This commit was manufactured by cvs2svn to create tag 'OpenSSL-engine-

0_9_6c'.
This commit was manufactured by cvs2svn to create branch 'OpenSSL-engine-
2002-02-15 07:41:44 +00:00 · 2002-02-15 07:41:43 +00:00 · 2002-02-15 07:41:42 +00:00 · 2002-02-14 16:08:55 +00:00 · 2002-02-14 15:37:38 +00:00 · 2002-02-14 14:41:13 +00:00
846 changed files with 67579 additions and 37131 deletions
--- a/.cvsignore
+++ b/.cvsignore
@@ -7,5 +7,9 @@ outinc
 rehash.time
 testlog
 make.log
 maketest.log
 cctest
 cctest.c
 cctest.a
 libcrypto.so.*
 libssl.so.*
--- a/1454
+++ b/1454
--- a/646
+++ b/646
@@ -10,7 +10,7 @@ use strict;
 # see INSTALL for instructions.
-my $usage="Usage: Configure [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [rsaref] [no-threads] [no-asm] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] os/compiler[:flags]\n";
+my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [rsaref] [no-threads] [no-asm] [no-dso] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] os/compiler[:flags]\n";
 # Options:
 #
@@ -23,15 +23,30 @@ my $usage="Usage: Configure [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [rsaref] [no
 #               default).  This needn't be set in advance, you can
 #               just as well use "make INSTALL_PREFIX=/whatever install".
 #
 # no-hw-xxx     do not compile support for specific crypto hardware.
 #               Generic OpenSSL-style methods relating to this support
 #               are always compiled but return NULL if the hardware
 #               support isn't compiled.
 # no-hw         do not compile support for any crypto hardware.
 # rsaref        use RSAref
 # [no-]threads  [don't] try to create a library that is suitable for
 #               multithreaded applications (default is "threads" if we
 #               know how to do it)
 # [no-]shared	[don't] try to create shared libraries when supported.
 #               IT IS NOT RECOMMENDED TO USE "shared"!  Since this is a
 #               development branch, the positions of the ENGINE symbols
 #               in the transfer vector are constantly moving, so binary
 #               backward compatibility can't be guaranteed in any way.
 # no-asm        do not use assembler
 # no-dso        do not compile in any native shared-library methods. This
 #               will ensure that all methods just return NULL.
 # 386           generate 80386 code
 # no-<cipher>   build without specified algorithm (rsa, idea, rc5, ...)
 # -<xxx> +<xxx> compiler options are passed through 
-# 
+#
 # DEBUG_SAFESTACK use type-safe stacks to enforce type-safety on stack items
 #		provided to stack calls. Generates unique stack functions for
 #		each possible stack type.
 # DES_PTR	use pointer lookup vs arrays in the DES in crypto/des/des_locl.h
 # DES_RISC1	use different DES_ENCRYPT macro that helps reduce register
 #		dependancies but needs to more registers, good for RISC CPU's
@@ -83,28 +98,37 @@ my $x86_elf_asm="asm/bn86-elf.o asm/co86-elf.o:asm/dx86-elf.o asm/yx86-elf.o:asm
 my $x86_out_asm="asm/bn86-out.o asm/co86-out.o:asm/dx86-out.o asm/yx86-out.o:asm/bx86-out.o:asm/mx86-out.o:asm/sx86-out.o:asm/cx86-out.o:asm/rx86-out.o:asm/rm86-out.o:asm/r586-out.o";
 my $x86_bsdi_asm="asm/bn86bsdi.o asm/co86bsdi.o:asm/dx86bsdi.o asm/yx86bsdi.o:asm/bx86bsdi.o:asm/mx86bsdi.o:asm/sx86bsdi.o:asm/cx86bsdi.o:asm/rx86bsdi.o:asm/rm86bsdi.o:asm/r586bsdi.o";
 my $mips3_irix_asm="asm/mips3.o::::::::";
 # There seems to be boundary faults in asm/alpha.s.
 #my $alpha_asm="asm/alpha.o::::::::";
 my $alpha_asm="::::::::";
 # -DB_ENDIAN slows things down on a sparc for md5, but helps sha1.
 # So the md5_locl.h file has an undef B_ENDIAN if sun is defined
-#config-string	$cc : $cflags : $unistd : $thread_cflag : $lflags : $bn_ops : $bn_obj : $des_obj : $bf_obj : $md5_obj : $sha1_obj : $cast_obj : $rc4_obj : $rmd160_obj : $rc5_obj
+#config-string	$cc : $cflags : $unistd : $thread_cflag : $lflags : $bn_ops : $bn_obj : $des_obj : $bf_obj : $md5_obj : $sha1_obj : $cast_obj : $rc4_obj : $rmd160_obj : $rc5_obj : $dso_scheme : $shared_target : $shared_cflag
 my %table=(
-#"b",		"$tcc:$tflags::$tlib:$bits1:$tbn_mul::",
+# File 'TABLE' (created by 'make TABLE') contains the data from this list,
-#"bl-4c-2c",	"$tcc:$tflags::$tlib:${bits1}BN_LLONG RC4_CHAR MD2_CHAR:$tbn_mul::",
+# formatted for better readability.
-#"bl-4c-ri",	"$tcc:$tflags::$tlib:${bits1}BN_LLONG RC4_CHAR RC4_INDEX:$tbn_mul::",
+
-#"b2-is-ri-dp",	"$tcc:$tflags::$tlib:${bits2}IDEA_SHORT RC4_INDEX DES_PTR:$tbn_mul::",
+
 #"b",		"${tcc}:${tflags}::${tlib}:${bits1}:${tbn_mul}::",
 #"bl-4c-2c",	"${tcc}:${tflags}::${tlib}:${bits1}BN_LLONG RC4_CHAR MD2_CHAR:${tbn_mul}::",
 #"bl-4c-ri",	"${tcc}:${tflags}::${tlib}:${bits1}BN_LLONG RC4_CHAR RC4_INDEX:${tbn_mul}::",
 #"b2-is-ri-dp",	"${tcc}:${tflags}::${tlib}:${bits2}IDEA_SHORT RC4_INDEX DES_PTR:${tbn_mul}::",
 # Our development configs
 "purify",	"purify gcc:-g -DPURIFY -Wall::(unknown):-lsocket -lnsl::::",
-"debug",	"gcc:-DBN_DEBUG -DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror::(unknown):-lefence::::",
+"debug",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror::(unknown):-lefence::::",
-"debug-ben",	"gcc:-DBN_DEBUG -DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown):::::",
+"debug-ben",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown):::::",
-"debug-ben-debug",	"gcc:-DBN_DEBUG -DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown):::::",
+"debug-ben-debug",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown):::::",
-"debug-ben-strict",	"gcc:-DBN_DEBUG -DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown):::::",
+"debug-ben-strict",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown):::::",
-"debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown)::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_elf_asm",
+"debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
-"debug-bodo",	"gcc:-DBIO_PAIR_DEBUG -DL_ENDIAN -DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_elf_asm",
+"debug-bodo",	"gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -DBIO_PAIR_DEBUG -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
-"debug-ulf",	"gcc:-DL_ENDIAN -DREF_CHECK -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::$x86_gcc_des $x86_gcc_opts:$x86_elf_asm",
+"debug-ulf",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
-"debug-steve",	"gcc:-DL_ENDIAN -DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -O2 -m486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::$x86_gcc_des $x86_gcc_opts:$x86_elf_asm",
+"debug-steve",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -O2 -m486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
-"debug-levitte-linux-elf","gcc:-DRL_DEBUG -DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -pipe::-D_REENTRANT:::",
+"debug-levitte-linux-elf","gcc:-DUSE_ALLOCATING_PRINT -DRL_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -pipe::-D_REENTRANT:-ldl:::::::::::dlfcn",
 "dist",		"cc:-O::(unknown):::::",
 # Basic configs that should work on any (32 and less bit) box
@@ -117,32 +141,35 @@ my %table=(
 # surrounds it with #APP #NO_APP comment pair which (at least Solaris
 # 7_x86) /usr/ccs/bin/as fails to assemble with "Illegal mnemonic"
 # error message.
-"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DNO_INLINE_ASM::-D_REENTRANT:-lsocket -lnsl:BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_sol_asm",
+"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DNO_INLINE_ASM::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_sol_asm}:dlfcn:solaris-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 #### Solaris x86 with Sun C setups
 "solaris-x86-cc","cc:-fast -O -Xa::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 #### SPARC Solaris with GNU C setups
-"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
+"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o::",
+"solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris-sparcv9-gcc","gcc:-mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o:",
+"solaris-sparcv9-gcc","gcc:-mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # gcc pre-2.8 doesn't understand -mcpu=ultrasparc, so fall down to -mv8
 # but keep the assembler modules.
-"solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o:",
+"solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o::::::dlfcn:solaris-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 ####
-"debug-solaris-sparcv8-gcc","gcc:-DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o::",
+"debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-solaris-sparcv9-gcc","gcc:-DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o::",
+"debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::::::::dlfcn:solaris-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 #### SPARC Solaris with Sun C setups
 # DO NOT use /xO[34] on sparc with SC3.0.  It is broken, and will not pass the tests
-"solaris-sparc-sc3","cc:-fast -O -Xa -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR:::",
+"solaris-sparc-sc3","cc:-fast -O -Xa -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # SC4.0 doesn't pass 'make test', upgrade to SC5.0 or SC4.2.
 # SC4.2 is ok, better than gcc even on bn as long as you tell it -xarch=v8
 # SC5.0 note: Compiler common patch 107357-01 or later is required!
-"solaris-sparcv7-cc","cc:-xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:::",
+"solaris-sparcv7-cc","cc:-xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris-sparcv8-cc","cc:-xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o::",
+"solaris-sparcv8-cc","cc:-xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris-sparcv9-cc","cc:-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o:",
+"solaris-sparcv9-cc","cc:-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o:",
+"solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):/usr/ccs/bin/ar rs",
 ####
-"debug-solaris-sparcv8-cc","cc:-DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o::",
+"debug-solaris-sparcv8-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-solaris-sparcv9-cc","cc:-DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o:",
+"debug-solaris-sparcv9-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 #### SPARC Linux setups
 "linux-sparcv7","gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::",
@@ -158,21 +185,21 @@ my %table=(
 # Sunos configs, assuming sparc for the gcc one.
 ##"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown)::DES_UNROLL:::",
-"sunos-gcc","gcc:-O3 -mv8::(unknown)::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:::",
+"sunos-gcc","gcc:-O3 -mv8 -Dssize_t=int::(unknown)::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:::",
 #### IRIX 5.x configs
 # -mips2 flag is added by ./config when appropriate.
-"irix-gcc","gcc:-O3 -DTERMIOS -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK DES_UNROLL DES_RISC2 DES_PTR BF_PTR:::",
+"irix-gcc","gcc:-O3 -DTERMIOS -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK DES_UNROLL DES_RISC2 DES_PTR BF_PTR::::::::::dlfcn:irix-shared::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"irix-cc", "cc:-O2 -use_readonly_const -DTERMIOS -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC2 DES_UNROLL BF_PTR:::",
+"irix-cc", "cc:-O2 -use_readonly_const -DTERMIOS -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC2 DES_UNROLL BF_PTR::::::::::dlfcn:irix-shared::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 #### IRIX 6.x configs
 # Only N32 and N64 ABIs are supported. If you need O32 ABI build, invoke
 # './Configure irix-[g]cc' manually.
 # -mips4 flag is added by ./config when appropriate.
-"irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::(unknown)::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT:asm/mips3.o::",
+"irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"irix-mips3-cc", "cc:-n32 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::(unknown)::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:asm/mips3.o::",
+"irix-mips3-cc", "cc:-n32 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # N64 ABI builds.
-"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::(unknown)::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:asm/mips3.o::",
+"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::(unknown)::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:asm/mips3.o::",
+"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 #### Unified HP-UX ANSI C configs.
 # Special notes:
@@ -202,32 +229,46 @@ my %table=(
 #   crypto/sha/sha_lcl.h.
 #					<appro@fy.chalmers.se>
 #
-"hpux-parisc-cc","cc:-Ae +O3 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::::BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
+#!#"hpux-parisc-cc","cc:-Ae +O3 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY:::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl",
-"hpux-parisc-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W::::BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
+# Since there is mention of this in shlib/hpux10-cc.sh
-"hpux64-parisc-cc","cc:-Ae +DD64 +O3 +ESlit -z -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:::",
+"hpux-parisc-cc-o4","cc:-Ae +O4 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY:::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "hpux-parisc-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W:::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "hpux64-parisc-cc","cc:-Ae +DD64 +O3 +ESlit -z -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn:hpux64-shared:+Z:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # More attempts at unified 10.X and 11.X targets for HP C compiler.
 #
 # Chris Ruemmler <ruemmler@cup.hp.com>
 # Kevin Steves <ks@hp.se>
 "hpux-parisc-cc","cc:+O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::-D_REENTRANT:-ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "hpux-parisc2-cc","cc:+DA2.0 +DS2.0 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldld:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2.o:::::::::dl:hpux-shared:+Z:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "hpux64-parisc2-cc","cc:+DD64 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn:hpux64-shared:+Z:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "hpux-parisc1_1-cc","cc:+DA1.1 +DS1.1 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # HPUX 9.X config.
 # Don't use the bundled cc.  It is broken.  Use HP ANSI C if possible, or
 # egcs.  gcc 2.8.1 is also broken.
-"hpux-cc",	"cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z::(unknown)::BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
+"hpux-cc",	"cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z::(unknown):-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # If hpux-cc fails (e.g. during "make test"), try the next one; otherwise,
 # please report your OS and compiler version to the openssl-bugs@openssl.org
 # mailing list.
-"hpux-brokencc",	"cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::(unknown)::DES_PTR DES_UNROLL DES_RISC1:::",
+"hpux-brokencc",	"cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::(unknown):-ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"hpux-gcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown)::BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
+"hpux-gcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown):-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # If hpux-gcc fails, try this one:
-"hpux-brokengcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown)::DES_PTR DES_UNROLL DES_RISC1:::",
+"hpux-brokengcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown):-ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # HPUX 9.X on Motorola 68k platforms with gcc
 "hpux-m68k-gcc",  "gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown)::BN_LLONG DES_PTR DES_UNROLL:::",
 # HPUX 10.X config.  Supports threads.
-"hpux10-cc",	"cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z::-D_REENTRANT::BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
+"hpux10-cc",	"cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z::-D_REENTRANT:-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # If hpux10-cc fails, try this one (if still fails, try deleting BN_LLONG):
-"hpux10-brokencc",	"cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::-D_REENTRANT::BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
+"hpux10-brokencc",	"cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::-D_REENTRANT:-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"hpux10-gcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT::BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
+"hpux10-gcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT:-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # If hpux10-gcc fails, try this one:
-"hpux10-brokengcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT::DES_PTR DES_UNROLL DES_RISC1:::",
+"hpux10-brokengcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT:-ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC:.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # HPUX 11.X from www.globus.org.
 # Only works on PA-RISC 2.0 cpus, and not optimized.  Why?
@@ -235,13 +276,43 @@ my %table=(
 #"hpux11-64bit-cc","cc:+DA2.0W -g -D_HPUX_SOURCE -Aa -Ae +ESlit::-D_REENTRANT::SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT :::",
 # Use unified settings above instead.
-# Dec Alpha, OSF/1 - the alpha164-cc is the flags for a 21164A with
+#### HP MPE/iX http://jazz.external.hp.com/src/openssl/
-# the new compiler
+"MPE/iX-gcc", "gcc:-D_ENDIAN -DBN_DIV2W -O3 -DMPE -D_POSIX_SOURCE -D_SOCKET_SOURCE -I/SYSLOG/PUB::(unknown):-L/SYSLOG/PUB -lsyslog -lsocket -lcurses:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
 # Dec Alpha, OSF/1 - the alpha164-cc is historical, for the conversion
 # from the older DEC C Compiler to the newer compiler.  It's now the
 # same as the preferred entry, alpha-cc.  If you are still using the
 # older compiler (you're at 3.x or earlier, or perhaps very early 4.x)
 # you should use `alphaold-cc'.
 #
 #	"What's in a name? That which we call a rose
 #	 By any other word would smell as sweet."
 #
 # - William Shakespeare, "Romeo & Juliet", Act II, scene II.
 #
 # For OSF/1 3.2b and earlier, and Digital UNIX 3.2c - 3.2g, with the
 # vendor compiler, use alphaold-cc.
 # For Digital UNIX 4.0 - 4.0e, with the vendor compiler, use alpha-cc.
 # For Tru64 UNIX 4.f - current, with the vendor compiler, use alpha-cc.
 #
 # There's also an alternate target available (which `config' will never
 # select) called alpha-cc-rpath.  This target builds an RPATH into the
 # shared libraries, which is very convenient on Tru64 since binaries
 # linked against that shared library will automatically inherit that RPATH,
 # and hence know where to look for the openssl libraries, even if they're in
 # an odd place.
 #
 # For gcc, the following gave a %50 speedup on a 164 over the 'DES_INT' version
-"alpha-gcc","gcc:-O3::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:asm/alpha.o::",
+#
-"alpha-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/alpha.o::",
+"alpha-gcc","gcc:-O3::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:${alpha_asm}:dlfcn:alpha-osf1-shared::.so",
-"alpha164-cc", "cc:-std1 -tune host -fast -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:asm/alpha.o::",
+"alphaold-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared::.so",
-"FreeBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2:::",
+"alpha164-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared::.so",
 "alpha-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared::.so",
 "alpha-cc-rpath", "cc:-std1 -tune host -fast -readonly_strings::-pthread::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared-rpath::.so",
 #
 # This probably belongs in a different section.
 #
 "FreeBSD-alpha","gcc:-DTERMIOS -O -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 #### Alpha Linux with GNU C and Compaq C setups
 # Special notes:
@@ -256,43 +327,75 @@ my %table=(
 #
 #					<appro@fy.chalmers.se>
 #
-"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:asm/alpha.o::",
+"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:asm/alpha.o::",
+"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:asm/alpha.o::",
+"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
-"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:asm/alpha.o::",
+"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
 # assembler versions -- currently defunct:
-##"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:asm/alpha.o::",
+##"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:${alpha_asm}",
 # The intel boxes :-), It would be worth seeing if bsdi-gcc can use the
 # bn86-elf.o file file since it is hand tweaked assembler.
-"linux-elf",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_elf_asm",
+"linux-elf",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT:-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-linux-elf","gcc:-DREF_CHECK -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT:-lefence:BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_elf_asm",
+"debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT:-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
-"linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_out_asm",
+"debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT:-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
-"linux-mips",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::BN_LLONG:::",
+"linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
-"linux-ppc",    "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::",
+"linux-mipsel",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::BN_LLONG:::",
-"NetBSD-sparc",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::",
+"linux-mips",   "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::BN_LLONG:::",
-"NetBSD-m68",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL:::",
+"linux-ppc",	"gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::::::::::dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"NetBSD-x86",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG $x86_gcc_des $x86_gcc_opts:",
+"linux-m68k",   "gcc:-DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::",
-"FreeBSD-elf",  "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_elf_asm",
+"linux-s390",	"gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::",
-"FreeBSD",      "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_out_asm",
+"linux-ia64",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"bsdi-gcc",     "gcc:-O3 -ffast-math -DL_ENDIAN -DPERL5 -m486::(unknown)::RSA_LLONG $x86_gcc_des $x86_gcc_opts:$x86_bsdi_asm",
+"NetBSD-sparc",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"bsdi-elf-gcc",     "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_elf_asm",
+"NetBSD-m68",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"nextstep",	"cc:-O -Wall:<libc.h>:(unknown)::BN_LLONG $x86_gcc_des ${x86_gcc_opts}:::",
+"NetBSD-x86",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"nextstep3.3",	"cc:-O3 -Wall:<libc.h>:(unknown)::BN_LLONG $x86_gcc_des ${x86_gcc_opts}:::",
+"FreeBSD-elf",  "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::-pthread -D_REENTRANT -D_THREAD_SAFE -D_THREADSAFE::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "FreeBSD",      "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
 "bsdi-gcc",     "gcc:-O3 -ffast-math -DL_ENDIAN -DPERL5 -m486::(unknown)::RSA_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_bsdi_asm}",
 "bsdi-elf-gcc",     "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "nextstep",	"cc:-O -Wall:<libc.h>:(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::",
 "nextstep3.3",	"cc:-O3 -Wall:<libc.h>:(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::",
 # NCR MP-RAS UNIX ver 02.03.01
-"ncr-scde","cc:-O6 -Xa -Hoff=BEHAVED -686 -Hwide -Hiw::(unknown):-lsocket -lnsl:$x86_gcc_des ${x86_gcc_opts}:::",
+"ncr-scde","cc:-O6 -Xa -Hoff=BEHAVED -686 -Hwide -Hiw::(unknown):-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:::",
-# UnixWare 2.0
+# QNX 4
-"unixware-2.0","cc:-O -DFILIO_H::(unknown):-lsocket -lnsl:$x86_gcc_des ${x86_gcc_opts}:::",
+"qnx4",	"cc:-DL_ENDIAN -DTERMIO::(unknown)::${x86_gcc_des} ${x86_gcc_opts}:",
-"unixware-2.0-pentium","cc:-O -DFILIO_H -Kpentium -Kthread::(unknown):-lsocket -lnsl:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
+
 # QNX 6
 "qnx6",	"cc:-DL_ENDIAN -DTERMIOS::(unknown):-lsocket:${x86_gcc_des} ${x86_gcc_opts}:",
 # Linux on ARM
 "linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::::::::::dlfcn:linux-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # UnixWare 2.0x fails destest with -O
 "unixware-2.0","cc:-DFILIO_H::-Kthread:-lsocket -lnsl -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
 "unixware-2.0-pentium","cc:-DFILIO_H -Kpentium::-Kthread:-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
 # UnixWare 2.1
 "unixware-2.1","cc:-O -DFILIO_H::-Kthread:-lsocket -lnsl -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
 "unixware-2.1-pentium","cc:-O -DFILIO_H -Kpentium::-Kthread:-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
 "unixware-2.1-p6","cc:-O -DFILIO_H -Kp6::-Kthread:-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
 # UnixWare 7
-"unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread:-lsocket -lnsl:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
+"unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
 "unixware-7-pentium","cc:-O -DFILIO_H -Kalloca -Kpentium::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
 "unixware-7-pentium_pro","cc:-O -DFILIO_H -Kalloca -Kpentium_pro::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
 "unixware-7-gcc","gcc:-DL_ENDIAN -DFILIO_H -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT:-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:gnu-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # OpenUNIX 8
 "OpenUNIX-8","cc:-O -DFILIO_H -Kalloca::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
 "OpenUNIX-8-gcc","gcc:-O -DFILIO_H -fomit-frame-pointer::-pthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
 "OpenUNIX-8-pentium","cc:-O -DFILIO_H -Kalloca -Kpentium::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
 "OpenUNIX-8-pentium_pro","cc:-O -DFILIO_H -Kalloca -Kpentium_pro::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
 "OpenUNIX-8-shared","cc:-O -DFILIO_H -Kalloca::-Kthread:-lsocket -lnsl:MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic",
 "OpenUNIX-8-gcc-shared","gcc:-O3 -DFILIO_H -fomit-frame-pointer::-pthread:-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr5-shared:-fPIC",
 # IBM's AIX.
-"aix-cc",   "cc:-O -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR:::",
+"aix-cc",   "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown)::BN_LLONG RC4_CHAR:::",
 "aix-gcc",  "gcc:-O3 -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR:::",
 "aix43-cc",   "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown)::BN_LLONG RC4_CHAR::::::::::dlfcn:",
 "aix43-gcc",  "gcc:-O3 -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR::::::::::dlfcn:",
 #
 # Cray T90 (SDSC)
@@ -319,13 +422,17 @@ my %table=(
 # DGUX, 88100.
 "dgux-R3-gcc",	"gcc:-O3 -fomit-frame-pointer::(unknown)::RC4_INDEX DES_UNROLL:::",
-"dgux-R4-gcc",	"gcc:-O3 -fomit-frame-pointer::(unknown):-lnsl -lsocket:RC4_INDEX:RC4_INDEX DES_UNROLL:::",
+"dgux-R4-gcc",	"gcc:-O3 -fomit-frame-pointer::(unknown):-lnsl -lsocket:RC4_INDEX DES_UNROLL:::",
-"dgux-R4-x86-gcc",	"gcc:-O3 -fomit-frame-pointer -DL_ENDIAN::(unknown):-lnsl -lsocket:BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_elf_asm",
+"dgux-R4-x86-gcc",	"gcc:-O3 -fomit-frame-pointer -DL_ENDIAN::(unknown):-lnsl -lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 # SCO 3 - Tim Rice <tim@multitalents.net>
 "sco3-gcc",  "gcc:-O3 -fomit-frame-pointer -Dssize_t=int -DNO_SYS_UN_H::(unknown):-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ...
 # SCO 5 - Ben Laurie <ben@algroup.co.uk> says the -O breaks the
 # SCO cc.
-"sco5-cc",  "cc:::(unknown):-lsocket:$x86_gcc_des ${x86_gcc_opts}:::", # des options?
+"sco5-cc",  "cc:::(unknown):-lsocket:${x86_gcc_des} ${x86_gcc_opts}:::", # des options?
-"sco5-gcc",  "gcc:-O3 -fomit-frame-pointer::(unknown):-lsocket:BN_LLONG $x86_gcc_des ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ...
+"sco5-cc-pentium",  "cc:-Kpentium::(unknown):-lsocket:${x86_gcc_des} ${x86_gcc_opts}:::", # des options?
 "sco5-gcc",  "gcc:-O3 -fomit-frame-pointer::(unknown):-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ...
 # Sinix/ReliantUNIX RM400
 # NOTE: The CDS++ Compiler up to V2.0Bsomething has the IRIX_CC_BUG optimizer problem. Better use -g  */
@@ -336,24 +443,32 @@ my %table=(
 # SIEMENS BS2000/OSD: an EBCDIC-based mainframe
 "BS2000-OSD","c89:-O -XLLML -XLLMK -XL -DB_ENDIAN -DTERMIOS -DCHARSET_EBCDIC::(unknown):-lsocket -lnsl:THIRTY_TWO_BIT DES_PTR DES_UNROLL MD2_CHAR RC4_INDEX RC4_CHAR BF_PTR:::",
 # OS/390 Unix an EBCDIC-based Unix system on IBM mainframe
 # You need to compile using the c89.sh wrapper in the tools directory, because the
 # IBM compiler does not like the -L switch after any object modules.
 #
 "OS390-Unix","c89.sh:-O -DB_ENDIAN -DCHARSET_EBCDIC -DNO_SYS_PARAM_H  -D_ALL_SOURCE::(unknown)::THIRTY_TWO_BIT DES_PTR DES_UNROLL MD2_CHAR RC4_INDEX RC4_CHAR BF_PTR:::",
 # Windows NT, Microsoft Visual C++ 4.0
-"VC-NT","cl:::::BN_LLONG RC4_INDEX ${x86_gcc_opts}:::",
+"VC-NT","cl:::::BN_LLONG RC4_INDEX ${x86_gcc_opts}::::::::::win32",
-"VC-WIN32","cl:::::BN_LLONG RC4_INDEX ${x86_gcc_opts}:::",
+"VC-WIN32","cl:::::BN_LLONG RC4_INDEX ${x86_gcc_opts}::::::::::win32",
 "VC-WIN16","cl:::(unknown)::MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT:::",
 "VC-W31-16","cl:::(unknown)::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT:::",
 "VC-W31-32","cl:::::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT:::",
 "VC-MSDOS","cl:::(unknown)::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT:::",
 # Borland C++ 4.5
-"BC-32","bcc32:::::BN_LLONG DES_PTR RC4_INDEX:::",
+"BC-32","bcc32:::::BN_LLONG DES_PTR RC4_INDEX::::::::::win32",
 "BC-16","bcc:::(unknown)::BN_LLONG DES_PTR RC4_INDEX SIXTEEN_BIT:::",
-# CygWin32
+# Mingw32
 # (Note: the real CFLAGS for Windows builds are defined by util/mk1mf.pl
 # and its library files in util/pl/*)
-"CygWin32", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::::BN_LLONG $x86_gcc_des $x86_gcc_opts:",
+"Mingw32", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
-"Mingw32", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::::BN_LLONG $x86_gcc_des $x86_gcc_opts:",
+
 # CygWin32
 "CygWin32", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
 # Ultrix from Bernhard Simon <simon@zid.tuwien.ac.at>
 "ultrix-cc","cc:-std1 -O -Olimit 1000 -DL_ENDIAN::(unknown)::::::",
@@ -362,25 +477,32 @@ my %table=(
 ##"ultrix","cc:-O2 -DNOPROTO -DNOCONST -DL_ENDIAN::(unknown)::::::",
 # Some OpenBSD from Bob Beck <beck@obtuse.com>
-"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:::",
+"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"OpenBSD-x86",  "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486::(unknown)::BN_LLONG $x86_gcc_des $x86_gcc_opts:$x86_out_asm",
+"OpenBSD-x86",  "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"OpenBSD",      "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL:::",
+"OpenBSD",      "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"OpenBSD-mips","gcc:-O2 -DL_ENDIAN::(unknown):BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR::::",
+"OpenBSD-mips","gcc:-O2 -DL_ENDIAN::(unknown):BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR:::::::::::dlfcn:bsd-gcc-shared:-fPIC:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-##### MacOS X (a.k.a. Rhapsody) setup
+##### MacOS X (a.k.a. Rhapsody or Darwin) setup
 "rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
 "darwin-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
 ##### Sony NEWS-OS 4.x
 "newsos4-gcc","gcc:-O -DB_ENDIAN -DNEWS4::(unknown):-lmld -liberty:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::",
 );
 my @WinTargets=qw(VC-NT VC-WIN32 VC-WIN16 VC-W31-16 VC-W31-32 VC-MSDOS BC-32
-	BC-16 CygWin32 Mingw32);
+	BC-16 Mingw32);
 my $prefix="";
 my $openssldir="";
 my $exe_ext="";
 my $install_prefix="";
 my $no_threads=0;
 my $no_shared=1;
 my $threads=0;
 my $no_asm=0;
 my $no_dso=0;
 my @skip=();
 my $Makefile="Makefile.ssl";
 my $des_locl="crypto/des/des_locl.h";
@@ -402,103 +524,170 @@ my $md5_obj="";
 my $sha1_obj="";
 my $rmd160_obj="";
 my $processor="";
-my $ranlib;
+my $default_ranlib;
 my $perl;
-$ranlib=&which("ranlib") or $ranlib="true";
+$default_ranlib= &which("ranlib") or $default_ranlib="true";
 $perl=$ENV{'PERL'} or $perl=&which("perl5") or $perl=&which("perl")
  or $perl="perl";
 &usage if ($#ARGV < 0);
-my $flags="";
+my $flags;
-my $depflags="";
+my $depflags;
-my $openssl_algorithm_defines="";
+my $openssl_algorithm_defines;
-my $openssl_thread_defines="";
+my $openssl_thread_defines;
-my $openssl_other_defines="";
+my $openssl_other_defines;
-my $libs="";
+my $libs;
-my $target="";
+my $target;
-my $options="";
+my $options;
-foreach (@ARGV)
+my $symlink;
 my @argvcopy=@ARGV;
 my $argvstring="";
 my $argv_unprocessed=1;
 while($argv_unprocessed)
 	{
-	if (/^no-asm$/)
+	$flags="";
-	 	{
+	$depflags="";
-		$no_asm=1;
+	$openssl_algorithm_defines="";
-		$flags .= "-DNO_ASM ";
+	$openssl_thread_defines="";
-		$openssl_other_defines .= "#define NO_ASM\n";
+	$openssl_other_defines="";
-		}
+	$libs="";
-	elsif (/^no-threads$/)
+	$target="";
-		{ $no_threads=1; }
+	$options="";
-	elsif (/^threads$/)
+	$symlink=1;
-		{ $threads=1; }
+
-	elsif (/^no-(.+)$/)
+	$argv_unprocessed=0;
 	$argvstring=join(' ',@argvcopy);
 PROCESS_ARGS:
 	foreach (@argvcopy)
 		{
-		my $algo=$1;
+		s /^-no-/no-/; # some people just can't read the instructions
-		push @skip,$algo;
+		if (/^no-asm$/)
-		$algo =~ tr/[a-z]/[A-Z]/;
+		 	{
-		$flags .= "-DNO_$algo ";
+			$no_asm=1;
-		$depflags .= "-DNO_$algo ";
+			$flags .= "-DNO_ASM ";
-		$openssl_algorithm_defines .= "#define NO_$algo\n";
+			$openssl_other_defines .= "#define NO_ASM\n";
 		if ($algo eq "DES")
 			{
 			push @skip, "mdc2";
 			$options .= " no-mdc2";
 			$flags .= "-DNO_MDC2 ";
 			$depflags .= "-DNO_MDC2 ";
 			$openssl_algorithm_defines .= "#define NO_MDC2\n";
 			}
-		}
+		elsif (/^no-hw-(.+)$/)
 	elsif (/^386$/)
 		{ $processor=386; }
 	elsif (/^rsaref$/)
 		{
 		$libs.= "-lRSAglue -lrsaref ";
 		$flags.= "-DRSAref ";
 		$openssl_other_defines .= "#define RSAref\n";
 		}
 	elsif (/^[-+]/)
 		{
 		if (/^-[lL](.*)$/)
 			{
-			$libs.=$_." ";
+			my $hw=$1;
 			$hw =~ tr/[a-z]/[A-Z]/;
 			$flags .= "-DNO_HW_$hw ";
 			$openssl_other_defines .= "#define NO_HW_$hw\n";
 			}
-		elsif (/^-[^-]/ or /^\+/)
+		elsif (/^no-hw$/)
 			{
-			$flags.=$_." ";
+			$flags .= "-DNO_HW ";
 			$openssl_other_defines .= "#define NO_HW\n";
 			}
-		elsif (/^--prefix=(.*)$/)
+		elsif (/^no-dso$/)
 			{ $no_dso=1; }
 		elsif (/^no-threads$/)
 			{ $no_threads=1; }
 		elsif (/^threads$/)
 			{ $threads=1; }
 		elsif (/^no-shared$/)
 			{ $no_shared=1; }
 		elsif (/^shared$/)
 			{ $no_shared=0; }
 		elsif (/^no-symlinks$/)
 			{ $symlink=0; }
 		elsif (/^no-(.+)$/)
 			{
-			$prefix=$1;
+			my $algo=$1;
 			push @skip,$algo;
 			$algo =~ tr/[a-z]/[A-Z]/;
 			$flags .= "-DNO_$algo ";
 			$depflags .= "-DNO_$algo ";
 			$openssl_algorithm_defines .= "#define NO_$algo\n";
 			if ($algo eq "DES")
 				{
 				push @skip, "mdc2";
 				$options .= " no-mdc2";
 				$flags .= "-DNO_MDC2 ";
 				$depflags .= "-DNO_MDC2 ";
 				$openssl_algorithm_defines .= "#define NO_MDC2\n";
 				}
 			}
-		elsif (/^--openssldir=(.*)$/)
+		elsif (/^reconfigure/ || /^reconf/)
 			{
-			$openssldir=$1;
+			if (open(IN,"<$Makefile"))
 				{
 				while (<IN>)
 					{
 					chop;
 					if (/^CONFIGURE_ARGS=(.*)/)
 						{
 						$argvstring=$1;
 						@argvcopy=split(' ',$argvstring);
 						die "Incorrect data to reconfigure, please do a normal configuration\n"
 							if (grep(/^reconf/,@argvcopy));
 						print "Reconfiguring with: $argvstring\n";
 						$argv_unprocessed=1;
 						close(IN);
 						last PROCESS_ARGS;
 						}
 					}
 				close(IN);
 				}
 			die "Insufficient data to reconfigure, please do a normal configuration\n";
 			}
-		elsif (/^--install.prefix=(.*)$/)
+		elsif (/^386$/)
 			{ $processor=386; }
 		elsif (/^rsaref$/)
 			{
-			$install_prefix=$1;
+			$libs.= "-lRSAglue -lrsaref ";
 			$flags.= "-DRSAref ";
 			$openssl_other_defines .= "#define RSAref\n";
 			}
 		elsif (/^[-+]/)
 			{
 			if (/^-[lL](.*)$/)
 				{
 				$libs.=$_." ";
 				}
 			elsif (/^-[^-]/ or /^\+/)
 				{
 				$flags.=$_." ";
 				}
 			elsif (/^--prefix=(.*)$/)
 				{
 				$prefix=$1;
 				}
 			elsif (/^--openssldir=(.*)$/)
 				{
 				$openssldir=$1;
 				}
 			elsif (/^--install.prefix=(.*)$/)
 				{
 				$install_prefix=$1;
 				}
 			else
 				{
 				print STDERR $usage;
 				exit(1);
 				}
 			}
 		elsif ($_ =~ /^([^:]+):(.+)$/)
 			{
 			eval "\$table{\$1} = \"$2\""; # allow $xxx constructs in the string
 			$target=$1;
 			}
 		else
 			{
-			print STDERR $usage;
+			die "target already defined - $target\n" if ($target ne "");
-			exit(1);
+			$target=$_;
 			}
 		unless ($_ eq $target) {
 			if ($options eq "") {
 				$options = $_;
 			} else {
 				$options .= " ".$_;
 			}
 		}
 	elsif ($_ =~ /^([^:]+):(.+)$/)
 		{
 		eval "\$table{\$1} = \"$2\""; # allow $xxx constructs in the string
 		$target=$1;
 		}
 	else
 		{
 		die "target already defined - $target\n" if ($target ne "");
 		$target=$_;
 		}
 	unless ($_ eq $target) {
 		if ($options eq "") {
 			$options = $_;
 		} else {
 			$options .= " ".$_;
 		}
 	}
 }
@@ -518,10 +707,13 @@ if ($target eq "LIST") {
 	exit 0;
 }
 print "Configuring for $target\n";
 &usage if (!defined($table{$target}));
 my $IsWindows=scalar grep /^$target$/,@WinTargets;
 $exe_ext=".exe" if ($target eq "CygWin32");
 $openssldir="/usr/local/ssl" if ($openssldir eq "" and $prefix eq "");
 $prefix=$openssldir if $prefix eq "";
@@ -535,10 +727,39 @@ $openssldir=$prefix . "/" . $openssldir if $openssldir !~ /^\//;
 print "IsWindows=$IsWindows\n";
 (my $cc,my $cflags,my $unistd,my $thread_cflag,my $lflags,my $bn_ops,my $bn_obj,my $des_obj,my $bf_obj,
- $md5_obj,$sha1_obj,my $cast_obj,my $rc4_obj,$rmd160_obj,my $rc5_obj)=
+ $md5_obj,$sha1_obj,my $cast_obj,my $rc4_obj,$rmd160_obj,my $rc5_obj,my $dso_scheme,my $shared_target,my $shared_cflag,my $shared_extension,my $ranlib)=
-	split(/\s*:\s*/,$table{$target} . ":" x 20 , -1);
+	split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
 $cflags="$flags$cflags" if ($flags ne "");
 # The DSO code currently always implements all functions so that no
 # applications will have to worry about that from a compilation point
 # of view. However, the "method"s may return zero unless that platform
 # has support compiled in for them. Currently each method is enabled
 # by a define "DSO_<name>" ... we translate the "dso_scheme" config
 # string entry into using the following logic;
 my $dso_cflags;
 if (!$no_dso && $dso_scheme ne "")
 	{
 	$dso_scheme =~ tr/[a-z]/[A-Z]/;
 	if ($dso_scheme eq "DLFCN")
 		{
 		$dso_cflags = "-DDSO_DLFCN -DHAVE_DLFCN_H";
 		$openssl_other_defines .= "#define DSO_DLFCN\n";
 		$openssl_other_defines .= "#define HAVE_DLFCN_H\n";
 		}
 	elsif ($dso_scheme eq "DLFCN_NO_H")
 		{
 		$dso_cflags = "-DDSO_DLFCN";
 		$openssl_other_defines .= "#define DSO_DLFCN\n";
 		}
 	else
 		{
 		$dso_cflags = "-DDSO_$dso_scheme";
 		$openssl_other_defines .= "#define DSO_$dso_scheme\n";
 		}
 	$cflags = "$dso_cflags $cflags";
 	}
 my $thread_cflags;
 my $thread_defines;
 if ($thread_cflag ne "(unknown)" && !$no_threads)
@@ -581,6 +802,29 @@ if ($threads)
 		$openssl_thread_defines .= $thread_defines;
 	}
 # You will find shlib_mark1 and shlib_mark2 explained in Makefile.org
 my $shared_mark = "";
 if ($shared_target ne "")
 	{
 	if ($shared_cflag ne "")
 		{
 		$cflags = "$shared_cflag $cflags";
 		}
 	if (!$no_shared)
 		{
 		#$shared_mark = "\$(SHARED_LIBS)";
 		}
 	}
 else
 	{
 	$no_shared = 1;
 	}
 if ($ranlib eq "")
 	{
 	$ranlib = $default_ranlib;
 	}
 #my ($bn1)=split(/\s+/,$bn_obj);
 #$bn1 = "" unless defined $bn1;
 #$bn1=$bn_asm unless ($bn1 =~ /\.o$/);
@@ -612,13 +856,20 @@ if ($rmd160_obj =~ /\.o$/)
 my $version = "unknown";
 my $major = "unknown";
 my $minor = "unknown";
 my $shlib_version_number = "unknown";
 my $shlib_version_history = "unknown";
 my $shlib_major = "unknown";
 my $shlib_minor = "unknown";
 open(IN,'<crypto/opensslv.h') || die "unable to read opensslv.h:$!\n";
 while (<IN>)
 	{
 	$version=$1 if /OPENSSL.VERSION.TEXT.*OpenSSL (\S+) /;
 	$shlib_version_number=$1 if /SHLIB_VERSION_NUMBER *"([^"]+)"/;
 	$shlib_version_history=$1 if /SHLIB_VERSION_HISTORY *"([^"]*)"/;
 	}
 close(IN);
 if ($shlib_version_history ne "") { $shlib_version_history .= ":"; }
 if ($version =~ /(^[0-9]*)\.([0-9\.]*)/)
 	{
@@ -626,6 +877,12 @@ if ($version =~ /(^[0-9]*)\.([0-9\.]*)/)
 	$minor=$2;
 	}
 if ($shlib_version_number =~ /(^[0-9]*)\.([0-9\.]*)/)
 	{
 	$shlib_major=$1;
 	$shlib_minor=$2;
 	}
 open(IN,'<Makefile.org') || die "unable to read Makefile.org:$!\n";
 open(OUT,">$Makefile") || die "unable to create $Makefile:$!\n";
 print OUT "### Generated automatically from Makefile.org by Configure.\n\n";
@@ -644,15 +901,22 @@ while (<IN>)
 	s/^VERSION=.*/VERSION=$version/;
 	s/^MAJOR=.*/MAJOR=$major/;
 	s/^MINOR=.*/MINOR=$minor/;
 	s/^SHLIB_VERSION_NUMBER=.*/SHLIB_VERSION_NUMBER=$shlib_version_number/;
 	s/^SHLIB_VERSION_HISTORY=.*/SHLIB_VERSION_HISTORY=$shlib_version_history/;
 	s/^SHLIB_MAJOR=.*/SHLIB_MAJOR=$shlib_major/;
 	s/^SHLIB_MINOR=.*/SHLIB_MINOR=$shlib_minor/;
 	s/^SHLIB_EXT=.*/SHLIB_EXT=$shared_extension/;
 	s/^INSTALLTOP=.*$/INSTALLTOP=$prefix/;
 	s/^OPENSSLDIR=.*$/OPENSSLDIR=$openssldir/;
 	s/^INSTALL_PREFIX=.*$/INSTALL_PREFIX=$install_prefix/;
 	s/^PLATFORM=.*$/PLATFORM=$target/;
 	s/^OPTIONS=.*$/OPTIONS=$options/;
 	s/^CONFIGURE_ARGS=.*$/CONFIGURE_ARGS=$argvstring/;
 	s/^CC=.*$/CC= $cc/;
 	s/^CFLAG=.*$/CFLAG= $cflags/;
 	s/^DEPFLAG=.*$/DEPFLAG= $depflags/;
 	s/^EX_LIBS=.*$/EX_LIBS= $lflags/;
 	s/^EXE_EXT=.*$/EXE_EXT= $exe_ext/;
 	s/^BN_ASM=.*$/BN_ASM= $bn_obj/;
 	s/^DES_ENC=.*$/DES_ENC= $des_obj/;
 	s/^BF_ENC=.*$/BF_ENC= $bf_obj/;
@@ -665,6 +929,19 @@ while (<IN>)
 	s/^PROCESSOR=.*/PROCESSOR= $processor/;
 	s/^RANLIB=.*/RANLIB= $ranlib/;
 	s/^PERL=.*/PERL= $perl/;
 	s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
 	s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
 	s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
 	if ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*$/)
 		{
 		my $sotmp = $1;
 		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp/
 		}
 	elsif ($shared_extension ne "" && $shared_extension =~ /^\.s([ol])\.[^\.]*\.[^\.]*$/)
 		{
 		my $sotmp = $1;
 		s/^SHARED_LIBS_LINK_EXTS=.*/SHARED_LIBS_LINK_EXTS=.s$sotmp.\$(SHLIB_MAJOR) .s$sotmp/;
 		}
 	print OUT $_."\n";
 	}
 close(IN);
@@ -847,16 +1124,18 @@ if($IsWindows) {
 EOF
 	close(OUT);
 } else {
-	(system "make -f Makefile.ssl PERL=\'$perl\' links") == 0 or exit $?;
+	(system "make -f Makefile.ssl PERL=\'$perl\' links") == 0 or exit $?
 		if $symlink;
 	### (system 'make depend') == 0 or exit $? if $depflags ne "";
 	# Run "make depend" manually if you want to be able to delete
 	# the source code files of ciphers you left out.
 	&dofile("tools/c_rehash",$openssldir,'^DIR=',	'DIR=%s',);
 	if ( $perl =~ m@^/@) {
 	    &dofile("tools/c_rehash",$perl,'^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";');
 	    &dofile("apps/der_chop",$perl,'^#!/', '#!%s');
 	    &dofile("apps/CA.pl",$perl,'^#!/', '#!%s');
 	} else {
 	    # No path for Perl known ...
 	    &dofile("tools/c_rehash",'/usr/local/bin/perl','^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";');
 	    &dofile("apps/der_chop",'/usr/local/bin/perl','^#!/', '#!%s');
 	    &dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s');
 	}	    
@@ -865,9 +1144,6 @@ EOF
 print <<EOF;
 Configured for $target.
 NOTE: OpenSSL header files were moved from <*.h> to <openssl/*.h>;
 see file INSTALL for hints on coping with compatibility problems.
