
 	BIO_set_fp(ret,file,BIO_CLOSE);
 	return(ret);
 	}
@@ -123,6 +142,7 @@ BIO *BIO_new_fp(FILE *stream, int close_flag)
 	if ((ret=BIO_new(BIO_s_file())) == NULL)
 		return(NULL);

+	BIO_set_flags(ret,BIO_FLAGS_UPLINK); /* redundant, left for documentation puposes */
 	BIO_set_fp(ret,stream,close_flag);
 	return(ret);
 	}
@@ -137,6 +157,7 @@ static int MS_CALLBACK file_new(BIO *bi)
 	bi->init=0;
 	bi->num=0;
 	bi->ptr=NULL;
+	bi->flags=BIO_FLAGS_UPLINK; /* default to UPLINK */
 	return(1);
 	}

@@ -147,8 +168,12 @@ static int MS_CALLBACK file_free(BIO *a)
 		{
 		if ((a->init) && (a->ptr != NULL))
 			{
-			fclose((FILE *)a->ptr);
+			if (a->flags&BIO_FLAGS_UPLINK)
+				UP_fclose (a->ptr);
+			else
+				fclose (a->ptr);
 			a->ptr=NULL;
+			a->flags=BIO_FLAGS_UPLINK;
 			}
 		a->init=0;
 		}
@@ -161,8 +186,11 @@ static int MS_CALLBACK file_read(BIO *b, char *out, int outl)

 	if (b->init && (out != NULL))
 		{
+		if (b->flags&BIO_FLAGS_UPLINK)
+			ret=UP_fread(out,1,(int)outl,b->ptr);
+		else
 			ret=fread(out,1,(int)outl,(FILE *)b->ptr);
-		if(ret == 0 && ferror((FILE *)b->ptr))
+		if(ret == 0 && (b->flags&BIO_FLAGS_UPLINK)?UP_ferror((FILE *)b->ptr):ferror((FILE *)b->ptr))
 			{
 			SYSerr(SYS_F_FREAD,get_last_sys_error());
 			BIOerr(BIO_F_FILE_READ,ERR_R_SYS_LIB);
@@ -178,7 +206,11 @@ static int MS_CALLBACK file_write(BIO *b, const char *in, int inl)

 	if (b->init && (in != NULL))
 		{
-		if (fwrite(in,(int)inl,1,(FILE *)b->ptr))
+		if (b->flags&BIO_FLAGS_UPLINK)
+			ret=UP_fwrite(in,(int)inl,1,b->ptr);
+		else
+			ret=fwrite(in,(int)inl,1,(FILE *)b->ptr);
+		if (ret)
 			ret=inl;
 		/* ret=fwrite(in,1,(int)inl,(FILE *)b->ptr); */
 		/* according to Tim Hudson <tjh@cryptsoft.com>, the commented
@@ -199,20 +231,45 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
 		{
 	case BIO_C_FILE_SEEK:
 	case BIO_CTRL_RESET:
+		if (b->flags&BIO_FLAGS_UPLINK)
+			ret=(long)UP_fseek(b->ptr,num,0);
+		else
 			ret=(long)fseek(fp,num,0);
 		break;
 	case BIO_CTRL_EOF:
+		if (b->flags&BIO_FLAGS_UPLINK)
+			ret=(long)UP_feof(fp);
+		else
 			ret=(long)feof(fp);
 		break;
 	case BIO_C_FILE_TELL:
 	case BIO_CTRL_INFO:
+		if (b->flags&BIO_FLAGS_UPLINK)
+			ret=UP_ftell(b->ptr);
+		else
 			ret=ftell(fp);
 		break;
 	case BIO_C_SET_FILE_PTR:
 		file_free(b);
 		b->shutdown=(int)num&BIO_CLOSE;
-		b->ptr=(char *)ptr;
+		b->ptr=ptr;
 		b->init=1;
+#if BIO_FLAGS_UPLINK!=0
+#if defined(__MINGW32__) && defined(__MSVCRT__) && !defined(_IOB_ENTRIES)
+#define _IOB_ENTRIES 20
+#endif
+#if defined(_IOB_ENTRIES)
+		/* Safety net to catch purely internal BIO_set_fp calls */
+		if ((size_t)ptr >= (size_t)stdin &&
+		    (size_t)ptr <  (size_t)(stdin+_IOB_ENTRIES))
+			BIO_clear_flags(b,BIO_FLAGS_UPLINK);
+#endif
+#endif
+#ifdef UP_fsetmode
+		if (b->flags&BIO_FLAGS_UPLINK)
+			UP_fsetmode(b->ptr,num&BIO_FP_TEXT?'t':'b');
+		else
+#endif
 		{
 #if defined(OPENSSL_SYS_WINDOWS)
 		int fd = fileno((FILE*)ptr);
@@ -286,7 +343,7 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
 		else
 			strcat(p,"t");
 #endif
-fp=fopen(ptr,p);
+		fp=fopen(ptr,p);
 		if (fp == NULL)
 			{
 			SYSerr(SYS_F_FOPEN,get_last_sys_error());
@@ -295,8 +352,9 @@ fp=fopen(ptr,p);
 			ret=0;
 			break;
 			}
-		b->ptr=(char *)fp;
+		b->ptr=fp;
 		b->init=1;
+		BIO_clear_flags(b,BIO_FLAGS_UPLINK); /* we did fopen -> we disengage UPLINK */
 		break;
 	case BIO_C_GET_FILE_PTR:
 		/* the ptr parameter is actually a FILE ** in this case. */
@@ -313,6 +371,9 @@ fp=fopen(ptr,p);
 		b->shutdown=(int)num;
 		break;
 	case BIO_CTRL_FLUSH:
+		if (b->flags&BIO_FLAGS_UPLINK)
+			UP_fflush(b->ptr);
+		else
 			fflush((FILE *)b->ptr);
 		break;
 	case BIO_CTRL_DUP:
@@ -335,6 +396,9 @@ static int MS_CALLBACK file_gets(BIO *bp, char *buf, int size)
 	int ret=0;