 EOF
 print <<\EOF if (!$no_threads && !$threads);
@@ -938,12 +1214,11 @@ sub dofile
 		{
 		grep(/$k/ && ($_=sprintf($m{$k}."\n",$p)),@a);
 		}
-	($ff=$f) =~ s/\..*$//;
+	open(OUT,">$f.new") || die "unable to open $f.new:$!\n";
 	open(OUT,">$ff.new") || die "unable to open $f:$!\n";
 	print OUT @a;
 	close(OUT);
-	rename($f,"$ff.bak") || die "unable to rename $f\n" if -e $f;
+	rename($f,"$f.bak") || die "unable to rename $f\n" if -e $f;
-	rename("$ff.new",$f) || die "unable to rename $ff.new\n";
+	rename("$f.new",$f) || die "unable to rename $f.new\n";
 	}
 sub print_table_entry
@@ -952,8 +1227,10 @@ sub print_table_entry
 	(my $cc,my $cflags,my $unistd,my $thread_cflag,my $lflags,my $bn_ops,
 	my $bn_obj,my $des_obj,my $bf_obj,
-	$md5_obj,$sha1_obj,my $cast_obj,my $rc4_obj,$rmd160_obj,my $rc5_obj)=
+	my $md5_obj,my $sha1_obj,my $cast_obj,my $rc4_obj,my $rmd160_obj,
-	split(/\s*:\s*/,$table{$target} . ":" x 20 , -1);
+	my $rc5_obj,my $dso_scheme,my $shared_target,my $shared_cflag,
 	my $shared_extension,my $ranlib)=
 	split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
 	print <<EOF
@@ -973,5 +1250,10 @@ sub print_table_entry
 \$rc4_obj      = $rc4_obj
 \$rmd160_obj   = $rmd160_obj
 \$rc5_obj      = $rc5_obj
 \$dso_scheme   = $dso_scheme
 \$shared_target= $shared_target
 \$shared_cflag = $shared_cflag
 \$shared_extension = $shared_extension
 \$ranlib       = $ranlib
 EOF
 	}
--- a/614
+++ b/614
@@ -1,20 +1,65 @@
 OpenSSL  -  Frequently Asked Questions
 --------------------------------------
 [MISC] Miscellaneous questions
 * Which is the current version of OpenSSL?
 * Where is the documentation?
 * How can I contact the OpenSSL developers?
 * Do I need patent licenses to use OpenSSL?
 * Is OpenSSL thread-safe?
 * Why do I get a "PRNG not seeded" error message?
 * Why does the linker complain about undefined symbols?
 * Where can I get a compiled version of OpenSSL?
 * Why aren't tools like 'autoconf' and 'libtool' used?
 * What is an 'engine' version?
 [LEGAL] Legal questions
 * Do I need patent licenses to use OpenSSL?
 * Can I use OpenSSL with GPL software? 
 [USER] Questions on using the OpenSSL applications
 * Why do I get a "PRNG not seeded" error message?
 * Why do I get an "unable to write 'random state'" error message?
 * How do I create certificates or certificate requests?
 * Why can't I create certificate requests?
 * Why does <SSL program> fail with a certificate verify error?
 * Why can I only use weak ciphers when I connect to a server using OpenSSL?
 * How can I create DSA certificates?
 * Why can't I make an SSL connection using a DSA certificate?
 * How can I remove the passphrase on a private key?
 * Why can't I use OpenSSL certificates with SSL client authentication?
 * Why does my browser give a warning about a mismatched hostname?
 * How do I install a CA certificate into a browser?
 [BUILD] Questions about building and testing OpenSSL
 * Why does the linker complain about undefined symbols?
 * Why does the OpenSSL test fail with "bc: command not found"?
 * Why does the OpenSSL test fail with "bc: 1 no implemented"?
 * Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
 * Why does the OpenSSL compilation fail with "ar: command not found"?
 * Why does the OpenSSL compilation fail on Win32 with VC++?
 [PROG] Questions about programming with OpenSSL
 * Is OpenSSL thread-safe?
 * I've compiled a program under Windows and it crashes: why?
 * How do I read or write a DER encoded buffer using the ASN1 functions?
 * I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
 * I've called <some function> and it fails, why?
 * I just get a load of numbers for the error output, what do they mean?
 * Why do I get errors about unknown algorithms?
 * Why can't the OpenSSH configure script detect OpenSSL?
 * Can I use OpenSSL's SSL library with non-blocking I/O?
 * Why doesn't my server application receive a client certificate?
 ===============================================================================
 [MISC] ========================================================================
 * Which is the current version of OpenSSL?
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.5 was released on February 28th, 2000.
+OpenSSL 0.9.6c was released on December 21st, 2001.
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
@@ -60,63 +105,6 @@ OpenSSL.  Information on the OpenSSL mailing lists is available from
 <URL: http://www.openssl.org>.
 * Do I need patent licenses to use OpenSSL?
 The patents section of the README file lists patents that may apply to
 you if you want to use OpenSSL.  For information on intellectual
 property rights, please consult a lawyer.  The OpenSSL team does not
 offer legal advice.
 You can configure OpenSSL so as not to use RC5 and IDEA by using
 ./config no-rc5 no-idea
 Until the RSA patent expires, U.S. users may want to use
 ./config no-rc5 no-idea no-rsa
 Please note that you will *not* be able to communicate with most of
 the popular web browsers without RSA support.
 * Is OpenSSL thread-safe?
 Yes.  On Windows and many Unix systems, OpenSSL automatically uses the
 multi-threaded versions of the standard libraries.  If your platform
 is not one of these, consult the INSTALL file.
 Multi-threaded applications must provide two callback functions to
 OpenSSL.  This is described in the threads(3) manpage.
 * Why do I get a "PRNG not seeded" error message?
 Cryptographic software needs a source of unpredictable data to work
 correctly.  Many open source operating systems provide a "randomness
 device" that serves this purpose.  On other systems, applications have
 to call the RAND_add() or RAND_seed() function with appropriate data
 before generating keys or performing public key encryption.
 Some broken applications do not do this.  As of version 0.9.5, the
 OpenSSL functions that need randomness report an error if the random
 number generator has not been seeded with at least 128 bits of
 randomness.  If this error occurs, please contact the author of the
 application you are using.  It is likely that it never worked
 correctly.  OpenSSL 0.9.5 makes the error visible by refusing to
 perform potentially insecure encryption.
 * Why does the linker complain about undefined symbols?
 Maybe the compilation was interrupted, and make doesn't notice that
 something is missing.  Run "make clean; make".
 If you used ./Configure instead of ./config, make sure that you
 selected the right target.  File formats may differ slightly between
 OS versions (for example sparcv8/sparcv9, or a.out/elf).
 If that doesn't help, you may want to try using the current snapshot.
 If the problem persists, please submit a bug report.
 * Where can I get a compiled version of OpenSSL?
 Some applications that use OpenSSL are distributed in binary form.
@@ -128,3 +116,505 @@ a C compiler, read the "Mingw32" section of INSTALL.W32 for information
 on how to obtain and install the free GNU C compiler.
 A number of Linux and *BSD distributions include OpenSSL.
 * Why aren't tools like 'autoconf' and 'libtool' used?
 autoconf will probably be used in future OpenSSL versions. If it was
 less Unix-centric, it might have been used much earlier.
 * What is an 'engine' version?
 With version 0.9.6 OpenSSL was extended to interface to external crypto
 hardware. This was realized in a special release '0.9.6-engine'. With
 version 0.9.7 (not yet released) the changes were merged into the main
 development line, so that the special release is no longer necessary.
 [LEGAL] =======================================================================
 * Do I need patent licenses to use OpenSSL?
 The patents section of the README file lists patents that may apply to
 you if you want to use OpenSSL.  For information on intellectual
 property rights, please consult a lawyer.  The OpenSSL team does not
 offer legal advice.
 You can configure OpenSSL so as not to use RC5 and IDEA by using
 ./config no-rc5 no-idea
 * Can I use OpenSSL with GPL software?
 On many systems including the major Linux and BSD distributions, yes (the
 GPL does not place restrictions on using libraries that are part of the
 normal operating system distribution).
 On other systems, the situation is less clear. Some GPL software copyright
 holders claim that you infringe on their rights if you use OpenSSL with
 their software on operating systems that don't normally include OpenSSL.
 If you develop open source software that uses OpenSSL, you may find it
 useful to choose an other license than the GPL, or state explicitly that
 "This program is released under the GPL with the additional exemption that
 compiling, linking, and/or using OpenSSL is allowed."  If you are using
 GPL software developed by others, you may want to ask the copyright holder
 for permission to use their software with OpenSSL.
 [USER] ========================================================================
 * Why do I get a "PRNG not seeded" error message?
 Cryptographic software needs a source of unpredictable data to work
 correctly.  Many open source operating systems provide a "randomness
 device" that serves this purpose.  On other systems, applications have
 to call the RAND_add() or RAND_seed() function with appropriate data
 before generating keys or performing public key encryption.
 (These functions initialize the pseudo-random number generator, PRNG.)
 Some broken applications do not do this.  As of version 0.9.5, the
 OpenSSL functions that need randomness report an error if the random
 number generator has not been seeded with at least 128 bits of
 randomness.  If this error occurs, please contact the author of the
 application you are using.  It is likely that it never worked
 correctly.  OpenSSL 0.9.5 and later make the error visible by refusing
 to perform potentially insecure encryption.
 On systems without /dev/urandom and /dev/random, it is a good idea to
 use the Entropy Gathering Demon (EGD); see the RAND_egd() manpage for
 details.  Starting with version 0.9.7, OpenSSL will automatically look
 for an EGD socket at /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool and
 /etc/entropy.
 Most components of the openssl command line utility automatically try
 to seed the random number generator from a file.  The name of the
 default seeding file is determined as follows: If environment variable
 RANDFILE is set, then it names the seeding file.  Otherwise if
 environment variable HOME is set, then the seeding file is $HOME/.rnd.
 If neither RANDFILE nor HOME is set, versions up to OpenSSL 0.9.6 will
 use file .rnd in the current directory while OpenSSL 0.9.6a uses no
 default seeding file at all.  OpenSSL 0.9.6b and later will behave
 similarly to 0.9.6a, but will use a default of "C:\" for HOME on
 Windows systems if the environment variable has not been set.
 If the default seeding file does not exist or is too short, the "PRNG
 not seeded" error message may occur.
 The openssl command line utility will write back a new state to the
 default seeding file (and create this file if necessary) unless
 there was no sufficient seeding.
 Pointing $RANDFILE to an Entropy Gathering Daemon socket does not work.
 Use the "-rand" option of the OpenSSL command line tools instead.
 The $RANDFILE environment variable and $HOME/.rnd are only used by the
 OpenSSL command line tools. Applications using the OpenSSL library
 provide their own configuration options to specify the entropy source,
 please check out the documentation coming the with application.
 For Solaris 2.6, Tim Nibbe <tnibbe@sprint.net> and others have suggested
 installing the SUNski package from Sun patch 105710-01 (Sparc) which
 adds a /dev/random device and make sure it gets used, usually through
 $RANDFILE.  There are probably similar patches for the other Solaris
 versions.  However, be warned that /dev/random is usually a blocking
 device, which may have some effects on OpenSSL.
 * Why do I get an "unable to write 'random state'" error message?
 Sometimes the openssl command line utility does not abort with
 a "PRNG not seeded" error message, but complains that it is
 "unable to write 'random state'".  This message refers to the
 default seeding file (see previous answer).  A possible reason
 is that no default filename is known because neither RANDFILE
 nor HOME is set.  (Versions up to 0.9.6 used file ".rnd" in the
 current directory in this case, but this has changed with 0.9.6a.)
 * How do I create certificates or certificate requests?
 Check out the CA.pl(1) manual page. This provides a simple wrapper round
 the 'req', 'verify', 'ca' and 'pkcs12' utilities. For finer control check
 out the manual pages for the individual utilities and the certificate
 extensions documentation (currently in doc/openssl.txt).
 * Why can't I create certificate requests?
 You typically get the error:
 	unable to find 'distinguished_name' in config
 	problems making Certificate Request
 This is because it can't find the configuration file. Check out the
 DIAGNOSTICS section of req(1) for more information.
 * Why does <SSL program> fail with a certificate verify error?
 This problem is usually indicated by log messages saying something like
 "unable to get local issuer certificate" or "self signed certificate".
 When a certificate is verified its root CA must be "trusted" by OpenSSL
 this typically means that the CA certificate must be placed in a directory
 or file and the relevant program configured to read it. The OpenSSL program
 'verify' behaves in a similar way and issues similar error messages: check
 the verify(1) program manual page for more information.
 * Why can I only use weak ciphers when I connect to a server using OpenSSL?
 This is almost certainly because you are using an old "export grade" browser
 which only supports weak encryption. Upgrade your browser to support 128 bit
 ciphers.
 * How can I create DSA certificates?
 Check the CA.pl(1) manual page for a DSA certificate example.
 * Why can't I make an SSL connection to a server using a DSA certificate?
 Typically you'll see a message saying there are no shared ciphers when
 the same setup works fine with an RSA certificate. There are two possible
 causes. The client may not support connections to DSA servers most web
 browsers (including Netscape and MSIE) only support connections to servers
 supporting RSA cipher suites. The other cause is that a set of DH parameters
 has not been supplied to the server. DH parameters can be created with the
 dhparam(1) command and loaded using the SSL_CTX_set_tmp_dh() for example:
 check the source to s_server in apps/s_server.c for an example.
 * How can I remove the passphrase on a private key?
 Firstly you should be really *really* sure you want to do this. Leaving
 a private key unencrypted is a major security risk. If you decide that
 you do have to do this check the EXAMPLES sections of the rsa(1) and
 dsa(1) manual pages.
 * Why can't I use OpenSSL certificates with SSL client authentication?
 What will typically happen is that when a server requests authentication
 it will either not include your certificate or tell you that you have
 no client certificates (Netscape) or present you with an empty list box
 (MSIE). The reason for this is that when a server requests a client
 certificate it includes a list of CAs names which it will accept. Browsers
 will only let you select certificates from the list on the grounds that
 there is little point presenting a certificate which the server will
 reject.
 The solution is to add the relevant CA certificate to your servers "trusted
 CA list". How you do this depends on the server software in uses. You can
 print out the servers list of acceptable CAs using the OpenSSL s_client tool:
 openssl s_client -connect www.some.host:443 -prexit
 If your server only requests certificates on certain URLs then you may need
 to manually issue an HTTP GET command to get the list when s_client connects:
 GET /some/page/needing/a/certificate.html
 If your CA does not appear in the list then this confirms the problem.
 * Why does my browser give a warning about a mismatched hostname?
 Browsers expect the server's hostname to match the value in the commonName
 (CN) field of the certificate. If it does not then you get a warning.
 * How do I install a CA certificate into a browser?
 The usual way is to send the DER encoded certificate to the browser as
 MIME type application/x-x509-ca-cert, for example by clicking on an appropriate
 link. On MSIE certain extensions such as .der or .cacert may also work, or you
 can import the certificate using the certificate import wizard.
 You can convert a certificate to DER form using the command:
 openssl x509 -in ca.pem -outform DER -out ca.der
 Occasionally someone suggests using a command such as:
 openssl pkcs12 -export -out cacert.p12 -in cacert.pem -inkey cakey.pem
 DO NOT DO THIS! This command will give away your CAs private key and
 reduces its security to zero: allowing anyone to forge certificates in
 whatever name they choose.
 [BUILD] =======================================================================
 * Why does the linker complain about undefined symbols?
 Maybe the compilation was interrupted, and make doesn't notice that
 something is missing.  Run "make clean; make".
 If you used ./Configure instead of ./config, make sure that you
 selected the right target.  File formats may differ slightly between
 OS versions (for example sparcv8/sparcv9, or a.out/elf).
 In case you get errors about the following symbols, use the config
 option "no-asm", as described in INSTALL:
 BF_cbc_encrypt, BF_decrypt, BF_encrypt, CAST_cbc_encrypt,
 CAST_decrypt, CAST_encrypt, RC4, RC5_32_cbc_encrypt, RC5_32_decrypt,
 RC5_32_encrypt, bn_add_words, bn_div_words, bn_mul_add_words,
 bn_mul_comba4, bn_mul_comba8, bn_mul_words, bn_sqr_comba4,
 bn_sqr_comba8, bn_sqr_words, bn_sub_words, des_decrypt3,
 des_ede3_cbc_encrypt, des_encrypt, des_encrypt2, des_encrypt3,
 des_ncbc_encrypt, md5_block_asm_host_order, sha1_block_asm_data_order
 If none of these helps, you may want to try using the current snapshot.
 If the problem persists, please submit a bug report.
 * Why does the OpenSSL test fail with "bc: command not found"?
 You didn't install "bc", the Unix calculator.  If you want to run the
 tests, get GNU bc from ftp://ftp.gnu.org or from your OS distributor.
 * Why does the OpenSSL test fail with "bc: 1 no implemented"?
 On some SCO installations or versions, bc has a bug that gets triggered
 when you run the test suite (using "make test").  The message returned is
 "bc: 1 not implemented".
 The best way to deal with this is to find another implementation of bc
 and compile/install it.  GNU bc (see http://www.gnu.org/software/software.html
 for download instructions) can be safely used, for example.
 * Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
 On some Alpha installations running Tru64 Unix and Compaq C, the compilation
 of crypto/sha/sha_dgst.c fails with the message 'Fatal:  Insufficient virtual
 memory to continue compilation.'  As far as the tests have shown, this may be
 a compiler bug.  What happens is that it eats up a lot of resident memory
 to build something, probably a table.  The problem is clearly in the
 optimization code, because if one eliminates optimization completely (-O0),
 the compilation goes through (and the compiler consumes about 2MB of resident
 memory instead of 240MB or whatever one's limit is currently).
 There are three options to solve this problem:
 1. set your current data segment size soft limit higher.  Experience shows
 that about 241000 kbytes seems to be enough on an AlphaServer DS10.  You do
 this with the command 'ulimit -Sd nnnnnn', where 'nnnnnn' is the number of
 kbytes to set the limit to.
 2. If you have a hard limit that is lower than what you need and you can't
 get it changed, you can compile all of OpenSSL with -O0 as optimization
 level.  This is however not a very nice thing to do for those who expect to
 get the best result from OpenSSL.  A bit more complicated solution is the
 following:
 ----- snip:start -----
  make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile.ssl | \
       sed -e 's/ -O[0-9] / -O0 /'`"
  rm `ls crypto/*.o crypto/sha/*.o | grep -v 'sha_dgst\.o'`
  make
 ----- snip:end -----
 This will only compile sha_dgst.c with -O0, the rest with the optimization
 level chosen by the configuration process.  When the above is done, do the
 test and installation and you're set.
 * Why does the OpenSSL compilation fail with "ar: command not found"?
 Getting this message is quite usual on Solaris 2, because Sun has hidden
 away 'ar' and other development commands in directories that aren't in
 $PATH by default.  One of those directories is '/usr/ccs/bin'.  The
 quickest way to fix this is to do the following (it assumes you use sh
 or any sh-compatible shell):
 ----- snip:start -----
  PATH=${PATH}:/usr/ccs/bin; export PATH
 ----- snip:end -----
 and then redo the compilation.  What you should really do is make sure
 '/usr/ccs/bin' is permanently in your $PATH, for example through your
 '.profile' (again, assuming you use a sh-compatible shell).
 * Why does the OpenSSL compilation fail on Win32 with VC++?
 Sometimes, you may get reports from VC++ command line (cl) that it
 can't find standard include files like stdio.h and other weirdnesses.
 One possible cause is that the environment isn't correctly set up.
 To solve that problem, one should run VCVARS32.BAT which is found in
 the 'bin' subdirectory of the VC++ installation directory (somewhere
 under 'Program Files').  This needs to be done prior to running NMAKE,
 and the changes are only valid for the current DOS session.
 [PROG] ========================================================================
 * Is OpenSSL thread-safe?
 Yes (with limitations: an SSL connection may not concurrently be used
 by multiple threads).  On Windows and many Unix systems, OpenSSL
 automatically uses the multi-threaded versions of the standard
 libraries.  If your platform is not one of these, consult the INSTALL
 file.
 Multi-threaded applications must provide two callback functions to
 OpenSSL.  This is described in the threads(3) manpage.
 * I've compiled a program under Windows and it crashes: why?
 This is usually because you've missed the comment in INSTALL.W32.
 Your application must link against the same version of the Win32
 C-Runtime against which your openssl libraries were linked.  The
 default version for OpenSSL is /MD - "Multithreaded DLL".
 If you are using Microsoft Visual C++'s IDE (Visual Studio), in
 many cases, your new project most likely defaulted to "Debug
 Singlethreaded" - /ML.  This is NOT interchangeable with /MD and your
 program will crash, typically on the first BIO related read or write
 operation.
 For each of the six possible link stage configurations within Win32,
 your application must link  against the same by which OpenSSL was
 built.  If you are using MS Visual C++ (Studio) this can be changed
 by:
 1.  Select Settings... from the Project Menu.
 2.  Select the C/C++ Tab.
 3.  Select "Code Generation from the "Category" drop down list box
 4.  Select the Appropriate library (see table below) from the "Use
    run-time library" drop down list box.  Perform this step for both
    your debug and release versions of your application (look at the
    top left of the settings panel to change between the two)
    Single Threaded           /ML        -  MS VC++ often defaults to
                                            this for the release
                                            version of a new project.
    Debug Single Threaded     /MLd       -  MS VC++ often defaults to
                                            this for the debug version
                                            of a new project.
    Multithreaded             /MT
    Debug Multithreaded       /MTd
    Multithreaded DLL         /MD        -  OpenSSL defaults to this.
    Debug Multithreaded DLL   /MDd
 Note that debug and release libraries are NOT interchangeable.  If you
 built OpenSSL with /MD your application must use /MD and cannot use /MDd.
 * How do I read or write a DER encoded buffer using the ASN1 functions?
 You have two options. You can either use a memory BIO in conjunction
 with the i2d_XXX_bio() or d2i_XXX_bio() functions or you can use the
 i2d_XXX(), d2i_XXX() functions directly. Since these are often the
 cause of grief here are some code fragments using PKCS7 as an example:
 unsigned char *buf, *p;
 int len;
 len = i2d_PKCS7(p7, NULL);
 buf = OPENSSL_malloc(len); /* or Malloc, error checking omitted */
 p = buf;
 i2d_PKCS7(p7, &p);
 At this point buf contains the len bytes of the DER encoding of
 p7.
 The opposite assumes we already have len bytes in buf:
 unsigned char *p;
 p = buf;
 p7 = d2i_PKCS7(NULL, &p, len);
 At this point p7 contains a valid PKCS7 structure of NULL if an error
 occurred. If an error occurred ERR_print_errors(bio) should give more
 information.
 The reason for the temporary variable 'p' is that the ASN1 functions
 increment the passed pointer so it is ready to read or write the next
 structure. This is often a cause of problems: without the temporary
 variable the buffer pointer is changed to point just after the data
 that has been read or written. This may well be uninitialized data
 and attempts to free the buffer will have unpredictable results
 because it no longer points to the same address.
 * I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
 This usually happens when you try compiling something using the PKCS#12
 macros with a C++ compiler. There is hardly ever any need to use the
 PKCS#12 macros in a program, it is much easier to parse and create
 PKCS#12 files using the PKCS12_parse() and PKCS12_create() functions
 documented in doc/openssl.txt and with examples in demos/pkcs12. The
 'pkcs12' application has to use the macros because it prints out 
 debugging information.
 * I've called <some function> and it fails, why?
 Before submitting a report or asking in one of the mailing lists, you
 should try to determine the cause. In particular, you should call
 ERR_print_errors() or ERR_print_errors_fp() after the failed call
 and see if the message helps. Note that the problem may occur earlier
 than you think -- you should check for errors after every call where
 it is possible, otherwise the actual problem may be hidden because
 some OpenSSL functions clear the error state.
 * I just get a load of numbers for the error output, what do they mean?
 The actual format is described in the ERR_print_errors() manual page.
 You should call the function ERR_load_crypto_strings() before hand and
 the message will be output in text form. If you can't do this (for example
 it is a pre-compiled binary) you can use the errstr utility on the error
 code itself (the hex digits after the second colon).
 * Why do I get errors about unknown algorithms?
 This can happen under several circumstances such as reading in an
 encrypted private key or attempting to decrypt a PKCS#12 file. The cause
 is forgetting to load OpenSSL's table of algorithms with
 OpenSSL_add_all_algorithms(). See the manual page for more information.
 * Why can't the OpenSSH configure script detect OpenSSL?
 Several reasons for problems with the automatic detection exist.
 OpenSSH requires at least version 0.9.5a of the OpenSSL libraries.
 Sometimes the distribution has installed an older version in the system
 locations that is detected instead of a new one installed. The OpenSSL
 library might have been compiled for another CPU or another mode (32/64 bits).
 Permissions might be wrong.
 The general answer is to check the config.log file generated when running
 the OpenSSH configure script. It should contain the detailed information
 on why the OpenSSL library was not detected or considered incompatible.
 * Can I use OpenSSL's SSL library with non-blocking I/O?
 Yes; make sure to read the SSL_get_error(3) manual page!
 A pitfall to avoid: Don't assume that SSL_read() will just read from
 the underlying transport or that SSL_write() will just write to it --
 it is also possible that SSL_write() cannot do any useful work until
 there is data to read, or that SSL_read() cannot do anything until it
 is possible to send data.  One reason for this is that the peer may
 request a new TLS/SSL handshake at any time during the protocol,
 requiring a bi-directional message exchange; both SSL_read() and
 SSL_write() will try to continue any pending handshake.
 * Why doesn't my server application receive a client certificate?
 Due to the TLS protocol definition, a client will only send a certificate,
 if explicitly asked by the server. Use the SSL_VERIFY_PEER flag of the
 SSL_CTX_set_verify() function to enable the use of client certificates.
 ===============================================================================
--- a/53
+++ b/53
@@ -2,13 +2,16 @@
 INSTALLATION ON THE UNIX PLATFORM
 ---------------------------------
- [See INSTALL.W32 for instructions for compiling OpenSSL on Windows systems,
+ [Installation on Windows, OpenVMS and MacOS (before MacOS X) is described
-  and INSTALL.VMS for installing on OpenVMS systems.]
+  in INSTALL.W32, INSTALL.VMS and INSTALL.MacOS.]
 To install OpenSSL, you will need:
  * make
  * Perl 5
  * an ANSI C compiler
  * a development environment in form of development libraries and C
    header files
  * a supported Unix operating system
 Quick Start
@@ -33,7 +36,8 @@
 Configuration Options
 ---------------------
- There are several options to ./config to customize the build:
+ There are several options to ./config (or ./Configure) to customize
 the build:
  --prefix=DIR  Install in DIR/bin, DIR/lib, DIR/include/openssl.
 	        Configuration files used by OpenSSL will be in DIR/ssl
@@ -42,9 +46,6 @@
  --openssldir=DIR Directory for OpenSSL files. If no prefix is specified,
                the library files and binaries are also installed there.
  rsaref        Build with RSADSI's RSAREF toolkit (this assumes that
                librsaref.a is in the library search path).
  no-threads    Don't try to build with support for multi-threaded
                applications.
@@ -52,6 +53,15 @@
                This will usually require additional system-dependent options!
                See "Note on multi-threading" below.
  no-shared     Don't try to create shared libraries.
  shared        In addition to the usual static libraries, create shared
                libraries on platforms where it's supported.  See "Note on
                shared libraries" below.  THIS IS NOT RECOMMENDED!  Since
                this is a development branch, the positions of the ENGINE
                symbols in the transfer vector are constantly moving, so
                binary backward compatibility can't be guaranteed in any way.
  no-asm        Do not use assembler code.
  386           Use the 80386 instruction set only (the default x86 code is
@@ -117,9 +127,12 @@
     OpenSSL binary ("openssl"). The libraries will be built in the top-level
     directory, and the binary will be in the "apps" directory.
-     If "make" fails, please report the problem to <openssl-bugs@openssl.org>
+     If "make" fails, look at the output.  There may be reasons for
-     (note that your message will be forwarded to a public mailing list).
+     the failure that aren't problems in OpenSSL itself (like missing
-     Include the output of "make report" in your message.
+     standard headers).  If it is a problem with OpenSSL itself, please
     report the problem to <openssl-bugs@openssl.org> (note that your
     message will be forwarded to a public mailing list).  Include the
     output of "make report" in your message.
     [If you encounter assembler error messages, try the "no-asm"
     configuration option as an immediate fix.]
@@ -131,10 +144,13 @@
       $ make test
-    If a test fails, try removing any compiler optimization flags from
+     If a test fails, look at the output.  There may be reasons for
-    the CFLAGS line in Makefile.ssl and run "make clean; make". Please
+     the failure that isn't a problem in OpenSSL itself (like a missing
-    send a bug report to <openssl-bugs@openssl.org>, including the
+     or malfunctioning bc).  If it is a problem with OpenSSL itself,
-    output of "make report".
+     try removing any compiler optimization flags from the CFLAGS line
     in Makefile.ssl and run "make clean; make". Please send a bug
     report to <openssl-bugs@openssl.org>, including the output of
     "make report".
  4. If everything tests ok, install OpenSSL with
@@ -252,3 +268,14 @@
 you can still use "no-threads" to suppress an annoying warning message
 from the Configure script.)
 Note on shared libraries
 ------------------------
 For some systems, the OpenSSL Configure script knows what is needed to
 build shared libraries for libcrypto and libssl.  On these systems,
 the shared libraries are currently not created by default, but giving
 the option "shared" will get them created.  This method supports Makefile
 targets for shared library creation, like linux-shared.  Those targets
 can currently be used on their own just as well, but this is expected
 to change in future versions of OpenSSL.
--- a/INSTALL.MacOS
+++ b/INSTALL.MacOS
@@ -1,7 +1,7 @@
-OpenSSL - Port To The Macintosh
+OpenSSL - Port To The Macintosh OS 9 or Earlier
-===============================
+===============================================
-Thanks to Roy Wood <roy@centricsystems.ca> initial support for MacOS (pre
+Thanks to Roy Wood <roy@centricsystems.ca> initial support for Mac OS (pre
 X) is now provided. "Initial" means that unlike other platforms where you
 get an SDK and a "swiss army" openssl application, on Macintosh you only
 get one sample application which fetches a page over HTTPS(*) and dumps it
@@ -42,7 +42,7 @@ Installation procedure:
 	BSD sockets and some other POSIX APIs. The GUSI distribution is
 	expected to be found in the same directory as openssl source tree,
 	i.e. in the parent directory to the one where this very file,
-	namely INSTALL.MacOS. For more informations about GUSI, see
+	namely INSTALL.MacOS. For more information about GUSI, see
 	http://www.iis.ee.ethz.ch/~neeri/macintosh/gusi-qa.html
 Finally some essential comments from our generous contributor:-)
--- a/INSTALL.VMS
+++ b/INSTALL.VMS
@@ -8,6 +8,7 @@ Intro:
 This file is divided in the following parts:
  Requirements			- Mandatory reading.
  Checking the distribution	- Mandatory reading.
  Compilation			- Mandatory reading.
  Logical names			- Mandatory reading.
@@ -19,6 +20,15 @@ This file is divided in the following parts:
  TODO				- Things that are to come.
 Requirements:
 =============
 To build and install OpenSSL, you will need:
 * DEC C or some other ANSI C compiler.  VAX C is *not* supported.
   [Note: OpenSSL has only been tested with DEC C.  Compiling with 
    a different ANSI C compiler may require some work]
 Checking the distribution:
 ==========================
@@ -82,12 +92,17 @@ directory.  The syntax is trhe following:
      RSAREF    compile using the RSAREF Library
      NORSAREF  compile without using RSAREF
-Note 1: The RSAREF libraries are NOT INCLUDED and you have to
+Note 0: The RASREF library IS NO LONGER NEEDED.  The RSA patent
-        download it from "ftp://ftp.rsa.com/rsaref".  You have to
+        expires September 20, 2000, and RSA Security chose to make
-        get the ".tar-Z" file as the ".zip" file doesn't have the
+        the algorithm public domain two weeks before that.
-        directory structure stored.  You have to extract the file
+
-        into the [.RSAREF] directory as that is where the scripts
+Note 1: If you still want to use RSAREF, the library is NOT INCLUDED
-        will look for the files.
+        and you have to download it.  RSA Security doesn't carry it
        any more, but there are a number of places where you can find
        it.  You have to get the ".tar-Z" file as the ".zip" file
        doesn't have the directory structure stored.  You have to
        extract the file into the [.RSAREF] directory as that is where
        the scripts will look for the files.
 Note 2: I have never done this, so I've no idea if it works or not.
@@ -129,7 +144,7 @@ Currently, the logical names supported are:
                        used.  This is good to try if something doesn't work.
      OPENSSL_NO_'alg'  with value YES, the corresponding crypto algorithm
                        will not be implemented.  Supported algorithms to
-                        do this with are: RSA, DSA, DH, MD2, MD5, RIPEMD,
+                        do this with are: RSA, DSA, DH, MD2, MD4, MD5, RIPEMD,
                        SHA, DES, MDC2, CR2, RC4, RC5, IDEA, BF, CAST, HMAC,
                        SSL2.  So, for example, having the logical name
                        OPENSSL_NO_RSA with the value YES means that the
--- a/INSTALL.W32
+++ b/INSTALL.W32
@@ -108,18 +108,20 @@
 * Compiler installation:
-   Mingw32 is available from <ftp://ftp.xraylith.wisc.edu/pub/khan/gnu-win32/
+   Mingw32 is available from <ftp://ftp.xraylith.wisc.edu/pub/khan/
-   mingw32/egcs-1.1.2/egcs-1.1.2-mingw32.zip>. GNU make is at
+   gnu-win32/mingw32/gcc-2.95.2/gcc-2.95.2-msvcrt.exe>. GNU make is at
   <ftp://agnes.dida.physik.uni-essen.de/home/janjaap/mingw32/binaries/
   make-3.76.1.zip>. Install both of them in C:\egcs-1.1.2 and run
   C:\egcs-1.1.2\mingw32.bat to set the PATH.
 * Compile OpenSSL:
-   > perl Configure Mingw32
+   > ms\mingw32
   > ms\mw.bat
-   This will create the library and binaries in out.
+   This will create the library and binaries in out. In case any problems
   occur, try
   > ms\mingw32 no-asm
   instead.
   libcrypto.a and libssl.a are the static libraries. To use the DLLs,
   link with libeay32.a and libssl32.a instead.
@@ -132,6 +134,81 @@
   > cd out
   > ..\ms\test
 GNU C (CygWin32)
 ---------------
 CygWin32 provides a bash shell and GNU tools environment running on
 NT 4.0, Windows 9x and Windows 2000. Consequently, a make of OpenSSL
 with CygWin is closer to a GNU bash environment such as Linux rather
 than other W32 makes that are based on a single makefile approach.
 CygWin32 implements Posix/Unix calls through cygwin1.dll, and is
 contrasted to Mingw32 which links dynamically to msvcrt.dll or
 crtdll.dll.
 To build OpenSSL using CygWin32:
 * Install CygWin32 (see http://sourceware.cygnus.com/cygwin)
 * Install Perl and ensure it is in the path
 * Run the CygWin bash shell
 * $ tar zxvf openssl-x.x.x.tar.gz
   $ cd openssl-x.x.x
   $ ./Configure no-threads CygWin32
   [...]
   $ make
   [...]
   $ make test
   $ make install
 This will create a default install in /usr/local/ssl.
 CygWin32 Notes:
 "make test" and normal file operations may fail in directories
 mounted as text (i.e. mount -t c:\somewhere /home) due to CygWin
 stripping of carriage returns. To avoid this ensure that a binary
 mount is used, e.g. mount -b c:\somewhere /home.
 As of version 1.1.1 CygWin32 is relatively unstable in its handling
 of cr/lf issues. These make procedures succeeded with versions 1.1 and
 the snapshot 20000524 (Slow!).
 "bc" is not provided in the CygWin32 distribution.  This causes a
 non-fatal error in "make test" but is otherwise harmless.  If
 desired, GNU bc can be built with CygWin32 without change.
 Installation
 ------------
 There's currently no real installation procedure for Win32.  There are,
 however, some suggestions:
    - do nothing.  The include files are found in the inc32/ subdirectory,
      all binaries are found in out32dll/ or out32/ depending if you built
      dynamic or static libraries.
    - do as is written in INSTALL.Win32 that comes with modssl:
 	$ md c:\openssl 
 	$ md c:\openssl\bin
 	$ md c:\openssl\lib
 	$ md c:\openssl\include
 	$ md c:\openssl\include\openssl
 	$ copy /b inc32\*               c:\openssl\include\openssl
 	$ copy /b out32dll\ssleay32.lib c:\openssl\lib
 	$ copy /b out32dll\libeay32.lib c:\openssl\lib
 	$ copy /b out32dll\ssleay32.dll c:\openssl\bin
 	$ copy /b out32dll\libeay32.dll c:\openssl\bin
 	$ copy /b out32dll\openssl.exe  c:\openssl\bin
      Of course, you can choose another device than c:.  C: is used here
      because that's usually the first (and often only) harddisk device.
      Note: in the modssl INSTALL.Win32, p: is used rather than c:.
 Troubleshooting
 ---------------
--- a/2
+++ b/2
@@ -12,7 +12,7 @@
  ---------------
 /* ====================================================================
- * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
--- a/MacOS/GetHTTPS.src/GetHTTPS.cpp
+++ b/MacOS/GetHTTPS.src/GetHTTPS.cpp
@@ -19,6 +19,7 @@
 *				are installed!  Use the AppleScript applet in the "openssl-0.9.4" folder to do this!
 */
 /* modified to seed the PRNG */
 /* modified to use CRandomizer for seeding */
 //	Include some funky libs I've developed over time
@@ -26,14 +27,13 @@
 #include "CPStringUtils.hpp"
 #include "ErrorHandling.hpp"
 #include "MacSocket.h"
-
+#include "Randomizer.h"
 //	We use the OpenSSL implementation of SSL....
 //	This was a lot of work to finally get going, though you wouldn't know it by the results!
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 #include <openssl/rand.h>
 #include <timer.h>
@@ -48,10 +48,6 @@
 OSErr MyMacSocket_IdleWaitCallback(void *inUserRefPtr);
 //	My idle-wait callback.  Doesn't do much, does it?  Silly cooperative multitasking.
 OSErr MyMacSocket_IdleWaitCallback(void *inUserRefPtr)
@@ -59,31 +55,33 @@ OSErr MyMacSocket_IdleWaitCallback(void *inUserRefPtr)
 #pragma unused(inUserRefPtr)
 EventRecord		theEvent;
 	::EventAvail(everyEvent,&theEvent);
 	CRandomizer *randomizer = (CRandomizer*)inUserRefPtr;
 	if (randomizer)
 		randomizer->PeriodicAction();
 	return(noErr);
 }
 //	Finally!
 void main(void)
 {
-OSErr				errCode;
+	OSErr				errCode;
-int					theSocket = -1;
+	int					theSocket = -1;
-int					theTimeout = 30;
+	int					theTimeout = 30;
-SSL_CTX				*ssl_ctx = nil;
+	SSL_CTX				*ssl_ctx = nil;
-SSL					*ssl = nil;
+	SSL					*ssl = nil;
-char				tempString[256];
+	char				tempString[256];
-UnsignedWide		microTickCount;
+	UnsignedWide		microTickCount;
 	CRandomizer randomizer;
 #warning   -- USE A TRUE RANDOM SEED, AND ADD ENTROPY WHENEVER POSSIBLE. --
 const char seed[] = "uyq9,7-b(VHGT^%$&^F/,876;,;./lkJHGFUY{PO*";	// Just gobbledygook
 	printf("OpenSSL Demo by Roy Wood, roy@centricsystems.ca\n\n");
 	BailIfError(errCode = MacSocket_Startup());
@@ -92,7 +90,7 @@ const char seed[] = "uyq9,7-b(VHGT^%$&^F/,876;,;./lkJHGFUY{PO*";	// Just gobbled
 	//	Create a socket-like object
-	BailIfError(errCode = MacSocket_socket(&theSocket,false,theTimeout * 60,MyMacSocket_IdleWaitCallback,nil));
+	BailIfError(errCode = MacSocket_socket(&theSocket,false,theTimeout * 60,MyMacSocket_IdleWaitCallback,&randomizer));
 	//	Set up the connect string and try to connect
@@ -118,10 +116,6 @@ const char seed[] = "uyq9,7-b(VHGT^%$&^F/,876;,;./lkJHGFUY{PO*";	// Just gobbled
 //	ssl_ctx = SSL_CTX_new(SSLv3_client_method());
 	RAND_seed (seed, sizeof (seed));
 	Microseconds (&microTickCount);
 	RAND_add (&microTickCount, sizeof (microTickCount), 0);		// Entropy is actually > 0, needs an estimate
 	//	Create an SSL thingey and try to negotiate the connection
 	ssl = SSL_new(ssl_ctx);
--- a/MacOS/OpenSSL.mcp.hqx
+++ b/MacOS/OpenSSL.mcp.hqx
--- a/MacOS/Randomizer.cpp
+++ b/MacOS/Randomizer.cpp
@@ -0,0 +1,476 @@
 /* 
 ------- Strong random data generation on a Macintosh (pre - OS X) ------
 --	GENERAL: We aim to generate unpredictable bits without explicit
 	user interaction. A general review of the problem may be found
 	in RFC 1750, "Randomness Recommendations for Security", and some
 	more discussion, of general and Mac-specific issues has appeared
 	in "Using and Creating Cryptographic- Quality Random Numbers" by
 	Jon Callas (www.merrymeet.com/jon/usingrandom.html).
 	The data and entropy estimates provided below are based on my
 	limited experimentation and estimates, rather than by any
 	rigorous study, and the entropy estimates tend to be optimistic.
 	They should not be considered absolute.
 	Some of the information being collected may be correlated in
 	subtle ways. That includes mouse positions, timings, and disk
 	size measurements. Some obvious correlations will be eliminated
 	by the programmer, but other, weaker ones may remain. The
 	reliability of the code depends on such correlations being
 	poorly understood, both by us and by potential interceptors.
 	This package has been planned to be used with OpenSSL, v. 0.9.5.
 	It requires the OpenSSL function RAND_add. 
 --	OTHER WORK: Some source code and other details have been
 	published elsewhere, but I haven't found any to be satisfactory
 	for the Mac per se:
 	* The Linux random number generator (by Theodore Ts'o, in
 	  drivers/char/random.c), is a carefully designed open-source
 	  crypto random number package. It collects data from a variety
 	  of sources, including mouse, keyboard and other interrupts.
 	  One nice feature is that it explicitly estimates the entropy
 	  of the data it collects. Some of its features (e.g. interrupt
 	  timing) cannot be reliably exported to the Mac without using
 	  undocumented APIs.
 	* Truerand by Don P. Mitchell and Matt Blaze uses variations
 	  between different timing mechanisms on the same system. This
 	  has not been tested on the Mac, but requires preemptive
 	  multitasking, and is hardware-dependent, and can't be relied
 	  on to work well if only one oscillator is present.
 	* Cryptlib's RNG for the Mac (RNDMAC.C by Peter Gutmann),
 	  gathers a lot of information about the machine and system
 	  environment. Unfortunately, much of it is constant from one
 	  startup to the next. In other words, the random seed could be
 	  the same from one day to the next. Some of the APIs are
 	  hardware-dependent, and not all are compatible with Carbon (OS
 	  X). Incidentally, the EGD library is based on the UNIX entropy
 	  gathering methods in cryptlib, and isn't suitable for MacOS
 	  either.
 	* Mozilla (and perhaps earlier versions of Netscape) uses the
 	  time of day (in seconds) and an uninitialized local variable
 	  to seed the random number generator. The time of day is known
 	  to an outside interceptor (to within the accuracy of the
 	  system clock). The uninitialized variable could easily be
 	  identical between subsequent launches of an application, if it
 	  is reached through the same path.
 	* OpenSSL provides the function RAND_screen(), by G. van
 	  Oosten, which hashes the contents of the screen to generate a
 	  seed. This is not useful for an extension or for an
 	  application which launches at startup time, since the screen
 	  is likely to look identical from one launch to the next. This
 	  method is also rather slow.
 	* Using variations in disk drive seek times has been proposed
 	  (Davis, Ihaka and Fenstermacher, world.std.com/~dtd/;
 	  Jakobsson, Shriver, Hillyer and Juels,
 	  www.bell-labs.com/user/shriver/random.html). These variations
 	  appear to be due to air turbulence inside the disk drive
 	  mechanism, and are very strongly unpredictable. Unfortunately
 	  this technique is slow, and some implementations of it may be
 	  patented (see Shriver's page above.) It of course cannot be
 	  used with a RAM disk.
 --	TIMING: On the 601 PowerPC the time base register is guaranteed
 	to change at least once every 10 addi instructions, i.e. 10
 	cycles. On a 60 MHz machine (slowest PowerPC) this translates to
 	a resolution of 1/6 usec. Newer machines seem to be using a 10
 	cycle resolution as well.
 	For 68K Macs, the Microseconds() call may be used. See Develop
 	issue 29 on the Apple developer site
 	(developer.apple.com/dev/techsupport/develop/issue29/minow.html)
 	for information on its accuracy and resolution. The code below
 	has been tested only on PowerPC based machines.
 	The time from machine startup to the launch of an application in
 	the startup folder has a variance of about 1.6 msec on a new G4
 	machine with a defragmented and optimized disk, most extensions
 	off and no icons on the desktop. This can be reasonably taken as
 	a lower bound on the variance. Most of this variation is likely
 	due to disk seek time variability. The distribution of startup
 	times is probably not entirely even or uncorrelated. This needs
 	to be investigated, but I am guessing that it not a majpor
 	problem. Entropy = log2 (1600/0.166) ~= 13 bits on a 60 MHz
 	machine, ~16 bits for a 450 MHz machine.
 	User-launched application startup times will have a variance of
 	a second or more relative to machine startup time. Entropy >~22
 	bits.
 	Machine startup time is available with a 1-second resolution. It
 	is predictable to no better a minute or two, in the case of
 	people who show up punctually to work at the same time and
 	immediately start their computer. Using the scheduled startup
 	feature (when available) will cause the machine to start up at
 	the same time every day, making the value predictable. Entropy
 	>~7 bits, or 0 bits with scheduled startup.
 	The time of day is of course known to an outsider and thus has 0
 	entropy if the system clock is regularly calibrated.
 --	KEY TIMING: A  very fast typist (120 wpm) will have a typical
 	inter-key timing interval of 100 msec. We can assume a variance
 	of no less than 2 msec -- maybe. Do good typists have a constant
 	rhythm, like drummers? Since what we measure is not the
 	key-generated interrupt but the time at which the key event was
 	taken off the event queue, our resolution is roughly the time
 	between process switches, at best 1 tick (17 msec). I  therefore
 	consider this technique questionable and not very useful for
 	obtaining high entropy data on the Mac.
 --	MOUSE POSITION AND TIMING: The high bits of the mouse position
 	are far from arbitrary, since the mouse tends to stay in a few
 	limited areas of the screen. I am guessing that the position of
 	the mouse is arbitrary within a 6 pixel square. Since the mouse
 	stays still for long periods of time, it should be sampled only
 	after it was moved, to avoid correlated data. This gives an
 	entropy of log2(6*6) ~= 5 bits per measurement.
 	The time during which the mouse stays still can vary from zero
 	to, say, 5 seconds (occasionally longer). If the still time is
 	measured by sampling the mouse during null events, and null
 	events are received once per tick, its resolution is 1/60th of a
 	second, giving an entropy of log2 (60*5) ~= 8 bits per
 	measurement. Since the distribution of still times is uneven,
 	this estimate is on the high side.
 	For simplicity and compatibility across system versions, the
 	mouse is to be sampled explicitly (e.g. in the event loop),
 	rather than in a time manager task.
 --	STARTUP DISK TOTAL FILE SIZE: Varies typically by at least 20k
 	from one startup to the next, with 'minimal' computer use. Won't
 	vary at all if machine is started again immediately after
 	startup (unless virtual memory is on), but any application which
 	uses the web and caches information to disk is likely to cause
 	this much variation or more. The variation is probably not
 	random, but I don't know in what way. File sizes tend to be
 	divisible by 4 bytes since file format fields are often
 	long-aligned. Entropy > log2 (20000/4) ~= 12 bits.
 --	STARTUP DISK FIRST AVAILABLE ALLOCATION BLOCK: As the volume
 	gets fragmented this could be anywhere in principle. In a
 	perfectly unfragmented volume this will be strongly correlated
 	with the total file size on the disk. With more fragmentation
 	comes less certainty. I took the variation in this value to be
 	1/8 of the total file size on the volume.
 --	SYSTEM REQUIREMENTS: The code here requires System 7.0 and above
 	(for Gestalt and Microseconds calls). All the calls used are
 	Carbon-compatible.
 */
 /*------------------------------ Includes ----------------------------*/
 #include "Randomizer.h"
 // Mac OS API
 #include <Files.h>
 #include <Folders.h>
 #include <Events.h>
 #include <Processes.h>
 #include <Gestalt.h>
 #include <Resources.h>
 #include <LowMem.h>
 // Standard C library
 #include <stdlib.h>
 #include <math.h>
 /*---------------------- Function declarations -----------------------*/
 // declared in OpenSSL/crypto/rand/rand.h
 extern "C" void RAND_add (const void *buf, int num, double entropy);
 unsigned long GetPPCTimer (bool is601);	// Make it global if needed
 					// elsewhere
 /*---------------------------- Constants -----------------------------*/
 #define kMouseResolution 6		// Mouse position has to differ
 					// from the last one by this
 					// much to be entered
 #define kMousePositionEntropy 5.16	// log2 (kMouseResolution**2)
 #define kTypicalMouseIdleTicks 300.0	// I am guessing that a typical
 					// amount of time between mouse
 					// moves is 5 seconds
 #define kVolumeBytesEntropy 12.0	// about log2 (20000/4),
 					// assuming a variation of 20K
 					// in total file size and
 					// long-aligned file formats.
 #define kApplicationUpTimeEntropy 6.0	// Variance > 1 second, uptime
 					// in ticks  
 #define kSysStartupEntropy 7.0		// Entropy for machine startup
 					// time
 /*------------------------ Function definitions ----------------------*/
 CRandomizer::CRandomizer (void)
 {
 	long	result;
 	mSupportsLargeVolumes =
 		(Gestalt(gestaltFSAttr, &result) == noErr) &&
 		((result & (1L << gestaltFSSupports2TBVols)) != 0);
 	if (Gestalt (gestaltNativeCPUtype, &result) != noErr)
 	{
 		mIsPowerPC = false;
 		mIs601 = false;
 	}
 	else
 	{
 		mIs601 = (result == gestaltCPU601);
 		mIsPowerPC = (result >= gestaltCPU601);
 	}
 	mLastMouse.h = mLastMouse.v = -10;	// First mouse will
 						// always be recorded
 	mLastPeriodicTicks = TickCount();
 	GetTimeBaseResolution ();
 	// Add initial entropy
 	AddTimeSinceMachineStartup ();
 	AddAbsoluteSystemStartupTime ();
 	AddStartupVolumeInfo ();
 	AddFiller ();
 }
 void CRandomizer::PeriodicAction (void)
 {
 	AddCurrentMouse ();
 	AddNow (0.0);	// Should have a better entropy estimate here
 	mLastPeriodicTicks = TickCount();
 }
 /*------------------------- Private Methods --------------------------*/
 void CRandomizer::AddCurrentMouse (void)
 {
 	Point mouseLoc;
 	unsigned long lastCheck;	// Ticks since mouse was last
 					// sampled
 #if TARGET_API_MAC_CARBON
 	GetGlobalMouse (&mouseLoc);
 #else
 	mouseLoc = LMGetMouseLocation();
 #endif
 	if (labs (mLastMouse.h - mouseLoc.h) > kMouseResolution/2 &&
 	    labs (mLastMouse.v - mouseLoc.v) > kMouseResolution/2)
 		AddBytes (&mouseLoc, sizeof (mouseLoc),
 				kMousePositionEntropy);
 	if (mLastMouse.h == mouseLoc.h && mLastMouse.v == mouseLoc.v)
 		mMouseStill ++;
 	else
 	{
 		double entropy;
 		// Mouse has moved. Add the number of measurements for
 		// which it's been still. If the resolution is too
 		// coarse, assume the entropy is 0.
 		lastCheck = TickCount() - mLastPeriodicTicks;
 		if (lastCheck <= 0)
 			lastCheck = 1;
 		entropy = log2l
 			(kTypicalMouseIdleTicks/(double)lastCheck);
 		if (entropy < 0.0)
 			entropy = 0.0;
 		AddBytes (&mMouseStill, sizeof (mMouseStill), entropy);
 		mMouseStill = 0;
 	}
 	mLastMouse = mouseLoc;
 }
 void CRandomizer::AddAbsoluteSystemStartupTime (void)
 {
 	unsigned long	now;		// Time in seconds since
 					// 1/1/1904
 	GetDateTime (&now);
 	now -= TickCount() / 60;	// Time in ticks since machine
 					// startup
 	AddBytes (&now, sizeof (now), kSysStartupEntropy);
 }
 void CRandomizer::AddTimeSinceMachineStartup (void)
 {
 	AddNow (1.5);			// Uncertainty in app startup
 					// time is > 1.5 msec (for
 					// automated app startup).
 }
 void CRandomizer::AddAppRunningTime (void)
 {
 	ProcessSerialNumber PSN;
 	ProcessInfoRec		ProcessInfo;
 	ProcessInfo.processInfoLength = sizeof (ProcessInfoRec);
 	ProcessInfo.processName = nil;
 	ProcessInfo.processAppSpec = nil;
 	GetCurrentProcess (&PSN);
 	GetProcessInformation (&PSN, &ProcessInfo);
 	// Now add the amount of time in ticks that the current process
 	// has been active
 	AddBytes (&ProcessInfo, sizeof (ProcessInfoRec),
 			kApplicationUpTimeEntropy);
 }
 void CRandomizer::AddStartupVolumeInfo (void)
 {
 	short			vRefNum;
 	long			dirID;
 	XVolumeParam	pb;
 	OSErr			err;
 	if (!mSupportsLargeVolumes)
 		return;
 	FindFolder (kOnSystemDisk, kSystemFolderType, kDontCreateFolder,
 			&vRefNum, &dirID);
 	pb.ioVRefNum = vRefNum;
 	pb.ioCompletion = 0;
 	pb.ioNamePtr = 0;
 	pb.ioVolIndex = 0;
 	err = PBXGetVolInfoSync (&pb);
 	if (err != noErr)
 		return;
 	// Base the entropy on the amount of space used on the disk and
 	// on the next available allocation block. A lot else might be
 	// unpredictable, so might as well toss the whole block in. See
 	// comments for entropy estimate justifications.
 	AddBytes (&pb, sizeof (pb),
 		kVolumeBytesEntropy +
 		log2l (((pb.ioVTotalBytes.hi - pb.ioVFreeBytes.hi)
 				* 4294967296.0D +
 			(pb.ioVTotalBytes.lo - pb.ioVFreeBytes.lo))
 				/ pb.ioVAlBlkSiz - 3.0));
 }
 /*
 	On a typical startup CRandomizer will come up with about 60
 	bits of good, unpredictable data. Assuming no more input will
 	be available, we'll need some more lower-quality data to give
 	OpenSSL the 128 bits of entropy it desires. AddFiller adds some
 	relatively predictable data into the soup.
 */
 void CRandomizer::AddFiller (void)
 {
 	struct
 	{
 		ProcessSerialNumber psn;	// Front process serial
 						// number
 		RGBColor	hiliteRGBValue;	// User-selected
 						// highlight color
 		long		processCount;	// Number of active
 						// processes
 		long		cpuSpeed;	// Processor speed
 		long		totalMemory;	// Total logical memory
 						// (incl. virtual one)
 		long		systemVersion;	// OS version
 		short		resFile;	// Current resource file
 	} data;
 	GetNextProcess ((ProcessSerialNumber*) kNoProcess);
 	while (GetNextProcess (&data.psn) == noErr)
 		data.processCount++;
 	GetFrontProcess (&data.psn);
 	LMGetHiliteRGB (&data.hiliteRGBValue);
 	Gestalt (gestaltProcClkSpeed, &data.cpuSpeed);
 	Gestalt (gestaltLogicalRAMSize, &data.totalMemory);
 	Gestalt (gestaltSystemVersion, &data.systemVersion);
 	data.resFile = CurResFile ();
 	// Here we pretend to feed the PRNG completely random data. This
 	// is of course false, as much of the above data is predictable
 	// by an outsider. At this point we don't have any more
 	// randomness to add, but with OpenSSL we must have a 128 bit
 	// seed before we can start. We just add what we can, without a
 	// real entropy estimate, and hope for the best.
 	AddBytes (&data, sizeof(data), 8.0 * sizeof(data));
 	AddCurrentMouse ();
 	AddNow (1.0);
 }
 //-------------------  LOW LEVEL ---------------------
 void CRandomizer::AddBytes (void *data, long size, double entropy)
 {
 	RAND_add (data, size, entropy * 0.125);	// Convert entropy bits
 						// to bytes
 }
 void CRandomizer::AddNow (double millisecondUncertainty)
 {
 	long time = SysTimer();
 	AddBytes (&time, sizeof (time), log2l (millisecondUncertainty *
 			mTimebaseTicksPerMillisec));
 }
 //----------------- TIMING SUPPORT ------------------
 void CRandomizer::GetTimeBaseResolution (void)
 {	
 #ifdef __powerc
 	long speed;
 	// gestaltProcClkSpeed available on System 7.5.2 and above
 	if (Gestalt (gestaltProcClkSpeed, &speed) != noErr)
 		// Only PowerPCs running pre-7.5.2 are 60-80 MHz
 		// machines.
 		mTimebaseTicksPerMillisec =  6000.0D;
 	// Assume 10 cycles per clock update, as in 601 spec. Seems true
 	// for later chips as well.
 	mTimebaseTicksPerMillisec = speed / 1.0e4D;
 #else
 	// 68K VIA-based machines (see Develop Magazine no. 29)
 	mTimebaseTicksPerMillisec = 783.360D;
 #endif
 }
 unsigned long CRandomizer::SysTimer (void)	// returns the lower 32
 						// bit of the chip timer
 {
 #ifdef __powerc
 	return GetPPCTimer (mIs601);
 #else
 	UnsignedWide usec;
 	Microseconds (&usec);
 	return usec.lo;
 #endif
 }
 #ifdef __powerc
 // The timebase is available through mfspr on 601, mftb on later chips.
 // Motorola recommends that an 601 implementation map mftb to mfspr
 // through an exception, but I haven't tested to see if MacOS actually
 // does this. We only sample the lower 32 bits of the timer (i.e. a
 // few minutes of resolution)
 asm unsigned long GetPPCTimer (register bool is601)
 {
 	cmplwi	is601, 0	// Check if 601
 	bne	_601		// if non-zero goto _601
 	mftb  	r3		// Available on 603 and later.
 	blr			// return with result in r3
 _601:
 	mfspr r3, spr5  	// Available on 601 only.
 				// blr inserted automatically
 }
 #endif
--- a/MacOS/Randomizer.h
+++ b/MacOS/Randomizer.h
@@ -0,0 +1,43 @@
 //	Gathers unpredictable system data to be used for generating
 //	random bits
 #include <MacTypes.h>
 class CRandomizer
 {
 public:
 	CRandomizer (void);
 	void PeriodicAction (void);
 private:
 	// Private calls
 	void		AddTimeSinceMachineStartup (void);
 	void		AddAbsoluteSystemStartupTime (void);
 	void		AddAppRunningTime (void);
 	void		AddStartupVolumeInfo (void);
 	void		AddFiller (void);
 	void		AddCurrentMouse (void);
 	void		AddNow (double millisecondUncertainty);
 	void		AddBytes (void *data, long size, double entropy);
 	void		GetTimeBaseResolution (void);
 	unsigned long	SysTimer (void);
 	// System Info	
 	bool		mSupportsLargeVolumes;
 	bool		mIsPowerPC;
 	bool		mIs601;
 	// Time info
 	double		mTimebaseTicksPerMillisec;
 	unsigned long	mLastPeriodicTicks;
 	// Mouse info
 	long		mSamplePeriod;
 	Point		mLastMouse;
 	long		mMouseStill;
 };
--- a/Makefile.org
+++ b/Makefile.org
@@ -5,8 +5,16 @@
 VERSION=
 MAJOR=
 MINOR=
 SHLIB_VERSION_NUMBER=
 SHLIB_VERSION_HISTORY=
 SHLIB_MAJOR=
 SHLIB_MINOR=
 SHLIB_EXT=
 PLATFORM=dist
 OPTIONS=
 CONFIGURE_ARGS=
 SHLIB_TARGET=
 # INSTALL_PREFIX is for package builders so that they can configure
 # for, say, /usr/ and yet have everything installed to /tmp/somedir/usr/.
 # Normally it is left empty.
@@ -28,8 +36,6 @@ OPENSSLDIR=/usr/local/ssl
 # DEVRANDOM - Give this the value of the 'random device' if your OS supports
 #           one.  32 bytes will be read from this when the random
 #           number generator is initalised.
 # SSL_ALLOW_ADH - define if you want the server to be able to use the
 #           SSLv3 anon-DH ciphers.
 # SSL_FORBID_ENULL - define if you want the server to be not able to use the
 #           NULL encryption ciphers.
 #
@@ -51,13 +57,14 @@ CC= gcc
 #CFLAG= -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
 CFLAG= -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
 DEPFLAG= 
-PEX_LIBS= -L. -L.. -L../.. -L../../..
+PEX_LIBS= 
 EX_LIBS= 
 EXE_EXT= 
 AR=ar r
 RANLIB= ranlib
 PERL= perl
 TAR= tar
-TARFLAGS= --norecurse
+TARFLAGS= --no-recursion
 # Set BN_ASM to bn_asm.o if you want to use the C version
 BN_ASM= bn_asm.o
@@ -144,14 +151,18 @@ RMD160_ASM_OBJ= asm/rm86-out.o
 #RMD160_ASM_OBJ= asm/rm86-out.o       # a.out, FreeBSD
 #RMD160_ASM_OBJ= asm/rm86bsdi.o       # bsdi
-DIRS=   crypto ssl rsaref apps test tools
+# When we're prepared to use shared libraries in the programs we link here
 # we might set SHLIB_MARK to '$(SHARED_LIBS)'.
 SHLIB_MARK=
 DIRS=   crypto ssl rsaref $(SHLIB_MARK) apps test tools
 SHLIBDIRS= crypto ssl
 # dirs in crypto to build
 SDIRS=  \
-	md2 md5 sha mdc2 hmac ripemd \
+	md2 md4 md5 sha mdc2 hmac ripemd \
 	des rc2 rc4 rc5 idea bf cast \
-	bn rsa dsa dh \
+	bn rsa dsa dh dso engine \
 	buffer bio stack lhash rand err objects \
 	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp
@@ -167,7 +178,11 @@ TOP=    .
 ONEDIRS=out tmp
 EDIRS=  times doc bugs util include certs ms shlib mt demos perl sf dep VMS
 WDIRS=  windows
-LIBS=   libcrypto.a libssl.a 
+LIBS=   libcrypto.a libssl.a
 SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
 SHARED_SSL=libssl$(SHLIB_EXT)
 SHARED_LIBS=
 SHARED_LIBS_LINK_EXTS=
 GENERAL=        Makefile
 BASENAME=       openssl
@@ -177,38 +192,235 @@ WTARFILE=       $(NAME)-win.tar
 EXHEADER=       e_os.h e_os2.h
 HEADER=         e_os.h
-all: Makefile.ssl
+# When we're prepared to use shared libraries in the programs we link here
-	@for i in $(DIRS) ;\
+# we might remove 'clean-shared' from the targets to perform at this stage
-	do \
+
-	(cd $$i && echo "making all in $$i..." && \
+all: clean-shared Makefile.ssl sub_all
 	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' SDIRS='${SDIRS}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' all ) || exit 1; \
 	done
 	-@# cd crypto; $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' SDIRS='${SDIRS}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' testapps
 	-@# cd perl; $(PERL) Makefile.PL; make
 sub_all:
-	@for i in $(DIRS) ;\
+	@for i in $(DIRS); \
 	do \
-	(cd $$i && echo "making all in $$i..." && \
+	if [ -d "$$i" ]; then \
-	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' all ) || exit 1; \
+		(cd $$i && echo "making all in $$i..." && \
-	done;
+		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' EXE_EXT='${EXE_EXT}' all ) || exit 1; \
 	else \
 		$(MAKE) $$i; \
 	fi; \
 	done; \
 	if echo "$(DIRS)" | \
 	    egrep '(^| )(crypto|ssl)( |$$)' > /dev/null 2>&1 && \
 	   [ -n "$(SHARED_LIBS)" ]; then \
 		$(MAKE) $(SHARED_LIBS); \
 	fi
-linux-shared:
+libcrypto$(SHLIB_EXT): libcrypto.a
-	for i in ${SHLIBDIRS}; do \
+	@if [ "$(SHLIB_TARGET)" != "" ]; then \
-	rm -f lib$$i.a lib$$i.so \
+		$(MAKE) SHLIBDIRS=crypto build-shared; \
-		lib$$i.so.${MAJOR} lib$$i.so.${MAJOR}.${MINOR}; \
+	else \
-	${MAKE} CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='-fPIC ${CFLAG}' SDIRS='${SDIRS}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' DIRS=$$i clean all || exit 1; \
+		echo "There's no support for shared libraries on this platform" >&2; \
-	( set -x; ${CC}  -shared -o lib$$i.so.${MAJOR}.${MINOR} \
+	fi
-		-Wl,-S,-soname=lib$$i.so.${MAJOR} \
+libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a
 	@if [ "$(SHLIB_TARGET)" != "" ]; then \
 		$(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-lcrypto' build-shared; \
 	else \
 		echo "There's no support for shared libraries on this platform" >&2; \
 	fi
 clean-shared:
 	@for i in $(SHLIBDIRS); do \
 		if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \
 			tmp="$(SHARED_LIBS_LINK_EXTS)"; \
 			for j in $${tmp:-x}; do \
 				( set -x; rm -f lib$$i$$j ); \
 			done; \
 		fi; \
 		( set -x; rm -f lib$$i$(SHLIB_EXT) ); \
 	done
 link-shared:
 	@for i in $(SHLIBDIRS); do \
 		prev=lib$$i$(SHLIB_EXT); \
 		if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \
 			tmp="$(SHARED_LIBS_LINK_EXTS)"; \
 			for j in $${tmp:-x}; do \
 				( set -x; ln -f -s $$prev lib$$i$$j ); \
 				prev=lib$$i$$j; \
 			done; \
 		fi; \
 	done
 build-shared: clean-shared do_$(SHLIB_TARGET) link-shared
 do_bsd-gcc-shared: do_gnu-shared
 do_linux-shared: do_gnu-shared
 do_gnu-shared:
 	libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
 	( set -x; ${CC}  -shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		-Wl,-soname=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		-Wl,--whole-archive lib$$i.a \
-		-Wl,--no-whole-archive -lc ) || exit 1; \
+		-Wl,--no-whole-archive $$libs ${EX_LIBS} -lc ) || exit 1; \
-	rm -f lib$$i.a; make -C $$i clean || exit 1 ;\
+	libs="$$libs -l$$i"; \
-	done;
+	done
-	@set -x; \
+
-	for i in ${SHLIBDIRS}; do \
+DETECT_GNU_LD=${CC} -v 2>&1 | grep '^gcc' >/dev/null 2>&1 && \
-	ln -s lib$$i.so.${MAJOR}.${MINOR} lib$$i.so.${MAJOR}; \
+	collect2=`gcc -print-prog-name=collect2 2>&1` && \
-	ln -s lib$$i.so.${MAJOR} lib$$i.so; \
+	[ -n "$$collect2" ] && \
-	done;
+	my_ld=`$$collect2 --help 2>&1 | grep Usage: | sed 's/^Usage: *\([^ ][^ ]*\).*/\1/'` && \
 	[ -n "$$my_ld" ] && \
 	$$my_ld -v 2>&1 | grep 'GNU ld' >/dev/null 2>&1
 # This assumes that GNU utilities are *not* used
 do_alpha-osf1-shared:
 	if ${DETECT_GNU_LD}; then \
 		$(MAKE) do_gnu-shared; \
 	else \
 		libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
 		( set -x; ${CC}  -shared -o lib$$i.so \
 			-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
 			-all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \
 		libs="$$libs -l$$i"; \
 		done; \
 	fi
 # This assumes that GNU utilities are *not* used
 # The difference between alpha-osf1-shared and tru64-shared is the `-msym'
 # option passed to the linker.
 do_tru64-shared:
 	if ${DETECT_GNU_LD}; then \
 		$(MAKE) do_gnu-shared; \
 	else \
 		libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
 		( set -x; ${CC}  -shared -msym -o lib$$i.so \
 			-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
 			-all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \
 		libs="$$libs -l$$i"; \
 		done; \
 	fi
 # This assumes that GNU utilities are *not* used
 # The difference between tru64-shared and tru64-shared-rpath is the
 # -rpath ${INSTALLTOP}/lib passed to the linker.
 do_tru64-shared-rpath:
 	if ${DETECT_GNU_LD}; then \
 		$(MAKE) do_gnu-shared; \
 	else \
 		libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
 		( set -x; ${CC}  -shared -msym -o lib$$i.so \
 			-rpath  ${INSTALLTOP}/lib \
 			-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}" \
 			-all lib$$i.a -none $$libs ${EX_LIBS} -lc ) || exit 1; \
 		libs="$$libs -l$$i"; \
 		done; \
 	fi
 # This assumes that GNU utilities are *not* used
 do_solaris-shared:
 	if ${DETECT_GNU_LD}; then \
 		$(MAKE) do_gnu-shared; \
 	else \
 		libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
 		( PATH=/usr/ccs/bin:$$PATH ; export PATH; \
 		  set -x; ${CC}  -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-z allextract lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \
 		libs="$$libs -l$$i"; \
 		done; \
 	fi
 # UnixWare 7 and OpenUNIX 8 native compilers used
 do_svr5-shared:
 	if ${DETECT_GNU_LD}; then \
 		$(MAKE) do_gnu-shared; \
 	else \
 		libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
 		( PATH=/usr/ccs/bin:$$PATH ; export PATH; \
 		  find . -name "*.o" -print > allobjs ; \
 		  OBJS= ; export OBJS ; \
 		  for obj in `ar t lib$$i.a` ; do \
 		    OBJS="$${OBJS} `grep $$obj allobjs`" ; \
 		  done ; \
 		  set -x; ${CC}  -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			$${OBJS} $$libs ${EX_LIBS} ) || exit 1; \
 		libs="$$libs -l$$i"; \
 		done; \
 	fi
 # This assumes that GNU utilities are *not* used
 do_irix-shared:
 	if ${DETECT_GNU_LD}; then \
 		$(MAKE) do_gnu-shared; \
 	else \
 		libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
 		( set -x; ${CC} -shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-Wl,-soname,lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-all lib$$i.a $$libs ${EX_LIBS} -lc) || exit 1; \
 		libs="$$libs -l$$i"; \
 		done; \
 	fi
 # This assumes that GNU utilities are *not* used
 do_hpux-shared:
 	libs='${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
 	( set -x; /usr/ccs/bin/ld +vnocompatwarnings \
 		-b -z -o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		+h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		-Fl lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \
 	libs="$$libs -L. -l$$i"; \
 	done
 # This assumes that GNU utilities are *not* used
 do_hpux64-shared:
 	libs='${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
 	( set -x; /usr/ccs/bin/ld -b -z -o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		+h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		+forceload lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \
 	libs="$$libs -L. -l$$i"; \
 	done
 # The following method is said to work on all platforms.  Tests will
 # determine if that's how it's gong to be used.
 # This assumes that for all but GNU systems, GNU utilities are *not* used.
 # ALLSYMSFLAGS would be:
 #  GNU systems: --whole-archive
 #  Tru64 Unix:  -all
 #  Solaris:     -z allextract
 #  Irix:        -all
 #  HP/UX-32bit: -Fl
 #  HP/UX-64bit: +forceload
 #  AIX:		-bnogc
 # SHAREDFLAGS would be:
 #  GNU systems: -shared -Wl,-soname=lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}
 #  Tru64 Unix:  -shared \
 #		-set_version "${SHLIB_VERSION_HISTORY}${SHLIB_VERSION_NUMBER}"
 #  Solaris:     -G -h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}
 #  Irix:        -shared -Wl,-soname,lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR}
 #  HP/UX-32bit: +vnocompatwarnings -b -z +s \
 #		+h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}
 #  HP/UX-64bit: -b -z +h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}
 #  AIX:		-G -bE:lib$$i.exp -bM:SRE
 # SHAREDCMD would be:
 #  GNU systems: $(CC)
 #  Tru64 Unix:  $(CC)
 #  Solaris:     $(CC)
 #  Irix:        $(CC)
 #  HP/UX-32bit: /usr/ccs/bin/ld
 #  HP/UX-64bit: /usr/ccs/bin/ld
 #  AIX:		$(CC)
 ALLSYMSFLAG=-bnogc
 SHAREDFLAGS=-G -bE:lib$$i.exp -bM:SRE
 SHAREDCMD=$(CC)
 do_aix-shared:
 	libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
 	( set -x; \
 	  ld -r -o $$i.o $(ALLSYMSFLAG) lib$$i.a && \
 	  ( nm -Pg lib$$i.o | grep ' [BD] ' | cut -f1 -d' ' > lib$$i.exp; \
 	    $(SHAREDCMD) $(SHAREDFLAG) -o lib$$i.so lib$$i.o \
 		$$libs ${EX_LIBS} ) ) \
 	|| exit 1; \
 	libs="$$libs -l$$i"; \
 	done
 Makefile.ssl: Makefile.org
 	@echo "Makefile.ssl is older than Makefile.org."
@@ -222,9 +434,11 @@ clean:
 	rm -f shlib/*.o *.o core a.out fluff *.map rehash.time testlog make.log cctest cctest.c
 	@for i in $(DIRS) ;\
 	do \
-	(cd $$i && echo "making clean in $$i..." && \
+	if [ -d "$$i" ]; then \
-	$(MAKE) SDIRS='${SDIRS}' clean ) || exit 1; \
+		(cd $$i && echo "making clean in $$i..." && \
-	rm -f $(LIBS); \
+		$(MAKE) SDIRS='${SDIRS}' clean ) || exit 1; \
 		rm -f $(LIBS); \
 	fi; \
 	done;
 	rm -f *.a *.o speed.* *.map *.so .pure core
 	rm -f $(TARFILE)
@@ -241,8 +455,10 @@ files:
 	$(PERL) $(TOP)/util/files.pl Makefile.ssl > $(TOP)/MINFO
 	@for i in $(DIRS) ;\
 	do \
-	(cd $$i && echo "making 'files' in $$i..." && \
+	if [ -d "$$i" ]; then \
-	$(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' files ) || exit 1; \
+		(cd $$i && echo "making 'files' in $$i..." && \
 		$(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' files ) || exit 1; \
 	fi; \
 	done;
 links:
@@ -250,28 +466,32 @@ links:
 	@$(PERL) $(TOP)/util/mkdir-p.pl include/openssl
 	@$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER)
 	@for i in $(DIRS); do \
-	(cd $$i && echo "making links in $$i..." && \
+	if [ -d "$$i" ]; then \
-	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' links ) || exit 1; \
+		(cd $$i && echo "making links in $$i..." && \
 		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' links ) || exit 1; \
 	fi; \
 	done;
 dclean:
 	rm -f *.bak
 	@for i in $(DIRS) ;\
 	do \
-	(cd $$i && echo "making dclean in $$i..." && \
+	if [ -d "$$i" ]; then \
-	$(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' dclean ) || exit 1; \
+		(cd $$i && echo "making dclean in $$i..." && \
 		$(MAKE) SDIRS='${SDIRS}' PERL='${PERL}' dclean ) || exit 1; \
 	fi; \
 	done;
 rehash: rehash.time
 rehash.time: certs
-	@(OPENSSL="`pwd`/apps/openssl"; export OPENSSL; sh tools/c_rehash certs)
+	@(OPENSSL="`pwd`/apps/openssl"; export OPENSSL; $(PERL) tools/c_rehash certs)
 	touch rehash.time
 test:   tests
 tests: rehash
 	@(cd test && echo "testing..." && \
-	$(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SDIRS='${SDIRS}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' tests );
+	$(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SDIRS='${SDIRS}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' EXE_EXT='${EXE_EXT}' tests );
 	@apps/openssl version -a
 report:
@@ -280,41 +500,52 @@ report:
 depend:
 	@for i in $(DIRS) ;\
 	do \
-	(cd $$i && echo "making dependencies $$i..." && \
+	if [ -d "$$i" ]; then \
-	$(MAKE) SDIRS='${SDIRS}' DEPFLAG='${DEPFLAG}' depend ) || exit 1; \
+		(cd $$i && echo "making dependencies $$i..." && \
 		$(MAKE) SDIRS='${SDIRS}' DEPFLAG='${DEPFLAG}' depend ) || exit 1; \
 	fi; \
 	done;
 lint:
 	@for i in $(DIRS) ;\
 	do \
-	(cd $$i && echo "making lint $$i..." && \
+	if [ -d "$$i" ]; then \
-	$(MAKE) SDIRS='${SDIRS}' lint ) || exit 1; \
+		(cd $$i && echo "making lint $$i..." && \
 		$(MAKE) SDIRS='${SDIRS}' lint ) || exit 1; \
 	fi; \
 	done;
 tags:
 	@for i in $(DIRS) ;\
 	do \
-	(cd $$i && echo "making tags $$i..." && \
+	if [ -d "$$i" ]; then \
-	$(MAKE) SDIRS='${SDIRS}' tags ) || exit 1; \
+		(cd $$i && echo "making tags $$i..." && \
 		$(MAKE) SDIRS='${SDIRS}' tags ) || exit 1; \
 	fi; \
 	done;
 errors:
-	perl util/mkerr.pl -recurse -write
+	$(PERL) util/mkerr.pl -recurse -write
 stacks:
 	$(PERL) util/mkstack.pl -write
 util/libeay.num::
-	perl util/mkdef.pl crypto update
+	$(PERL) util/mkdef.pl crypto update
 util/ssleay.num::
-	perl util/mkdef.pl ssl update
+	$(PERL) util/mkdef.pl ssl update
-crypto/objects/obj_dat.h: crypto/objects/objects.h crypto/objects/obj_dat.pl
+crypto/objects/obj_dat.h: crypto/objects/obj_mac.h crypto/objects/obj_dat.pl
-	perl crypto/objects/obj_dat.pl crypto/objects/objects.h crypto/objects/obj_dat.h
+	$(PERL) crypto/objects/obj_dat.pl crypto/objects/obj_mac.h crypto/objects/obj_dat.h
 crypto/objects/obj_mac.h: crypto/objects/objects.pl crypto/objects/objects.txt 
 	$(PERL) crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num crypto/objects/obj_mac.h
 TABLE: Configure
 	(echo 'Output of `Configure TABLE'"':"; \
-	perl Configure TABLE) > TABLE
+	$(PERL) Configure TABLE) > TABLE
-update: depend errors util/libeay.num util/ssleay.num crypto/objects/obj_dat.h TABLE
+update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h TABLE
 tar:
 	@$(TAR) $(TARFLAGS) -cvf - \
@@ -349,16 +580,34 @@ install: all install_docs
 	done;
 	@for i in $(DIRS) ;\
 	do \
-	(cd $$i; echo "installing $$i..."; \
+	if [ -d "$$i" ]; then \
-	$(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}' INSTALLTOP='${INSTALLTOP}' OPENSSLDIR='${OPENSSLDIR}' EX_LIBS='${EX_LIBS}' SDIRS='${SDIRS}' RANLIB='${RANLIB}' install ); \
+		(cd $$i; echo "installing $$i..."; \
 		$(MAKE) CC='${CC}' CFLAG='${CFLAG}' INSTALL_PREFIX='${INSTALL_PREFIX}' INSTALLTOP='${INSTALLTOP}' OPENSSLDIR='${OPENSSLDIR}' EX_LIBS='${EX_LIBS}' SDIRS='${SDIRS}' RANLIB='${RANLIB}' EXE_EXT='${EXE_EXT}' install ); \
 	fi; \
 	done
 	@for i in $(LIBS) ;\
 	do \
-	(       echo installing $$i; \
+		if [ -f "$$i" ]; then \
-		cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
+		(       echo installing $$i; \
-		$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
+			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
-		chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
+			$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
 			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
 		fi \
 	done
 	@if [ -n "$(SHARED_LIBS)" ]; then \
 		tmp="$(SHARED_LIBS)"; \
 		for i in $${tmp:-x}; \
 		do \
 			if [ -f "$$i" ]; then \
 			(       echo installing $$i; \
 				cp -f $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
 				chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
 			fi \
 		done; \
 		(	here="`pwd`"; \
 			cd $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
 			make -f $$here/Makefile link-shared ); \
 	fi
 install_docs:
 	@$(PERL) $(TOP)/util/mkdir-p.pl \
@@ -366,23 +615,23 @@ install_docs:
 		$(INSTALL_PREFIX)$(MANDIR)/man3 \
 		$(INSTALL_PREFIX)$(MANDIR)/man5 \
 		$(INSTALL_PREFIX)$(MANDIR)/man7
 	@echo installing man 1 and man 5
 	@for i in doc/apps/*.pod; do \
 		(cd `dirname $$i`; \
 		fn=`basename $$i .pod`; \
-		sec=`[ "$$fn" = "config" ] && echo 5 || echo 1`; \
+		if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \
 		echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
 		(cd `dirname $$i`; \
 		$(PERL) ../../util/pod2man.pl --section=$$sec --center=OpenSSL \
-			 --release=$(VERSION) `basename $$i` \
+			 --release=$(VERSION) `basename $$i`) \
-			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec); \
+			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
 	done
 	@echo installing man 3 and man 7
 	@for i in doc/crypto/*.pod doc/ssl/*.pod; do \
 		(cd `dirname $$i`; \
 		fn=`basename $$i .pod`; \
-		sec=`[ "$$fn" = "des_modes" ] && echo 7 || echo 3`; \
+		if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \
 		echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
 		(cd `dirname $$i`; \
 		$(PERL) ../../util/pod2man.pl --section=$$sec --center=OpenSSL \
-			--release=$(VERSION) `basename $$i` \
+			--release=$(VERSION) `basename $$i`) \
-			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec); \
+			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
 	done
 # DO NOT DELETE THIS LINE -- make depend depends on it.
--- a/79
+++ b/79
@@ -5,6 +5,85 @@
  This file gives a brief overview of the major changes between each OpenSSL
  release. For more details please read the CHANGES file.
  Changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c:
      o Various SSL/TLS library bugfixes.
      o BIGNUM library fixes.
      o RSA OAEP and random number generation fixes.
      o Object identifiers corrected and added.
      o Add assembler BN routines for IA64.
      o Add support for OS/390 Unix, UnixWare with gcc, OpenUNIX 8,
        MIPS Linux; shared library support for Irix, HP-UX.
      o Add crypto accelerator support for AEP, Baltimore SureWare,
        Broadcom and Cryptographic Appliance's keyserver
        [in 0.9.6c-engine release].
  Changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b:
      o Security fix: PRNG improvements.
      o Security fix: RSA OAEP check.
      o Security fix: Reinsert and fix countermeasure to Bleichbacher's
        attack.
      o MIPS bug fix in BIGNUM.
      o Bug fix in "openssl enc".
      o Bug fix in X.509 printing routine.
      o Bug fix in DSA verification routine and DSA S/MIME verification.
      o Bug fix to make PRNG thread-safe.
      o Bug fix in RAND_file_name().
      o Bug fix in compatibility mode trust settings.
      o Bug fix in blowfish EVP.
      o Increase default size for BIO buffering filter.
      o Compatibility fixes in some scripts.
  Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a:
      o Security fix: change behavior of OpenSSL to avoid using
        environment variables when running as root.
      o Security fix: check the result of RSA-CRT to reduce the
        possibility of deducing the private key from an incorrectly
        calculated signature.
      o Security fix: prevent Bleichenbacher's DSA attack.
      o Security fix: Zero the premaster secret after deriving the
        master secret in DH ciphersuites.
      o Reimplement SSL_peek(), which had various problems.
      o Compatibility fix: the function des_encrypt() renamed to
        des_encrypt1() to avoid clashes with some Unixen libc.
      o Bug fixes for Win32, HP/UX and Irix.
      o Bug fixes in BIGNUM, SSL, PKCS#7, PKCS#12, X.509, CONF and
        memory checking routines.
      o Bug fixes for RSA operations in threaded enviroments.
      o Bug fixes in misc. openssl applications.
      o Remove a few potential memory leaks.
      o Add tighter checks of BIGNUM routines.
      o Shared library support has been reworked for generality.
      o More documentation.
      o New function BN_rand_range().
      o Add "-rand" option to openssl s_client and s_server.
  Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6:
      o Some documentation for BIO and SSL libraries.
      o Enhanced chain verification using key identifiers.
      o New sign and verify options to 'dgst' application.
      o Support for DER and PEM encoded messages in 'smime' application.
      o New 'rsautl' application, low level RSA utility.
      o MD4 now included.
      o Bugfix for SSL rollback padding check.
      o Support for external crypto devices [1].
      o Enhanced EVP interface.
    [1] The support for external crypto devices is currently a separate
        distribution.  See the file README.ENGINE.
  Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a:
      o Bug fixes for Win32, SuSE Linux, NeXTSTEP and FreeBSD 2.2.8 
      o Shared library support for HPUX and Solaris-gcc
      o Support of Linux/IA64
      o Assembler support for Mingw32
      o New 'rand' application
      o New way to check for existence of algorithms from scripts
  Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5:
      o S/MIME support in new 'smime' command
--- a/42
+++ b/42
@@ -1,7 +1,7 @@
- OpenSSL 0.9.5  28 Feb 2000
+ OpenSSL 0.9.6c [engine] 21 dec 2001
- Copyright (c) 1998-2000 The OpenSSL Project
+ Copyright (c) 1998-2001 The OpenSSL Project
 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
 All rights reserved.
@@ -11,9 +11,10 @@
 The OpenSSL Project is a collaborative effort to develop a robust,
 commercial-grade, fully featured, and Open Source toolkit implementing the
 Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
- protocols with full-strength cryptography world-wide. The project is managed
+ protocols as well as a full-strength general purpose cryptography library.
- by a worldwide community of volunteers that use the Internet to communicate,
+ The project is managed by a worldwide community of volunteers that use the
- plan, and develop the OpenSSL toolkit and its related documentation. 
+ Internet to communicate, plan, and develop the OpenSSL toolkit and its
 related documentation. 
 OpenSSL is based on the excellent SSLeay library developed from Eric A. Young
 and Tim J. Hudson.  The OpenSSL toolkit is licensed under a dual-license (the
@@ -61,7 +62,7 @@
     X.509v3 certificates
        X509 encoding/decoding into/from binary ASN1 and a PEM
-             based ascii-binary encoding which supports encryption with a
+             based ASCII-binary encoding which supports encryption with a
             private key.  Program to generate RSA and DSA certificate
             requests and to generate RSA and DSA certificates.
@@ -96,19 +97,18 @@
 locations around the world. _YOU_ are responsible for ensuring that your use
 of any algorithms is legal by checking if there are any patents in your
 country.  The file contains some of the patents that we know about or are
- rumoured to exist. This is not a definitive list.
+ rumored to exist. This is not a definitive list.
- RSA Data Security holds software patents on the RSA and RC5 algorithms.  If
+ RSA Security holds software patents on the RC5 algorithm.  If you
- their ciphers are used used inside the USA (and Japan?), you must contact RSA
+ intend to use this cipher, you must contact RSA Security for
- Data Security for licensing conditions. Their web page is
+ licensing conditions. Their web page is http://www.rsasecurity.com/.
 http://www.rsa.com/.
- RC4 is a trademark of RSA Data Security, so use of this label should perhaps
+ RC4 is a trademark of RSA Security, so use of this label should perhaps
- only be used with RSA Data Security's permission. 
+ only be used with RSA Security's permission. 
 The IDEA algorithm is patented by Ascom in Austria, France, Germany, Italy,
- Japan, Netherlands, Spain, Sweden, Switzerland, UK and the USA.  They should
+ Japan, the Netherlands, Spain, Sweden, Switzerland, UK and the USA.  They
- be contacted if that algorithm is to be used, their web page is
+ should be contacted if that algorithm is to be used; their web page is
 http://www.ascom.ch/.
 INSTALLATION
@@ -118,12 +118,9 @@
 a Win32 platform, read the INSTALL.W32 file.  For OpenVMS systems, read
 INSTALL.VMS.
 For people in the USA, it is possible to compile OpenSSL to use RSA Inc.'s
 public key library, RSAREF, by configuring OpenSSL with the option "rsaref".
 Read the documentation in the doc/ directory.  It is quite rough, but it
- lists the functions, you will probably have to look at the code to work out
+ lists the functions; you will probably have to look at the code to work out
- how to used them. Look at the example programs.
+ how to use them. Look at the example programs.
 SUPPORT 
 -------
@@ -166,6 +163,9 @@
 the string "[PATCH]" in the subject. Please be sure to include a
 textual explanation of what your patch does.
 Note: For legal reasons, contributions from the US can be accepted only
 if a copy of the patch is sent to crypt@bxa.doc.gov
 The preferred format for changes is "diff -u" output. You might
 generate it like this:
@@ -173,4 +173,4 @@
 # [your changes]
 # ./Configure dist; make clean
 # cd ..
- # diff -urN openssl-orig openssl-work > mydiffs.patch
+ # diff -ur openssl-orig openssl-work > mydiffs.patch
--- a/README.ENGINE
+++ b/README.ENGINE
@@ -0,0 +1,63 @@
  ENGINE
  ======
  With OpenSSL 0.9.6, a new component has been added to support external 
  crypto devices, for example accelerator cards.  The component is called
  ENGINE, and has still a pretty experimental status and almost no
  documentation.  It's designed to be fairly easily extensible by the
  calling programs.
  There's currently built-in support for the following crypto devices:
      o CryptoSwift
      o Compaq Atalla
      o nCipher CHIL
  A number of things are still needed and are being worked on:
      o An openssl utility command to handle or at least check available
        engines.
      o A better way of handling the methods that are handled by the
        engines.
      o Documentation!
  What already exists is fairly stable as far as it has been tested, but
  the test base has been a bit small most of the time.
  Because of this experimental status and what's lacking, the ENGINE
  component is not yet part of the default OpenSSL distribution.  However,
  we have made a separate kit for those who want to try this out, to be
  found in the same places as the default OpenSSL distribution, but with
  "-engine-" being part of the kit file name.  For example, version 0.9.6
  is distributed in the following two files:
      openssl-0.9.6.tar.gz
      openssl-engine-0.9.6.tar.gz
  NOTES
  =====
  openssl-engine-0.9.6.tar.gz does not depend on openssl-0.9.6.tar, you do
  not need to download both.
  openssl-engine-0.9.6.tar.gz is usable even if you don't have an external
  crypto device.  The internal OpenSSL functions are contained in the
  engine "openssl", and will be used by default.
  No external crypto device is chosen unless you say so.  You have actively
  tell the openssl utility commands to use it through a new command line
  switch called "-engine".  And if you want to use the ENGINE library to
  do something similar, you must also explicitly choose an external crypto
  device, or the built-in crypto routines will be used, just as in the
  default OpenSSL distribution.
  PROBLEMS
  ========
  It seems like the ENGINE part doesn't work too well with CryptoSwift on
  Win32.  A quick test done right before the release showed that trying
  "openssl speed -engine cswift" generated errors.  If the DSO gets enabled,
  an attempt is made to write at memory address 0x00000002.
--- a/80
+++ b/80
@@ -1,43 +1,63 @@
  OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 2000/02/28 11:59:02 $
+  ______________                           $Date: 2001/11/15 08:15:00 $
  DEVELOPMENT STATE
-    o  OpenSSL 0.9.5:  Released on February 28th, 2000
+    o  OpenSSL 0.9.7:  Under development...
-    o  OpenSSL 0.9.4:  Released on August   09th, 1999
+    o  OpenSSL 0.9.6b: Released on July       9th, 2001
-    o  OpenSSL 0.9.3a: Released on May      29th, 1999
+    o  OpenSSL 0.9.6a: Released on April      5th, 2001
-    o  OpenSSL 0.9.3:  Released on May      25th, 1999
+    o  OpenSSL 0.9.6:  Released on September 24th, 2000
-    o  OpenSSL 0.9.2b: Released on March    22th, 1999
+    o  OpenSSL 0.9.5a: Released on April      1st, 2000
-    o  OpenSSL 0.9.1c: Released on December 23th, 1998
+    o  OpenSSL 0.9.5:  Released on February  28th, 2000
    o  OpenSSL 0.9.4:  Released on August    09th, 1999
    o  OpenSSL 0.9.3a: Released on May       29th, 1999
    o  OpenSSL 0.9.3:  Released on May       25th, 1999
    o  OpenSSL 0.9.2b: Released on March     22th, 1999
    o  OpenSSL 0.9.1c: Released on December  23th, 1998
  RELEASE SHOWSTOPPERS
  AVAILABLE PATCHES
-    o shared libraries <behnke@trustcenter.de>
+    o 
    o CA.pl patch (Damien Miller)
  IN PROGRESS
    o Steve is currently working on (in no particular order):
-        Proper (or at least usable) certificate chain verification.