 	buf[0]='\0';
+	if (bp->flags&BIO_FLAGS_UPLINK)
+		UP_fgets(buf,size,bp->ptr);
+	else
 		fgets(buf,size,(FILE *)bp->ptr);
 	if (buf[0] != '\0')
 		ret=strlen(buf);
--- a/crypto/bn/Makefile
+++ b/crypto/bn/Makefile
@@ -8,12 +8,6 @@ CC=	cc
 CPP=    $(CC) -E
 INCLUDES= -I.. -I$(TOP) -I../../include
 CFLAG=-g
-INSTALL_PREFIX=
-OPENSSLDIR=     /usr/local/ssl
-INSTALLTOP=/usr/local/ssl
-MAKE=		make
-MAKEDEPPROG=	makedepend
-MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile
 AR=		ar r

@@ -34,13 +28,13 @@ LIBSRC=	bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c bn_mod.c \
 	bn_print.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \
 	bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c bn_asm.c \
 	bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \
-	bn_depr.c
+	bn_depr.c bn_const.c

 LIBOBJ=	bn_add.o bn_div.o bn_exp.o bn_lib.o bn_ctx.o bn_mul.o bn_mod.o \
 	bn_print.o bn_rand.o bn_shift.o bn_word.o bn_blind.o \
 	bn_kron.o bn_sqrt.o bn_gcd.o bn_prime.o bn_err.o bn_sqr.o $(BN_ASM) \
 	bn_recp.o bn_mont.o bn_mpi.o bn_exp2.o bn_gf2m.o bn_nist.o \
-	bn_depr.o
+	bn_depr.o bn_const.o

 SRC= $(LIBSRC)

@@ -85,8 +79,15 @@ co86-out.s: asm/co-586.pl ../perlasm/x86asm.pl
 	(cd asm; $(PERL) co-586.pl a.out $(CFLAGS) > ../$@)

 sparcv8.o:	asm/sparcv8.S
+	$(CC) $(CFLAGS) -c asm/sparcv8.S
 sparcv8plus.o:	asm/sparcv8plus.S
-mips3.o:	asm/mips3.s
+	$(CC) $(CFLAGS) -c asm/sparcv8plus.S
+
+bn-mips3.o:	asm/mips3.s
+	@if [ "$(CC)" = "gcc" ]; then \
+		ABI=`expr "$(CFLAGS)" : ".*-mabi=\([n3264]*\)"` && \
+		as -$$ABI -O -o $@ asm/mips3.s; \
+	else	$(CC) -c $(CFLAGS) -o $@ asm/mips3.s; fi

 x86_64-gcc.o:	asm/x86_64-gcc.c
 	$(CC) $(CFLAGS) -c -o $@ asm/x86_64-gcc.c
@@ -117,6 +118,7 @@ links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)

 install:
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
 	@headerlist="$(EXHEADER)"; for i in $$headerlist ; \
 	do  \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
@@ -140,6 +142,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff

 depend:
+	@[ -n "$(MAKEDEPEND)" ] # should be set by upper Makefile...
 	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(LIBSRC)

 dclean:
--- a/Show More
+++ b/Show More