+        ASN1 code redesign, butchery, replacement.
        OCSP
        EVP cipher enhancement.
        Enhanced certificate chain verification.
 	Private key, certificate and CRL API and implementation.
 	Developing and bugfixing PKCS#7 (S/MIME code).
        Various X509 issues: character sets, certificate request extensions.
-	Documentation for the openssl utility.
+    o Geoff and Richard are currently working on:
 	ENGINE (the new code that gives hardware support among others).
    o Richard is currently working on:
 	UI (User Interface)
 	UTIL (a new set of library functions to support some higher level
 	      functionality that is currently missing).
 	Shared library support for VMS.
 	Kerberos 5 authentication
 	Constification
 	OCSP
  NEEDS PATCH
-    o  non-blocking socket on AIX
+    o  apps/ca.c: "Sign the certificate?" - "n" creates empty certificate file
-    o  $(PERL) in */Makefile.ssl
+
-    o  "Sign the certificate?" - "n" creates empty certificate file
+    o  OpenSSL_0_9_6-stable:
       #include <openssl/e_os.h> in exported header files is illegal since
       e_os.h is suitable only for library-internal use.
    o  Whenever strncpy is used, make sure the resulting string is NULL-terminated
       or an error is reported
    o  "OpenSSL STATUS" is never up-to-date.
  OPEN ISSUES
    o internal_verify doesn't know about X509.v3 (basicConstraints
      CA flag ...)
    o  The Makefile hierarchy and build mechanism is still not a round thing:
       1. The config vs. Configure scripts
@@ -78,20 +98,16 @@
               to date.
               Paul +1
    o The EVP and ASN1 stuff is a mess. Currently you have one EVP_CIPHER
      structure for each cipher. This may make sense for things like DES but
      for variable length ciphers like RC2 and RC4 it is NBG. Need a way to
      use the EVP interface and set up the cipher parameters. The ASN1 stuff
      is also foo wrt ciphers whose AlgorithmIdentifier has more than just
      an IV in it (e.g. RC2, RC5). This also means that EVP_Seal and EVP_Open
      don't work unless the key length matches the fixed value (some vendors
      use a key length decided by the size of the RSA encrypted key and expect
      RC2 to adapt).
    o ERR_error_string(..., buf) does not know how large buf is,
      there should be ERR_error_string_n(..., buf, bufsize)
      or similar.
  WISHES
-    o 
+    o  SRP in TLS.
       [wished by:
        Dj <derek@yo.net>, Tom Wu <tom@arcot.com>,
        Tom Holroyd <tomh@po.crl.go.jp>]
       See http://search.ietf.org/internet-drafts/draft-ietf-tls-srp-00.txt
       as well as http://www-cs-students.stanford.edu/~tjw/srp/.
       Tom Holroyd tells us there is a SRP patch for OpenSSH at
       http://members.tripod.com/professor_tom/archives/, that could
       be useful.
--- a/1467
+++ b/1467
--- a/VMS/install.com
+++ b/VMS/install.com
@@ -34,10 +34,8 @@ $	IF F$PARSE("WRK_SSLINCLUDE:") .EQS. "" THEN -
 $	IF F$PARSE("WRK_SSLROOT:[VMS]") .EQS. "" THEN -
 	   CREATE/DIR/LOG WRK_SSLROOT:[VMS]
 $
-$	EXHEADER := vms_idhacks.h
+$	IF F$SEARCH("WRK_SSLINCLUDE:vms_idhacks.h") .NES. "" THEN -
-$
+	   DELETE WRK_SSLINCLUDE:vms_idhacks.h;*
 $	COPY 'EXHEADER' WRK_SSLINCLUDE: /LOG
 $	SET FILE/PROT=WORLD:RE WRK_SSLINCLUDE:'EXHEADER'
 $
 $	OPEN/WRITE SF WRK_SSLROOT:[VMS]OPENSSL_STARTUP.COM
 $	WRITE SYS$OUTPUT "%OPEN-I-CREATED,  ",F$SEARCH("WRK_SSLROOT:[VMS]OPENSSL_STARTUP.COM")," created."
--- a/VMS/vms_idhacks.h
+++ b/VMS/vms_idhacks.h
@@ -1,198 +0,0 @@
 /* ====================================================================
 * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
 #ifndef HEADER_VMS_IDHACKS_H
 #define HEADER_VMS_IDHACKS_H
 #ifdef VMS
 /* Hack a long name in crypto/asn1/a_mbstr.c */
 #define ASN1_STRING_set_default_mask_asc ASN1_STRING_set_def_mask_asc
 /* Hack the names created with DECLARE_STACK_OF(PKCS7_SIGNER_INFO) */
 #define sk_PKCS7_SIGNER_INFO_new		sk_PKCS7_SIGINF_new
 #define sk_PKCS7_SIGNER_INFO_new_null		sk_PKCS7_SIGINF_new_null
 #define sk_PKCS7_SIGNER_INFO_free		sk_PKCS7_SIGINF_free
 #define sk_PKCS7_SIGNER_INFO_num		sk_PKCS7_SIGINF_num
 #define sk_PKCS7_SIGNER_INFO_value		sk_PKCS7_SIGINF_value
 #define sk_PKCS7_SIGNER_INFO_set		sk_PKCS7_SIGINF_set
 #define sk_PKCS7_SIGNER_INFO_zero		sk_PKCS7_SIGINF_zero
 #define sk_PKCS7_SIGNER_INFO_push		sk_PKCS7_SIGINF_push
 #define sk_PKCS7_SIGNER_INFO_unshift		sk_PKCS7_SIGINF_unshift
 #define sk_PKCS7_SIGNER_INFO_find		sk_PKCS7_SIGINF_find
 #define sk_PKCS7_SIGNER_INFO_delete		sk_PKCS7_SIGINF_delete
 #define sk_PKCS7_SIGNER_INFO_delete_ptr		sk_PKCS7_SIGINF_delete_ptr
 #define sk_PKCS7_SIGNER_INFO_insert		sk_PKCS7_SIGINF_insert
 #define sk_PKCS7_SIGNER_INFO_set_cmp_func	sk_PKCS7_SIGINF_set_cmp_func
 #define sk_PKCS7_SIGNER_INFO_dup		sk_PKCS7_SIGINF_dup
 #define sk_PKCS7_SIGNER_INFO_pop_free		sk_PKCS7_SIGINF_pop_free
 #define sk_PKCS7_SIGNER_INFO_shift		sk_PKCS7_SIGINF_shift
 #define sk_PKCS7_SIGNER_INFO_pop		sk_PKCS7_SIGINF_pop
 #define sk_PKCS7_SIGNER_INFO_sort		sk_PKCS7_SIGINF_sort
 /* Hack the names created with DECLARE_STACK_OF(PKCS7_RECIP_INFO) */
 #define sk_PKCS7_RECIP_INFO_new			sk_PKCS7_RECINF_new
 #define sk_PKCS7_RECIP_INFO_new_null		sk_PKCS7_RECINF_new_null
 #define sk_PKCS7_RECIP_INFO_free		sk_PKCS7_RECINF_free
 #define sk_PKCS7_RECIP_INFO_num			sk_PKCS7_RECINF_num
 #define sk_PKCS7_RECIP_INFO_value		sk_PKCS7_RECINF_value
 #define sk_PKCS7_RECIP_INFO_set			sk_PKCS7_RECINF_set
 #define sk_PKCS7_RECIP_INFO_zero		sk_PKCS7_RECINF_zero
 #define sk_PKCS7_RECIP_INFO_push		sk_PKCS7_RECINF_push
 #define sk_PKCS7_RECIP_INFO_unshift		sk_PKCS7_RECINF_unshift
 #define sk_PKCS7_RECIP_INFO_find		sk_PKCS7_RECINF_find
 #define sk_PKCS7_RECIP_INFO_delete		sk_PKCS7_RECINF_delete
 #define sk_PKCS7_RECIP_INFO_delete_ptr		sk_PKCS7_RECINF_delete_ptr
 #define sk_PKCS7_RECIP_INFO_insert		sk_PKCS7_RECINF_insert
 #define sk_PKCS7_RECIP_INFO_set_cmp_func	sk_PKCS7_RECINF_set_cmp_func
 #define sk_PKCS7_RECIP_INFO_dup			sk_PKCS7_RECINF_dup
 #define sk_PKCS7_RECIP_INFO_pop_free		sk_PKCS7_RECINF_pop_free
 #define sk_PKCS7_RECIP_INFO_shift		sk_PKCS7_RECINF_shift
 #define sk_PKCS7_RECIP_INFO_pop			sk_PKCS7_RECINF_pop
 #define sk_PKCS7_RECIP_INFO_sort		sk_PKCS7_RECINF_sort
 /* Hack the names created with DECLARE_STACK_OF(ASN1_STRING_TABLE) */
 #define sk_ASN1_STRING_TABLE_new		sk_ASN1_STRTAB_new
 #define sk_ASN1_STRING_TABLE_new_null		sk_ASN1_STRTAB_new_null
 #define sk_ASN1_STRING_TABLE_free		sk_ASN1_STRTAB_free
 #define sk_ASN1_STRING_TABLE_num		sk_ASN1_STRTAB_num
 #define sk_ASN1_STRING_TABLE_value		sk_ASN1_STRTAB_value
 #define sk_ASN1_STRING_TABLE_set		sk_ASN1_STRTAB_set
 #define sk_ASN1_STRING_TABLE_zero		sk_ASN1_STRTAB_zero
 #define sk_ASN1_STRING_TABLE_push		sk_ASN1_STRTAB_push
 #define sk_ASN1_STRING_TABLE_unshift		sk_ASN1_STRTAB_unshift
 #define sk_ASN1_STRING_TABLE_find		sk_ASN1_STRTAB_find
 #define sk_ASN1_STRING_TABLE_delete		sk_ASN1_STRTAB_delete
 #define sk_ASN1_STRING_TABLE_delete_ptr		sk_ASN1_STRTAB_delete_ptr
 #define sk_ASN1_STRING_TABLE_insert		sk_ASN1_STRTAB_insert
 #define sk_ASN1_STRING_TABLE_set_cmp_func	sk_ASN1_STRTAB_set_cmp_func
 #define sk_ASN1_STRING_TABLE_dup		sk_ASN1_STRTAB_dup
 #define sk_ASN1_STRING_TABLE_pop_free		sk_ASN1_STRTAB_pop_free
 #define sk_ASN1_STRING_TABLE_shift		sk_ASN1_STRTAB_shift
 #define sk_ASN1_STRING_TABLE_pop		sk_ASN1_STRTAB_pop
 #define sk_ASN1_STRING_TABLE_sort		sk_ASN1_STRTAB_sort
 /* Hack the names created with DECLARE_STACK_OF(ACCESS_DESCRIPTION) */
 #define sk_ACCESS_DESCRIPTION_new		sk_ACC_DESC_new
 #define sk_ACCESS_DESCRIPTION_new_null		sk_ACC_DESC_new_null
 #define sk_ACCESS_DESCRIPTION_free		sk_ACC_DESC_free
 #define sk_ACCESS_DESCRIPTION_num		sk_ACC_DESC_num
 #define sk_ACCESS_DESCRIPTION_value		sk_ACC_DESC_value
 #define sk_ACCESS_DESCRIPTION_set		sk_ACC_DESC_set
 #define sk_ACCESS_DESCRIPTION_zero		sk_ACC_DESC_zero
 #define sk_ACCESS_DESCRIPTION_push		sk_ACC_DESC_push
 #define sk_ACCESS_DESCRIPTION_unshift		sk_ACC_DESC_unshift
 #define sk_ACCESS_DESCRIPTION_find		sk_ACC_DESC_find
 #define sk_ACCESS_DESCRIPTION_delete		sk_ACC_DESC_delete
 #define sk_ACCESS_DESCRIPTION_delete_ptr	sk_ACC_DESC_delete_ptr
 #define sk_ACCESS_DESCRIPTION_insert		sk_ACC_DESC_insert
 #define sk_ACCESS_DESCRIPTION_set_cmp_func	sk_ACC_DESC_set_cmp_func
 #define sk_ACCESS_DESCRIPTION_dup		sk_ACC_DESC_dup
 #define sk_ACCESS_DESCRIPTION_pop_free		sk_ACC_DESC_pop_free
 #define sk_ACCESS_DESCRIPTION_shift		sk_ACC_DESC_shift
 #define sk_ACCESS_DESCRIPTION_pop		sk_ACC_DESC_pop
 #define sk_ACCESS_DESCRIPTION_sort		sk_ACC_DESC_sort
 /* Hack the names created with DECLARE_STACK_OF(CRYPTO_EX_DATA_FUNCS) */
 #define sk_CRYPTO_EX_DATA_FUNCS_new		sk_CRYPT_EX_DATFNS_new
 #define sk_CRYPTO_EX_DATA_FUNCS_new_null	sk_CRYPT_EX_DATFNS_new_null
 #define sk_CRYPTO_EX_DATA_FUNCS_free		sk_CRYPT_EX_DATFNS_free
 #define sk_CRYPTO_EX_DATA_FUNCS_num		sk_CRYPT_EX_DATFNS_num
 #define sk_CRYPTO_EX_DATA_FUNCS_value		sk_CRYPT_EX_DATFNS_value
 #define sk_CRYPTO_EX_DATA_FUNCS_set		sk_CRYPT_EX_DATFNS_set
 #define sk_CRYPTO_EX_DATA_FUNCS_zero		sk_CRYPT_EX_DATFNS_zero
 #define sk_CRYPTO_EX_DATA_FUNCS_push		sk_CRYPT_EX_DATFNS_push
 #define sk_CRYPTO_EX_DATA_FUNCS_unshift		sk_CRYPT_EX_DATFNS_unshift
 #define sk_CRYPTO_EX_DATA_FUNCS_find		sk_CRYPT_EX_DATFNS_find
 #define sk_CRYPTO_EX_DATA_FUNCS_delete		sk_CRYPT_EX_DATFNS_delete
 #define sk_CRYPTO_EX_DATA_FUNCS_delete_ptr	sk_CRYPT_EX_DATFNS_delete_ptr
 #define sk_CRYPTO_EX_DATA_FUNCS_insert		sk_CRYPT_EX_DATFNS_insert
 #define sk_CRYPTO_EX_DATA_FUNCS_set_cmp_func	sk_CRYPT_EX_DATFNS_set_cmp_func
 #define sk_CRYPTO_EX_DATA_FUNCS_dup		sk_CRYPT_EX_DATFNS_dup
 #define sk_CRYPTO_EX_DATA_FUNCS_pop_free	sk_CRYPT_EX_DATFNS_pop_free
 #define sk_CRYPTO_EX_DATA_FUNCS_shift		sk_CRYPT_EX_DATFNS_shift
 #define sk_CRYPTO_EX_DATA_FUNCS_pop		sk_CRYPT_EX_DATFNS_pop
 #define sk_CRYPTO_EX_DATA_FUNCS_sort		sk_CRYPT_EX_DATFNS_sort
 /* Hack the names created with DECLARE_ASN1_SET_OF(PKCS7_SIGNER_INFO) */
 #define i2d_ASN1_SET_OF_PKCS7_SIGNER_INFO	i2d_ASN1_SET_OF_PKCS7_SIGINF
 #define d2i_ASN1_SET_OF_PKCS7_SIGNER_INFO	d2i_ASN1_SET_OF_PKCS7_SIGINF
 /* Hack the names created with DECLARE_ASN1_SET_OF(PKCS7_RECIP_INFO) */
 #define i2d_ASN1_SET_OF_PKCS7_RECIP_INFO	i2d_ASN1_SET_OF_PKCS7_RECGINF
 #define d2i_ASN1_SET_OF_PKCS7_RECIP_INFO	d2i_ASN1_SET_OF_PKCS7_RECGINF
 /* Hack the names created with DECLARE_ASN1_SET_OF(ACCESS_DESCRIPTION) */
 #define i2d_ASN1_SET_OF_ACCESS_DESCRIPTION	i2d_ASN1_SET_OF_ACC_DESC
 #define d2i_ASN1_SET_OF_ACCESS_DESCRIPTION	d2i_ASN1_SET_OF_ACC_DESC
 /* Hack the names created with DECLARE_PEM_rw(NETSCAPE_CERT_SEQUENCE) */
 #define PEM_read_NETSCAPE_CERT_SEQUENCE		PEM_read_NS_CERT_SEQUENCE
 #define PEM_write_NETSCAPE_CERT_SEQUENCE	PEM_write_NS_CERT_SEQUENCE
 #define PEM_read_bio_NETSCAPE_CERT_SEQUENCE	PEM_read_bio_NS_CERT_SEQUENCE
 #define PEM_write_bio_NETSCAPE_CERT_SEQUENCE	PEM_write_bio_NS_CERT_SEQUENCE
 #define PEM_write_cb_bio_NETSCAPE_CERT_SEQUENCE	PEM_write_cb_bio_NS_CERT_SEQUENCE
 /* Hack the names created with DECLARE_PEM_rw(PKCS8_PRIV_KEY_INFO) */
 #define PEM_read_PKCS8_PRIV_KEY_INFO		PEM_read_P8_PRIV_KEY_INFO
 #define PEM_write_PKCS8_PRIV_KEY_INFO		PEM_write_P8_PRIV_KEY_INFO
 #define PEM_read_bio_PKCS8_PRIV_KEY_INFO	PEM_read_bio_P8_PRIV_KEY_INFO
 #define PEM_write_bio_PKCS8_PRIV_KEY_INFO	PEM_write_bio_P8_PRIV_KEY_INFO
 #define PEM_write_cb_bio_PKCS8_PRIV_KEY_INFO	PEM_wrt_cb_bio_P8_PRIV_KEY_INFO
 /* Hack other PEM names */
 #define PEM_write_bio_PKCS8PrivateKey_nid	PEM_write_bio_PKCS8PrivKey_nid
 #endif /* defined VMS */
 #endif /* ! defined HEADER_VMS_IDHACKS_H */
--- a/apps/CA.pl.in
+++ b/apps/CA.pl.in
@@ -36,6 +36,7 @@
 # default openssl.cnf file has setup as per the following
 # demoCA ... where everything is stored
 $SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"};
 $DAYS="-days 365";
 $REQ="openssl req $SSLEAY_CONFIG";
 $CA="openssl ca $SSLEAY_CONFIG";
@@ -116,6 +117,11 @@ foreach (@ARGV) {
 							"-infiles newreq.pem");
 	    $RET=$?;
 	    print "Signed certificate is in newcert.pem\n";
 	} elsif (/^(-signCA)$/) {
 	    system ("$CA -policy policy_anything -out newcert.pem " .
 					"-extensions v3_ca -infiles newreq.pem");
 	    $RET=$?;
 	    print "Signed CA certificate is in newcert.pem\n";
 	} elsif (/^-signcert$/) {
 	    system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " .
 								"-out tmp.pem");
--- a/apps/Makefile.ssl
+++ b/apps/Makefile.ssl
--- a/apps/app_rand.c
+++ b/apps/app_rand.c
@@ -56,7 +56,7 @@
 * [including the GNU Public Licence.]
 */
 /* ====================================================================
- * Copyright (c) 1998-1999 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -109,7 +109,9 @@
 *
 */
 #define NON_MAIN
 #include "apps.h"
 #undef NON_MAIN
 #include <openssl/bio.h>
 #include <openssl/rand.h>
@@ -162,7 +164,7 @@ long app_RAND_load_files(char *name)
 	char *p,*n;
 	int last;
 	long tot=0;
-    int egd;
+	int egd;
 	for (;;)
 		{
@@ -174,9 +176,11 @@ long app_RAND_load_files(char *name)
 		name=p+1;
 		if (*n == '\0') break;
-        egd=RAND_egd(n);
+		egd=RAND_egd(n);
-		if (egd > 0) tot+=egd;
+		if (egd > 0)
-		tot+=RAND_load_file(n,1024L*1024L);
+			tot+=egd;
 		else
 			tot+=RAND_load_file(n,-1);
 		if (last) break;
 		}
 	if (tot > 512)
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -64,6 +64,11 @@
 #define NON_MAIN
 #include "apps.h"
 #undef NON_MAIN
 #include <openssl/err.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/pkcs12.h>
 #include <openssl/safestack.h>
 #ifdef WINDOWS
 #  include "bss_file.c"
@@ -91,8 +96,8 @@ int args_from_file(char *file, int *argc, char **argv[])
 	*argv=NULL;
 	len=(unsigned int)stbuf.st_size;
-	if (buf != NULL) Free(buf);
+	if (buf != NULL) OPENSSL_free(buf);
-	buf=(char *)Malloc(len+1);
+	buf=(char *)OPENSSL_malloc(len+1);
 	if (buf == NULL) return(0);
 	len=fread(buf,1,len,fp);
@@ -102,8 +107,8 @@ int args_from_file(char *file, int *argc, char **argv[])
 	i=0;
 	for (p=buf; *p; p++)
 		if (*p == '\n') i++;
-	if (arg != NULL) Free(arg);
+	if (arg != NULL) OPENSSL_free(arg);
-	arg=(char **)Malloc(sizeof(char *)*(i*2));
+	arg=(char **)OPENSSL_malloc(sizeof(char *)*(i*2));
 	*argv=arg;
 	num=0;
@@ -159,6 +164,14 @@ int str2fmt(char *s)
 		return(FORMAT_PEM);
 	else if ((*s == 'N') || (*s == 'n'))
 		return(FORMAT_NETSCAPE);
 	else if ((*s == 'S') || (*s == 's'))
 		return(FORMAT_SMIME);
 	else if ((*s == '1')
 		|| (strcmp(s,"PKCS12") == 0) || (strcmp(s,"pkcs12") == 0)
 		|| (strcmp(s,"P12") == 0) || (strcmp(s,"p12") == 0))
 		return(FORMAT_PKCS12);
 	else if ((*s == 'E') || (*s == 'e'))
 		return(FORMAT_ENGINE);
 	else
 		return(FORMAT_UNDEF);
 	}
@@ -266,7 +279,7 @@ int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[])
 	if (arg->count == 0)
 		{
 		arg->count=20;
-		arg->data=(char **)Malloc(sizeof(char *)*arg->count);
+		arg->data=(char **)OPENSSL_malloc(sizeof(char *)*arg->count);
 		}
 	for (i=0; i<arg->count; i++)
 		arg->data[i]=NULL;
@@ -285,7 +298,7 @@ int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[])
 		if (num >= arg->count)
 			{
 			arg->count+=20;
-			arg->data=(char **)Realloc(arg->data,
+			arg->data=(char **)OPENSSL_realloc(arg->data,
 				sizeof(char *)*arg->count);
 			if (argc == 0) return(0);
 			}
@@ -414,3 +427,352 @@ static char *app_get_pass(BIO *err, char *arg, int keepbio)
 	if(tmp) *tmp = 0;
 	return BUF_strdup(tpass);
 }
 int add_oid_section(BIO *err, LHASH *conf)
 {	
 	char *p;
 	STACK_OF(CONF_VALUE) *sktmp;
 	CONF_VALUE *cnf;
 	int i;
 	if(!(p=CONF_get_string(conf,NULL,"oid_section"))) return 1;
 	if(!(sktmp = CONF_get_section(conf, p))) {
 		BIO_printf(err, "problem loading oid section %s\n", p);
 		return 0;
 	}
 	for(i = 0; i < sk_CONF_VALUE_num(sktmp); i++) {
 		cnf = sk_CONF_VALUE_value(sktmp, i);
 		if(OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) {
 			BIO_printf(err, "problem creating object %s=%s\n",
 							 cnf->name, cnf->value);
 			return 0;
 		}
 	}
 	return 1;
 }
 X509 *load_cert(BIO *err, char *file, int format)
 	{
 	ASN1_HEADER *ah=NULL;
 	BUF_MEM *buf=NULL;
 	X509 *x=NULL;
 	BIO *cert;
 	if ((cert=BIO_new(BIO_s_file())) == NULL)
 		{
 		ERR_print_errors(err);
 		goto end;
 		}
 	if (file == NULL)
 		BIO_set_fp(cert,stdin,BIO_NOCLOSE);
 	else
 		{
 		if (BIO_read_filename(cert,file) <= 0)
 			{
 			perror(file);
 			goto end;
 			}
 		}
 	if 	(format == FORMAT_ASN1)
 		x=d2i_X509_bio(cert,NULL);
 	else if (format == FORMAT_NETSCAPE)
 		{
 		unsigned char *p,*op;
 		int size=0,i;
 		/* We sort of have to do it this way because it is sort of nice
 		 * to read the header first and check it, then
 		 * try to read the certificate */
 		buf=BUF_MEM_new();
 		for (;;)
 			{
 			if ((buf == NULL) || (!BUF_MEM_grow(buf,size+1024*10)))
 				goto end;
 			i=BIO_read(cert,&(buf->data[size]),1024*10);
 			size+=i;
 			if (i == 0) break;
 			if (i < 0)
 				{
 				perror("reading certificate");
 				goto end;
 				}
 			}
 		p=(unsigned char *)buf->data;
 		op=p;
 		/* First load the header */
 		if ((ah=d2i_ASN1_HEADER(NULL,&p,(long)size)) == NULL)
 			goto end;
 		if ((ah->header == NULL) || (ah->header->data == NULL) ||
 			(strncmp(NETSCAPE_CERT_HDR,(char *)ah->header->data,
 			ah->header->length) != 0))
 			{
 			BIO_printf(err,"Error reading header on certificate\n");
 			goto end;
 			}
 		/* header is ok, so now read the object */
 		p=op;
 		ah->meth=X509_asn1_meth();
 		if ((ah=d2i_ASN1_HEADER(&ah,&p,(long)size)) == NULL)
 			goto end;
 		x=(X509 *)ah->data;
 		ah->data=NULL;
 		}
 	else if (format == FORMAT_PEM)
 		x=PEM_read_bio_X509_AUX(cert,NULL,NULL,NULL);
 	else if (format == FORMAT_PKCS12)
 		{
 		PKCS12 *p12 = d2i_PKCS12_bio(cert, NULL);
 		PKCS12_parse(p12, NULL, NULL, &x, NULL);
 		PKCS12_free(p12);
 		p12 = NULL;
 		}
 	else	{
 		BIO_printf(err,"bad input format specified for input cert\n");
 		goto end;
 		}
 end:
 	if (x == NULL)
 		{
 		BIO_printf(err,"unable to load certificate\n");
 		ERR_print_errors(err);
 		}
 	if (ah != NULL) ASN1_HEADER_free(ah);
 	if (cert != NULL) BIO_free(cert);
 	if (buf != NULL) BUF_MEM_free(buf);
 	return(x);
 	}
 EVP_PKEY *load_key(BIO *err, char *file, int format, char *pass)
 	{
 	BIO *key=NULL;
 	EVP_PKEY *pkey=NULL;
 	if (file == NULL)
 		{
 		BIO_printf(err,"no keyfile specified\n");
 		goto end;
 		}
 	key=BIO_new(BIO_s_file());
 	if (key == NULL)
 		{
 		ERR_print_errors(err);
 		goto end;
 		}
 	if (BIO_read_filename(key,file) <= 0)
 		{
 		perror(file);
 		goto end;
 		}
 	if (format == FORMAT_ASN1)
 		{
 		pkey=d2i_PrivateKey_bio(key, NULL);
 		}
 	else if (format == FORMAT_PEM)
 		{
 		pkey=PEM_read_bio_PrivateKey(key,NULL,NULL,pass);
 		}
 	else if (format == FORMAT_PKCS12)
 		{
 		PKCS12 *p12 = d2i_PKCS12_bio(key, NULL);
 		PKCS12_parse(p12, pass, &pkey, NULL, NULL);
 		PKCS12_free(p12);
 		p12 = NULL;
 		}
 	else
 		{
 		BIO_printf(err,"bad input format specified for key\n");
 		goto end;
 		}
 end:
 	if (key != NULL) BIO_free(key);
 	if (pkey == NULL)
 		BIO_printf(err,"unable to load Private Key\n");
 	return(pkey);
 	}
 EVP_PKEY *load_pubkey(BIO *err, char *file, int format)
 	{
 	BIO *key=NULL;
 	EVP_PKEY *pkey=NULL;
 	if (file == NULL)
 		{
 		BIO_printf(err,"no keyfile specified\n");
 		goto end;
 		}
 	key=BIO_new(BIO_s_file());
 	if (key == NULL)
 		{
 		ERR_print_errors(err);
 		goto end;
 		}
 	if (BIO_read_filename(key,file) <= 0)
 		{
 		perror(file);
 		goto end;
 		}
 	if (format == FORMAT_ASN1)
 		{
 		pkey=d2i_PUBKEY_bio(key, NULL);
 		}
 	else if (format == FORMAT_PEM)
 		{
 		pkey=PEM_read_bio_PUBKEY(key,NULL,NULL,NULL);
 		}
 	else
 		{
 		BIO_printf(err,"bad input format specified for key\n");
 		goto end;
 		}
 end:
 	if (key != NULL) BIO_free(key);
 	if (pkey == NULL)
 		BIO_printf(err,"unable to load Public Key\n");
 	return(pkey);
 	}
 STACK_OF(X509) *load_certs(BIO *err, char *file, int format)
 	{
 	BIO *certs;
 	int i;
 	STACK_OF(X509) *othercerts = NULL;
 	STACK_OF(X509_INFO) *allcerts = NULL;
 	X509_INFO *xi;
 	if((certs = BIO_new(BIO_s_file())) == NULL)
 		{
 		ERR_print_errors(err);
 		goto end;
 		}
 	if (file == NULL)
 		BIO_set_fp(certs,stdin,BIO_NOCLOSE);
 	else
 		{
 		if (BIO_read_filename(certs,file) <= 0)
 			{
 			perror(file);
 			goto end;
 			}
 		}
 	if      (format == FORMAT_PEM)
 		{
 		othercerts = sk_X509_new_null();
 		if(!othercerts)
 			{
 			sk_X509_free(othercerts);
 			othercerts = NULL;
 			goto end;
 			}
 		allcerts = PEM_X509_INFO_read_bio(certs, NULL, NULL, NULL);
 		for(i = 0; i < sk_X509_INFO_num(allcerts); i++)
 			{
 			xi = sk_X509_INFO_value (allcerts, i);
 			if (xi->x509)
 				{
 				sk_X509_push(othercerts, xi->x509);
 				xi->x509 = NULL;
 				}
 			}
 		goto end;
 		}
 	else	{
 		BIO_printf(err,"bad input format specified for input cert\n");
 		goto end;
 		}
 end:
 	if (othercerts == NULL)
 		{
 		BIO_printf(err,"unable to load certificates\n");
 		ERR_print_errors(err);
 		}
 	if (allcerts) sk_X509_INFO_pop_free(allcerts, X509_INFO_free);
 	if (certs != NULL) BIO_free(certs);
 	return(othercerts);
 	}
 typedef struct {
 	char *name;
 	unsigned long flag;
 	unsigned long mask;
 } NAME_EX_TBL;
 int set_name_ex(unsigned long *flags, const char *arg)
 {
 	char c;
 	const NAME_EX_TBL *ptbl, ex_tbl[] = {
 		{ "esc_2253", ASN1_STRFLGS_ESC_2253, 0},
 		{ "esc_ctrl", ASN1_STRFLGS_ESC_CTRL, 0},
 		{ "esc_msb", ASN1_STRFLGS_ESC_MSB, 0},
 		{ "use_quote", ASN1_STRFLGS_ESC_QUOTE, 0},
 		{ "utf8", ASN1_STRFLGS_UTF8_CONVERT, 0},
 		{ "ignore_type", ASN1_STRFLGS_IGNORE_TYPE, 0},
 		{ "show_type", ASN1_STRFLGS_SHOW_TYPE, 0},
 		{ "dump_all", ASN1_STRFLGS_DUMP_ALL, 0},
 		{ "dump_nostr", ASN1_STRFLGS_DUMP_UNKNOWN, 0},
 		{ "dump_der", ASN1_STRFLGS_DUMP_DER, 0},
 		{ "compat", XN_FLAG_COMPAT, 0xffffffffL},
 		{ "sep_comma_plus", XN_FLAG_SEP_COMMA_PLUS, XN_FLAG_SEP_MASK},
 		{ "sep_comma_plus_space", XN_FLAG_SEP_CPLUS_SPC, XN_FLAG_SEP_MASK},
 		{ "sep_semi_plus_space", XN_FLAG_SEP_SPLUS_SPC, XN_FLAG_SEP_MASK},
 		{ "sep_multiline", XN_FLAG_SEP_MULTILINE, XN_FLAG_SEP_MASK},
 		{ "dn_rev", XN_FLAG_DN_REV, 0},
 		{ "nofname", XN_FLAG_FN_NONE, XN_FLAG_FN_MASK},
 		{ "sname", XN_FLAG_FN_SN, XN_FLAG_FN_MASK},
 		{ "lname", XN_FLAG_FN_LN, XN_FLAG_FN_MASK},
 		{ "oid", XN_FLAG_FN_OID, XN_FLAG_FN_MASK},
 		{ "space_eq", XN_FLAG_SPC_EQ, 0},
 		{ "dump_unknown", XN_FLAG_DUMP_UNKNOWN_FIELDS, 0},
 		{ "RFC2253", XN_FLAG_RFC2253, 0xffffffffL},
 		{ "oneline", XN_FLAG_ONELINE, 0xffffffffL},
 		{ "multiline", XN_FLAG_MULTILINE, 0xffffffffL},
 		{ NULL, 0, 0}
 	};
 	c = arg[0];
 	if(c == '-') {
 		c = 0;
 		arg++;
 	} else if (c == '+') {
 		c = 1;
 		arg++;
 	} else c = 1;
 	for(ptbl = ex_tbl; ptbl->name; ptbl++) {
 		if(!strcmp(arg, ptbl->name)) {
 			*flags &= ~ptbl->mask;
 			if(c) *flags |= ptbl->flag;
 			else *flags &= ~ptbl->flag;
 			return 1;
 		}
 	}
 	return 0;
 }
 void print_name(BIO *out, char *title, X509_NAME *nm, unsigned long lflags)
 {
 	char buf[256];
 	char mline = 0;
 	int indent = 0;
 	if(title) BIO_puts(out, title);
 	if((lflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
 		mline = 1;
 		indent = 4;
 	}
 	if(lflags == XN_FLAG_COMPAT) {
 		X509_NAME_oneline(nm,buf,256);
 		BIO_puts(out,buf);
 		BIO_puts(out, "\n");
 	} else {
 		if(mline) BIO_puts(out, "\n");
 		X509_NAME_print_ex(out, nm, indent, lflags);
 		BIO_puts(out, "\n");
 	}
 }
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -65,6 +65,8 @@
 #include <openssl/bio.h>
 #include <openssl/crypto.h>
 #include <openssl/x509.h>
 #include <openssl/lhash.h>
 #include <openssl/conf.h>
 int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn);
 int app_RAND_write_file(const char *file, BIO *bio_e);
@@ -98,7 +100,6 @@ extern BIO *bio_err;
 #else
 #define MAIN(a,v)	PROG(a,v)
 #include <openssl/conf.h>
 extern LHASH *config;
 extern char *default_config_file;
 extern BIO *bio_err;
@@ -144,13 +145,27 @@ void program_name(char *in,char *out,int size);
 int chopup_args(ARGS *arg,char *buf, int *argc, char **argv[]);
 #ifdef HEADER_X509_H
 int dump_cert_text(BIO *out, X509 *x);
 void print_name(BIO *out, char *title, X509_NAME *nm, unsigned long lflags);
 #endif
 int set_name_ex(unsigned long *flags, const char *arg);
 int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2);
 int add_oid_section(BIO *err, LHASH *conf);
 X509 *load_cert(BIO *err, char *file, int format);
 EVP_PKEY *load_key(BIO *err, char *file, int format, char *pass);
 EVP_PKEY *load_pubkey(BIO *err, char *file, int format);
 STACK_OF(X509) *load_certs(BIO *err, char *file, int format);
 #define FORMAT_UNDEF    0
 #define FORMAT_ASN1     1
 #define FORMAT_TEXT     2
 #define FORMAT_PEM      3
 #define FORMAT_NETSCAPE 4
 #define FORMAT_PKCS12   5
 #define FORMAT_SMIME    6
 /* Since this is currently inofficial, let's give it a high number */
 #define FORMAT_ENGINE   127
 #define NETSCAPE_CERT_HDR	"certificate"
 #define APP_PASS_LEN	1024
--- a/apps/asn1pars.c
+++ b/apps/asn1pars.c
@@ -88,7 +88,7 @@ int MAIN(int argc, char **argv)
 	unsigned int length=0;
 	long num,tmplen;
 	BIO *in=NULL,*out=NULL,*b64=NULL, *derout = NULL;
-	int informat,indent=0, noout = 0;
+	int informat,indent=0, noout = 0, dump = 0;
 	char *infile=NULL,*str=NULL,*prog,*oidfile=NULL, *derfile=NULL;
 	unsigned char *tmpbuf;
 	BUF_MEM *buf=NULL;
@@ -108,7 +108,7 @@ int MAIN(int argc, char **argv)
 	argv++;
 	if ((osk=sk_new_null()) == NULL)
 		{
-		BIO_printf(bio_err,"Malloc failure\n");
+		BIO_printf(bio_err,"Memory allocation failure\n");
 		goto end;
 		}
 	while (argc >= 1)
@@ -149,6 +149,16 @@ int MAIN(int argc, char **argv)
 			length= atoi(*(++argv));
 			if (length == 0) goto bad;
 			}
 		else if (strcmp(*argv,"-dump") == 0)
 			{
 			dump= -1;
 			}
 		else if (strcmp(*argv,"-dlimit") == 0)
 			{
 			if (--argc < 1) goto bad;
 			dump= atoi(*(++argv));
 			if (dump <= 0) goto bad;
 			}
 		else if (strcmp(*argv,"-strparse") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -176,6 +186,8 @@ bad:
 		BIO_printf(bio_err," -offset arg   offset into file\n");
 		BIO_printf(bio_err," -length arg   length of section in file\n");
 		BIO_printf(bio_err," -i            indent entries\n");
 		BIO_printf(bio_err," -dump         dump unknown data in hex form\n");
 		BIO_printf(bio_err," -dlimit arg   dump the first arg bytes of unknown data in hex form\n");
 		BIO_printf(bio_err," -oid file     file of extra oid definitions\n");
 		BIO_printf(bio_err," -strparse offset\n");
 		BIO_printf(bio_err,"               a series of these can be used to 'dig' into multiple\n");
@@ -194,6 +206,12 @@ bad:
 		goto end;
 		}
 	BIO_set_fp(out,stdout,BIO_NOCLOSE|BIO_FP_TEXT);
 #ifdef VMS
 	{
 	BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 	out = BIO_push(tmpbio, out);
 	}
 #endif
 	if (oidfile != NULL)
 		{
@@ -293,7 +311,8 @@ bad:
 		}
 	}
 	if (!noout &&
-	    !ASN1_parse(out,(unsigned char *)&(str[offset]),length,indent))
+	    !ASN1_parse_dump(out,(unsigned char *)&(str[offset]),length,
 		    indent,dump))
 		{
 		ERR_print_errors(bio_err);
 		goto end;
@@ -302,7 +321,7 @@ bad:
 end:
 	BIO_free(derout);
 	if (in != NULL) BIO_free(in);
-	if (out != NULL) BIO_free(out);
+	if (out != NULL) BIO_free_all(out);
 	if (b64 != NULL) BIO_free(b64);
 	if (ret != 0)
 		ERR_print_errors(bio_err);
--- a/apps/ca-cert.srl
+++ b/apps/ca-cert.srl
@@ -1 +1 @@
-05
+07
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -74,6 +74,7 @@
 #include <openssl/x509v3.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 #ifndef W_OK
 #  ifdef VMS
@@ -167,6 +168,7 @@ static char *ca_usage[]={
 " -revoke file    - Revoke a certificate (given in file)\n",
 " -extensions ..  - Extension section (override value in config file)\n",
 " -crlexts ..     - CRL extension section (override value in config file)\n",
 " -engine e       - use engine e, possibly a hardware device.\n",
 NULL
 };
@@ -176,7 +178,6 @@ extern int EF_PROTECT_BELOW;
 extern int EF_ALIGNMENT;
 #endif
 static int add_oid_section(LHASH *conf);
 static void lookup_fail(char *name,char *tag);
 static unsigned long index_serial_hash(char **a);
 static int index_serial_cmp(char **a, char **b);
@@ -217,7 +218,8 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
-	char *key=NULL;
+	ENGINE *e = NULL;
 	char *key=NULL,*passargin=NULL;
 	int total=0;
 	int total_done=0;
 	int badops=0;
@@ -263,12 +265,13 @@ int MAIN(int argc, char **argv)
 	long l;
 	const EVP_MD *dgst=NULL;
 	STACK_OF(CONF_VALUE) *attribs=NULL;
-	STACK *cert_sk=NULL;
+	STACK_OF(X509) *cert_sk=NULL;
 	BIO *hex=NULL;
 #undef BSIZE
 #define BSIZE 256
 	MS_STATIC char buf[3][BSIZE];
 	char *randfile=NULL;
 	char *engine = NULL;
 #ifdef EFENCE
 EF_PROTECT_FREE=1;
@@ -334,6 +337,11 @@ EF_ALIGNMENT=0;
 			if (--argc < 1) goto bad;
 			keyfile= *(++argv);
 			}
 		else if (strcmp(*argv,"-passin") == 0)
 			{
 			if (--argc < 1) goto bad;
 			passargin= *(++argv);
 			}
 		else if (strcmp(*argv,"-key") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -415,6 +423,11 @@ EF_ALIGNMENT=0;
 			if (--argc < 1) goto bad;
 			crl_ext= *(++argv);
 			}
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 		else
 			{
 bad:
@@ -435,6 +448,24 @@ bad:
 	ERR_load_crypto_strings();
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto err;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto err;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	/*****************************************************************/
 	if (configfile == NULL) configfile = getenv("OPENSSL_CONF");
 	if (configfile == NULL) configfile = getenv("SSLEAY_CONF");
@@ -498,7 +529,7 @@ bad:
 				BIO_free(oid_bio);
 				}
 			}
-		if(!add_oid_section(conf)) 
+		if(!add_oid_section(bio_err,conf)) 
 			{
 			ERR_print_errors(bio_err);
 			goto err;
@@ -527,6 +558,11 @@ bad:
 		lookup_fail(section,ENV_PRIVATE_KEY);
 		goto err;
 		}
 	if(!key && !app_passwd(bio_err, passargin, NULL, &key, NULL))
 		{
 		BIO_printf(bio_err,"Error getting password\n");
 		goto err;
 		}
 	if (BIO_read_filename(in,keyfile) <= 0)
 		{
 		perror(keyfile);
@@ -681,6 +717,12 @@ bad:
 	if (verbose)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE|BIO_FP_TEXT); /* cannot fail */
 #ifdef VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		TXT_DB_write(out,db);
 		BIO_printf(bio_err,"%d entries loaded from the database\n",
 			db->data->num);
@@ -715,7 +757,15 @@ bad:
 				}
 			}
 		else
 			{
 			BIO_set_fp(Sout,stdout,BIO_NOCLOSE|BIO_FP_TEXT);
 #ifdef VMS
 			{
 			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 			Sout = BIO_push(tmpbio, Sout);
 			}
 #endif
 			}
 		}
 	if (req)
@@ -808,7 +858,7 @@ bad:
 			{
 			if ((f=BN_bn2hex(serial)) == NULL) goto err;
 			BIO_printf(bio_err,"next serial number is %s\n",f);
-			Free(f);
+			OPENSSL_free(f);
 			}
 		if ((attribs=CONF_get_section(conf,policy)) == NULL)
@@ -817,9 +867,9 @@ bad:
 			goto err;
 			}
-		if ((cert_sk=sk_new_null()) == NULL)
+		if ((cert_sk=sk_X509_new_null()) == NULL)
 			{
-			BIO_printf(bio_err,"Malloc failure\n");
+			BIO_printf(bio_err,"Memory allocation failure\n");
 			goto err;
 			}
 		if (spkac_file != NULL)
@@ -834,9 +884,9 @@ bad:
 				total_done++;
 				BIO_printf(bio_err,"\n");
 				if (!BN_add_word(serial,1)) goto err;
-				if (!sk_push(cert_sk,(char *)x))
+				if (!sk_X509_push(cert_sk,x))
 					{
-					BIO_printf(bio_err,"Malloc failure\n");
+					BIO_printf(bio_err,"Memory allocation failure\n");
 					goto err;
 					}
 				if (outfile)
@@ -858,9 +908,9 @@ bad:
 				total_done++;
 				BIO_printf(bio_err,"\n");
 				if (!BN_add_word(serial,1)) goto err;
-				if (!sk_push(cert_sk,(char *)x))
+				if (!sk_X509_push(cert_sk,x))
 					{
-					BIO_printf(bio_err,"Malloc failure\n");
+					BIO_printf(bio_err,"Memory allocation failure\n");
 					goto err;
 					}
 				}
@@ -877,9 +927,9 @@ bad:
 				total_done++;
 				BIO_printf(bio_err,"\n");
 				if (!BN_add_word(serial,1)) goto err;
-				if (!sk_push(cert_sk,(char *)x))
+				if (!sk_X509_push(cert_sk,x))
 					{
-					BIO_printf(bio_err,"Malloc failure\n");
+					BIO_printf(bio_err,"Memory allocation failure\n");
 					goto err;
 					}
 				}
@@ -896,9 +946,9 @@ bad:
 				total_done++;
 				BIO_printf(bio_err,"\n");
 				if (!BN_add_word(serial,1)) goto err;
-				if (!sk_push(cert_sk,(char *)x))
+				if (!sk_X509_push(cert_sk,x))
 					{
-					BIO_printf(bio_err,"Malloc failure\n");
+					BIO_printf(bio_err,"Memory allocation failure\n");
 					goto err;
 					}
 				}
@@ -907,7 +957,7 @@ bad:
 		 * and a data base and serial number that need
 		 * updating */
-		if (sk_num(cert_sk) > 0)
+		if (sk_X509_num(cert_sk) > 0)
 			{
 			if (!batch)
 				{
@@ -923,7 +973,7 @@ bad:
 					}
 				}
-			BIO_printf(bio_err,"Write out database with %d new entries\n",sk_num(cert_sk));
+			BIO_printf(bio_err,"Write out database with %d new entries\n",sk_X509_num(cert_sk));
 			strncpy(buf[0],serialfile,BSIZE-4);
@@ -955,12 +1005,12 @@ bad:
 		if (verbose)
 			BIO_printf(bio_err,"writing new certificates\n");
-		for (i=0; i<sk_num(cert_sk); i++)
+		for (i=0; i<sk_X509_num(cert_sk); i++)
 			{
 			int k;
 			unsigned char *n;
-			x=(X509 *)sk_value(cert_sk,i);
+			x=sk_X509_value(cert_sk,i);
 			j=x->cert_info->serialNumber->length;
 			p=(char *)x->cert_info->serialNumber->data;
@@ -999,7 +1049,7 @@ bad:
 			write_new_certificate(Sout,x, output_der, notext);
 			}
-		if (sk_num(cert_sk))
+		if (sk_X509_num(cert_sk))
 			{
 			/* Rename the database and the serial file */
 			strncpy(buf[2],serialfile,BSIZE-4);
@@ -1011,7 +1061,7 @@ bad:
 #endif
 			BIO_free(in);
-			BIO_free(out);
+			BIO_free_all(out);
 			in=NULL;
 			out=NULL;
 			if (rename(serialfile,buf[2]) < 0)
@@ -1197,7 +1247,11 @@ bad:
 			X509_free(revcert);
 			strncpy(buf[0],dbfile,BSIZE-4);
 #ifndef VMS
 			strcat(buf[0],".new");
 #else
 			strcat(buf[0],"-new");
 #endif
 			if (BIO_write_filename(out,buf[0]) <= 0)
 				{
 				perror(dbfile);
@@ -1207,7 +1261,11 @@ bad:
 			j=TXT_DB_write(out,db);
 			if (j <= 0) goto err;
 			strncpy(buf[1],dbfile,BSIZE-4);
 #ifndef VMS
 			strcat(buf[1],".old");
 #else
 			strcat(buf[1],"-old");
 #endif
 			if (rename(dbfile,buf[1]) < 0)
 				{
 				BIO_printf(bio_err,"unable to rename %s to %s\n", dbfile, buf[1]);
@@ -1228,12 +1286,12 @@ bad:
 	ret=0;
 err:
 	BIO_free(hex);
-	BIO_free(Cout);
+	BIO_free_all(Cout);
-	BIO_free(Sout);
+	BIO_free_all(Sout);
-	BIO_free(out);
+	BIO_free_all(out);
 	BIO_free(in);
-	sk_pop_free(cert_sk,X509_free);
+	sk_X509_pop_free(cert_sk,X509_free);
 	if (ret) ERR_print_errors(bio_err);
 	app_RAND_write_file(randfile, bio_err);
@@ -1345,7 +1403,7 @@ static int save_serial(char *serialfile, BIGNUM *serial)
 	BIO_puts(out,"\n");
 	ret=1;
 err:
-	if (out != NULL) BIO_free(out);
+	if (out != NULL) BIO_free_all(out);
 	if (ai != NULL) ASN1_INTEGER_free(ai);
 	return(ret);
 	}
@@ -1580,7 +1638,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
 	/* Ok, now we check the 'policy' stuff. */
 	if ((subject=X509_NAME_new()) == NULL)
 		{
-		BIO_printf(bio_err,"Malloc failure\n");
+		BIO_printf(bio_err,"Memory allocation failure\n");
 		goto err;
 		}
@@ -1662,7 +1720,7 @@ again2:
 					}
 				if (j < 0)
 					{
-					BIO_printf(bio_err,"The %s field needed to be the same in the\nCA certificate (%s) and the request (%s)\n",cv->name,((str == NULL)?"NULL":(char *)str->data),((str2 == NULL)?"NULL":(char *)str2->data));
+					BIO_printf(bio_err,"The %s field needed to be the same in the\nCA certificate (%s) and the request (%s)\n",cv->name,((str2 == NULL)?"NULL":(char *)str2->data),((str == NULL)?"NULL":(char *)str->data));
 					goto err;
 					}
 				}
@@ -1678,7 +1736,7 @@ again2:
 					{
 					if (push != NULL)
 						X509_NAME_ENTRY_free(push);
-					BIO_printf(bio_err,"Malloc failure\n");
+					BIO_printf(bio_err,"Memory allocation failure\n");
 					goto err;
 					}
 				}
@@ -1700,7 +1758,7 @@ again2:
 	row[DB_serial]=BN_bn2hex(serial);
 	if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
 		{
-		BIO_printf(bio_err,"Malloc failure\n");
+		BIO_printf(bio_err,"Memory allocation failure\n");
 		goto err;
 		}
@@ -1841,32 +1899,32 @@ again2:
 		goto err;
 	/* We now just add it to the database */
-	row[DB_type]=(char *)Malloc(2);
+	row[DB_type]=(char *)OPENSSL_malloc(2);
 	tm=X509_get_notAfter(ret);
-	row[DB_exp_date]=(char *)Malloc(tm->length+1);
+	row[DB_exp_date]=(char *)OPENSSL_malloc(tm->length+1);
 	memcpy(row[DB_exp_date],tm->data,tm->length);
 	row[DB_exp_date][tm->length]='\0';
 	row[DB_rev_date]=NULL;
 	/* row[DB_serial] done already */
-	row[DB_file]=(char *)Malloc(8);
+	row[DB_file]=(char *)OPENSSL_malloc(8);
 	/* row[DB_name] done already */
 	if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
 		(row[DB_file] == NULL))
 		{
-		BIO_printf(bio_err,"Malloc failure\n");
+		BIO_printf(bio_err,"Memory allocation failure\n");
 		goto err;
 		}
 	strcpy(row[DB_file],"unknown");
 	row[DB_type][0]='V';
 	row[DB_type][1]='\0';
-	if ((irow=(char **)Malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL)
+	if ((irow=(char **)OPENSSL_malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL)
 		{
-		BIO_printf(bio_err,"Malloc failure\n");
+		BIO_printf(bio_err,"Memory allocation failure\n");
 		goto err;
 		}
@@ -1886,7 +1944,7 @@ again2:
 	ok=1;
 err:
 	for (i=0; i<DB_NUMBER; i++)
-		if (row[i] != NULL) Free(row[i]);
+		if (row[i] != NULL) OPENSSL_free(row[i]);
 	if (CAname != NULL)
 		X509_NAME_free(CAname);
@@ -2100,28 +2158,6 @@ static int check_time_format(char *str)
 	return(ASN1_UTCTIME_check(&tm));
 	}
 static int add_oid_section(LHASH *hconf)
 {	
 	char *p;
 	STACK_OF(CONF_VALUE) *sktmp;
 	CONF_VALUE *cnf;
 	int i;
 	if(!(p=CONF_get_string(hconf,NULL,"oid_section"))) return 1;
 	if(!(sktmp = CONF_get_section(hconf, p))) {
 		BIO_printf(bio_err, "problem loading oid section %s\n", p);
 		return 0;
 	}
 	for(i = 0; i < sk_CONF_VALUE_num(sktmp); i++) {
 		cnf = sk_CONF_VALUE_value(sktmp, i);
 		if(OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) {
 			BIO_printf(bio_err, "problem creating object %s=%s\n",
 							 cnf->name, cnf->value);
 			return 0;
 		}
 	}
 	return 1;
 }
 static int do_revoke(X509 *x509, TXT_DB *db)
 {
 	ASN1_UTCTIME *tm=NULL, *revtm=NULL;
@@ -2137,7 +2173,7 @@ static int do_revoke(X509 *x509, TXT_DB *db)
 	BN_free(bn);
 	if ((row[DB_name] == NULL) || (row[DB_serial] == NULL))
 		{
-		BIO_printf(bio_err,"Malloc failure\n");
+		BIO_printf(bio_err,"Memory allocation failure\n");
 		goto err;
 		}
 	/* We have to lookup by serial number because name lookup
@@ -2149,33 +2185,33 @@ static int do_revoke(X509 *x509, TXT_DB *db)
 		BIO_printf(bio_err,"Adding Entry to DB for %s\n", row[DB_name]);
 		/* We now just add it to the database */
-		row[DB_type]=(char *)Malloc(2);
+		row[DB_type]=(char *)OPENSSL_malloc(2);
 		tm=X509_get_notAfter(x509);
-		row[DB_exp_date]=(char *)Malloc(tm->length+1);
+		row[DB_exp_date]=(char *)OPENSSL_malloc(tm->length+1);
 		memcpy(row[DB_exp_date],tm->data,tm->length);
 		row[DB_exp_date][tm->length]='\0';
 		row[DB_rev_date]=NULL;
 		/* row[DB_serial] done already */
-		row[DB_file]=(char *)Malloc(8);
+		row[DB_file]=(char *)OPENSSL_malloc(8);
 		/* row[DB_name] done already */
 		if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
 			(row[DB_file] == NULL))
 			{
-			BIO_printf(bio_err,"Malloc failure\n");
+			BIO_printf(bio_err,"Memory allocation failure\n");
 			goto err;
 			}
 		strcpy(row[DB_file],"unknown");
 		row[DB_type][0]='V';
 		row[DB_type][1]='\0';
-		if ((irow=(char **)Malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL)
+		if ((irow=(char **)OPENSSL_malloc(sizeof(char *)*(DB_NUMBER+1))) == NULL)
 			{
-			BIO_printf(bio_err,"Malloc failure\n");
+			BIO_printf(bio_err,"Memory allocation failure\n");
 			goto err;
 			}
@@ -2218,7 +2254,7 @@ static int do_revoke(X509 *x509, TXT_DB *db)
 		revtm=X509_gmtime_adj(revtm,0);
 		rrow[DB_type][0]='R';
 		rrow[DB_type][1]='\0';
-		rrow[DB_rev_date]=(char *)Malloc(revtm->length+1);
+		rrow[DB_rev_date]=(char *)OPENSSL_malloc(revtm->length+1);
 		memcpy(rrow[DB_rev_date],revtm->data,revtm->length);
 		rrow[DB_rev_date][revtm->length]='\0';
 		ASN1_UTCTIME_free(revtm);
@@ -2228,7 +2264,7 @@ err:
 	for (i=0; i<DB_NUMBER; i++)
 		{
 		if (row[i] != NULL) 
-			Free(row[i]);
+			OPENSSL_free(row[i]);
 		}
 	return(ok);
 }
--- a/apps/ciphers.c
+++ b/apps/ciphers.c
@@ -74,6 +74,7 @@ static char *ciphers_usage[]={
 " -v          - verbose mode, a textual listing of the ciphers in SSLeay\n",
 " -ssl2       - SSL2 mode\n",
 " -ssl3       - SSL3 mode\n",
 " -tls1       - TLS1 mode\n",
 NULL
 };
@@ -107,6 +108,12 @@ int MAIN(int argc, char **argv)
 	if (bio_err == NULL)
 		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
 	STDout=BIO_new_fp(stdout,BIO_NOCLOSE);
 #ifdef VMS
 	{
 	BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 	STDout = BIO_push(tmpbio, STDout);
 	}
 #endif
 	argc--;
 	argv++;
@@ -121,6 +128,10 @@ int MAIN(int argc, char **argv)
 #ifndef NO_SSL3
 		else if (strcmp(*argv,"-ssl3") == 0)
 			meth=SSLv3_client_method();
 #endif
 #ifndef NO_TLS1
 		else if (strcmp(*argv,"-tls1") == 0)
 			meth=TLSv1_client_method();
 #endif
 		else if ((strncmp(*argv,"-h",2) == 0) ||
 			 (strcmp(*argv,"-?") == 0))
@@ -190,7 +201,7 @@ err:
 end:
 	if (ctx != NULL) SSL_CTX_free(ctx);
 	if (ssl != NULL) SSL_free(ssl);
-	if (STDout != NULL) BIO_free(STDout);
+	if (STDout != NULL) BIO_free_all(STDout);
 	EXIT(ret);
 	}
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -104,6 +104,7 @@ int MAIN(int argc, char **argv)
 	int informat,outformat;
 	char *infile=NULL,*outfile=NULL;
 	int hash=0,issuer=0,lastupdate=0,nextupdate=0,noout=0,text=0;
 	int fingerprint = 0;
 	char **pp,buf[256];
 	X509_STORE *store = NULL;
 	X509_STORE_CTX ctx;
@@ -111,6 +112,7 @@ int MAIN(int argc, char **argv)
 	X509_OBJECT xobj;
 	EVP_PKEY *pkey;
 	int do_ver = 0;
 	const EVP_MD *md_alg,*digest=EVP_md5();
 	apps_startup();
@@ -120,7 +122,15 @@ int MAIN(int argc, char **argv)
 	if (bio_out == NULL)
 		if ((bio_out=BIO_new(BIO_s_file())) != NULL)
 			{
 			BIO_set_fp(bio_out,stdout,BIO_NOCLOSE);
 #ifdef VMS
 			{
 			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 			bio_out = BIO_push(tmpbio, bio_out);
 			}
 #endif
 			}
 	informat=FORMAT_PEM;
 	outformat=FORMAT_PEM;
@@ -183,6 +193,13 @@ int MAIN(int argc, char **argv)
 			nextupdate= ++num;
 		else if (strcmp(*argv,"-noout") == 0)
 			noout= ++num;
 		else if (strcmp(*argv,"-fingerprint") == 0)
 			fingerprint= ++num;
 		else if ((md_alg=EVP_get_digestbyname(*argv + 1)))
 			{
 			/* ok */
 			digest=md_alg;
 			}
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
@@ -274,6 +291,26 @@ bad:
 					BIO_printf(bio_out,"NONE");
 				BIO_printf(bio_out,"\n");
 				}
 			if (fingerprint == i)
 				{
 				int j;
 				unsigned int n;
 				unsigned char md[EVP_MAX_MD_SIZE];
 				if (!X509_CRL_digest(x,digest,md,&n))
 					{
 					BIO_printf(bio_err,"out of memory\n");
 					goto end;
 					}
 				BIO_printf(bio_out,"%s Fingerprint=",
 						OBJ_nid2sn(EVP_MD_type(digest)));
 				for (j=0; j<(int)n; j++)
 					{
 					BIO_printf(bio_out,"%02X%c",md[j],
 						(j+1 == (int)n)
 						?'\n':':');
 					}
 				}
 			}
 		}
@@ -285,7 +322,15 @@ bad:
 		}
 	if (outfile == NULL)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
@@ -311,8 +356,8 @@ bad:
 	if (!i) { BIO_printf(bio_err,"unable to write CRL\n"); goto end; }
 	ret=0;
 end:
-	BIO_free(out);
+	BIO_free_all(out);
-	BIO_free(bio_out);
+	BIO_free_all(bio_out);
 	bio_out=NULL;
 	X509_CRL_free(x);
 	if(store) {
--- a/apps/crl2p7.c
+++ b/apps/crl2p7.c
@@ -141,7 +141,7 @@ int MAIN(int argc, char **argv)
 		else if (strcmp(*argv,"-certfile") == 0)
 			{
 			if (--argc < 1) goto bad;
-			if(!certflst) certflst = sk_new(NULL);
+			if(!certflst) certflst = sk_new_null();
 			sk_push(certflst,*(++argv));
 			}
 		else
@@ -215,15 +215,15 @@ bad:
 	p7s->contents->type=OBJ_nid2obj(NID_pkcs7_data);
 	if (!ASN1_INTEGER_set(p7s->version,1)) goto end;
-	if ((crl_stack=sk_X509_CRL_new(NULL)) == NULL) goto end;
+	if ((crl_stack=sk_X509_CRL_new_null()) == NULL) goto end;
 	p7s->crl=crl_stack;
 	if (crl != NULL)
 		{
 		sk_X509_CRL_push(crl_stack,crl);
-		crl=NULL; /* now part of p7 for Freeing */
+		crl=NULL; /* now part of p7 for OPENSSL_freeing */
 		}
-	if ((cert_stack=sk_X509_new(NULL)) == NULL) goto end;
+	if ((cert_stack=sk_X509_new_null()) == NULL) goto end;
 	p7s->cert=cert_stack;
 	if(certflst) for(i = 0; i < sk_num(certflst); i++) {
@@ -239,7 +239,15 @@ bad:
 	sk_free(certflst);
 	if (outfile == NULL)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
@@ -266,7 +274,7 @@ bad:
 	ret=0;
 end:
 	if (in != NULL) BIO_free(in);
-	if (out != NULL) BIO_free(out);
+	if (out != NULL) BIO_free_all(out);
 	if (p7 != NULL) PKCS7_free(p7);
 	if (crl != NULL) X509_CRL_free(crl);
@@ -327,7 +335,7 @@ static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile)
 	ret=count;
 end:
- 	/* never need to Free x */
+ 	/* never need to OPENSSL_free x */
 	if (in != NULL) BIO_free(in);
 	if (sk != NULL) sk_X509_INFO_free(sk);
 	return(ret);
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -66,6 +66,7 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 #undef BUFSIZE
 #define BUFSIZE	1024*8
@@ -73,26 +74,36 @@
 #undef PROG
 #define PROG	dgst_main
-void do_fp(unsigned char *buf,BIO *f,int sep);
+void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 		EVP_PKEY *key, unsigned char *sigin, int siglen);
 int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 	unsigned char *buf=NULL;
 	int i,err=0;
 	const EVP_MD *md=NULL,*m;
 	BIO *in=NULL,*inp;
 	BIO *bmd=NULL;
 	BIO *out = NULL;
 	const char *name;
 #define PROG_NAME_SIZE  16
 	char pname[PROG_NAME_SIZE];
 	int separator=0;
 	int debug=0;
 	const char *outfile = NULL, *keyfile = NULL;
 	const char *sigfile = NULL, *randfile = NULL;
 	int out_bin = -1, want_pub = 0, do_verify = 0;
 	EVP_PKEY *sigkey = NULL;
 	unsigned char *sigbuf = NULL;
 	int siglen = 0;
 	char *engine=NULL;
 	apps_startup();
-	if ((buf=(unsigned char *)Malloc(BUFSIZE)) == NULL)
+	if ((buf=(unsigned char *)OPENSSL_malloc(BUFSIZE)) == NULL)
 		{
 		BIO_printf(bio_err,"out of memory\n");
 		goto end;
@@ -113,6 +124,48 @@ int MAIN(int argc, char **argv)
 		if ((*argv)[0] != '-') break;
 		if (strcmp(*argv,"-c") == 0)
 			separator=1;
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) break;
 			randfile=*(++argv);
 			}
 		else if (strcmp(*argv,"-out") == 0)
 			{
 			if (--argc < 1) break;
 			outfile=*(++argv);
 			}
 		else if (strcmp(*argv,"-sign") == 0)
 			{
 			if (--argc < 1) break;
 			keyfile=*(++argv);
 			}
 		else if (strcmp(*argv,"-verify") == 0)
 			{
 			if (--argc < 1) break;
 			keyfile=*(++argv);
 			want_pub = 1;
 			do_verify = 1;
 			}
 		else if (strcmp(*argv,"-prverify") == 0)
 			{
 			if (--argc < 1) break;
 			keyfile=*(++argv);
 			do_verify = 1;
 			}
 		else if (strcmp(*argv,"-signature") == 0)
 			{
 			if (--argc < 1) break;
 			sigfile=*(++argv);
 			}
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) break;
 			engine= *(++argv);
 			}
 		else if (strcmp(*argv,"-hex") == 0)
 			out_bin = 0;
 		else if (strcmp(*argv,"-binary") == 0)
 			out_bin = 1;
 		else if (strcmp(*argv,"-d") == 0)
 			debug=1;
 		else if ((m=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
@@ -126,14 +179,31 @@ int MAIN(int argc, char **argv)
 	if (md == NULL)
 		md=EVP_md5();
 	if(do_verify && !sigfile) {
 		BIO_printf(bio_err, "No signature to verify: use the -signature option\n");
 		err = 1; 
 		goto end;
 	}
 	if ((argc > 0) && (argv[0][0] == '-')) /* bad option */
 		{
 		BIO_printf(bio_err,"unknown option '%s'\n",*argv);
 		BIO_printf(bio_err,"options are\n");
-		BIO_printf(bio_err,"-c   to output the digest with separating colons\n");
+		BIO_printf(bio_err,"-c              to output the digest with separating colons\n");
-		BIO_printf(bio_err,"-d   to output debug info\n");
+		BIO_printf(bio_err,"-d              to output debug info\n");
 		BIO_printf(bio_err,"-hex            output as hex dump\n");
 		BIO_printf(bio_err,"-binary         output in binary form\n");
 		BIO_printf(bio_err,"-sign   file    sign digest using private key in file\n");
 		BIO_printf(bio_err,"-verify file    verify a signature using public key in file\n");
 		BIO_printf(bio_err,"-prverify file  verify a signature using private key in file\n");
 		BIO_printf(bio_err,"-signature file signature to verify\n");
 		BIO_printf(bio_err,"-binary         output in binary form\n");
 		BIO_printf(bio_err,"-engine e       use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err,"-%3s to use the %s message digest algorithm (default)\n",
 			LN_md5,LN_md5);
 		BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n",
 			LN_md4,LN_md4);
 		BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n",
 			LN_md2,LN_md2);
 		BIO_printf(bio_err,"-%3s to use the %s message digest algorithm\n",
@@ -147,7 +217,25 @@ int MAIN(int argc, char **argv)
 		err=1;
 		goto end;
 		}
-	
+
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto end;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	in=BIO_new(BIO_s_file());
 	bmd=BIO_new(BIO_f_md());
 	if (debug)
@@ -163,6 +251,80 @@ int MAIN(int argc, char **argv)
 		goto end;
 		}
 	if(out_bin == -1) {
 		if(keyfile) out_bin = 1;
 		else out_bin = 0;
 	}
 	if(randfile)
 		app_RAND_load_file(randfile, bio_err, 0);
 	if(outfile) {
 		if(out_bin)
 			out = BIO_new_file(outfile, "wb");
 		else    out = BIO_new_file(outfile, "w");
 	} else {
 		out = BIO_new_fp(stdout, BIO_NOCLOSE);
 #ifdef VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 	}
 	if(!out) {
 		BIO_printf(bio_err, "Error opening output file %s\n", 
 					outfile ? outfile : "(stdout)");
 		ERR_print_errors(bio_err);
 		goto end;
 	}
 	if(keyfile) {
 		BIO *keybio;
 		keybio = BIO_new_file(keyfile, "r");
 		if(!keybio) {
 			BIO_printf(bio_err, "Error opening key file %s\n",
 								keyfile);
 			ERR_print_errors(bio_err);
 			goto end;
 		}
 		if(want_pub) 
 			sigkey = PEM_read_bio_PUBKEY(keybio, NULL, NULL, NULL);
 		else sigkey = PEM_read_bio_PrivateKey(keybio, NULL, NULL, NULL);
 		BIO_free(keybio);
 		if(!sigkey) {
 			BIO_printf(bio_err, "Error reading key file %s\n",
 								keyfile);
 			ERR_print_errors(bio_err);
 			goto end;
 		}
 	}
 	if(sigfile && sigkey) {
 		BIO *sigbio;
 		sigbio = BIO_new_file(sigfile, "rb");
 		siglen = EVP_PKEY_size(sigkey);
 		sigbuf = OPENSSL_malloc(siglen);
 		if(!sigbio) {
 			BIO_printf(bio_err, "Error opening signature file %s\n",
 								sigfile);
 			ERR_print_errors(bio_err);
 			goto end;
 		}
 		siglen = BIO_read(sigbio, sigbuf, siglen);
 		BIO_free(sigbio);
 		if(siglen <= 0) {
 			BIO_printf(bio_err, "Error reading signature file %s\n",
 								sigfile);
 			ERR_print_errors(bio_err);
 			goto end;
 		}
 	}
 	/* we use md as a filter, reading from 'in' */
 	BIO_set_md(bmd,md);
 	inp=BIO_push(bmd,in);
@@ -170,7 +332,7 @@ int MAIN(int argc, char **argv)
 	if (argc == 0)
 		{
 		BIO_set_fp(in,stdin,BIO_NOCLOSE);
-		do_fp(buf,inp,separator);
+		do_fp(out, buf,inp,separator, out_bin, sigkey, sigbuf, siglen);
 		}
 	else
 		{
@@ -183,8 +345,9 @@ int MAIN(int argc, char **argv)
 				err++;
 				continue;
 				}
-			printf("%s(%s)= ",name,argv[i]);
+			if(!out_bin) BIO_printf(out, "%s(%s)= ",name,argv[i]);
-			do_fp(buf,inp,separator);
+			do_fp(out, buf,inp,separator, out_bin, sigkey, 
 								sigbuf, siglen);
 			(void)BIO_reset(bmd);
 			}
 		}
@@ -192,14 +355,18 @@ end:
 	if (buf != NULL)
 		{
 		memset(buf,0,BUFSIZE);
-		Free(buf);
+		OPENSSL_free(buf);
 		}
 	if (in != NULL) BIO_free(in);
 	BIO_free_all(out);
 	EVP_PKEY_free(sigkey);
 	if(sigbuf) OPENSSL_free(sigbuf);
 	if (bmd != NULL) BIO_free(bmd);
 	EXIT(err);
 	}
-void do_fp(unsigned char *buf, BIO *bp, int sep)
+void do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 			EVP_PKEY *key, unsigned char *sigin, int siglen)
 	{
 	int len;
 	int i;
@@ -209,14 +376,44 @@ void do_fp(unsigned char *buf, BIO *bp, int sep)
 		i=BIO_read(bp,(char *)buf,BUFSIZE);
 		if (i <= 0) break;
 		}
-	len=BIO_gets(bp,(char *)buf,BUFSIZE);
+	if(sigin)
 	for (i=0; i<len; i++)
 		{
-		if (sep && (i != 0))
+		EVP_MD_CTX *ctx;
-			putc(':',stdout);
+		BIO_get_md_ctx(bp, &ctx);
-		printf("%02x",buf[i]);
+		i = EVP_VerifyFinal(ctx, sigin, (unsigned int)siglen, key); 
 		if(i > 0) BIO_printf(out, "Verified OK\n");
 		else if(i == 0) BIO_printf(out, "Verification Failure\n");
 		else
 			{
 			BIO_printf(bio_err, "Error Verifying Data\n");
 			ERR_print_errors(bio_err);
 			}
 		return;
 		}
 	if(key)
 		{
 		EVP_MD_CTX *ctx;
 		BIO_get_md_ctx(bp, &ctx);
 		if(!EVP_SignFinal(ctx, buf, (unsigned int *)&len, key)) 
 			{
 			BIO_printf(bio_err, "Error Signing Data\n");
 			ERR_print_errors(bio_err);
 			return;
 			}
 		}
 	else
 		len=BIO_gets(bp,(char *)buf,BUFSIZE);
 	if(binout) BIO_write(out, buf, len);
 	else 
 		{
 		for (i=0; i<len; i++)
 			{
 			if (sep && (i != 0))
 				BIO_printf(out, ":");
 			BIO_printf(out, "%02x",buf[i]);
 			}
 		BIO_printf(out, "\n");
 		}
 	printf("\n");
 	}
--- a/apps/dh.c
+++ b/apps/dh.c
@@ -1,4 +1,5 @@
 /* apps/dh.c */
 /* obsoleted by dhparam.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -68,6 +69,7 @@
 #include <openssl/dh.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 #undef PROG
 #define PROG	dh_main
@@ -86,11 +88,12 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 	DH *dh=NULL;
 	int i,badops=0,text=0;
 	BIO *in=NULL,*out=NULL;
 	int informat,outformat,check=0,noout=0,C=0,ret=1;
-	char *infile,*outfile,*prog;
+	char *infile,*outfile,*prog,*engine;
 	apps_startup();
@@ -98,6 +101,7 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	engine=NULL;
 	infile=NULL;
 	outfile=NULL;
 	informat=FORMAT_PEM;
@@ -128,6 +132,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 		else if (strcmp(*argv,"-check") == 0)
 			check=1;
 		else if (strcmp(*argv,"-text") == 0)
@@ -159,11 +168,30 @@ bad:
 		BIO_printf(bio_err," -text         print a text form of the DH parameters\n");
 		BIO_printf(bio_err," -C            Output C code\n");
 		BIO_printf(bio_err," -noout        no output\n");
 		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
 		goto end;
 		}
 	ERR_load_crypto_strings();
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto end;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	in=BIO_new(BIO_s_file());
 	out=BIO_new(BIO_s_file());
 	if ((in == NULL) || (out == NULL))
@@ -183,7 +211,15 @@ bad:
 			}
 		}
 	if (outfile == NULL)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
@@ -234,8 +270,8 @@ bad:
 			}
 		if (i & DH_CHECK_P_NOT_PRIME)
 			printf("p value is not prime\n");
-		if (i & DH_CHECK_P_NOT_STRONG_PRIME)
+		if (i & DH_CHECK_P_NOT_SAFE_PRIME)
-			printf("p value is not a strong prime\n");
+			printf("p value is not a safe prime\n");
 		if (i & DH_UNABLE_TO_CHECK_GENERATOR)
 			printf("unable to check the generator value\n");
 		if (i & DH_NOT_SUITABLE_GENERATOR)
@@ -250,10 +286,10 @@ bad:
 		len=BN_num_bytes(dh->p);
 		bits=BN_num_bits(dh->p);
-		data=(unsigned char *)Malloc(len);
+		data=(unsigned char *)OPENSSL_malloc(len);
 		if (data == NULL)
 			{
-			perror("Malloc");
+			perror("OPENSSL_malloc");
 			goto end;
 			}
 		l=BN_bn2bin(dh->p,data);
@@ -284,7 +320,7 @@ bad:
 		printf("\tif ((dh->p == NULL) || (dh->g == NULL))\n");
 		printf("\t\treturn(NULL);\n");
 		printf("\treturn(dh);\n\t}\n");
-		Free(data);
+		OPENSSL_free(data);
 		}
@@ -308,7 +344,7 @@ bad:
 	ret=0;
 end:
 	if (in != NULL) BIO_free(in);
-	if (out != NULL) BIO_free(out);
+	if (out != NULL) BIO_free_all(out);
 	if (dh != NULL) DH_free(dh);
 	EXIT(ret);
 	}
--- a/apps/dh1024.pem
+++ b/apps/dh1024.pem
@@ -1,5 +1,10 @@
 -----BEGIN DH PARAMETERS-----
-MIGHAoGBAJf2QmHKtQXdKCjhPx1ottPb0PMTBH9A6FbaWMsTuKG/K3g6TG1Z1fkq
+MIGHAoGBAPSI/VhOSdvNILSd5JEHNmszbDgNRR0PfIizHHxbLY7288kjwEPwpVsY
-/Gz/PWk/eLI9TzFgqVAuPvr3q14a1aZeVUMTgo2oO5/y2UHe6VaJ+trqCTat3xlx
+jY67VYy4XTjTNP18F1dDox0YbN4zISy1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6
-/mNbIK9HA2RgPC3gWfVLZQrY+gz3ASHHR5nXWHEyvpuZm7m3h+irAgEC
+ypUM2Zafq9AKUJsCRtMIPWakXUGfnHy9iUsiGSa6q6Jew1XpL3jHAgEC
 -----END DH PARAMETERS-----
 These are the 1024 bit DH parameters from "Assigned Number for SKIP Protocols"
 (http://www.skip-vpn.org/spec/numbers.html).
 See there for how they were generated.
 Note that g is not a generator, but this is not a problem since p is a safe prime.
--- a/apps/dh2048.pem
+++ b/apps/dh2048.pem
@@ -0,0 +1,12 @@
 -----BEGIN DH PARAMETERS-----
 MIIBCAKCAQEA9kJXtwh/CBdyorrWqULzBej5UxE5T7bxbrlLOCDaAadWoxTpj0BV
 89AHxstDqZSt90xkhkn4DIO9ZekX1KHTUPj1WV/cdlJPPT2N286Z4VeSWc39uK50
 T8X8dryDxUcwYc58yWb/Ffm7/ZFexwGq01uejaClcjrUGvC/RgBYK+X0iP1YTknb
 zSC0neSRBzZrM2w4DUUdD3yIsxx8Wy2O9vPJI8BD8KVbGI2Ou1WMuF040zT9fBdX
 Q6MdGGzeMyEstSr/POGxKUAYEY18hKcKctaGxAMZyAcpesqVDNmWn6vQClCbAkbT
 CD1mpF1Bn5x8vYlLIhkmuquiXsNV6TILOwIBAg==
 -----END DH PARAMETERS-----
 These are the 2048 bit DH parameters from "Assigned Number for SKIP Protocols"
 (http://www.skip-vpn.org/spec/numbers.html).
 See there for how they were generated.
--- a/apps/dh4096.pem
+++ b/apps/dh4096.pem
@@ -0,0 +1,18 @@
 -----BEGIN DH PARAMETERS-----
 MIICCAKCAgEA+hRyUsFN4VpJ1O8JLcCo/VWr19k3BCgJ4uk+d+KhehjdRqNDNyOQ
 l/MOyQNQfWXPeGKmOmIig6Ev/nm6Nf9Z2B1h3R4hExf+zTiHnvVPeRBhjdQi81rt
 Xeoh6TNrSBIKIHfUJWBh3va0TxxjQIs6IZOLeVNRLMqzeylWqMf49HsIXqbcokUS
 Vt1BkvLdW48j8PPv5DsKRN3tloTxqDJGo9tKvj1Fuk74A+Xda1kNhB7KFlqMyN98
 VETEJ6c7KpfOo30mnK30wqw3S8OtaIR/maYX72tGOno2ehFDkq3pnPtEbD2CScxc
 alJC+EL7RPk5c/tgeTvCngvc1KZn92Y//EI7G9tPZtylj2b56sHtMftIoYJ9+ODM
 sccD5Piz/rejE3Ome8EOOceUSCYAhXn8b3qvxVI1ddd1pED6FHRhFvLrZxFvBEM9
 ERRMp5QqOaHJkM+Dxv8Cj6MqrCbfC4u+ZErxodzuusgDgvZiLF22uxMZbobFWyte
 OvOzKGtwcTqO/1wV5gKkzu1ZVswVUQd5Gg8lJicwqRWyyNRczDDoG9jVDxmogKTH
 AaqLulO7R8Ifa1SwF2DteSGVtgWEN8gDpN3RBmmPTDngyF2DHb5qmpnznwtFKdTL
 KWbuHn491xNO25CQWMtem80uKw+pTnisBRF/454n1Jnhub144YRBoN8CAQI=
 -----END DH PARAMETERS-----
 These are the 4096 bit DH parameters from "Assigned Number for SKIP Protocols"
 (http://www.skip-vpn.org/spec/numbers.html).
 See there for how they were generated.
 Note that g is not a generator, but this is not a problem since p is a safe prime.
--- a/apps/dh512.pem
+++ b/apps/dh512.pem
@@ -0,0 +1,9 @@
 -----BEGIN DH PARAMETERS-----
 MEYCQQD1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6ypUM2Zafq9AKUJsCRtMIPWak
 XUGfnHy9iUsiGSa6q6Jew1XpKgVfAgEC
 -----END DH PARAMETERS-----
 These are the 512 bit DH parameters from "Assigned Number for SKIP Protocols"
 (http://www.skip-vpn.org/spec/numbers.html).
 See there for how they were generated.
 Note that g is not a generator, but this is not a problem since p is a safe prime.
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -55,6 +55,59 @@
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
 /* ====================================================================
 * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
 #ifndef NO_DH
 #include <stdio.h>
@@ -68,6 +121,11 @@
 #include <openssl/dh.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 #ifndef NO_DSA
 #include <openssl/dsa.h>
 #endif
 #undef PROG
 #define PROG	dhparam_main
@@ -78,6 +136,7 @@
 * -outform arg - output format - default PEM
 * -in arg	- input file - default stdin
 * -out arg	- output file - default stdout
 * -dsaparam  - read or generate DSA parameters, convert to DH
 * -check	- check the parameters are ok
 * -noout
 * -text
@@ -90,12 +149,16 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 	DH *dh=NULL;
 	int i,badops=0,text=0;
 #ifndef NO_DSA
 	int dsaparam=0;
 #endif
 	BIO *in=NULL,*out=NULL;
 	int informat,outformat,check=0,noout=0,C=0,ret=1;
 	char *infile,*outfile,*prog;
-	char *inrand=NULL;
+	char *inrand=NULL,*engine=NULL;
 	int num = 0, g = 0;
 	apps_startup();
@@ -134,10 +197,19 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 		else if (strcmp(*argv,"-check") == 0)
 			check=1;
 		else if (strcmp(*argv,"-text") == 0)
 			text=1;
 #ifndef NO_DSA
 		else if (strcmp(*argv,"-dsaparam") == 0)
 			dsaparam=1;
 #endif
 		else if (strcmp(*argv,"-C") == 0)
 			C=1;
 		else if (strcmp(*argv,"-noout") == 0)
@@ -166,13 +238,17 @@ bad:
 		BIO_printf(bio_err," -outform arg  output format - one of DER PEM\n");
 		BIO_printf(bio_err," -in arg       input file\n");
 		BIO_printf(bio_err," -out arg      output file\n");
 #ifndef NO_DSA
 		BIO_printf(bio_err," -dsaparam     read or generate DSA parameters, convert to DH\n");
 #endif
 		BIO_printf(bio_err," -check        check the DH parameters\n");
 		BIO_printf(bio_err," -text         print a text form of the DH parameters\n");
 		BIO_printf(bio_err," -C            Output C code\n");
 		BIO_printf(bio_err," -2            generate parameters using  2 as the generator value\n");
 		BIO_printf(bio_err," -5            generate parameters using  5 as the generator value\n");
 		BIO_printf(bio_err," numbits       number of bits in to generate (default 512)\n");
-		BIO_printf(bio_err," -rand file:file:...\n");
+		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,"               - load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,"               the random number generator\n");
 		BIO_printf(bio_err," -noout        no output\n");
@@ -181,8 +257,43 @@ bad:
 	ERR_load_crypto_strings();
-	if(g && !num) num = DEFBITS;
+	if (engine != NULL)
-	else if(num && !g) g = 2;
+		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto end;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	if (g && !num)
 		num = DEFBITS;
 #ifndef NO_DSA
 	if (dsaparam)
 		{
 		if (g)
 			{
 			BIO_printf(bio_err, "generator may not be chosen for DSA parameters\n");
 			goto end;
 			}
 		}
 	else
 #endif
 		{
 		/* DH parameters */
 		if (num && !g)
 			g = 2;
 		}
 	if(num) {
@@ -194,11 +305,40 @@ bad:
 			BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
 				app_RAND_load_files(inrand));
-		BIO_printf(bio_err,"Generating DH parameters, %d bit long strong prime, generator of %d\n",num,g);
+#ifndef NO_DSA
-		BIO_printf(bio_err,"This is going to take a long time\n");
+		if (dsaparam)
-		dh=DH_generate_parameters(num,g,dh_cb,bio_err);
+			{
 			DSA *dsa;
-		if (dh == NULL) goto end;
+			BIO_printf(bio_err,"Generating DSA parameters, %d bit long prime\n",num);
 			dsa = DSA_generate_parameters(num, NULL, 0, NULL, NULL, dh_cb, bio_err);
 			if (dsa == NULL)
 				{
 				ERR_print_errors(bio_err);
 				goto end;
 				}
 			dh = DSA_dup_DH(dsa);
 			DSA_free(dsa);
 			if (dh == NULL)
 				{
 				ERR_print_errors(bio_err);
 				goto end;
 				}
 			}
 		else
 #endif
 			{
 			BIO_printf(bio_err,"Generating DH parameters, %d bit long safe prime, generator %d\n",num,g);
 			BIO_printf(bio_err,"This is going to take a long time\n");
 			dh=DH_generate_parameters(num,g,dh_cb,bio_err);
 			if (dh == NULL)
 				{
 				ERR_print_errors(bio_err);
 				goto end;
 				}
 			}
 		app_RAND_write_file(NULL, bio_err);
 	} else {
@@ -220,24 +360,56 @@ bad:
 				}
 			}
-		if	(informat == FORMAT_ASN1)
+		if	(informat != FORMAT_ASN1 && informat != FORMAT_PEM)
 			dh=d2i_DHparams_bio(in,NULL);
 		else if (informat == FORMAT_PEM)
 			dh=PEM_read_bio_DHparams(in,NULL,NULL,NULL);
 		else
 			{
 			BIO_printf(bio_err,"bad input format specified\n");
 			goto end;
 			}
-		if (dh == NULL)
+
 #ifndef NO_DSA
 		if (dsaparam)
 			{
-			BIO_printf(bio_err,"unable to load DH parameters\n");
+			DSA *dsa;
-			ERR_print_errors(bio_err);
+			
-			goto end;
+			if (informat == FORMAT_ASN1)
 				dsa=d2i_DSAparams_bio(in,NULL);
 			else /* informat == FORMAT_PEM */
 				dsa=PEM_read_bio_DSAparams(in,NULL,NULL,NULL);
 			if (dsa == NULL)
 				{
 				BIO_printf(bio_err,"unable to load DSA parameters\n");
 				ERR_print_errors(bio_err);
 				goto end;
 				}
 			dh = DSA_dup_DH(dsa);
 			DSA_free(dsa);
 			if (dh == NULL)
 				{
 				ERR_print_errors(bio_err);
 				goto end;
 				}
 			}
-
+		else
 #endif
 			{
 			if (informat == FORMAT_ASN1)
 				dh=d2i_DHparams_bio(in,NULL);
 			else /* informat == FORMAT_PEM */
 				dh=PEM_read_bio_DHparams(in,NULL,NULL,NULL);
 			if (dh == NULL)
 				{
 				BIO_printf(bio_err,"unable to load DH parameters\n");
 				ERR_print_errors(bio_err);
 				goto end;
 				}
 			}
 		/* dh != NULL */
 	}
-
+	
 	out=BIO_new(BIO_s_file());
 	if (out == NULL)
 		{
@@ -245,7 +417,15 @@ bad:
 		goto end;
 		}
 	if (outfile == NULL)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
@@ -255,7 +435,6 @@ bad:
 			}
 		}
 	if (text)
 		{
@@ -271,8 +450,8 @@ bad:
 			}
 		if (i & DH_CHECK_P_NOT_PRIME)
 			printf("p value is not prime\n");
-		if (i & DH_CHECK_P_NOT_STRONG_PRIME)
+		if (i & DH_CHECK_P_NOT_SAFE_PRIME)
-			printf("p value is not a strong prime\n");
+			printf("p value is not a safe prime\n");
 		if (i & DH_UNABLE_TO_CHECK_GENERATOR)
 			printf("unable to check the generator value\n");
 		if (i & DH_NOT_SUITABLE_GENERATOR)
@@ -287,31 +466,35 @@ bad:
 		len=BN_num_bytes(dh->p);
 		bits=BN_num_bits(dh->p);
-		data=(unsigned char *)Malloc(len);
+		data=(unsigned char *)OPENSSL_malloc(len);
 		if (data == NULL)
 			{
-			perror("Malloc");
+			perror("OPENSSL_malloc");
 			goto end;
 			}
 		printf("#ifndef HEADER_DH_H\n"
 		       "#include <openssl/dh.h>\n"
 		       "#endif\n");
 		printf("DH *get_dh%d()\n\t{\n",bits);
 		l=BN_bn2bin(dh->p,data);
-		printf("static unsigned char dh%d_p[]={",bits);
+		printf("\tstatic unsigned char dh%d_p[]={",bits);
 		for (i=0; i<l; i++)
 			{
-			if ((i%12) == 0) printf("\n\t");
+			if ((i%12) == 0) printf("\n\t\t");
 			printf("0x%02X,",data[i]);
 			}
-		printf("\n\t};\n");
+		printf("\n\t\t};\n");
 		l=BN_bn2bin(dh->g,data);
-		printf("static unsigned char dh%d_g[]={",bits);
+		printf("\tstatic unsigned char dh%d_g[]={",bits);
 		for (i=0; i<l; i++)
 			{
-			if ((i%12) == 0) printf("\n\t");
+			if ((i%12) == 0) printf("\n\t\t");
 			printf("0x%02X,",data[i]);
 			}
-		printf("\n\t};\n\n");
+		printf("\n\t\t};\n");
 		printf("DH *get_dh%d()\n\t{\n",bits);
 		printf("\tDH *dh;\n\n");
 		printf("\tif ((dh=DH_new()) == NULL) return(NULL);\n");
 		printf("\tdh->p=BN_bin2bn(dh%d_p,sizeof(dh%d_p),NULL);\n",
@@ -319,9 +502,11 @@ bad:
 		printf("\tdh->g=BN_bin2bn(dh%d_g,sizeof(dh%d_g),NULL);\n",
 			bits,bits);
 		printf("\tif ((dh->p == NULL) || (dh->g == NULL))\n");
-		printf("\t\treturn(NULL);\n");
+		printf("\t\t{ DH_free(dh); return(NULL); }\n");
 		if (dh->length)
 			printf("\tdh->length = %d;\n", dh->length);
 		printf("\treturn(dh);\n\t}\n");
-		Free(data);
+		OPENSSL_free(data);
 		}
@@ -345,11 +530,12 @@ bad:
 	ret=0;
 end:
 	if (in != NULL) BIO_free(in);
-	if (out != NULL) BIO_free(out);
+	if (out != NULL) BIO_free_all(out);
 	if (dh != NULL) DH_free(dh);
 	EXIT(ret);
 	}
 /* dh_cb is identical to dsa_cb in apps/dsaparam.c */
 static void MS_CALLBACK dh_cb(int p, int n, void *arg)
 	{
 	char c='*';
--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -68,6 +68,7 @@
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 #undef PROG
 #define PROG	dsa_main
@@ -87,6 +88,7 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 	int ret=1;
 	DSA *dsa=NULL;
 	int i,badops=0;
@@ -94,7 +96,7 @@ int MAIN(int argc, char **argv)
 	BIO *in=NULL,*out=NULL;
 	int informat,outformat,text=0,noout=0;
 	int pubin = 0, pubout = 0;
-	char *infile,*outfile,*prog;
+	char *infile,*outfile,*prog,*engine;
 	char *passargin = NULL, *passargout = NULL;
 	char *passin = NULL, *passout = NULL;
 	int modulus=0;
@@ -105,6 +107,7 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	engine=NULL;
 	infile=NULL;
 	outfile=NULL;
 	informat=FORMAT_PEM;
@@ -145,6 +148,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 			}
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 		else if (strcmp(*argv,"-noout") == 0)
 			noout=1;
 		else if (strcmp(*argv,"-text") == 0)
@@ -176,6 +184,7 @@ bad:
 		BIO_printf(bio_err," -passin arg     input file pass phrase source\n");
 		BIO_printf(bio_err," -out arg        output file\n");
 		BIO_printf(bio_err," -passout arg    output file pass phrase source\n");
 		BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err," -des            encrypt PEM output with cbc des\n");
 		BIO_printf(bio_err," -des3           encrypt PEM output with ede cbc des using 168 bit key\n");
 #ifndef NO_IDEA
@@ -189,6 +198,24 @@ bad:
 	ERR_load_crypto_strings();
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto end;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
 		BIO_printf(bio_err, "Error getting passwords\n");
 		goto end;
@@ -233,7 +260,15 @@ bad:
 		}
 	if (outfile == NULL)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
@@ -281,10 +316,10 @@ bad:
 		ret=0;
 end:
 	if(in != NULL) BIO_free(in);
-	if(out != NULL) BIO_free(out);
+	if(out != NULL) BIO_free_all(out);
 	if(dsa != NULL) DSA_free(dsa);
-	if(passin) Free(passin);
+	if(passin) OPENSSL_free(passin);
-	if(passout) Free(passout);
+	if(passout) OPENSSL_free(passout);
 	EXIT(ret);
 	}
 #endif
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -205,7 +205,15 @@ bad:
 			}
 		}
 	if (outfile == NULL)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
@@ -260,10 +268,10 @@ bad:
 		bits_p=BN_num_bits(dsa->p);
 		bits_q=BN_num_bits(dsa->q);
 		bits_g=BN_num_bits(dsa->g);
-		data=(unsigned char *)Malloc(len+20);
+		data=(unsigned char *)OPENSSL_malloc(len+20);
 		if (data == NULL)
 			{
-			perror("Malloc");
+			perror("OPENSSL_malloc");
 			goto end;
 			}
 		l=BN_bn2bin(dsa->p,data);
@@ -303,7 +311,7 @@ bad:
 		printf("\tdsa->g=BN_bin2bn(dsa%d_g,sizeof(dsa%d_g),NULL);\n",
 			bits_p,bits_p);
 		printf("\tif ((dsa->p == NULL) || (dsa->q == NULL) || (dsa->g == NULL))\n");
-		printf("\t\treturn(NULL);\n");
+		printf("\t\t{ DSA_free(dsa); return(NULL); }\n");
 		printf("\treturn(dsa);\n\t}\n");
 		}
@@ -347,7 +355,7 @@ bad:
 	ret=0;
 end:
 	if (in != NULL) BIO_free(in);
-	if (out != NULL) BIO_free(out);
+	if (out != NULL) BIO_free_all(out);
 	if (dsa != NULL) DSA_free(dsa);
 	EXIT(ret);
 	}
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -70,6 +70,7 @@
 #include <openssl/md5.h>
 #endif
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 int set_hex(char *in,unsigned char *out,int size);
 #undef SIZE
@@ -84,6 +85,7 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 	static const char magic[]="Salted__";
 	char mbuf[8];	/* should be 1 smaller than magic */
 	char *strbuf=NULL;
@@ -101,6 +103,7 @@ int MAIN(int argc, char **argv)
 	BIO *in=NULL,*out=NULL,*b64=NULL,*benc=NULL,*rbio=NULL,*wbio=NULL;
 #define PROG_NAME_SIZE  16
 	char pname[PROG_NAME_SIZE];
 	char *engine = NULL;
 	apps_startup();
@@ -141,6 +144,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			passarg= *(++argv);
 			}
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 		else if	(strcmp(*argv,"-d") == 0)
 			enc=0;
 		else if	(strcmp(*argv,"-p") == 0)
@@ -241,6 +249,7 @@ bad:
 			BIO_printf(bio_err,"%-14s key/iv in hex is the next argument\n","-K/-iv");
 			BIO_printf(bio_err,"%-14s print the iv/key (then exit if -P)\n","-[pP]");
 			BIO_printf(bio_err,"%-14s buffer size\n","-bufsize <n>");
 			BIO_printf(bio_err,"%-14s use engine e, possibly a hardware device.\n","-engine e");
 			BIO_printf(bio_err,"Cipher Types\n");
 			BIO_printf(bio_err,"des     : 56 bit key DES encryption\n");
@@ -314,6 +323,24 @@ bad:
 		argv++;
 		}
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto end;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	if (bufsize != NULL)
 		{
 		unsigned long n;
@@ -343,11 +370,11 @@ bad:
 		if (verbose) BIO_printf(bio_err,"bufsize=%d\n",bsize);
 		}
-	strbuf=Malloc(SIZE);
+	strbuf=OPENSSL_malloc(SIZE);
-	buff=(unsigned char *)Malloc(EVP_ENCODE_LENGTH(bsize));
+	buff=(unsigned char *)OPENSSL_malloc(EVP_ENCODE_LENGTH(bsize));
 	if ((buff == NULL) || (strbuf == NULL))
 		{
-		BIO_printf(bio_err,"Malloc failure %ld\n",(long)EVP_ENCODE_LENGTH(bsize));
+		BIO_printf(bio_err,"OPENSSL_malloc failure %ld\n",(long)EVP_ENCODE_LENGTH(bsize));
 		goto end;
 		}
@@ -416,7 +443,15 @@ bad:
 	if (outf == NULL)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outf) <= 0)
@@ -507,6 +542,14 @@ bad:
 			BIO_printf(bio_err,"invalid hex iv value\n");
 			goto end;
 			}
 		if ((hiv == NULL) && (str == NULL))
 			{
 			/* No IV was explicitly set and no IV was generated
 			 * during EVP_BytesToKey. Hence the IV is undefined,
 			 * making correct decryption impossible. */
 			BIO_printf(bio_err, "iv undefined\n");
 			goto end;
 			}
 		if ((hkey != NULL) && !set_hex(hkey,key,24))
 			{
 			BIO_printf(bio_err,"invalid hex key value\n");
@@ -581,13 +624,13 @@ bad:
 		}
 end:
 	ERR_print_errors(bio_err);
-	if (strbuf != NULL) Free(strbuf);
+	if (strbuf != NULL) OPENSSL_free(strbuf);
-	if (buff != NULL) Free(buff);
+	if (buff != NULL) OPENSSL_free(buff);
 	if (in != NULL) BIO_free(in);
-	if (out != NULL) BIO_free(out);
+	if (out != NULL) BIO_free_all(out);
 	if (benc != NULL) BIO_free(benc);
 	if (b64 != NULL) BIO_free(b64);
-	if(pass) Free(pass);
+	if(pass) OPENSSL_free(pass);
 	EXIT(ret);
 	}
--- a/apps/errstr.c
+++ b/apps/errstr.c
@@ -91,12 +91,18 @@ int MAIN(int argc, char **argv)
 		out=BIO_new(BIO_s_file());
 		if ((out != NULL) && BIO_set_fp(out,stdout,BIO_NOCLOSE))
 			{
 #ifdef VMS
 			{
 			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 			out = BIO_push(tmpbio, out);
 			}
 #endif
 			lh_node_stats_bio((LHASH *)ERR_get_string_table(),out);
 			lh_stats_bio((LHASH *)ERR_get_string_table(),out);
 			lh_node_usage_stats_bio((LHASH *)
 				ERR_get_string_table(),out);
 			}
-		if (out != NULL) BIO_free(out);
+		if (out != NULL) BIO_free_all(out);
 		argc--;
 		argv++;
 		}
@@ -104,7 +110,10 @@ int MAIN(int argc, char **argv)
 	for (i=1; i<argc; i++)
 		{
 		if (sscanf(argv[i],"%lx",&l))
-			printf("%s\n",ERR_error_string(l,buf));
+			{
 			ERR_error_string_n(l, buf, sizeof buf);
 			printf("%s\n",buf);
 			}
 		else
 			{
 			printf("%s: bad error code\n",argv[i]);
--- a/apps/gendh.c
+++ b/apps/gendh.c
@@ -1,4 +1,5 @@
 /* apps/gendh.c */
 /* obsoleted by dhparam.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -69,6 +70,7 @@
 #include <openssl/dh.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 #define DEFBITS	512
 #undef PROG
@@ -80,11 +82,13 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 	DH *dh=NULL;
 	int ret=1,num=DEFBITS;
 	int g=2;
 	char *outfile=NULL;
 	char *inrand=NULL;
 	char *engine=NULL;
 	BIO *out=NULL;
 	apps_startup();
@@ -109,6 +113,11 @@ int MAIN(int argc, char **argv)
 			g=3; */
 		else if (strcmp(*argv,"-5") == 0)
 			g=5;
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -124,15 +133,34 @@ int MAIN(int argc, char **argv)
 bad:
 		BIO_printf(bio_err,"usage: gendh [args] [numbits]\n");
 		BIO_printf(bio_err," -out file - output the key to 'file\n");
-		BIO_printf(bio_err," -2    use 2 as the generator value\n");
+		BIO_printf(bio_err," -2        - use 2 as the generator value\n");
-	/*	BIO_printf(bio_err," -3    use 3 as the generator value\n"); */
+	/*	BIO_printf(bio_err," -3        - use 3 as the generator value\n"); */
-		BIO_printf(bio_err," -5    use 5 as the generator value\n");
+		BIO_printf(bio_err," -5        - use 5 as the generator value\n");
-		BIO_printf(bio_err," -rand file:file:...\n");
+		BIO_printf(bio_err," -engine e - use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,"           - load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,"             the random number generator\n");
 		goto end;
 		}
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto end;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	out=BIO_new(BIO_s_file());
 	if (out == NULL)
 		{
@@ -141,7 +169,15 @@ bad:
 		}
 	if (outfile == NULL)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
@@ -159,7 +195,7 @@ bad:
 		BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
 			app_RAND_load_files(inrand));
-	BIO_printf(bio_err,"Generating DH parameters, %d bit long strong prime, generator of %d\n",num,g);
+	BIO_printf(bio_err,"Generating DH parameters, %d bit long safe prime, generator %d\n",num,g);
 	BIO_printf(bio_err,"This is going to take a long time\n");
 	dh=DH_generate_parameters(num,g,dh_cb,bio_err);
@@ -173,7 +209,7 @@ bad:
 end:
 	if (ret != 0)
 		ERR_print_errors(bio_err);
-	if (out != NULL) BIO_free(out);
+	if (out != NULL) BIO_free_all(out);
 	if (dh != NULL) DH_free(dh);
 	EXIT(ret);
 	}
--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -68,6 +68,7 @@
 #include <openssl/dsa.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 #define DEFBITS	512
 #undef PROG
@@ -77,6 +78,7 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 	DSA *dsa=NULL;
 	int ret=1;
 	char *outfile=NULL;
@@ -84,6 +86,7 @@ int MAIN(int argc, char **argv)
 	char *passargout = NULL, *passout = NULL;
 	BIO *out=NULL,*in=NULL;
 	EVP_CIPHER *enc=NULL;
 	char *engine=NULL;
 	apps_startup();
@@ -106,6 +109,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 			}
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -145,7 +153,8 @@ bad:
 #ifndef NO_IDEA
 		BIO_printf(bio_err," -idea     - encrypt the generated key with IDEA in cbc mode\n");
 #endif
-		BIO_printf(bio_err," -rand file:file:...\n");
+		BIO_printf(bio_err," -engine e - use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,"           - load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,"             the random number generator\n");
 		BIO_printf(bio_err," dsaparam-file\n");
@@ -153,6 +162,24 @@ bad:
 		goto end;
 		}
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto end;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	if(!app_passwd(bio_err, NULL, passargout, NULL, &passout)) {
 		BIO_printf(bio_err, "Error getting password\n");
 		goto end;
@@ -178,7 +205,15 @@ bad:
 	if (out == NULL) goto end;
 	if (outfile == NULL)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
@@ -209,9 +244,9 @@ end:
 	if (ret != 0)
 		ERR_print_errors(bio_err);
 	if (in != NULL) BIO_free(in);
-	if (out != NULL) BIO_free(out);
+	if (out != NULL) BIO_free_all(out);
 	if (dsa != NULL) DSA_free(dsa);
-	if(passout) Free(passout);
+	if(passout) OPENSSL_free(passout);
 	EXIT(ret);
 	}
 #endif
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -69,6 +69,7 @@
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 #define DEFBITS	512
 #undef PROG
@@ -80,6 +81,7 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 	int ret=1;
 	RSA *rsa=NULL;
 	int i,num=DEFBITS;
@@ -88,6 +90,7 @@ int MAIN(int argc, char **argv)
 	unsigned long f4=RSA_F4;
 	char *outfile=NULL;
 	char *passargout = NULL, *passout = NULL;
 	char *engine=NULL;
 	char *inrand=NULL;
 	BIO *out=NULL;
@@ -114,8 +117,13 @@ int MAIN(int argc, char **argv)
 			}
 		else if (strcmp(*argv,"-3") == 0)
 			f4=3;
-		else if (strcmp(*argv,"-F4") == 0)
+		else if (strcmp(*argv,"-F4") == 0 || strcmp(*argv,"-f4") == 0)
 			f4=RSA_F4;
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -154,7 +162,8 @@ bad:
 		BIO_printf(bio_err," -passout arg    output file pass phrase source\n");
 		BIO_printf(bio_err," -f4             use F4 (0x10001) for the E value\n");
 		BIO_printf(bio_err," -3              use 3 for the E value\n");
-		BIO_printf(bio_err," -rand file:file:...\n");
+		BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,"                 load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,"                 the random number generator\n");
 		goto err;
@@ -167,8 +176,34 @@ bad:
 		goto err;
 	}
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto err;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto err;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	if (outfile == NULL)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
@@ -178,7 +213,8 @@ bad:
 			}
 		}
-	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL)
+	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
 		&& !RAND_status())
 		{
 		BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
 		}
@@ -212,8 +248,8 @@ bad:
 	ret=0;
 err:
 	if (rsa != NULL) RSA_free(rsa);
-	if (out != NULL) BIO_free(out);
+	if (out != NULL) BIO_free_all(out);
-	if(passout) Free(passout);
+	if(passout) OPENSSL_free(passout);
 	if (ret != 0)
 		ERR_print_errors(bio_err);
 	EXIT(ret);
--- a/apps/makeapps.com
+++ b/apps/makeapps.com
@@ -154,16 +154,16 @@ $! Define The Application Files.
 $!
 $ LIB_FILES = "VERIFY;ASN1PARS;REQ;DGST;DH;DHPARAM;ENC;PASSWD;GENDH;ERRSTR;"+-
 	      "CA;PKCS7;CRL2P7;CRL;"+-
-	      "RSA;DSA;DSAPARAM;"+-
+	      "RSA;RSAUTL;DSA;DSAPARAM;"+-
 	      "X509;GENRSA;GENDSA;S_SERVER;S_CLIENT;SPEED;"+-
 	      "S_TIME;APPS;S_CB;S_SOCKET;APP_RAND;VERSION;SESS_ID;"+-
-	      "CIPHERS;NSEQ;PKCS12;PKCS8;SPKAC;SMIME"
+	      "CIPHERS;NSEQ;PKCS12;PKCS8;SPKAC;SMIME;RAND"
 $ APP_FILES := OPENSSL,'OBJ_DIR'VERIFY.OBJ,ASN1PARS.OBJ,REQ.OBJ,DGST.OBJ,DH.OBJ,DHPARAM.OBJ,ENC.OBJ,PASSWD.OBJ,GENDH.OBJ,ERRSTR.OBJ,-
 	       CA.OBJ,PKCS7.OBJ,CRL2P7.OBJ,CRL.OBJ,-
-	       RSA.OBJ,DSA.OBJ,DSAPARAM.OBJ,-
+	       RSA.OBJ,RSAUTL.OBJ,DSA.OBJ,DSAPARAM.OBJ,-
 	       X509.OBJ,GENRSA.OBJ,GENDSA.OBJ,S_SERVER.OBJ,S_CLIENT.OBJ,SPEED.OBJ,-
 	       S_TIME.OBJ,APPS.OBJ,S_CB.OBJ,S_SOCKET.OBJ,APP_RAND.OBJ,VERSION.OBJ,SESS_ID.OBJ,-
-	       CIPHERS.OBJ,NSEQ.OBJ,PKCS12.OBJ,PKCS8.OBJ,SPKAC.OBJ,SMIME.OBJ
+	       CIPHERS.OBJ,NSEQ.OBJ,PKCS12.OBJ,PKCS8.OBJ,SPKAC.OBJ,SMIME.OBJ,RAND.OBJ
 $ TCPIP_PROGRAMS = ",,"
 $ IF COMPILER .EQS. "VAXC" THEN -
     TCPIP_PROGRAMS = ",OPENSSL,"
@@ -1133,6 +1133,7 @@ $!
 $! Save directory information
 $!
 $ __HERE = F$PARSE(F$PARSE("A.;",F$ENVIRONMENT("PROCEDURE"))-"A.;","[]A.;") - "A.;"
 $ __HERE = F$EDIT(__HERE,"UPCASE")
 $ __TOP = __HERE - "APPS]"
 $ __INCLUDE = __TOP + "INCLUDE.OPENSSL]"
 $!
--- a/apps/nseq.c
+++ b/apps/nseq.c
@@ -119,11 +119,18 @@ int MAIN(int argc, char **argv)
 				 "Can't open output file %s\n", outfile);
 			goto end;
 		}
-	} else out = BIO_new_fp(stdout, BIO_NOCLOSE);
+	} else {
-
+		out = BIO_new_fp(stdout, BIO_NOCLOSE);
 #ifdef VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 	}
 	if (toseq) {
 		seq = NETSCAPE_CERT_SEQUENCE_new();
-		seq->certs = sk_X509_new(NULL);
+		seq->certs = sk_X509_new_null();
 		while((x509 = PEM_read_bio_X509(in, NULL, NULL, NULL))) 
 		    sk_X509_push(seq->certs,x509);
@@ -152,7 +159,7 @@ int MAIN(int argc, char **argv)
 	ret = 0;
 end:
 	BIO_free(in);
-	BIO_free(out);
+	BIO_free_all(out);
 	NETSCAPE_CERT_SEQUENCE_free(seq);
 	EXIT(ret);
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -56,13 +56,10 @@
 * [including the GNU Public Licence.]
 */
 #ifndef DEBUG
 #undef DEBUG
 #endif
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
 #define OPENSSL_C /* tells apps.h to use complete apps_startup() */
 #include <openssl/bio.h>
 #include <openssl/crypto.h>
 #include <openssl/lhash.h>
@@ -71,18 +68,11 @@
 #include <openssl/pem.h>
 #include <openssl/ssl.h>
 #define USE_SOCKETS /* needed for the _O_BINARY defs in the MS world */
 #define OPENSSL_C /* tells apps.h to use complete apps_startup() */
 #include "apps.h"
 #include "progs.h"
 #include "s_apps.h"
 #include <openssl/err.h>
 /*
 #ifdef WINDOWS
 #include "bss_file.c"
 #endif
 */
 static unsigned long MS_CALLBACK hash(FUNCTION *a);
 static int MS_CALLBACK cmp(FUNCTION *a,FUNCTION *b);
 static LHASH *prog_init(void );
@@ -90,15 +80,6 @@ static int do_cmd(LHASH *prog,int argc,char *argv[]);
 LHASH *config=NULL;
 char *default_config_file=NULL;
 #ifdef DEBUG
 static void sig_stop(int i)
 	{
 	char *a=NULL;
 	*a='\0';
 	}
 #endif
 /* Make sure there is only one when MONOLITH is defined */
 #ifdef MONOLITH
 BIO *bio_err=NULL;
@@ -120,15 +101,8 @@ int main(int Argc, char *Argv[])
 	arg.data=NULL;
 	arg.count=0;
-#if defined(DEBUG) && !defined(WINDOWS) && !defined(MSDOS)
+	if (getenv("OPENSSL_DEBUG_MEMORY") != NULL)
-#ifdef SIGBUS
+		CRYPTO_malloc_debug_init();
 	signal(SIGBUS,sig_stop);
 #endif
 #ifdef SIGSEGV
 	signal(SIGSEGV,sig_stop);
 #endif
 #endif
 	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
 	apps_startup();
@@ -229,18 +203,12 @@ end:
 		config=NULL;
 		}
 	if (prog != NULL) lh_free(prog);
-	if (arg.data != NULL) Free(arg.data);
+	if (arg.data != NULL) OPENSSL_free(arg.data);
 	ERR_remove_state(0);
 	EVP_cleanup();
 	ERR_free_strings();
-
+	
 #ifdef LEVITTE_DEBUG
 	CRYPTO_push_info("Just to make sure I get a memory leak I can see :-)");
 	(void)Malloc(1024);
 	CRYPTO_pop_info();
 #endif
 	CRYPTO_mem_leaks(bio_err);
 	if (bio_err != NULL)
 		{
@@ -267,6 +235,24 @@ static int do_cmd(LHASH *prog, int argc, char *argv[])
 		{
 		ret=fp->func(argc,argv);
 		}
 	else if ((strncmp(argv[0],"no-",3)) == 0)
 		{
 		BIO *bio_stdout = BIO_new_fp(stdout,BIO_NOCLOSE);
 #ifdef VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		bio_stdout = BIO_push(tmpbio, bio_stdout);
 		}
 #endif
 		f.name=argv[0]+3;
 		ret = (lh_retrieve(prog,&f) != NULL);
 		if (!ret)
 			BIO_printf(bio_stdout, "%s\n", argv[0]);
 		else
 			BIO_printf(bio_stdout, "%s\n", argv[0]+3);
 		BIO_free_all(bio_stdout);
 		goto end;
 		}
 	else if ((strcmp(argv[0],"quit") == 0) ||
 		(strcmp(argv[0],"q") == 0) ||
 		(strcmp(argv[0],"exit") == 0) ||
@@ -289,11 +275,17 @@ static int do_cmd(LHASH *prog, int argc, char *argv[])
 		else /* strcmp(argv[0],LIST_CIPHER_COMMANDS) == 0 */
 			list_type = FUNC_TYPE_CIPHER;
 		bio_stdout = BIO_new_fp(stdout,BIO_NOCLOSE);
 #ifdef VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		bio_stdout = BIO_push(tmpbio, bio_stdout);
 		}
 #endif
 		for (fp=functions; fp->name != NULL; fp++)
 			if (fp->type == list_type)
 				BIO_printf(bio_stdout, "%s\n", fp->name);
-		BIO_free(bio_stdout);
+		BIO_free_all(bio_stdout);
 		ret=0;
 		goto end;
 		}
--- a/apps/passwd.c
+++ b/apps/passwd.c
@@ -1,10 +1,10 @@
 /* apps/passwd.c */
 #if defined NO_MD5 || defined CHARSET_EBCDIC
-# define NO_APR1
+# define NO_MD5CRYPT_1
 #endif
-#if !defined(NO_DES) || !defined(NO_APR1)
+#if !defined(NO_DES) || !defined(NO_MD5CRYPT_1)
 #include <assert.h>
 #include <string.h>
@@ -19,7 +19,7 @@
 #ifndef NO_DES
 # include <openssl/des.h>
 #endif
-#ifndef NO_APR1
+#ifndef NO_MD5CRYPT_1
 # include <openssl/md5.h>
 #endif
@@ -42,10 +42,11 @@ static unsigned const char cov_2char[64]={
 static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
 	char *passwd, BIO *out, int quiet, int table, int reverse,
-	size_t pw_maxlen, int usecrypt, int useapr1);
+	size_t pw_maxlen, int usecrypt, int use1, int useapr1);
-/* -crypt        - standard Unix password algorithm (default, only choice)
+/* -crypt        - standard Unix password algorithm (default)
- * -apr1         - MD5-based password algorithm
+ * -1            - MD5-based password algorithm
 * -apr1         - MD5-based password algorithm, Apache variant
 * -salt string  - salt
 * -in file      - read passwords from file
 * -stdin        - read passwords from stdin
@@ -63,11 +64,12 @@ int MAIN(int argc, char **argv)
 	int in_stdin = 0;
 	char *salt = NULL, *passwd = NULL, **passwds = NULL;
 	char *salt_malloc = NULL, *passwd_malloc = NULL;
 	size_t passwd_malloc_size = 0;
 	int pw_source_defined = 0;
 	BIO *in = NULL, *out = NULL;
 	int i, badopt, opt_done;
 	int passed_salt = 0, quiet = 0, table = 0, reverse = 0;
-	int usecrypt = 0, useapr1 = 0;
+	int usecrypt = 0, use1 = 0, useapr1 = 0;
 	size_t pw_maxlen = 0;
 	apps_startup();
@@ -79,6 +81,12 @@ int MAIN(int argc, char **argv)
 	if (out == NULL)
 		goto err;
 	BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
 #ifdef VMS
 	{
 	BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 	out = BIO_push(tmpbio, out);
 	}
 #endif
 	badopt = 0, opt_done = 0;
 	i = 0;
@@ -86,6 +94,8 @@ int MAIN(int argc, char **argv)
 		{
 		if (strcmp(argv[i], "-crypt") == 0)
 			usecrypt = 1;
 		else if (strcmp(argv[i], "-1") == 0)
 			use1 = 1;
 		else if (strcmp(argv[i], "-apr1") == 0)
 			useapr1 = 1;
 		else if (strcmp(argv[i], "-salt") == 0)
@@ -137,17 +147,17 @@ int MAIN(int argc, char **argv)
 			badopt = 1;
 		}
-	if (!usecrypt && !useapr1) /* use default */
+	if (!usecrypt && !use1 && !useapr1) /* use default */
 		usecrypt = 1;
-	if (usecrypt + useapr1 > 1) /* conflict */
+	if (usecrypt + use1 + useapr1 > 1) /* conflict */
 		badopt = 1;
 	/* reject unsupported algorithms */
 #ifdef NO_DES
 	if (usecrypt) badopt = 1;
 #endif
-#ifdef NO_APR1
+#ifdef NO_MD5CRYPT_1
-	if (useapr1) badopt = 1;
+	if (use1 || useapr1) badopt = 1;
 #endif
 	if (badopt) 
@@ -157,8 +167,9 @@ int MAIN(int argc, char **argv)
 #ifndef NO_DES
 		BIO_printf(bio_err, "-crypt             standard Unix password algorithm (default)\n");
 #endif
-#ifndef NO_APR1
+#ifndef NO_MD5CRYPT_1
-		BIO_printf(bio_err, "-apr1              MD5-based password algorithm\n");
+		BIO_printf(bio_err, "-1                 MD5-based password algorithm\n");
 		BIO_printf(bio_err, "-apr1              MD5-based password algorithm, Apache variant\n");
 #endif
 		BIO_printf(bio_err, "-salt string       use provided salt\n");
 		BIO_printf(bio_err, "-in file           read passwords from file\n");
@@ -190,13 +201,16 @@ int MAIN(int argc, char **argv)
 	if (usecrypt)
 		pw_maxlen = 8;
-	else if (useapr1)
+	else if (use1 || useapr1)
 		pw_maxlen = 256; /* arbitrary limit, should be enough for most passwords */
 	if (passwds == NULL)
 		{
 		/* no passwords on the command line */
-		passwd = passwd_malloc = Malloc(pw_maxlen + 1);
+
 		passwd_malloc_size = pw_maxlen + 2;
 		/* longer than necessary so that we can warn about truncation */
 		passwd = passwd_malloc = OPENSSL_malloc(passwd_malloc_size);
 		if (passwd_malloc == NULL)
 			goto err;
 		}
@@ -208,7 +222,7 @@ int MAIN(int argc, char **argv)
 		passwds = passwds_static;
 		if (in == NULL)
-			if (EVP_read_pw_string(passwd_malloc, pw_maxlen + 1, "Password: ", 0) != 0)
+			if (EVP_read_pw_string(passwd_malloc, passwd_malloc_size, "Password: ", 0) != 0)
 				goto err;
 		passwds[0] = passwd_malloc;
 		}
@@ -222,7 +236,7 @@ int MAIN(int argc, char **argv)
 			{
 			passwd = *passwds++;
 			if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, out,
-				quiet, table, reverse, pw_maxlen, usecrypt, useapr1))
+				quiet, table, reverse, pw_maxlen, usecrypt, use1, useapr1))
 				goto err;
 			}
 		while (*passwds != NULL);
@@ -251,33 +265,41 @@ int MAIN(int argc, char **argv)
 					}
 				if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, out,
-					quiet, table, reverse, pw_maxlen, usecrypt, useapr1))
+					quiet, table, reverse, pw_maxlen, usecrypt, use1, useapr1))
 					goto err;
 				}
 			done = (r <= 0);
 			}
 		while (!done);
 		}
 	ret = 0;
 err:
 	ERR_print_errors(bio_err);
 	if (salt_malloc)
-		Free(salt_malloc);
+		OPENSSL_free(salt_malloc);
 	if (passwd_malloc)
-		Free(passwd_malloc);
+		OPENSSL_free(passwd_malloc);
 	if (in)
 		BIO_free(in);
 	if (out)
-		BIO_free(out);
+		BIO_free_all(out);
 	EXIT(ret);
 	}
-#ifndef NO_APR1
+#ifndef NO_MD5CRYPT_1
-/* MD5-based password algorithm compatible to the one found in Apache
+/* MD5-based password algorithm (should probably be available as a library
- * (should probably be available as a library function;
+ * function; then the static buffer would not be acceptable).
- * then the static buffer would not be acceptable) */
+ * For magic string "1", this should be compatible to the MD5-based BSD
-static char *apr1_crypt(const char *passwd, const char *salt)
+ * password algorithm.
 * For 'magic' string "apr1", this is compatible to the MD5-based Apache
 * password algorithm.
 * (Apparently, the Apache password algorithm is identical except that the
 * 'magic' string was changed -- the laziest application of the NIH principle
 * I've ever encountered.)
 */
 static char *md5crypt(const char *passwd, const char *magic, const char *salt)
 	{
 	static char out_buf[6 + 9 + 24 + 2]; /* "$apr1$..salt..$.......md5hash..........\0" */
 	unsigned char buf[MD5_DIGEST_LENGTH];
@@ -287,16 +309,22 @@ static char *apr1_crypt(const char *passwd, const char *salt)
 	size_t passwd_len, salt_len;
 	passwd_len = strlen(passwd);
-	strcpy(out_buf, "$apr1$");
+	out_buf[0] = '$';
 	out_buf[1] = 0;
 	assert(strlen(magic) <= 4); /* "1" or "apr1" */
 	strncat(out_buf, magic, 4);
 	strncat(out_buf, "$", 1);
 	strncat(out_buf, salt, 8);
 	assert(strlen(out_buf) <= 6 + 8); /* "$apr1$..salt.." */
-	salt_out = out_buf + 6;
+	salt_out = out_buf + 2 + strlen(magic);
 	salt_len = strlen(salt_out);
 	assert(salt_len <= 8);
 	MD5_Init(&md);
 	MD5_Update(&md, passwd, passwd_len);
-	MD5_Update(&md, "$apr1$", 6);
+	MD5_Update(&md, "$", 1);
 	MD5_Update(&md, magic, strlen(magic));
 	MD5_Update(&md, "$", 1);
 	MD5_Update(&md, salt_out, salt_len);
 	 {
@@ -380,7 +408,7 @@ static char *apr1_crypt(const char *passwd, const char *salt)
 static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
 	char *passwd, BIO *out,	int quiet, int table, int reverse,
-	size_t pw_maxlen, int usecrypt, int useapr1)
+	size_t pw_maxlen, int usecrypt, int use1, int useapr1)
 	{
 	char *hash = NULL;
@@ -395,7 +423,7 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
 			{
 			if (*salt_malloc_p == NULL)
 				{
-				*salt_p = *salt_malloc_p = Malloc(3);
+				*salt_p = *salt_malloc_p = OPENSSL_malloc(3);
 				if (*salt_malloc_p == NULL)
 					goto err;
 				}
@@ -411,14 +439,14 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
 			}
 #endif /* !NO_DES */
-#ifndef NO_APR1
+#ifndef NO_MD5CRYPT_1
-		if (useapr1)
+		if (use1 || useapr1)
 			{
 			int i;
 			if (*salt_malloc_p == NULL)
 				{
-				*salt_p = *salt_malloc_p = Malloc(9);
+				*salt_p = *salt_malloc_p = OPENSSL_malloc(9);
 				if (*salt_malloc_p == NULL)
 					goto err;
 				}
@@ -429,7 +457,7 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
 				(*salt_p)[i] = cov_2char[(*salt_p)[i] & 0x3f]; /* 6 bits */
 			(*salt_p)[8] = 0;
 			}
-#endif /* !NO_APR1 */
+#endif /* !NO_MD5CRYPT_1 */
 		}
 	assert(*salt_p != NULL);
@@ -448,9 +476,9 @@ static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
 	if (usecrypt)
 		hash = des_crypt(passwd, *salt_p);
 #endif
-#ifndef NO_APR1
+#ifndef NO_MD5CRYPT_1
-	if (useapr1)
+	if (use1 || useapr1)
-		hash = apr1_crypt(passwd, *salt_p);
+		hash = md5crypt(passwd, (use1 ? "1" : "apr1"), *salt_p);
 #endif
 	assert(hash != NULL);
--- a/apps/pca-cert.srl
+++ b/apps/pca-cert.srl
@@ -1 +1 @@
-01
+07
--- a/apps/pem_mail.c
+++ b/apps/pem_mail.c
@@ -1,170 +0,0 @@
 /* apps/pem_mail.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
 #ifndef NO_RSA
 #include <stdio.h>
 #include <openssl/rsa.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
 #include "apps.h"
 #undef PROG
 #define PROG	pem_mail_main
 static char *usage[]={
 "usage: pem_mail args\n",
 "\n",
 " -in arg         - input file - default stdin\n",
 " -out arg        - output file - default stdout\n",
 " -cert arg       - the certificate to use\n",
 " -key arg        - the private key to use\n",
 " -MIC           - sign the message\n",
 " -enc arg        - encrypt with one of cbc-des\n",
 NULL
 };
 typedef struct lines_St
 	{
 	char *line;
 	struct lines_st *next;
 	} LINES;
 int main(int argc, char **argv)
 	{
 	FILE *in;
 	RSA *rsa=NULL;
 	EVP_MD_CTX ctx;
 	unsigned int mic=0,i,n;
 	unsigned char buf[1024*15];
 	char *prog,*infile=NULL,*outfile=NULL,*key=NULL;
 	int badops=0;
 	apps_startup();
 	prog=argv[0];
 	argc--;
 	argv++;
 	while (argc >= 1)
 		{
 		if (strcmp(*argv,"-key") == 0)
 			{
 			if (--argc < 1) goto bad;
 			key= *(++argv);
 			}
 		else if (strcmp(*argv,"-in") == 0)
 			{
 			if (--argc < 1) goto bad;
 			infile= *(++argv);
 			}
 		else if (strcmp(*argv,"-out") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 		else if (strcmp(*argv,"-mic") == 0)
 			mic=1;
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
 			badops=1;
 			break;
 			}
 		argc--;
 		argv++;
 		}
 	if (badops)
 		{
 bad:
 		BIO_printf(bio_err,"%s [options] <infile >outfile\n",prog);
 		BIO_printf(bio_err,"where options  are\n");
 		EXIT(1);
 		}
 	if (key == NULL)
 		{ BIO_printf(bio_err,"you need to specify a key\n"); EXIT(1); }
 	in=fopen(key,"r");
 	if (in == NULL) { perror(key); EXIT(1); }
 	rsa=PEM_read_RSAPrivateKey(in,NULL,NULL);
 	if (rsa == NULL)
 		{
 		BIO_printf(bio_err,"unable to load Private Key\n");
 		ERR_print_errors(bio_err);
 		EXIT(1);
 		}
 	fclose(in);
 	PEM_SignInit(&ctx,EVP_md5());
 	for (;;)
 		{
 		i=fread(buf,1,1024*10,stdin);
 		if (i <= 0) break;
 		PEM_SignUpdate(&ctx,buf,i);
 		}
 	if (!PEM_SignFinal(&ctx,buf,&n,rsa)) goto err;
 	BIO_printf(bio_err,"%s\n",buf);
 	EXIT(0);
 err:
 	ERR_print_errors(bio_err);
 	EXIT(1);
 	}
 #endif
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -66,6 +66,7 @@
 #include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/pkcs12.h>
 #include <openssl/engine.h>
 #define PROG pkcs12_main
@@ -78,9 +79,10 @@ EVP_CIPHER *enc;
 #define CLCERTS		0x8
 #define CACERTS		0x10
-int get_cert_chain(X509 *cert, STACK_OF(X509) **chain);
+int get_cert_chain (X509 *cert, X509_STORE *store, STACK_OF(X509) **chain);
 int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen, int options, char *pempass);
-int dump_certs_pkeys_bags(BIO *out, STACK *bags, char *pass, int passlen, int options, char *pempass);
+int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags, char *pass,
 			  int passlen, int options, char *pempass);
 int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bags, char *pass, int passlen, int options, char *pempass);
 int print_attribs(BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst, char *name);
 void hex_prin(BIO *out, unsigned char *buf, int len);
@@ -91,6 +93,7 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 {
    ENGINE *e = NULL;
    char *infile=NULL, *outfile=NULL, *keyname = NULL;	
    char *certfile=NULL;
    BIO *in=NULL, *out = NULL, *inkey = NULL, *certsin = NULL;
@@ -116,6 +119,8 @@ int MAIN(int argc, char **argv)
    char *passargin = NULL, *passargout = NULL, *passarg = NULL;
    char *passin = NULL, *passout = NULL;
    char *inrand = NULL;
    char *CApath = NULL, *CAfile = NULL;
    char *engine=NULL;
    apps_startup();
@@ -195,7 +200,7 @@ int MAIN(int argc, char **argv)
 		} else if (!strcmp (*args, "-caname")) {
 		    if (args[1]) {
 			args++;	
-			if (!canames) canames = sk_new(NULL);
+			if (!canames) canames = sk_new_null();
 			sk_push(canames, *args);
 		    } else badarg = 1;
 		} else if (!strcmp (*args, "-in")) {
@@ -224,6 +229,21 @@ int MAIN(int argc, char **argv)
 			passarg = *args;
 		    	noprompt = 1;
 		    } else badarg = 1;
 		} else if (!strcmp(*args,"-CApath")) {
 		    if (args[1]) {
 			args++;	
 			CApath = *args;
 		    } else badarg = 1;
 		} else if (!strcmp(*args,"-CAfile")) {
 		    if (args[1]) {
 			args++;	
 			CAfile = *args;
 		    } else badarg = 1;
 		} else if (!strcmp(*args,"-engine")) {
 		    if (args[1]) {
 			args++;	
 			engine = *args;
 		    } else badarg = 1;
 		} else badarg = 1;
 	} else badarg = 1;
@@ -237,6 +257,8 @@ int MAIN(int argc, char **argv)
 	BIO_printf (bio_err, "-chain        add certificate chain\n");
 	BIO_printf (bio_err, "-inkey file   private key if not infile\n");
 	BIO_printf (bio_err, "-certfile f   add all certs in f\n");
 	BIO_printf (bio_err, "-CApath arg   - PEM format directory of CA's\n");
 	BIO_printf (bio_err, "-CAfile arg   - PEM format file of CA's\n");
 	BIO_printf (bio_err, "-name \"name\"  use name as friendly name\n");
 	BIO_printf (bio_err, "-caname \"nm\"  use nm as CA friendly name (can be used more than once).\n");
 	BIO_printf (bio_err, "-in  infile   input filename\n");
@@ -265,12 +287,27 @@ int MAIN(int argc, char **argv)
 	BIO_printf (bio_err, "-password p   set import/export password source\n");
 	BIO_printf (bio_err, "-passin p     input file pass phrase source\n");
 	BIO_printf (bio_err, "-passout p    output file pass phrase source\n");
-	BIO_printf(bio_err,  "-rand file:file:...\n");
+	BIO_printf (bio_err, "-engine e     use engine e, possibly a hardware device.\n");
 	BIO_printf(bio_err,  "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 	BIO_printf(bio_err,  "              load the file (or the files in the directory) into\n");
 	BIO_printf(bio_err,  "              the random number generator\n");
    	goto end;
    }
    if (engine != NULL) {
 	if((e = ENGINE_by_id(engine)) == NULL) {
 	    BIO_printf(bio_err,"invalid engine \"%s\"\n", engine);
 	    goto end;
 	}
 	if(!ENGINE_set_default(e, ENGINE_METHOD_ALL)) {
 	    BIO_printf(bio_err,"can't use that engine\n");
 	    goto end;
 	}
 	BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 	/* Free our "structural" reference. */
 	ENGINE_free(e);
    }
    if(passarg) {
 	if(export_cert) passargout = passarg;
 	else passargin = passarg;
@@ -336,8 +373,15 @@ int MAIN(int argc, char **argv)
    CRYPTO_push_info("write files");
 #endif
-    if (!outfile) out = BIO_new_fp(stdout, BIO_NOCLOSE);
+    if (!outfile) {
-    else out = BIO_new_file(outfile, "wb");
+	out = BIO_new_fp(stdout, BIO_NOCLOSE);
 #ifdef VMS
 	{
 	    BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 	    out = BIO_push(tmpbio, out);
 	}
 #endif
    } else out = BIO_new_file(outfile, "wb");
    if (!out) {
 	BIO_printf(bio_err, "Error opening output file %s\n",
 						outfile ? outfile : "<stdout>");
@@ -359,20 +403,22 @@ int MAIN(int argc, char **argv)
    }
    if (export_cert) {
-	EVP_PKEY *key;
+	EVP_PKEY *key = NULL;
-	STACK *bags, *safes;
+	STACK_OF(PKCS12_SAFEBAG) *bags = NULL;
-	PKCS12_SAFEBAG *bag;
+	STACK_OF(PKCS7) *safes = NULL;
-	PKCS8_PRIV_KEY_INFO *p8;
+	PKCS12_SAFEBAG *bag = NULL;
-	PKCS7 *authsafe;
+	PKCS8_PRIV_KEY_INFO *p8 = NULL;
 	PKCS7 *authsafe = NULL;
 	X509 *ucert = NULL;
 	STACK_OF(X509) *certs=NULL;
-	char *catmp;
+	char *catmp = NULL;
 	int i;
 	unsigned char keyid[EVP_MAX_MD_SIZE];
 	unsigned int keyidlen = 0;
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_push_info("process -export_cert");
 	CRYPTO_push_info("reading private key");
 #endif
 	key = PEM_read_bio_PrivateKey(inkey ? inkey : in, NULL, NULL, passin);
 	if (!inkey) (void) BIO_reset(in);
@@ -380,18 +426,28 @@ int MAIN(int argc, char **argv)
 	if (!key) {
 		BIO_printf (bio_err, "Error loading private key\n");
 		ERR_print_errors(bio_err);
-		goto end;
+		goto export_end;
 	}
-	certs = sk_X509_new(NULL);
+#ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
 	CRYPTO_push_info("reading certs from input");
 #endif
 	certs = sk_X509_new_null();
 	/* Load in all certs in input file */
 	if(!cert_load(in, certs)) {
 		BIO_printf(bio_err, "Error loading certificates from input\n");
 		ERR_print_errors(bio_err);
-		goto end;
+		goto export_end;
 	}
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
 	CRYPTO_push_info("reading certs from input 2");
 #endif
 	for(i = 0; i < sk_X509_num(certs); i++) {
 		ucert = sk_X509_value(certs, i);
 		if(X509_check_private_key(ucert, key)) {
@@ -399,41 +455,68 @@ int MAIN(int argc, char **argv)
 			break;
 		}
 	}
 	if(!keyidlen) {
 		ucert = NULL;
 		BIO_printf(bio_err, "No certificate matches private key\n");
-		goto end;
+		goto export_end;
 	}
-	bags = sk_new (NULL);
+#ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
 	CRYPTO_push_info("reading certs from certfile");
 #endif
 	bags = sk_PKCS12_SAFEBAG_new_null ();
 	/* Add any more certificates asked for */
 	if (certsin) {
 		if(!cert_load(certsin, certs)) {
 			BIO_printf(bio_err, "Error loading certificates from certfile\n");
 			ERR_print_errors(bio_err);
-			goto end;
+			goto export_end;
 		}
 	    	BIO_free(certsin);
 	}
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
 	CRYPTO_push_info("building chain");
 #endif
 	/* If chaining get chain from user cert */
 	if (chain) {
        	int vret;
 		STACK_OF(X509) *chain2;
-		vret = get_cert_chain (ucert, &chain2);
+		X509_STORE *store = X509_STORE_new();
 		if (!store)
 			{
 			BIO_printf (bio_err, "Memory allocation error\n");
 			goto export_end;
 			}
 		if (!X509_STORE_load_locations(store, CAfile, CApath))
 			X509_STORE_set_default_paths (store);
 		vret = get_cert_chain (ucert, store, &chain2);
 		X509_STORE_free(store);
 		if (!vret) {
 		    /* Exclude verified certificate */
 		    for (i = 1; i < sk_X509_num (chain2) ; i++) 
 			sk_X509_push(certs, sk_X509_value (chain2, i));
 		}
 		sk_X509_free(chain2);
 		if (vret) {
 			BIO_printf (bio_err, "Error %s getting chain.\n",
 					X509_verify_cert_error_string(vret));
-			goto end;
+			goto export_end;
-		}
+		}			
 		/* Exclude verified certificate */
 		for (i = 1; i < sk_X509_num (chain2) ; i++) 
 				 sk_X509_push(certs, sk_X509_value (chain2, i));
 		sk_X509_free(chain2);
    	}
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
 	CRYPTO_push_info("building bags");
 #endif
 	/* We now have loads of certificates: include them all */
 	for(i = 0; i < sk_X509_num(certs); i++) {
 		X509 *cert = NULL;
@@ -445,59 +528,101 @@ int MAIN(int argc, char **argv)
 			PKCS12_add_localkeyid(bag, keyid, keyidlen);
 		} else if((catmp = sk_shift(canames))) 
 				PKCS12_add_friendlyname(bag, catmp, -1);
-		sk_push(bags, (char *)bag);
+		sk_PKCS12_SAFEBAG_push(bags, bag);
 	}
 	sk_X509_pop_free(certs, X509_free);
-	if (canames) sk_free(canames);
+	certs = NULL;
 	/* ucert is part of certs so it is already freed */
 	ucert = NULL;
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
 	CRYPTO_push_info("encrypting bags");
 #endif
 	if(!noprompt &&
 		EVP_read_pw_string(pass, 50, "Enter Export Password:", 1)) {
 	    BIO_printf (bio_err, "Can't read Password\n");
-	    goto end;
+	    goto export_end;
        }
 	if (!twopass) strcpy(macpass, pass);
 	/* Turn certbags into encrypted authsafe */
 	authsafe = PKCS12_pack_p7encdata(cert_pbe, cpass, -1, NULL, 0,
 								 iter, bags);
-	sk_pop_free(bags, PKCS12_SAFEBAG_free);
+	sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
 	bags = NULL;
 	if (!authsafe) {
 		ERR_print_errors (bio_err);
-		goto end;
+		goto export_end;
 	}
-	safes = sk_new (NULL);
+	safes = sk_PKCS7_new_null ();
-	sk_push (safes, (char *)authsafe);
+	sk_PKCS7_push (safes, authsafe);
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
 	CRYPTO_push_info("building shrouded key bag");
 #endif
 	/* Make a shrouded key bag */
 	p8 = EVP_PKEY2PKCS8 (key);
 	EVP_PKEY_free(key);
 	if(keytype) PKCS8_add_keyusage(p8, keytype);
 	bag = PKCS12_MAKE_SHKEYBAG(key_pbe, cpass, -1, NULL, 0, iter, p8);
 	PKCS8_PRIV_KEY_INFO_free(p8);
 	p8 = NULL;
        if (name) PKCS12_add_friendlyname (bag, name, -1);
 	PKCS12_add_localkeyid (bag, keyid, keyidlen);
-	bags = sk_new(NULL);
+	bags = sk_PKCS12_SAFEBAG_new_null();
-	sk_push (bags, (char *)bag);
+	sk_PKCS12_SAFEBAG_push (bags, bag);
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
 	CRYPTO_push_info("encrypting shrouded key bag");
 #endif
 	/* Turn it into unencrypted safe bag */
 	authsafe = PKCS12_pack_p7data (bags);
-	sk_pop_free(bags, PKCS12_SAFEBAG_free);
+	sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
-	sk_push (safes, (char *)authsafe);
+	bags = NULL;
 	sk_PKCS7_push (safes, authsafe);
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
 	CRYPTO_push_info("building pkcs12");
 #endif
 	p12 = PKCS12_init (NID_pkcs7_data);
 	M_PKCS12_pack_authsafes (p12, safes);
-	sk_pop_free(safes, PKCS7_free);
+	sk_PKCS7_pop_free(safes, PKCS7_free);
 	safes = NULL;
 	PKCS12_set_mac (p12, mpass, -1, NULL, 0, maciter, NULL);
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
 	CRYPTO_push_info("writing pkcs12");
 #endif
 	i2d_PKCS12_bio (out, p12);
 	PKCS12_free(p12);
 	ret = 0;
    export_end:
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
 	CRYPTO_pop_info();
 	CRYPTO_push_info("process -export_cert: freeing");
 #endif
 	if (key) EVP_PKEY_free(key);
 	if (certs) sk_X509_pop_free(certs, X509_free);
 	if (safes) sk_PKCS7_pop_free(safes, PKCS7_free);
 	if (bags) sk_PKCS12_SAFEBAG_pop_free(bags, PKCS12_SAFEBAG_free);
 	if (ucert) X509_free(ucert);
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
 #endif
@@ -528,11 +653,16 @@ int MAIN(int argc, char **argv)
 #ifdef CRYPTO_MDEBUG
    CRYPTO_push_info("verify MAC");
 #endif
-	if (!PKCS12_verify_mac (p12, mpass, -1)) {
+	/* If we enter empty password try no password first */
 	if(!macpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
 		/* If mac and crypto pass the same set it to NULL too */
 		if(!twopass) cpass = NULL;
 	} else if (!PKCS12_verify_mac(p12, mpass, -1)) {
 	    BIO_printf (bio_err, "Mac verify error: invalid password?\n");
 	    ERR_print_errors (bio_err);
 	    goto end;
-	} else BIO_printf (bio_err, "MAC verified OK\n");
+	}
 	BIO_printf (bio_err, "MAC verified OK\n");
 #ifdef CRYPTO_MDEBUG
    CRYPTO_pop_info();
 #endif
@@ -549,29 +679,32 @@ int MAIN(int argc, char **argv)
 #ifdef CRYPTO_MDEBUG
    CRYPTO_pop_info();
 #endif
    PKCS12_free(p12);
    ret = 0;
-    end:
+ end:
    if (p12) PKCS12_free(p12);
    if(export_cert || inrand) app_RAND_write_file(NULL, bio_err);
 #ifdef CRYPTO_MDEBUG
    CRYPTO_remove_all_info();
 #endif
    BIO_free(in);
-    BIO_free(out);
+    BIO_free_all(out);
-    if(passin) Free(passin);
+    if (canames) sk_free(canames);
-    if(passout) Free(passout);
+    if(passin) OPENSSL_free(passin);
    if(passout) OPENSSL_free(passout);
    EXIT(ret);
 }
 int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass,
 	     int passlen, int options, char *pempass)
 {
-	STACK *asafes, *bags;
+	STACK_OF(PKCS7) *asafes;
 	STACK_OF(PKCS12_SAFEBAG) *bags;
 	int i, bagnid;
 	PKCS7 *p7;
 	if (!( asafes = M_PKCS12_unpack_authsafes (p12))) return 0;
-	for (i = 0; i < sk_num (asafes); i++) {
+	for (i = 0; i < sk_PKCS7_num (asafes); i++) {
-		p7 = (PKCS7 *) sk_value (asafes, i);
+		p7 = sk_PKCS7_value (asafes, i);
 		bagnid = OBJ_obj2nid (p7->type);
 		if (bagnid == NID_pkcs7_data) {
 			bags = M_PKCS12_unpack_p7data (p7);
@@ -587,23 +720,25 @@ int dump_certs_keys_p12 (BIO *out, PKCS12 *p12, char *pass,
 		if (!bags) return 0;
 	    	if (!dump_certs_pkeys_bags (out, bags, pass, passlen, 
 						 options, pempass)) {
-			sk_pop_free (bags, PKCS12_SAFEBAG_free);
+			sk_PKCS12_SAFEBAG_pop_free (bags, PKCS12_SAFEBAG_free);
 			return 0;
 		}
-		sk_pop_free (bags, PKCS12_SAFEBAG_free);
+		sk_PKCS12_SAFEBAG_pop_free (bags, PKCS12_SAFEBAG_free);
 	}
-	sk_pop_free (asafes, PKCS7_free);
+	sk_PKCS7_pop_free (asafes, PKCS7_free);
 	return 1;
 }
-int dump_certs_pkeys_bags (BIO *out, STACK *bags, char *pass,
+int dump_certs_pkeys_bags (BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags,
-	     int passlen, int options, char *pempass)
+			   char *pass, int passlen, int options, char *pempass)
 {
 	int i;
-	for (i = 0; i < sk_num (bags); i++) {
+	for (i = 0; i < sk_PKCS12_SAFEBAG_num (bags); i++) {
 		if (!dump_certs_pkeys_bag (out,
-			 (PKCS12_SAFEBAG *)sk_value (bags, i), pass, passlen,
+					   sk_PKCS12_SAFEBAG_value (bags, i),
-					 	options, pempass)) return 0;
+					   pass, passlen,
 					   options, pempass))
 		    return 0;
 	}
 	return 1;
 }
@@ -679,15 +814,12 @@ int dump_certs_pkeys_bag (BIO *out, PKCS12_SAFEBAG *bag, char *pass,
 /* Hope this is OK .... */
-int get_cert_chain (X509 *cert, STACK_OF(X509) **chain)
+int get_cert_chain (X509 *cert, X509_STORE *store, STACK_OF(X509) **chain)
 {
 	X509_STORE *store;
 	X509_STORE_CTX store_ctx;
 	STACK_OF(X509) *chn;
 	int i;
 	store = X509_STORE_new ();
 	X509_STORE_set_default_paths (store);
 	X509_STORE_CTX_init(&store_ctx, store, cert, NULL);
 	if (X509_verify_cert(&store_ctx) <= 0) {
 		i = X509_STORE_CTX_get_error (&store_ctx);
@@ -698,7 +830,6 @@ int get_cert_chain (X509 *cert, STACK_OF(X509) **chain)
 	*chain = chn;
 err:
 	X509_STORE_CTX_cleanup(&store_ctx);
 	X509_STORE_free(store);
 	return i;
 }	
@@ -722,10 +853,22 @@ int cert_load(BIO *in, STACK_OF(X509) *sk)
 	int ret;
 	X509 *cert;
 	ret = 0;
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_push_info("cert_load(): reading one cert");
 #endif
 	while((cert = PEM_read_bio_X509(in, NULL, NULL, NULL))) {
 #ifdef CRYPTO_MDEBUG
 		CRYPTO_pop_info();
 #endif
 		ret = 1;
 		sk_X509_push(sk, cert);
 #ifdef CRYPTO_MDEBUG
 		CRYPTO_push_info("cert_load(): reading one cert");
 #endif
 	}
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
 #endif
 	if(ret) ERR_clear_error();
 	return ret;
 }
@@ -763,18 +906,18 @@ int print_attribs (BIO *out, STACK_OF(X509_ATTRIBUTE) *attrlst, char *name)
        			value = uni2asc(av->value.bmpstring->data,
                                	       av->value.bmpstring->length);
 				BIO_printf(out, "%s\n", value);
-				Free(value);
+				OPENSSL_free(value);
 				break;
 				case V_ASN1_OCTET_STRING:
-				hex_prin(out, av->value.bit_string->data,
+				hex_prin(out, av->value.octet_string->data,
-					av->value.bit_string->length);
+					av->value.octet_string->length);
 				BIO_printf(out, "\n");	
 				break;
 				case V_ASN1_BIT_STRING:
-				hex_prin(out, av->value.octet_string->data,
+				hex_prin(out, av->value.bit_string->data,
-					av->value.octet_string->length);
+					av->value.bit_string->length);
 				BIO_printf(out, "\n");	
 				break;
--- a/apps/pkcs7.c
+++ b/apps/pkcs7.c
@@ -67,6 +67,7 @@
 #include <openssl/x509.h>
 #include <openssl/pkcs7.h>
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 #undef PROG
 #define PROG	pkcs7_main
@@ -82,6 +83,7 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 	PKCS7 *p7=NULL;
 	int i,badops=0;
 	BIO *in=NULL,*out=NULL;
@@ -89,6 +91,7 @@ int MAIN(int argc, char **argv)
 	char *infile,*outfile,*prog;
 	int print_certs=0,text=0,noout=0;
 	int ret=0;
 	char *engine=NULL;
 	apps_startup();
@@ -132,6 +135,11 @@ int MAIN(int argc, char **argv)
 			text=1;
 		else if (strcmp(*argv,"-print_certs") == 0)
 			print_certs=1;
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
@@ -154,11 +162,30 @@ bad:
 		BIO_printf(bio_err," -print_certs  print any certs or crl in the input\n");
 		BIO_printf(bio_err," -text         print full details of certificates\n");
 		BIO_printf(bio_err," -noout        don't output encoded data\n");
 		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
 		EXIT(1);
 		}
 	ERR_load_crypto_strings();
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto end;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	in=BIO_new(BIO_s_file());
 	out=BIO_new(BIO_s_file());
 	if ((in == NULL) || (out == NULL))
@@ -196,7 +223,15 @@ bad:
 		}
 	if (outfile == NULL)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
@@ -280,6 +315,6 @@ bad:
 end:
 	if (p7 != NULL) PKCS7_free(p7);
 	if (in != NULL) BIO_free(in);
-	if (out != NULL) BIO_free(out);
+	if (out != NULL) BIO_free_all(out);
 	EXIT(ret);
 	}
--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@@ -62,6 +62,7 @@
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/pkcs12.h>
 #include <openssl/engine.h>
 #include "apps.h"
 #define PROG pkcs8_main
@@ -70,6 +71,7 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 {
 	ENGINE *e = NULL;
 	char **args, *infile = NULL, *outfile = NULL;
 	char *passargin = NULL, *passargout = NULL;
 	BIO *in = NULL, *out = NULL;
@@ -85,9 +87,13 @@ int MAIN(int argc, char **argv)
 	EVP_PKEY *pkey;
 	char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL;
 	int badarg = 0;
 	char *engine=NULL;
 	if (bio_err == NULL) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
 	informat=FORMAT_PEM;
 	outformat=FORMAT_PEM;
 	ERR_load_crypto_strings();
 	OpenSSL_add_all_algorithms();
 	args = argv + 1;
@@ -138,6 +144,11 @@ int MAIN(int argc, char **argv)
 			if (!args[1]) goto bad;
 			passargout= *(++args);
 			}
 		else if (strcmp(*args,"-engine") == 0)
 			{
 			if (!args[1]) goto bad;
 			engine= *(++args);
 			}
 		else if (!strcmp (*args, "-in")) {
 			if (args[1]) {
 				args++;
@@ -170,9 +181,28 @@ int MAIN(int argc, char **argv)
 		BIO_printf(bio_err, "-nocrypt        use or expect unencrypted private key\n");
 		BIO_printf(bio_err, "-v2 alg         use PKCS#5 v2.0 and cipher \"alg\"\n");
 		BIO_printf(bio_err, "-v1 obj         use PKCS#5 v1.5 and cipher \"alg\"\n");
 		BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
 		return (1);
 	}
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			return (1);
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			return (1);
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
 		BIO_printf(bio_err, "Error getting passwords\n");
 		return (1);
@@ -194,8 +224,15 @@ int MAIN(int argc, char **argv)
 				 "Can't open output file %s\n", outfile);
 			return (1);
 		}
-	} else out = BIO_new_fp (stdout, BIO_NOCLOSE);
+	} else {
-
+		out = BIO_new_fp (stdout, BIO_NOCLOSE);
 #ifdef VMS
 		{
 			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 			out = BIO_push(tmpbio, out);
 		}
 #endif
 	}
 	if (topk8) {
 		if(informat == FORMAT_PEM)
 			pkey = PEM_read_bio_PrivateKey(in, NULL, NULL, passin);
@@ -253,9 +290,9 @@ int MAIN(int argc, char **argv)
 		}
 		PKCS8_PRIV_KEY_INFO_free (p8inf);
 		EVP_PKEY_free(pkey);
-		BIO_free(out);
+		BIO_free_all(out);
-		if(passin) Free(passin);
+		if(passin) OPENSSL_free(passin);
-		if(passout) Free(passout);
+		if(passout) OPENSSL_free(passout);
 		return (0);
 	}
@@ -336,10 +373,10 @@ int MAIN(int argc, char **argv)
 	}
 	EVP_PKEY_free(pkey);
-	BIO_free(out);
+	BIO_free_all(out);
 	BIO_free(in);
-	if(passin) Free(passin);
+	if(passin) OPENSSL_free(passin);
-	if(passout) Free(passout);
+	if(passout) OPENSSL_free(passout);
 	return (0);
 }
--- a/apps/progs.h
+++ b/apps/progs.h
@@ -14,6 +14,7 @@ extern int errstr_main(int argc,char *argv[]);
 extern int ca_main(int argc,char *argv[]);
 extern int crl_main(int argc,char *argv[]);
 extern int rsa_main(int argc,char *argv[]);
 extern int rsautl_main(int argc,char *argv[]);
 extern int dsa_main(int argc,char *argv[]);
 extern int dsaparam_main(int argc,char *argv[]);
 extern int x509_main(int argc,char *argv[]);
@@ -33,6 +34,7 @@ extern int pkcs12_main(int argc,char *argv[]);
 extern int pkcs8_main(int argc,char *argv[]);
 extern int spkac_main(int argc,char *argv[]);
 extern int smime_main(int argc,char *argv[]);
 extern int rand_main(int argc,char *argv[]);
 #define FUNC_TYPE_GENERAL	1
 #define FUNC_TYPE_MD		2
@@ -66,6 +68,9 @@ FUNCTION functions[] = {
 #ifndef NO_RSA
 	{FUNC_TYPE_GENERAL,"rsa",rsa_main},
 #endif
 #ifndef NO_RSA
 	{FUNC_TYPE_GENERAL,"rsautl",rsautl_main},
 #endif
 #ifndef NO_DSA
 	{FUNC_TYPE_GENERAL,"dsa",dsa_main},
 #endif
@@ -103,7 +108,9 @@ FUNCTION functions[] = {
 	{FUNC_TYPE_GENERAL,"pkcs8",pkcs8_main},
 	{FUNC_TYPE_GENERAL,"spkac",spkac_main},
 	{FUNC_TYPE_GENERAL,"smime",smime_main},
 	{FUNC_TYPE_GENERAL,"rand",rand_main},
 	{FUNC_TYPE_MD,"md2",dgst_main},
 	{FUNC_TYPE_MD,"md4",dgst_main},
 	{FUNC_TYPE_MD,"md5",dgst_main},
 	{FUNC_TYPE_MD,"sha",dgst_main},
 	{FUNC_TYPE_MD,"sha1",dgst_main},
--- a/apps/progs.pl
+++ b/apps/progs.pl
@@ -29,7 +29,7 @@ foreach (@ARGV)
 	$str="\t{FUNC_TYPE_GENERAL,\"$_\",${_}_main},\n";
 	if (($_ =~ /^s_/) || ($_ =~ /^ciphers$/))
 		{ print "#if !defined(NO_SOCK) && !(defined(NO_SSL2) && defined(NO_SSL3))\n${str}#endif\n"; } 
-	elsif ( ($_ =~ /^rsa$/) || ($_ =~ /^genrsa$/) ) 
+	elsif ( ($_ =~ /^rsa$/) || ($_ =~ /^genrsa$/) || ($_ =~ /^rsautl$/)) 
 		{ print "#ifndef NO_RSA\n${str}#endif\n";  }
 	elsif ( ($_ =~ /^dsa$/) || ($_ =~ /^gendsa$/) || ($_ =~ /^dsaparam$/))
 		{ print "#ifndef NO_DSA\n${str}#endif\n"; }
@@ -41,7 +41,7 @@ foreach (@ARGV)
 		{ print $str; }
 	}
-foreach ("md2","md5","sha","sha1","mdc2","rmd160")
+foreach ("md2","md4","md5","sha","sha1","mdc2","rmd160")
 	{
 	push(@files,$_);
 	printf "\t{FUNC_TYPE_MD,\"%s\",dgst_main},\n",$_;
--- a/apps/rand.c
+++ b/apps/rand.c
@@ -0,0 +1,177 @@
 /* apps/rand.c */
 #include "apps.h"
 #include <ctype.h>
 #include <stdio.h>
 #include <string.h>
 #include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/rand.h>
 #include <openssl/engine.h>
 #undef PROG
 #define PROG rand_main
 /* -out file         - write to file
 * -rand file:file   - PRNG seed files
 * -base64           - encode output
 * num               - write 'num' bytes
 */
 int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 	int i, r, ret = 1;
 	int badopt;
 	char *outfile = NULL;
 	char *inrand = NULL;
 	int base64 = 0;
 	BIO *out = NULL;
 	int num = -1;
 	char *engine=NULL;
 	apps_startup();
 	if (bio_err == NULL)
 		if ((bio_err = BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err, stderr, BIO_NOCLOSE|BIO_FP_TEXT);
 	badopt = 0;
 	i = 0;
 	while (!badopt && argv[++i] != NULL)
 		{
 		if (strcmp(argv[i], "-out") == 0)
 			{
 			if ((argv[i+1] != NULL) && (outfile == NULL))
 				outfile = argv[++i];
 			else
 				badopt = 1;
 			}
 		if (strcmp(argv[i], "-engine") == 0)
 			{
 			if ((argv[i+1] != NULL) && (engine == NULL))
 				engine = argv[++i];
 			else
 				badopt = 1;
 			}
 		else if (strcmp(argv[i], "-rand") == 0)
 			{
 			if ((argv[i+1] != NULL) && (inrand == NULL))
 				inrand = argv[++i];
 			else
 				badopt = 1;
 			}
 		else if (strcmp(argv[i], "-base64") == 0)
 			{
 			if (!base64)
 				base64 = 1;
 			else
 				badopt = 1;
 			}
 		else if (isdigit((unsigned char)argv[i][0]))
 			{
 			if (num < 0)
 				{
 				r = sscanf(argv[i], "%d", &num);
 				if (r == 0 || num < 0)
 					badopt = 1;
 				}
 			else
 				badopt = 1;
 			}
 		else
 			badopt = 1;
 		}
 	if (num < 0)
 		badopt = 1;
 	if (badopt) 
 		{
 		BIO_printf(bio_err, "Usage: rand [options] num\n");
 		BIO_printf(bio_err, "where options are\n");
 		BIO_printf(bio_err, "-out file             - write to file\n");
 		BIO_printf(bio_err," -engine e             - use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err, "-rand file%cfile%c... - seed PRNG from files\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err, "-base64               - encode output\n");
 		goto err;
 		}
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto err;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto err;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	app_RAND_load_file(NULL, bio_err, (inrand != NULL));
 	if (inrand != NULL)
 		BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
 			app_RAND_load_files(inrand));
 	out = BIO_new(BIO_s_file());
 	if (out == NULL)
 		goto err;
 	if (outfile != NULL)
 		r = BIO_write_filename(out, outfile);
 	else
 		{
 		r = BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
 #ifdef VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	if (r <= 0)
 		goto err;
 	if (base64)
 		{
 		BIO *b64 = BIO_new(BIO_f_base64());
 		if (b64 == NULL)
 			goto err;
 		out = BIO_push(b64, out);
 		}
 	while (num > 0) 
 		{
 		unsigned char buf[4096];
 		int chunk;
 		chunk = num;
 		if (chunk > sizeof buf)
 			chunk = sizeof buf;
 		r = RAND_bytes(buf, chunk);
 		if (r <= 0)
 			goto err;
 		BIO_write(out, buf, chunk);
 		num -= chunk;
 		}
 	BIO_flush(out);
 	app_RAND_write_file(NULL, bio_err);
 	ret = 0;
 err:
 	ERR_print_errors(bio_err);
 	if (out)
 		BIO_free_all(out);
 	EXIT(ret);
 	}
--- a/apps/req.c
+++ b/apps/req.c
@@ -73,6 +73,7 @@
 #include <openssl/x509v3.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 #define SECTION		"req"
@@ -102,6 +103,7 @@
 * -config file	- Load configuration file.
 * -key file	- make a request using key in file (or use it for verification).
 * -keyform	- key file format.
 * -rand file(s) - load the file(s) into the PRNG.
 * -newkey	- make a key and a request.
 * -modulus	- print RSA modulus.
 * -x509	- output a self signed X509 structure instead.
@@ -125,7 +127,6 @@ static void MS_CALLBACK req_cb(int p,int n,void *arg);
 #endif
 static int req_check_len(int len,int min,int max);
 static int check_end(char *str, char *end);
 static int add_oid_section(LHASH *conf);
 #ifndef MONOLITH
 static char *default_config_file=NULL;
 static LHASH *config=NULL;
@@ -140,6 +141,7 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 #ifndef NO_DSA
 	DSA *dsa_params=NULL;
 #endif
@@ -152,10 +154,12 @@ int MAIN(int argc, char **argv)
 	int informat,outformat,verify=0,noout=0,text=0,keyform=FORMAT_PEM;
 	int nodes=0,kludge=0,newhdr=0;
 	char *infile,*outfile,*prog,*keyfile=NULL,*template=NULL,*keyout=NULL;
 	char *engine=NULL;
 	char *extensions = NULL;
 	char *req_exts = NULL;
 	EVP_CIPHER *cipher=NULL;
 	int modulus=0;
 	char *inrand=NULL;
 	char *passargin = NULL, *passargout = NULL;
 	char *passin = NULL, *passout = NULL;
 	char *p;
@@ -194,6 +198,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			outformat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 		else if (strcmp(*argv,"-key") == 0)
 			{
 			if (--argc < 1) goto bad;
@@ -239,6 +248,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 			}
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) goto bad;
 			inrand= *(++argv);
 			}
 		else if (strcmp(*argv,"-newkey") == 0)
 			{
 			int is_numeric;
@@ -369,13 +383,16 @@ bad:
 		BIO_printf(bio_err," -verify        verify signature on REQ\n");
 		BIO_printf(bio_err," -modulus       RSA modulus\n");
 		BIO_printf(bio_err," -nodes         don't encrypt the output key\n");
 		BIO_printf(bio_err," -engine e      use engine e, possibly a hardware device.\n");
 		BIO_printf(bio_err," -key file	use the private key contained in file\n");
 		BIO_printf(bio_err," -keyform arg   key file format\n");
 		BIO_printf(bio_err," -keyout arg    file to send the key to\n");
 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,"                load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,"                the random number generator\n");
 		BIO_printf(bio_err," -newkey rsa:bits generate a new RSA key of 'bits' in size\n");
 		BIO_printf(bio_err," -newkey dsa:file generate a new DSA key, parameters taken from CA in 'file'\n");
-
+		BIO_printf(bio_err," -[digest]      Digest to sign with (md5, sha1, md2, mdc2, md4)\n");
 		BIO_printf(bio_err," -[digest]      Digest to sign with (md5, sha1, md2, mdc2)\n");
 		BIO_printf(bio_err," -config file   request template file.\n");
 		BIO_printf(bio_err," -new           new request.\n");
 		BIO_printf(bio_err," -x509          output a x509 structure instead of a cert. req.\n");
@@ -457,7 +474,7 @@ bad:
 				}
 			}
 		}
-		if(!add_oid_section(req_conf)) goto end;
+		if(!add_oid_section(bio_err, req_conf)) goto end;
 	if ((md_alg == NULL) &&
 		((p=CONF_get_string(req_conf,SECTION,"default_md")) != NULL))
@@ -513,24 +530,55 @@ bad:
 	if ((in == NULL) || (out == NULL))
 		goto end;
-	if (keyfile != NULL)
+	if (engine != NULL)
 		{
-		if (BIO_read_filename(in,keyfile) <= 0)
+		if((e = ENGINE_by_id(engine)) == NULL)
 			{
-			perror(keyfile);
+			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto end;
 			}
-
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 		if (keyform == FORMAT_ASN1)
 			pkey=d2i_PrivateKey_bio(in,NULL);
 		else if (keyform == FORMAT_PEM)
 			{
-			pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,passin);
+			BIO_printf(bio_err,"can't use that engine\n");
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	if (keyfile != NULL)
 		{
 		if (keyform == FORMAT_ENGINE)
 			{
 			if (!e)
 				{
 				BIO_printf(bio_err,"no engine specified\n");
 				goto end;
 				}
 			pkey = ENGINE_load_private_key(e, keyfile, NULL);
 			}
 		else
 			{
-			BIO_printf(bio_err,"bad input format specified for X509 request\n");
+			if (BIO_read_filename(in,keyfile) <= 0)
-			goto end;
+				{
 				perror(keyfile);
 				goto end;
 				}
 			if (keyform == FORMAT_ASN1)
 				pkey=d2i_PrivateKey_bio(in,NULL);
 			else if (keyform == FORMAT_PEM)
 				{
 				pkey=PEM_read_bio_PrivateKey(in,NULL,NULL,
 					passin);
 				}
 			else
 				{
 				BIO_printf(bio_err,"bad input format specified for X509 request\n");
 				goto end;
 				}
 			}
 		if (pkey == NULL)
@@ -538,12 +586,19 @@ bad:
 			BIO_printf(bio_err,"unable to load Private key\n");
 			goto end;
 			}
                if (EVP_PKEY_type(pkey->type) == EVP_PKEY_DSA)
 			{
 			char *randfile = CONF_get_string(req_conf,SECTION,"RANDFILE");
 			app_RAND_load_file(randfile, bio_err, 0);
                	}
 		}
 	if (newreq && (pkey == NULL))
 		{
 		char *randfile = CONF_get_string(req_conf,SECTION,"RANDFILE");
 		app_RAND_load_file(randfile, bio_err, 0);
 		if (inrand)
 			app_RAND_load_files(inrand);
 		if (newkey <= 0)
 			{
@@ -593,6 +648,12 @@ bad:
 			{
 			BIO_printf(bio_err,"writing new private key to stdout\n");
 			BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef VMS
 			{
 			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 			out = BIO_push(tmpbio, out);
 			}
 #endif
 			}
 		else
 			{
@@ -663,16 +724,15 @@ loop:
 	if (newreq || x509)
 		{
 #ifndef NO_DSA
 		if (pkey->type == EVP_PKEY_DSA)
 			digest=EVP_dss1();
 #endif
 		if (pkey == NULL)
 			{
 			BIO_printf(bio_err,"you need to specify a private key\n");
 			goto end;
 			}
 #ifndef NO_DSA
 		if (pkey->type == EVP_PKEY_DSA)
 			digest=EVP_dss1();
 #endif
 		if (req == NULL)
 			{
 			req=X509_REQ_new();
@@ -788,7 +848,15 @@ loop:
 		}
 	if (outfile == NULL)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if ((keyout != NULL) && (strcmp(outfile,keyout) == 0))
@@ -874,12 +942,12 @@ end:
 		}
 	if ((req_conf != NULL) && (req_conf != config)) CONF_free(req_conf);
 	BIO_free(in);
-	BIO_free(out);
+	BIO_free_all(out);
 	EVP_PKEY_free(pkey);
 	X509_REQ_free(req);
 	X509_free(x509ss);
-	if(passin) Free(passin);
+	if(passargin && passin) OPENSSL_free(passin);
-	if(passout) Free(passout);
+	if(passargout && passout) OPENSSL_free(passout);
 	OBJ_cleanup();
 #ifndef NO_DSA
 	if (dsa_params != NULL) DSA_free(dsa_params);
@@ -1083,7 +1151,11 @@ static int auto_info(X509_REQ *req, STACK_OF(CONF_VALUE) *dn_sk,
 		 * multiple instances 
 		 */
 		for(p = v->name; *p ; p++) 
 #ifndef CHARSET_EBCDIC
 			if ((*p == ':') || (*p == ',') || (*p == '.')) {
 #else
 			if ((*p == os_toascii[':']) || (*p == os_toascii[',']) || (*p == os_toascii['.'])) {
 #endif
 				p++;
 				if(*p) type = p;
 				break;
@@ -1199,6 +1271,9 @@ start:
 		return(0);
 		}
 	buf[--i]='\0';
 #ifdef CHARSET_EBCDIC
 	ebcdic2ascii(buf, buf, i);
 #endif
 	if(!req_check_len(i, min, max)) goto start;
 	if(!X509_REQ_add1_attr_by_NID(req, nid, MBSTRING_ASC,
@@ -1256,25 +1331,3 @@ static int check_end(char *str, char *end)
 	tmp = str + slen - elen;
 	return strcmp(tmp, end);
 }
 static int add_oid_section(LHASH *conf)
 {	
 	char *p;
 	STACK_OF(CONF_VALUE) *sktmp;
 	CONF_VALUE *cnf;
 	int i;
 	if(!(p=CONF_get_string(conf,NULL,"oid_section"))) return 1;
 	if(!(sktmp = CONF_get_section(conf, p))) {
 		BIO_printf(bio_err, "problem loading oid section %s\n", p);
 		return 0;
 	}
 	for(i = 0; i < sk_CONF_VALUE_num(sktmp); i++) {
 		cnf = sk_CONF_VALUE_value(sktmp, i);
 		if(OBJ_create(cnf->value, cnf->name, cnf->name) == NID_undef) {
 			BIO_printf(bio_err, "problem creating object %s=%s\n",
 							 cnf->name, cnf->value);
 			return 0;
 		}
 	}
 	return 1;
 }
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -68,6 +68,7 @@
 #include <openssl/evp.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 #undef PROG
 #define PROG	rsa_main
@@ -90,9 +91,10 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 	int ret=1;
 	RSA *rsa=NULL;
-	int i,badops=0;
+	int i,badops=0, sgckey=0;
 	const EVP_CIPHER *enc=NULL;
 	BIO *in=NULL,*out=NULL;
 	int informat,outformat,text=0,check=0,noout=0;
@@ -100,6 +102,7 @@ int MAIN(int argc, char **argv)
 	char *infile,*outfile,*prog;
 	char *passargin = NULL, *passargout = NULL;
 	char *passin = NULL, *passout = NULL;
 	char *engine=NULL;
 	int modulus=0;
 	apps_startup();
@@ -148,6 +151,13 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 			}
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 		else if (strcmp(*argv,"-sgckey") == 0)
 			sgckey=1;
 		else if (strcmp(*argv,"-pubin") == 0)
 			pubin=1;
 		else if (strcmp(*argv,"-pubout") == 0)
@@ -178,8 +188,8 @@ bad:
 		BIO_printf(bio_err," -inform arg     input format - one of DER NET PEM\n");
 		BIO_printf(bio_err," -outform arg    output format - one of DER NET PEM\n");
 		BIO_printf(bio_err," -in arg         input file\n");
 		BIO_printf(bio_err," -sgckey         Use IIS SGC key format\n");
 		BIO_printf(bio_err," -passin arg     input file pass phrase source\n");
 		BIO_printf(bio_err," -in arg         input file\n");
 		BIO_printf(bio_err," -out arg        output file\n");
 		BIO_printf(bio_err," -passout arg    output file pass phrase source\n");
 		BIO_printf(bio_err," -des            encrypt PEM output with cbc des\n");
@@ -193,11 +203,30 @@ bad:
 		BIO_printf(bio_err," -check          verify key consistency\n");
 		BIO_printf(bio_err," -pubin          expect a public key in input file\n");
 		BIO_printf(bio_err," -pubout         output a public key\n");
 		BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
 		goto end;
 		}
 	ERR_load_crypto_strings();
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto end;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
 		BIO_printf(bio_err, "Error getting passwords\n");
 		goto end;
@@ -255,7 +284,7 @@ bad:
 				}
 			}
 		p=(unsigned char *)buf->data;
-		rsa=d2i_Netscape_RSA(NULL,&p,(long)size,NULL);
+		rsa=d2i_RSA_NET(NULL,&p,(long)size,NULL, sgckey);
 		BUF_MEM_free(buf);
 		}
 #endif
@@ -276,7 +305,15 @@ bad:
 		}
 	if (outfile == NULL)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
@@ -345,16 +382,16 @@ bad:
 		int size;
 		i=1;
-		size=i2d_Netscape_RSA(rsa,NULL,NULL);
+		size=i2d_RSA_NET(rsa,NULL,NULL, sgckey);
-		if ((p=(unsigned char *)Malloc(size)) == NULL)
+		if ((p=(unsigned char *)OPENSSL_malloc(size)) == NULL)
 			{
-			BIO_printf(bio_err,"Malloc failure\n");
+			BIO_printf(bio_err,"Memory allocation failure\n");
 			goto end;
 			}
 		pp=p;
-		i2d_Netscape_RSA(rsa,&p,NULL);
+		i2d_RSA_NET(rsa,&p,NULL, sgckey);
 		BIO_write(out,(char *)pp,size);
-		Free(pp);
+		OPENSSL_free(pp);
 		}
 #endif
 	else if (outformat == FORMAT_PEM) {
@@ -375,10 +412,10 @@ bad:
 		ret=0;
 end:
 	if(in != NULL) BIO_free(in);
-	if(out != NULL) BIO_free(out);
+	if(out != NULL) BIO_free_all(out);
 	if(rsa != NULL) RSA_free(rsa);
-	if(passin) Free(passin);
+	if(passin) OPENSSL_free(passin);
-	if(passout) Free(passout);
+	if(passout) OPENSSL_free(passout);
 	EXIT(ret);
 	}
 #else /* !NO_RSA */
--- a/apps/rsa/01.pem
+++ b/apps/rsa/01.pem
@@ -1,15 +0,0 @@
 -----BEGIN CERTIFICATE-----
 MIICTjCCAbsCEGiuFKTJn6nzmiPPLxUZs1owDQYJKoZIhvcNAQEEBQAwXzELMAkG
 A1UEBhMCVVMxIDAeBgNVBAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMS4wLAYD
 VQQLEyVTZWN1cmUgU2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk4
 MDUxODAwMDAwMFoXDTk5MDUxODIzNTk1OVowdTELMAkGA1UEBhMCVVMxETAPBgNV
 BAgTCE5ldyBZb3JrMREwDwYDVQQHFAhOZXcgWW9yazEeMBwGA1UEChQVSW5kdXN0
 cmlhbCBQcmVzcyBJbmMuMSAwHgYDVQQDFBd3d3cuaW5kdXN0cmlhbHByZXNzLmNv
 bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqiH9xUJNHvqCmaDon27ValJb
 qTLymF3yKKWBxbODLWjX7yKjewoqWhotaEARI6jXPqomU87gFU1tH4r/bgwh3FmU
 MK3qo92XOsvwNAHzXzWRXQNJmm54g2F1RUt00pgYiOximDse1t9RL5POCDEbfX8D
 gugrE/WwkS2FrSoc5/cCAwEAATANBgkqhkiG9w0BAQQFAAN+AIw7fvF0EtEvrNS/
 LYuqAgUw/tH0FLgCkqKLmYYm/yR+Z0hD2eP/UhF+jAwmV8rHtBnaTM7oN23RVW2k
 Cf8soiGfr2PYtfufpXtd7azUFa+WJCWnp0N29EG0BR1JOFC0Q/4dh/X9qulM8luq
 Pjrmw2eSgbdmmdumWAcNPVbV
 -----END CERTIFICATE-----
--- a/apps/rsa/1.txt
+++ b/apps/rsa/1.txt
@@ -1,50 +0,0 @@
 issuer= /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
 subject=/C=US/ST=New York/L=New York/O=Industrial Press Inc./CN=www.industrialpress.com
 Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            68:ae:14:a4:c9:9f:a9:f3:9a:23:cf:2f:15:19:b3:5a
        Signature Algorithm: md5WithRSAEncryption
        Issuer: C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority
        Validity
            Not Before: May 18 00:00:00 1998 GMT
            Not After : May 18 23:59:59 1999 GMT
        Subject: C=US, ST=New York, L=New York, O=Industrial Press Inc., CN=www.industrialpress.com
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
                Modulus (1024 bit):
                    00:aa:21:fd:c5:42:4d:1e:fa:82:99:a0:e8:9f:6e:
                    d5:6a:52:5b:a9:32:f2:98:5d:f2:28:a5:81:c5:b3:
                    83:2d:68:d7:ef:22:a3:7b:0a:2a:5a:1a:2d:68:40:
                    11:23:a8:d7:3e:aa:26:53:ce:e0:15:4d:6d:1f:8a:
                    ff:6e:0c:21:dc:59:94:30:ad:ea:a3:dd:97:3a:cb:
                    f0:34:01:f3:5f:35:91:5d:03:49:9a:6e:78:83:61:
                    75:45:4b:74:d2:98:18:88:ec:62:98:3b:1e:d6:df:
                    51:2f:93:ce:08:31:1b:7d:7f:03:82:e8:2b:13:f5:
                    b0:91:2d:85:ad:2a:1c:e7:f7
                Exponent: 65537 (0x10001)
    Signature Algorithm: md5WithRSAEncryption
        8c:3b:7e:f1:74:12:d1:2f:ac:d4:bf:2d:8b:aa:02:05:30:fe:
        d1:f4:14:b8:02:92:a2:8b:99:86:26:ff:24:7e:67:48:43:d9:
        e3:ff:52:11:7e:8c:0c:26:57:ca:c7:b4:19:da:4c:ce:e8:37:
        6d:d1:55:6d:a4:09:ff:2c:a2:21:9f:af:63:d8:b5:fb:9f:a5:
        7b:5d:ed:ac:d4:15:af:96:24:25:a7:a7:43:76:f4:41:b4:05:
        1d:49:38:50:b4:43:fe:1d:87:f5:fd:aa:e9:4c:f2:5b:aa:3e:
        3a:e6:c3:67:92:81:b7:66:99:db:a6:58:07:0d:3d:56:d5
 -----BEGIN CERTIFICATE-----
 MIICTjCCAbsCEGiuFKTJn6nzmiPPLxUZs1owDQYJKoZIhvcNAQEEBQAwXzELMAkG
 A1UEBhMCVVMxIDAeBgNVBAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMS4wLAYD
 VQQLEyVTZWN1cmUgU2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk4
 MDUxODAwMDAwMFoXDTk5MDUxODIzNTk1OVowdTELMAkGA1UEBhMCVVMxETAPBgNV
 BAgTCE5ldyBZb3JrMREwDwYDVQQHFAhOZXcgWW9yazEeMBwGA1UEChQVSW5kdXN0
 cmlhbCBQcmVzcyBJbmMuMSAwHgYDVQQDFBd3d3cuaW5kdXN0cmlhbHByZXNzLmNv
 bTCBnzANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEAqiH9xUJNHvqCmaDon27ValJb
 qTLymF3yKKWBxbODLWjX7yKjewoqWhotaEARI6jXPqomU87gFU1tH4r/bgwh3FmU
 MK3qo92XOsvwNAHzXzWRXQNJmm54g2F1RUt00pgYiOximDse1t9RL5POCDEbfX8D
 gugrE/WwkS2FrSoc5/cCAwEAATANBgkqhkiG9w0BAQQFAAN+AIw7fvF0EtEvrNS/
 LYuqAgUw/tH0FLgCkqKLmYYm/yR+Z0hD2eP/UhF+jAwmV8rHtBnaTM7oN23RVW2k
 Cf8soiGfr2PYtfufpXtd7azUFa+WJCWnp0N29EG0BR1JOFC0Q/4dh/X9qulM8luq
 Pjrmw2eSgbdmmdumWAcNPVbV
 -----END CERTIFICATE-----
--- a/apps/rsa/SecureServer.pem
+++ b/apps/rsa/SecureServer.pem
@@ -1,47 +0,0 @@
 Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            02:ad:66:7e:4e:45:fe:5e:57:6f:3c:98:19:5e:dd:c0
        Signature Algorithm: md2WithRSAEncryption
        Issuer: C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority
        Validity
            Not Before: Nov  9 00:00:00 1994 GMT
            Not After : Jan  7 23:59:59 2010 GMT
        Subject: C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1000 bit)
                Modulus (1000 bit):
                    00:92:ce:7a:c1:ae:83:3e:5a:aa:89:83:57:ac:25:
                    01:76:0c:ad:ae:8e:2c:37:ce:eb:35:78:64:54:03:
                    e5:84:40:51:c9:bf:8f:08:e2:8a:82:08:d2:16:86:
                    37:55:e9:b1:21:02:ad:76:68:81:9a:05:a2:4b:c9:
                    4b:25:66:22:56:6c:88:07:8f:f7:81:59:6d:84:07:
                    65:70:13:71:76:3e:9b:77:4c:e3:50:89:56:98:48:
                    b9:1d:a7:29:1a:13:2e:4a:11:59:9c:1e:15:d5:49:
                    54:2c:73:3a:69:82:b1:97:39:9c:6d:70:67:48:e5:
                    dd:2d:d6:c8:1e:7b
                Exponent: 65537 (0x10001)
    Signature Algorithm: md2WithRSAEncryption
        65:dd:7e:e1:b2:ec:b0:e2:3a:e0:ec:71:46:9a:19:11:b8:d3:
        c7:a0:b4:03:40:26:02:3e:09:9c:e1:12:b3:d1:5a:f6:37:a5:
        b7:61:03:b6:5b:16:69:3b:c6:44:08:0c:88:53:0c:6b:97:49:
        c7:3e:35:dc:6c:b9:bb:aa:df:5c:bb:3a:2f:93:60:b6:a9:4b:
        4d:f2:20:f7:cd:5f:7f:64:7b:8e:dc:00:5c:d7:fa:77:ca:39:
        16:59:6f:0e:ea:d3:b5:83:7f:4d:4d:42:56:76:b4:c9:5f:04:
        f8:38:f8:eb:d2:5f:75:5f:cd:7b:fc:e5:8e:80:7c:fc:50
 -----BEGIN CERTIFICATE-----
 MIICNDCCAaECEAKtZn5ORf5eV288mBle3cAwDQYJKoZIhvcNAQECBQAwXzELMAkG
 A1UEBhMCVVMxIDAeBgNVBAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMS4wLAYD
 VQQLEyVTZWN1cmUgU2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk0
 MTEwOTAwMDAwMFoXDTEwMDEwNzIzNTk1OVowXzELMAkGA1UEBhMCVVMxIDAeBgNV
 BAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMS4wLAYDVQQLEyVTZWN1cmUgU2Vy
 dmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGbMA0GCSqGSIb3DQEBAQUAA4GJ
 ADCBhQJ+AJLOesGugz5aqomDV6wlAXYMra6OLDfO6zV4ZFQD5YRAUcm/jwjiioII
 0haGN1XpsSECrXZogZoFokvJSyVmIlZsiAeP94FZbYQHZXATcXY+m3dM41CJVphI
 uR2nKRoTLkoRWZweFdVJVCxzOmmCsZc5nG1wZ0jl3S3WyB57AgMBAAEwDQYJKoZI
 hvcNAQECBQADfgBl3X7hsuyw4jrg7HFGmhkRuNPHoLQDQCYCPgmc4RKz0Vr2N6W3
 YQO2WxZpO8ZECAyIUwxrl0nHPjXcbLm7qt9cuzovk2C2qUtN8iD3zV9/ZHuO3ABc
 1/p3yjkWWW8O6tO1g39NTUJWdrTJXwT4OPjr0l91X817/OWOgHz8UA==
 -----END CERTIFICATE-----
--- a/apps/rsa/s.txt
+++ b/apps/rsa/s.txt
@@ -1,49 +0,0 @@
 issuer= /C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
 subject=/C=US/O=RSA Data Security, Inc./OU=Secure Server Certification Authority
 Certificate:
    Data:
        Version: 1 (0x0)
        Serial Number:
            02:ad:66:7e:4e:45:fe:5e:57:6f:3c:98:19:5e:dd:c0
        Signature Algorithm: md2WithRSAEncryption
        Issuer: C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority
        Validity
            Not Before: Nov  9 00:00:00 1994 GMT
            Not After : Jan  7 23:59:59 2010 GMT
        Subject: C=US, O=RSA Data Security, Inc., OU=Secure Server Certification Authority
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1000 bit)
                Modulus (1000 bit):
                    00:92:ce:7a:c1:ae:83:3e:5a:aa:89:83:57:ac:25:
                    01:76:0c:ad:ae:8e:2c:37:ce:eb:35:78:64:54:03:
                    e5:84:40:51:c9:bf:8f:08:e2:8a:82:08:d2:16:86:
                    37:55:e9:b1:21:02:ad:76:68:81:9a:05:a2:4b:c9:
                    4b:25:66:22:56:6c:88:07:8f:f7:81:59:6d:84:07:
                    65:70:13:71:76:3e:9b:77:4c:e3:50:89:56:98:48:
                    b9:1d:a7:29:1a:13:2e:4a:11:59:9c:1e:15:d5:49:
                    54:2c:73:3a:69:82:b1:97:39:9c:6d:70:67:48:e5:
                    dd:2d:d6:c8:1e:7b
                Exponent: 65537 (0x10001)
    Signature Algorithm: md2WithRSAEncryption
        65:dd:7e:e1:b2:ec:b0:e2:3a:e0:ec:71:46:9a:19:11:b8:d3:
        c7:a0:b4:03:40:26:02:3e:09:9c:e1:12:b3:d1:5a:f6:37:a5:
        b7:61:03:b6:5b:16:69:3b:c6:44:08:0c:88:53:0c:6b:97:49:
        c7:3e:35:dc:6c:b9:bb:aa:df:5c:bb:3a:2f:93:60:b6:a9:4b:
        4d:f2:20:f7:cd:5f:7f:64:7b:8e:dc:00:5c:d7:fa:77:ca:39:
        16:59:6f:0e:ea:d3:b5:83:7f:4d:4d:42:56:76:b4:c9:5f:04:
        f8:38:f8:eb:d2:5f:75:5f:cd:7b:fc:e5:8e:80:7c:fc:50
 -----BEGIN CERTIFICATE-----
 MIICNDCCAaECEAKtZn5ORf5eV288mBle3cAwDQYJKoZIhvcNAQECBQAwXzELMAkG
 A1UEBhMCVVMxIDAeBgNVBAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMS4wLAYD
 VQQLEyVTZWN1cmUgU2VydmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk0
 MTEwOTAwMDAwMFoXDTEwMDEwNzIzNTk1OVowXzELMAkGA1UEBhMCVVMxIDAeBgNV
 BAoTF1JTQSBEYXRhIFNlY3VyaXR5LCBJbmMuMS4wLAYDVQQLEyVTZWN1cmUgU2Vy
 dmVyIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGbMA0GCSqGSIb3DQEBAQUAA4GJ
 ADCBhQJ+AJLOesGugz5aqomDV6wlAXYMra6OLDfO6zV4ZFQD5YRAUcm/jwjiioII
 0haGN1XpsSECrXZogZoFokvJSyVmIlZsiAeP94FZbYQHZXATcXY+m3dM41CJVphI
 uR2nKRoTLkoRWZweFdVJVCxzOmmCsZc5nG1wZ0jl3S3WyB57AgMBAAEwDQYJKoZI
 hvcNAQECBQADfgBl3X7hsuyw4jrg7HFGmhkRuNPHoLQDQCYCPgmc4RKz0Vr2N6W3
 YQO2WxZpO8ZECAyIUwxrl0nHPjXcbLm7qt9cuzovk2C2qUtN8iD3zV9/ZHuO3ABc
 1/p3yjkWWW8O6tO1g39NTUJWdrTJXwT4OPjr0l91X817/OWOgHz8UA==
 -----END CERTIFICATE-----
--- a/apps/rsautl.c
+++ b/apps/rsautl.c
@@ -0,0 +1,319 @@
 /* rsautl.c */
 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
 * project 2000.
 */
 /* ====================================================================
 * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
 #ifndef NO_RSA
 #include "apps.h"
 #include <string.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 #define RSA_SIGN 	1
 #define RSA_VERIFY 	2
 #define RSA_ENCRYPT 	3
 #define RSA_DECRYPT 	4
 #define KEY_PRIVKEY	1
 #define KEY_PUBKEY	2
 #define KEY_CERT	3
 static void usage(void);
 #undef PROG
 #define PROG rsautl_main
 int MAIN(int argc, char **);
 int MAIN(int argc, char **argv)
 {
 	ENGINE *e = NULL;
 	BIO *in = NULL, *out = NULL;
 	char *infile = NULL, *outfile = NULL;
 	char *keyfile = NULL;
 	char rsa_mode = RSA_VERIFY, key_type = KEY_PRIVKEY;
 	int keyform = FORMAT_PEM;
 	char need_priv = 0, badarg = 0, rev = 0;
 	char hexdump = 0, asn1parse = 0;
 	X509 *x;
 	EVP_PKEY *pkey = NULL;
 	RSA *rsa = NULL;
 	unsigned char *rsa_in = NULL, *rsa_out = NULL, pad;
 	int rsa_inlen, rsa_outlen = 0;
 	int keysize;
 	char *engine=NULL;
 	int ret = 1;
 	argc--;
 	argv++;
 	if(!bio_err) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
 	ERR_load_crypto_strings();
 	OpenSSL_add_all_algorithms();
 	pad = RSA_PKCS1_PADDING;
 	while(argc >= 1)
 	{
 		if (!strcmp(*argv,"-in")) {
 			if (--argc < 1) badarg = 1;
                        infile= *(++argv);
 		} else if (!strcmp(*argv,"-out")) {
 			if (--argc < 1) badarg = 1;
 			outfile= *(++argv);
 		} else if(!strcmp(*argv, "-inkey")) {
 			if (--argc < 1) badarg = 1;
 			keyfile = *(++argv);
 		} else if(!strcmp(*argv, "-engine")) {
 			if (--argc < 1) badarg = 1;
 			engine = *(++argv);
 		} else if(!strcmp(*argv, "-pubin")) {
 			key_type = KEY_PUBKEY;
 		} else if(!strcmp(*argv, "-certin")) {
 			key_type = KEY_CERT;
 		} 
 		else if(!strcmp(*argv, "-asn1parse")) asn1parse = 1;
 		else if(!strcmp(*argv, "-hexdump")) hexdump = 1;
 		else if(!strcmp(*argv, "-raw")) pad = RSA_NO_PADDING;
 		else if(!strcmp(*argv, "-oaep")) pad = RSA_PKCS1_OAEP_PADDING;
 		else if(!strcmp(*argv, "-ssl")) pad = RSA_SSLV23_PADDING;
 		else if(!strcmp(*argv, "-pkcs")) pad = RSA_PKCS1_PADDING;
 		else if(!strcmp(*argv, "-sign")) {
 			rsa_mode = RSA_SIGN;
 			need_priv = 1;
 		} else if(!strcmp(*argv, "-verify")) rsa_mode = RSA_VERIFY;
 		else if(!strcmp(*argv, "-rev")) rev = 1;
 		else if(!strcmp(*argv, "-encrypt")) rsa_mode = RSA_ENCRYPT;
 		else if(!strcmp(*argv, "-decrypt")) {
 			rsa_mode = RSA_DECRYPT;
 			need_priv = 1;
 		} else badarg = 1;
 		if(badarg) {
 			usage();
 			goto end;
 		}
 		argc--;
 		argv++;
 	}
 	if(need_priv && (key_type != KEY_PRIVKEY)) {
 		BIO_printf(bio_err, "A private key is needed for this operation\n");
 		goto end;
 	}
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto end;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 /* FIXME: seed PRNG only if needed */
 	app_RAND_load_file(NULL, bio_err, 0);
 	switch(key_type) {
 		case KEY_PRIVKEY:
 		pkey = load_key(bio_err, keyfile, keyform, NULL);
 		break;
 		case KEY_PUBKEY:
 		pkey = load_pubkey(bio_err, keyfile, keyform);
 		break;
 		case KEY_CERT:
 		x = load_cert(bio_err, keyfile, keyform);
 		if(x) {
 			pkey = X509_get_pubkey(x);
 			X509_free(x);
 		}
 		break;
 	}
 	if(!pkey) {
 		BIO_printf(bio_err, "Error loading key\n");
 		return 1;
 	}
 	rsa = EVP_PKEY_get1_RSA(pkey);
 	EVP_PKEY_free(pkey);
 	if(!rsa) {
 		BIO_printf(bio_err, "Error getting RSA key\n");
 		ERR_print_errors(bio_err);
 		goto end;
 	}
 	if(infile) {
 		if(!(in = BIO_new_file(infile, "rb"))) {
 			BIO_printf(bio_err, "Error Reading Input File\n");
 			ERR_print_errors(bio_err);	
 			goto end;
 		}
 	} else in = BIO_new_fp(stdin, BIO_NOCLOSE);
 	if(outfile) {
 		if(!(out = BIO_new_file(outfile, "wb"))) {
 			BIO_printf(bio_err, "Error Reading Output File\n");
 			ERR_print_errors(bio_err);	
 			goto end;
 		}
 	} else {
 		out = BIO_new_fp(stdout, BIO_NOCLOSE);
 #ifdef VMS
 		{
 		    BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		    out = BIO_push(tmpbio, out);
 		}
 #endif
 	}
 	keysize = RSA_size(rsa);
 	rsa_in = OPENSSL_malloc(keysize * 2);
 	rsa_out = OPENSSL_malloc(keysize);
 	/* Read the input data */
 	rsa_inlen = BIO_read(in, rsa_in, keysize * 2);
 	if(rsa_inlen <= 0) {
 		BIO_printf(bio_err, "Error reading input Data\n");
 		exit(1);
 	}
 	if(rev) {
 		int i;
 		unsigned char ctmp;
 		for(i = 0; i < rsa_inlen/2; i++) {
 			ctmp = rsa_in[i];
 			rsa_in[i] = rsa_in[rsa_inlen - 1 - i];
 			rsa_in[rsa_inlen - 1 - i] = ctmp;
 		}
 	}
 	switch(rsa_mode) {
 		case RSA_VERIFY:
 			rsa_outlen  = RSA_public_decrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
 		break;
 		case RSA_SIGN:
 			rsa_outlen  = RSA_private_encrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
 		break;
 		case RSA_ENCRYPT:
 			rsa_outlen  = RSA_public_encrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
 		break;
 		case RSA_DECRYPT:
 			rsa_outlen  = RSA_private_decrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
 		break;
 	}
 	if(rsa_outlen <= 0) {
 		BIO_printf(bio_err, "RSA operation error\n");
 		ERR_print_errors(bio_err);
 		goto end;
 	}
 	ret = 0;
 	if(asn1parse) {
 		if(!ASN1_parse_dump(out, rsa_out, rsa_outlen, 1, -1)) {
 			ERR_print_errors(bio_err);
 		}
 	} else if(hexdump) BIO_dump(out, (char *)rsa_out, rsa_outlen);
 	else BIO_write(out, rsa_out, rsa_outlen);
 	end:
 	RSA_free(rsa);
 	BIO_free(in);
 	BIO_free_all(out);
 	if(rsa_in) OPENSSL_free(rsa_in);
 	if(rsa_out) OPENSSL_free(rsa_out);
 	return ret;
 }
 static void usage()
 {
 	BIO_printf(bio_err, "Usage: rsautl [options]\n");
 	BIO_printf(bio_err, "-in file        input file\n");
 	BIO_printf(bio_err, "-out file       output file\n");
 	BIO_printf(bio_err, "-inkey file     input key\n");
 	BIO_printf(bio_err, "-pubin          input is an RSA public\n");
 	BIO_printf(bio_err, "-certin         input is a certificate carrying an RSA public key\n");
 	BIO_printf(bio_err, "-engine e       use engine e, possibly a hardware device.\n");
 	BIO_printf(bio_err, "-ssl            use SSL v2 padding\n");
 	BIO_printf(bio_err, "-raw            use no padding\n");
 	BIO_printf(bio_err, "-pkcs           use PKCS#1 v1.5 padding (default)\n");
 	BIO_printf(bio_err, "-oaep           use PKCS#1 OAEP\n");
 	BIO_printf(bio_err, "-sign           sign with private key\n");
 	BIO_printf(bio_err, "-verify         verify with public key\n");
 	BIO_printf(bio_err, "-encrypt        encrypt with public key\n");
 	BIO_printf(bio_err, "-decrypt        decrypt with private key\n");
 	BIO_printf(bio_err, "-hexdump        hex dump output\n");
 }
 #endif
--- a/apps/s_apps.h
+++ b/apps/s_apps.h
@@ -84,7 +84,6 @@ typedef fd_mask fd_set;
 #define PORT_STR        "4433"
 #define PROTOCOL        "tcp"
 int do_accept(int acc_sock, int *sock, char **host);
 int do_server(int port, int *ret, int (*cb) (), char *context);
 #ifdef HEADER_X509_H
 int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
@@ -97,17 +96,9 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
 int set_cert_stuff(char *ctx, char *cert_file, char *key_file);
 #endif
 int init_client(int *sock, char *server, int port);
 int init_client_ip(int *sock,unsigned char ip[4], int port);
 int nbio_init_client_ip(int *sock,unsigned char ip[4], int port);
 int nbio_sock_error(int sock);
 int spawn(int argc, char **argv, int *in, int *out);
 int init_server(int *sock, int port);
 int init_server_long(int *sock, int port,char *ip);
 int should_retry(int i);
 void sock_cleanup(void );
 int extract_port(char *str, short *port_ptr);
 int extract_host_port(char *str,char **host_ptr,unsigned char *ip,short *p);
 int host_ip(char *str, unsigned char ip[4]);
 long MS_CALLBACK bio_dump_cb(BIO *bio, int cmd, const char *argp,
 	int argi, long argl, long ret);
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -1,4 +1,4 @@
-/* apps/s_cb.c */
+/* apps/s_cb.c - callback functions used by s_client, s_server, and s_time */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -79,6 +79,8 @@ typedef unsigned int u_int;
 #include <openssl/ssl.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/rand.h>
 #include <openssl/engine.h>
 #include "s_apps.h"
 #ifdef WINDOWS
@@ -117,6 +119,7 @@ static void sc_usage(void);
 static void print_stuff(BIO *berr,SSL *con,int full);
 static BIO *bio_c_out=NULL;
 static int c_quiet=0;
 static int c_ign_eof=0;
 static void sc_usage(void)
 	{
@@ -143,6 +146,7 @@ static void sc_usage(void)
 #endif
 	BIO_printf(bio_err," -crlf         - convert LF from terminal into CRLF\n");
 	BIO_printf(bio_err," -quiet        - no s_client output\n");
 	BIO_printf(bio_err," -ign_eof      - ignore input eof (default when -quiet)\n");
 	BIO_printf(bio_err," -ssl2         - just use SSLv2\n");
 	BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
 	BIO_printf(bio_err," -tls1         - just use TLSv1\n");
@@ -150,7 +154,8 @@ static void sc_usage(void)
 	BIO_printf(bio_err," -bugs         - Switch on all SSL implementation bug workarounds\n");
 	BIO_printf(bio_err," -cipher       - preferred cipher to use, use the 'openssl ciphers'\n");
 	BIO_printf(bio_err,"                 command to see what is available\n");
-
+	BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 	BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
 	}
 int MAIN(int, char **);
@@ -177,6 +182,9 @@ int MAIN(int argc, char **argv)
 	int prexit = 0;
 	SSL_METHOD *meth=NULL;
 	BIO *sbio;
 	char *inrand=NULL;
 	char *engine_id=NULL;
 	ENGINE *e=NULL;
 #ifdef WINDOWS
 	struct timeval tv;
 #endif
@@ -192,14 +200,15 @@ int MAIN(int argc, char **argv)
 	apps_startup();
 	c_Pause=0;
 	c_quiet=0;
 	c_ign_eof=0;
 	c_debug=0;
 	c_showcerts=0;
 	if (bio_err == NULL)
 		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
-	if (	((cbuf=Malloc(BUFSIZZ)) == NULL) ||
+	if (	((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) ||
-		((sbuf=Malloc(BUFSIZZ)) == NULL))
+		((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL))
 		{
 		BIO_printf(bio_err,"out of memory\n");
 		goto end;
@@ -249,7 +258,12 @@ int MAIN(int argc, char **argv)
 		else if	(strcmp(*argv,"-crlf") == 0)
 			crlf=1;
 		else if	(strcmp(*argv,"-quiet") == 0)
 			{
 			c_quiet=1;
 			c_ign_eof=1;
 			}
 		else if	(strcmp(*argv,"-ign_eof") == 0)
 			c_ign_eof=1;
 		else if	(strcmp(*argv,"-pause") == 0)
 			c_Pause=1;
 		else if	(strcmp(*argv,"-debug") == 0)
@@ -308,6 +322,16 @@ int MAIN(int argc, char **argv)
 		else if (strcmp(*argv,"-nbio") == 0)
 			{ c_nbio=1; }
 #endif
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) goto bad;
 			inrand= *(++argv);
 			}
 		else if	(strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine_id = *(++argv);
 			}
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
@@ -324,7 +348,14 @@ bad:
 		goto end;
 		}
-	app_RAND_load_file(NULL, bio_err, 0);
+	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
 		&& !RAND_status())
 		{
 		BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
 		}
 	if (inrand != NULL)
 		BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
 			app_RAND_load_files(inrand));
 	if (bio_c_out == NULL)
 		{
@@ -341,6 +372,30 @@ bad:
 	OpenSSL_add_ssl_algorithms();
 	SSL_load_error_strings();
 	if (engine_id != NULL)
 		{
 		if((e = ENGINE_by_id(engine_id)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine\n");
 			ERR_print_errors(bio_err);
 			goto end;
 			}
 		if (c_debug)
 			{
 			ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM,
 				0, bio_err, 0);
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			ERR_print_errors(bio_err);
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine_id);
 		ENGINE_free(e);
 		}
 	ctx=SSL_CTX_new(meth);
 	if (ctx == NULL)
 		{
@@ -515,7 +570,7 @@ re_start:
 					tv.tv_usec = 0;
 					i=select(width,(void *)&readfds,(void *)&writefds,
 						 NULL,&tv);
-					if(!i && (!_kbhit() || !read_tty) ) continue;
+					if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
 				} else 	i=select(width,(void *)&readfds,(void *)&writefds,
 					 NULL,NULL);
 			}
@@ -681,7 +736,7 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240
 			}
 #ifdef WINDOWS
-		else if (_kbhit())
+		else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
 #else
 		else if (FD_ISSET(fileno(stdin),&readfds))
 #endif
@@ -711,13 +766,13 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240
 			else
 				i=read(fileno(stdin),cbuf,BUFSIZZ);
-			if ((!c_quiet) && ((i <= 0) || (cbuf[0] == 'Q')))
+			if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q')))
 				{
 				BIO_printf(bio_err,"DONE\n");
 				goto shut;
 				}
-			if ((!c_quiet) && (cbuf[0] == 'R'))
+			if ((!c_ign_eof) && (cbuf[0] == 'R'))
 				{
 				BIO_printf(bio_err,"RENEGOTIATING\n");
 				SSL_renegotiate(con);
@@ -745,8 +800,8 @@ end:
 	if (con != NULL) SSL_free(con);
 	if (con2 != NULL) SSL_free(con2);
 	if (ctx != NULL) SSL_CTX_free(ctx);
-	if (cbuf != NULL) { memset(cbuf,0,BUFSIZZ); Free(cbuf); }
+	if (cbuf != NULL) { memset(cbuf,0,BUFSIZZ); OPENSSL_free(cbuf); }
-	if (sbuf != NULL) { memset(sbuf,0,BUFSIZZ); Free(sbuf); }
+	if (sbuf != NULL) { memset(sbuf,0,BUFSIZZ); OPENSSL_free(sbuf); }
 	if (bio_c_out != NULL)
 		{
 		BIO_free(bio_c_out);
@@ -873,5 +928,7 @@ static void print_stuff(BIO *bio, SSL *s, int full)
 	BIO_printf(bio,"---\n");
 	if (peer != NULL)
 		X509_free(peer);
 	/* flush, or debugging output gets mixed with http response */
 	BIO_flush(bio);
 	}
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -83,6 +83,8 @@ typedef unsigned int u_int;
 #include <openssl/pem.h>
 #include <openssl/x509.h>
 #include <openssl/ssl.h>
 #include <openssl/rand.h>
 #include <openssl/engine.h>
 #include "s_apps.h"
 #ifdef WINDOWS
@@ -176,6 +178,7 @@ static int s_debug=0;
 static int s_quiet=0;
 static int hack=0;
 static char *engine_id=NULL;
 #ifdef MONOLITH
 static void s_server_init(void)
@@ -198,6 +201,7 @@ static void s_server_init(void)
 	s_debug=0;
 	s_quiet=0;
 	hack=0;
 	engine_id=NULL;
 	}
 #endif
@@ -242,6 +246,8 @@ static void sv_usage(void)
 	BIO_printf(bio_err," -bugs         - Turn on SSL bug compatibility\n");
 	BIO_printf(bio_err," -www          - Respond to a 'GET /' with a status page\n");
 	BIO_printf(bio_err," -WWW          - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
 	BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 	BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
 	}
 static int local_argc=0;
@@ -285,7 +291,7 @@ static int ebcdic_new(BIO *bi)
 {
 	EBCDIC_OUTBUFF *wbuf;
-	wbuf = (EBCDIC_OUTBUFF *)Malloc(sizeof(EBCDIC_OUTBUFF) + 1024);
+	wbuf = (EBCDIC_OUTBUFF *)OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + 1024);
 	wbuf->alloced = 1024;
 	wbuf->buff[0] = '\0';
@@ -299,7 +305,7 @@ static int ebcdic_free(BIO *a)
 {
 	if (a == NULL) return(0);
 	if (a->ptr != NULL)
-		Free(a->ptr);
+		OPENSSL_free(a->ptr);
 	a->ptr=NULL;
 	a->init=0;
 	a->flags=0;
@@ -336,8 +342,8 @@ static int ebcdic_write(BIO *b, char *in, int inl)
 		num = num + num;  /* double the size */
 		if (num < inl)
 			num = inl;
-		Free(wbuf);
+		OPENSSL_free(wbuf);
-		wbuf=(EBCDIC_OUTBUFF *)Malloc(sizeof(EBCDIC_OUTBUFF) + num);
+		wbuf=(EBCDIC_OUTBUFF *)OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + num);
 		wbuf->alloced = num;
 		wbuf->buff[0] = '\0';
@@ -411,6 +417,9 @@ int MAIN(int argc, char *argv[])
 	int no_tmp_rsa=0,no_dhe=0,nocert=0;
 	int state=0;
 	SSL_METHOD *meth=NULL;
 	char *inrand=NULL;
 	char *engine_id=NULL;
 	ENGINE *e=NULL;
 #ifndef NO_DH
 	DH *dh=NULL;
 #endif
@@ -565,6 +574,16 @@ int MAIN(int argc, char *argv[])
 		else if	(strcmp(*argv,"-tls1") == 0)
 			{ meth=TLSv1_server_method(); }
 #endif
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) goto bad;
 			inrand= *(++argv);
 			}
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine_id= *(++argv);
 			}
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
@@ -581,7 +600,14 @@ bad:
 		goto end;
 		}
-	app_RAND_load_file(NULL, bio_err, 0);
+	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
 		&& !RAND_status())
 		{
 		BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
 		}
 	if (inrand != NULL)
 		BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
 			app_RAND_load_files(inrand));
 	if (bio_s_out == NULL)
 		{
@@ -609,6 +635,29 @@ bad:
 	SSL_load_error_strings();
 	OpenSSL_add_ssl_algorithms();
 	if (engine_id != NULL)
 		{
 		if((e = ENGINE_by_id(engine_id)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine\n");
 			ERR_print_errors(bio_err);
 			goto end;
 			}
 		if (s_debug)
 			{
 			ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM,
 				0, bio_err, 0);
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			ERR_print_errors(bio_err);
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine_id);
 		ENGINE_free(e);
 		}
 	ctx=SSL_CTX_new(meth);
 	if (ctx == NULL)
 		{
@@ -676,7 +725,8 @@ bad:
 #ifndef NO_RSA
 #if 1
-	SSL_CTX_set_tmp_rsa_callback(ctx,tmp_rsa_cb);
+	if (!no_tmp_rsa)
 		SSL_CTX_set_tmp_rsa_callback(ctx,tmp_rsa_cb);
 #else
 	if (!no_tmp_rsa && SSL_CTX_need_tmp_RSA(ctx))
 		{
@@ -766,7 +816,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 	struct timeval tv;
 #endif
-	if ((buf=Malloc(bufsize)) == NULL)
+	if ((buf=OPENSSL_malloc(bufsize)) == NULL)
 		{
 		BIO_printf(bio_err,"out of memory\n");
 		goto err;
@@ -1028,7 +1078,7 @@ err:
 	if (buf != NULL)
 		{
 		memset(buf,0,bufsize);
-		Free(buf);
+		OPENSSL_free(buf);
 		}
 	if (ret >= 0)
 		BIO_printf(bio_s_out,"ACCEPT\n");
@@ -1145,7 +1195,7 @@ static int www_body(char *hostname, int s, unsigned char *context)
 	BIO *io,*ssl_bio,*sbio;
 	long total_bytes;
-	buf=Malloc(bufsize);
+	buf=OPENSSL_malloc(bufsize);
 	if (buf == NULL) return(0);
 	io=BIO_new(BIO_f_buffer());
 	ssl_bio=BIO_new(BIO_f_ssl());
@@ -1336,15 +1386,29 @@ static int www_body(char *hostname, int s, unsigned char *context)
 			/* skip the '/' */
 			p= &(buf[5]);
-			dot=0;
+
 			dot = 1;
 			for (e=p; *e != '\0'; e++)
 				{
-				if (e[0] == ' ') break;
+				if (e[0] == ' ')
-				if (	(e[0] == '.') &&
+					break;
-					(strncmp(&(e[-1]),"/../",4) == 0))
+
-					dot=1;
+				switch (dot)
 					{
 				case 1:
 					dot = (e[0] == '.') ? 2 : 0;
 					break;
 				case 2:
 					dot = (e[0] == '.') ? 3 : 0;
 					break;
 				case 3:
 					dot = (e[0] == '/') ? -1 : 0;
 					break;
 					}
 				if (dot == 0)
 					dot = (e[0] == '/') ? 1 : 0;
 				}
-			
+			dot = (dot == 3) || (dot == -1); /* filename contains ".." component */
 			if (*e == '\0')
 				{
@@ -1368,9 +1432,11 @@ static int www_body(char *hostname, int s, unsigned char *context)
 				break;
 				}
 #if 0
 			/* append if a directory lookup */
 			if (e[-1] == '/')
 				strcat(p,"index.html");
 #endif
 			/* if a directory, do the index thang */
 			if (stat(p,&st_buf) < 0)
@@ -1382,7 +1448,13 @@ static int www_body(char *hostname, int s, unsigned char *context)
 				}
 			if (S_ISDIR(st_buf.st_mode))
 				{
 #if 0 /* must check buffer size */
 				strcat(p,"/index.html");
 #else
 				BIO_puts(io,text);
 				BIO_printf(io,"'%s' is a directory\r\n",p);
 				break;
 #endif
 				}
 			if ((file=BIO_new_file(p,"r")) == NULL)
@@ -1474,7 +1546,7 @@ err:
 	if (ret >= 0)
 		BIO_printf(bio_s_out,"ACCEPT\n");
-	if (buf != NULL) Free(buf);
+	if (buf != NULL) OPENSSL_free(buf);
 	if (io != NULL) BIO_free_all(io);
 /*	if (ssl_bio != NULL) BIO_free(ssl_bio);*/
 	return(ret);
--- a/apps/s_socket.c
+++ b/apps/s_socket.c
@@ -1,4 +1,4 @@
-/* apps/s_socket.c */
+/* apps/s_socket.c -  socket-related functions used by s_client and s_server */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -79,16 +79,17 @@ typedef unsigned int u_int;
 #include "s_apps.h"
 #include <openssl/ssl.h>
 #ifdef VMS
 #if (__VMS_VER < 70000000) /* FIONBIO used as a switch to enable ioctl,
 			      and that isn't in VMS < 7.0 */
 #undef FIONBIO
 #endif
 #include <processes.h> /* for vfork() */
 #endif
 static struct hostent *GetHostByName(char *name);
-int sock_init(void );
+#ifdef WINDOWS
 static void sock_cleanup(void);
 #endif
 static int sock_init(void);
 static int init_client_ip(int *sock,unsigned char ip[4], int port);
 static int init_server(int *sock, int port);
 static int init_server_long(int *sock, int port,char *ip);
 static int do_accept(int acc_sock, int *sock, char **host);
 static int host_ip(char *str, unsigned char ip[4]);
 #ifdef WIN16
 #define SOCKET_PROTOCOL	0 /* more microsoft stupidity */
 #else
@@ -131,19 +132,19 @@ static BOOL CALLBACK enumproc(HWND hwnd,LPARAM lParam)
 #endif /* WIN32 */
 #endif /* WINDOWS */
 void sock_cleanup(void)
 	{
 #ifdef WINDOWS
 static void sock_cleanup(void)
 	{
 	if (wsa_init_done)
 		{
 		wsa_init_done=0;
 		WSACancelBlockingCall();
 		WSACleanup();
 		}
 #endif
 	}
 #endif
-int sock_init(void)
+static int sock_init(void)
 	{
 #ifdef WINDOWS
 	if (!wsa_init_done)
@@ -187,7 +188,7 @@ int init_client(int *sock, char *host, int port)
 	return(init_client_ip(sock,ip,port));
 	}
-int init_client_ip(int *sock, unsigned char ip[4], int port)
+static int init_client_ip(int *sock, unsigned char ip[4], int port)
 	{
 	unsigned long addr;
 	struct sockaddr_in them;
@@ -208,9 +209,11 @@ int init_client_ip(int *sock, unsigned char ip[4], int port)
 	s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
 	if (s == INVALID_SOCKET) { perror("socket"); return(0); }
 #ifndef MPE
 	i=0;
 	i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
 	if (i < 0) { perror("keepalive"); return(0); }
 #endif
 	if (connect(s,(struct sockaddr *)&them,sizeof(them)) == -1)
 		{ close(s); perror("connect"); return(0); }
@@ -218,75 +221,6 @@ int init_client_ip(int *sock, unsigned char ip[4], int port)
 	return(1);
 	}
 int nbio_sock_error(int sock)
 	{
 	int j,i;
 	int size;
 	size=sizeof(int);
 	/* Note: under VMS with SOCKETSHR the third parameter is currently
 	 * of type (int *) whereas under other systems it is (void *) if
 	 * you don't have a cast it will choke the compiler: if you do
 	 * have a cast then you can either go for (int *) or (void *).
 	 */
 	i=getsockopt(sock,SOL_SOCKET,SO_ERROR,(char *)&j,(void *)&size);
 	if (i < 0)
 		return(1);
 	else
 		return(j);
 	}
 int nbio_init_client_ip(int *sock, unsigned char ip[4], int port)
 	{
 	unsigned long addr;
 	struct sockaddr_in them;
 	int s,i;
 	if (!sock_init()) return(0);
 	memset((char *)&them,0,sizeof(them));
 	them.sin_family=AF_INET;
 	them.sin_port=htons((unsigned short)port);
 	addr=	(unsigned long)
 		((unsigned long)ip[0]<<24L)|
 		((unsigned long)ip[1]<<16L)|
 		((unsigned long)ip[2]<< 8L)|
 		((unsigned long)ip[3]);
 	them.sin_addr.s_addr=htonl(addr);
 	if (*sock <= 0)
 		{
 #ifdef FIONBIO
 		unsigned long l=1;
 #endif
 		s=socket(AF_INET,SOCK_STREAM,SOCKET_PROTOCOL);
 		if (s == INVALID_SOCKET) { perror("socket"); return(0); }
 		i=0;
 		i=setsockopt(s,SOL_SOCKET,SO_KEEPALIVE,(char *)&i,sizeof(i));
 		if (i < 0) { perror("keepalive"); return(0); }
 		*sock=s;
 #ifdef FIONBIO
 		BIO_socket_ioctl(s,FIONBIO,&l);
 #endif
 		}
 	else
 		s= *sock;
 	i=connect(s,(struct sockaddr *)&them,sizeof(them));
 	if (i == INVALID_SOCKET)
 		{
 		if (BIO_sock_should_retry(i))
 			return(-1);
 		else
 			return(0);
 		}
 	else
 		return(1);
 	}
 int do_server(int port, int *ret, int (*cb)(), char *context)
 	{
 	int sock;
@@ -309,7 +243,7 @@ int do_server(int port, int *ret, int (*cb)(), char *context)
 			return(0);
 			}
 		i=(*cb)(name,sock, context);
-		if (name != NULL) Free(name);
+		if (name != NULL) OPENSSL_free(name);
 		SHUTDOWN2(sock);
 		if (i < 0)
 			{
@@ -319,7 +253,7 @@ int do_server(int port, int *ret, int (*cb)(), char *context)
 		}
 	}
-int init_server_long(int *sock, int port, char *ip)
+static int init_server_long(int *sock, int port, char *ip)
 	{
 	int ret=0;
 	struct sockaddr_in server;
@@ -369,12 +303,12 @@ err:
 	return(ret);
 	}
-int init_server(int *sock, int port)
+static int init_server(int *sock, int port)
 	{
 	return(init_server_long(sock, port, NULL));
 	}
-int do_accept(int acc_sock, int *sock, char **host)
+static int do_accept(int acc_sock, int *sock, char **host)
 	{
 	int ret,i;
 	struct hostent *h1,*h2;
@@ -440,9 +374,9 @@ redoit:
 		}
 	else
 		{
-		if ((*host=(char *)Malloc(strlen(h1->h_name)+1)) == NULL)
+		if ((*host=(char *)OPENSSL_malloc(strlen(h1->h_name)+1)) == NULL)
 			{
-			perror("Malloc");
+			perror("OPENSSL_malloc");
 			return(0);
 			}
 		strcpy(*host,h1->h_name);
@@ -490,7 +424,7 @@ err:
 	return(0);
 	}
-int host_ip(char *str, unsigned char ip[4])
+static int host_ip(char *str, unsigned char ip[4])
 	{
 	unsigned int in[4]; 
 	int i;
@@ -606,69 +540,3 @@ static struct hostent *GetHostByName(char *name)
 		return(ret);
 		}
 	}
 #ifndef MSDOS
 int spawn(int argc, char **argv, int *in, int *out)
 	{
 	int pid;
 #define CHILD_READ	p1[0]
 #define CHILD_WRITE	p2[1]
 #define PARENT_READ	p2[0]
 #define PARENT_WRITE	p1[1]
 	int p1[2],p2[2];
 	if ((pipe(p1) < 0) || (pipe(p2) < 0)) return(-1);
 #ifdef VMS
 	if ((pid=vfork()) == 0)
 #else
 	if ((pid=fork()) == 0)
 #endif
 		{ /* child */
 		if (dup2(CHILD_WRITE,fileno(stdout)) < 0)
 			perror("dup2");
 		if (dup2(CHILD_WRITE,fileno(stderr)) < 0)
 			perror("dup2");
 		if (dup2(CHILD_READ,fileno(stdin)) < 0)
 			perror("dup2");
 		close(CHILD_READ); 
 		close(CHILD_WRITE);
 		close(PARENT_READ);
 		close(PARENT_WRITE);
 		execvp(argv[0],argv);
 		perror("child");
 		exit(1);
 		}
 	/* parent */
 	*in= PARENT_READ;
 	*out=PARENT_WRITE;
 	close(CHILD_READ);
 	close(CHILD_WRITE);
 	return(pid);
 	}
 #endif /* MSDOS */
 #ifdef undef
 	/* Turn on synchronous sockets so that we can do a WaitForMultipleObjects
 	 * on sockets */
 	{
 	SOCKET s;
 	int optionValue = SO_SYNCHRONOUS_NONALERT;
 	int err;
 	err = setsockopt( 
 	    INVALID_SOCKET, 
 	    SOL_SOCKET, 
 	    SO_OPENTYPE, 
 	    (char *)&optionValue, 
 	    sizeof(optionValue));
 	if (err != NO_ERROR) {
 	/* failed for some reason... */
 		BIO_printf(bio_err, "failed to setsockopt(SO_OPENTYPE, SO_SYNCHRONOUS_ALERT) - %d\n",
 			WSAGetLastError());
 		}
 	}
 #endif
--- a/apps/server.pem
+++ b/apps/server.pem
@@ -1,17 +1,17 @@
 issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
-subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
+subject= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Server test cert (512 bit)
 -----BEGIN CERTIFICATE-----
-MIIB6TCCAVICAQQwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV
+MIIB6TCCAVICAQYwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV
 BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYD
-VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNOTgwNjI5MjM1MjQwWhcNMDAwNjI4
+VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNMDAxMDE2MjIzMTAzWhcNMDMwMTE0
-MjM1MjQwWjBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG
+MjIzMTAzWjBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG
 A1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxIzAhBgNVBAMTGlNlcnZlciB0ZXN0IGNl
 cnQgKDUxMiBiaXQpMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBAJ+zw4Qnlf8SMVIP
 Fe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVDTGiXav6ooKXfX3j/7tdkuD8Ey2//
-Kv7+ue0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQCVvvfkGSe2GHgDFfmOua4Isjb9
+Kv7+ue0CAwEAATANBgkqhkiG9w0BAQQFAAOBgQCT0grFQeZaqYb5EYfk20XixZV4
-JVhImWMASiOClkZlMESDJjsszg/6+d/W+8TrbObhazpl95FivXBVucbj9dudh7AO
+GmyAbXMftG1Eo7qGiMhYzRwGNWxEYojf5PZkYZXvSqZ/ZXHXa4g59jK/rJNnaVGM
-IZu1h1MAPlyknc9Ud816vz3FejB4qqUoaXjnlkrIgEbr/un7jSS86WOe0hRhwHkJ
+k+xIX8mxQvlV0n5O9PIha5BX5teZnkHKgL8aKKLKW1BK7YTngsfSzzaeame5iKfz
-FUGcPZf9ND22Etc+AQ==
+itAE+OjGF+PFKbwX8Q==
 -----END CERTIFICATE-----
 -----BEGIN RSA PRIVATE KEY-----
 MIIBPAIBAAJBAJ+zw4Qnlf8SMVIPFe9GEcStgOY2Ww/dgNdhjeD8ckUJNP5VZkVD
--- a/apps/sess_id.c
+++ b/apps/sess_id.c
@@ -206,7 +206,15 @@ bad:
 			}
 		if (outfile == NULL)
 			{
 			BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef VMS
 			{
 			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 			out = BIO_push(tmpbio, out);
 			}
 #endif
 			}
 		else
 			{
 			if (BIO_write_filename(out,outfile) <= 0)
@@ -262,7 +270,7 @@ bad:
 		}
 	ret=0;
 end:
-	if (out != NULL) BIO_free(out);
+	if (out != NULL) BIO_free_all(out);
 	if (x != NULL) SSL_SESSION_free(x);
 	EXIT(ret);
 	}
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -64,12 +64,10 @@
 #include <openssl/crypto.h>
 #include <openssl/pem.h>
 #include <openssl/err.h>
 #include <openssl/engine.h>
 #undef PROG
 #define PROG smime_main
 static X509 *load_cert(char *file);
 static EVP_PKEY *load_key(char *file, char *pass);
 static STACK_OF(X509) *load_certs(char *file);
 static X509_STORE *setup_verify(char *CAfile, char *CApath);
 static int save_certs(char *signerfile, STACK_OF(X509) *signers);
@@ -84,13 +82,14 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 {
 	ENGINE *e = NULL;
 	int operation = 0;
 	int ret = 0;
 	char **args;
 	char *inmode = "r", *outmode = "w";
 	char *infile = NULL, *outfile = NULL;
 	char *signerfile = NULL, *recipfile = NULL;
-	char *certfile = NULL, *keyfile = NULL;
+	char *certfile = NULL, *keyfile = NULL, *contfile=NULL;
 	EVP_CIPHER *cipher = NULL;
 	PKCS7 *p7 = NULL;
 	X509_STORE *store = NULL;
@@ -105,8 +104,10 @@ int MAIN(int argc, char **argv)
 	char *passargin = NULL, *passin = NULL;
 	char *inrand = NULL;
 	int need_rand = 0;
-	args = argv + 1;
+	int informat = FORMAT_SMIME, outformat = FORMAT_SMIME;
 	char *engine=NULL;
 	args = argv + 1;
 	ret = 1;
 	while (!badarg && *args && *args[0] == '-') {
@@ -143,6 +144,8 @@ int MAIN(int argc, char **argv)
 				flags |= PKCS7_NOATTR;
 		else if (!strcmp (*args, "-nodetach")) 
 				flags &= ~PKCS7_DETACHED;
 		else if (!strcmp (*args, "-nosmimecap"))
 				flags |= PKCS7_NOSMIMECAP;
 		else if (!strcmp (*args, "-binary"))
 				flags |= PKCS7_BINARY;
 		else if (!strcmp (*args, "-nosigs"))
@@ -153,6 +156,11 @@ int MAIN(int argc, char **argv)
 				inrand = *args;
 			} else badarg = 1;
 			need_rand = 1;
 		} else if (!strcmp(*args,"-engine")) {
 			if (args[1]) {
 				args++;
 				engine = *args;
 			} else badarg = 1;
 		} else if (!strcmp(*args,"-passin")) {
 			if (args[1]) {
 				args++;
@@ -208,11 +216,26 @@ int MAIN(int argc, char **argv)
 				args++;
 				infile = *args;
 			} else badarg = 1;
 		} else if (!strcmp (*args, "-inform")) {
 			if (args[1]) {
 				args++;
 				informat = str2fmt(*args);
 			} else badarg = 1;
 		} else if (!strcmp (*args, "-outform")) {
 			if (args[1]) {
 				args++;
 				outformat = str2fmt(*args);
 			} else badarg = 1;
 		} else if (!strcmp (*args, "-out")) {
 			if (args[1]) {
 				args++;
 				outfile = *args;
 			} else badarg = 1;
 		} else if (!strcmp (*args, "-content")) {
 			if (args[1]) {
 				args++;
 				contfile = *args;
 			} else badarg = 1;
 		} else badarg = 1;
 		args++;
 	}
@@ -264,21 +287,44 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-signer file   signer certificate file\n");
 		BIO_printf (bio_err, "-recip  file   recipient certificate file for decryption\n");
 		BIO_printf (bio_err, "-in file       input file\n");
 		BIO_printf (bio_err, "-inform arg    input format SMIME (default), PEM or DER\n");
 		BIO_printf (bio_err, "-inkey file    input private key (if not signer or recipient)\n");
 		BIO_printf (bio_err, "-out file      output file\n");
 		BIO_printf (bio_err, "-outform arg   output format SMIME (default), PEM or DER\n");
 		BIO_printf (bio_err, "-content file  supply or override content for detached signature\n");
 		BIO_printf (bio_err, "-to addr       to address\n");
 		BIO_printf (bio_err, "-from ad       from address\n");
 		BIO_printf (bio_err, "-subject s     subject\n");
 		BIO_printf (bio_err, "-text          include or delete text MIME headers\n");
 		BIO_printf (bio_err, "-CApath dir    trusted certificates directory\n");
 		BIO_printf (bio_err, "-CAfile file   trusted certificates file\n");
-		BIO_printf(bio_err,  "-rand file:file:...\n");
+		BIO_printf (bio_err, "-engine e      use engine e, possibly a hardware device.\n");
 		BIO_printf (bio_err, "-passin arg    input file pass phrase source\n");
 		BIO_printf(bio_err,  "-rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,  "               load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,  "               the random number generator\n");
 		BIO_printf (bio_err, "cert.pem       recipient certificate(s) for encryption\n");
 		goto end;
 	}
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto end;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
 		BIO_printf(bio_err, "Error getting password\n");
 		goto end;
@@ -295,9 +341,12 @@ int MAIN(int argc, char **argv)
 	if(operation != SMIME_SIGN) flags &= ~PKCS7_DETACHED;
-	if(flags & PKCS7_BINARY) {
+	if(operation & SMIME_OP) {
-		if(operation & SMIME_OP) inmode = "rb";
+		if(flags & PKCS7_BINARY) inmode = "rb";
-		else outmode = "rb";
+		if(outformat == FORMAT_ASN1) outmode = "wb";
 	} else {
 		if(flags & PKCS7_BINARY) outmode = "wb";
 		if(informat == FORMAT_ASN1) inmode = "rb";
 	}
 	if(operation == SMIME_ENCRYPT) {
@@ -309,12 +358,9 @@ int MAIN(int argc, char **argv)
 			goto end;
 #endif
 		}
 #ifdef CRYPTO_MDEBUG
 		CRYPTO_push_info("load encryption certificates");
 #endif		
 		encerts = sk_X509_new_null();
 		while (*args) {
-			if(!(cert = load_cert(*args))) {
+			if(!(cert = load_cert(bio_err,*args,FORMAT_PEM))) {
 				BIO_printf(bio_err, "Can't read recipient certificate file %s\n", *args);
 				goto end;
 			}
@@ -322,50 +368,29 @@ int MAIN(int argc, char **argv)
 			cert = NULL;
 			args++;
 		}
 #ifdef CRYPTO_MDEBUG
 		CRYPTO_pop_info();
 #endif		
 	}
 	if(signerfile && (operation == SMIME_SIGN)) {
-#ifdef CRYPTO_MDEBUG
+		if(!(signer = load_cert(bio_err,signerfile,FORMAT_PEM))) {
 		CRYPTO_push_info("load signer certificate");
 #endif		
 		if(!(signer = load_cert(signerfile))) {
 			BIO_printf(bio_err, "Can't read signer certificate file %s\n", signerfile);
 			goto end;
 		}
 #ifdef CRYPTO_MDEBUG
 		CRYPTO_pop_info();
 #endif		
 	}
 	if(certfile) {
-#ifdef CRYPTO_MDEBUG
+		if(!(other = load_certs(bio_err,certfile,FORMAT_PEM))) {
 		CRYPTO_push_info("load other certfiles");
 #endif		
 		if(!(other = load_certs(certfile))) {
 			BIO_printf(bio_err, "Can't read certificate file %s\n", certfile);
 			ERR_print_errors(bio_err);
 			goto end;
 		}
 #ifdef CRYPTO_MDEBUG
 		CRYPTO_pop_info();
 #endif		
 	}
 	if(recipfile && (operation == SMIME_DECRYPT)) {
-#ifdef CRYPTO_MDEBUG
+		if(!(recip = load_cert(bio_err,recipfile,FORMAT_PEM))) {
 		CRYPTO_push_info("load recipient certificate");
 #endif		
 		if(!(recip = load_cert(recipfile))) {
 			BIO_printf(bio_err, "Can't read recipient certificate file %s\n", recipfile);
 			ERR_print_errors(bio_err);
 			goto end;
 		}
 #ifdef CRYPTO_MDEBUG
 		CRYPTO_pop_info();
 #endif		
 	}
 	if(operation == SMIME_DECRYPT) {
@@ -375,22 +400,13 @@ int MAIN(int argc, char **argv)
 	} else keyfile = NULL;
 	if(keyfile) {
-#ifdef CRYPTO_MDEBUG
+		if(!(key = load_key(bio_err,keyfile, FORMAT_PEM, passin))) {
 		CRYPTO_push_info("load keyfile");
 #endif		
 		if(!(key = load_key(keyfile, passin))) {
 			BIO_printf(bio_err, "Can't read recipient certificate file %s\n", keyfile);
 			ERR_print_errors(bio_err);
 			goto end;
 		}
 #ifdef CRYPTO_MDEBUG
 		CRYPTO_pop_info();
 #endif		
 	}
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_push_info("open input files");
 #endif		
 	if (infile) {
 		if (!(in = BIO_new_file(infile, inmode))) {
 			BIO_printf (bio_err,
@@ -398,64 +414,57 @@ int MAIN(int argc, char **argv)
 			goto end;
 		}
 	} else in = BIO_new_fp(stdin, BIO_NOCLOSE);
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
 #endif		
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_push_info("open output files");
 #endif		
 	if (outfile) {
 		if (!(out = BIO_new_file(outfile, outmode))) {
 			BIO_printf (bio_err,
 				 "Can't open output file %s\n", outfile);
 			goto end;
 		}
-	} else out = BIO_new_fp(stdout, BIO_NOCLOSE);
+	} else {
-#ifdef CRYPTO_MDEBUG
+		out = BIO_new_fp(stdout, BIO_NOCLOSE);
-	CRYPTO_pop_info();
+#ifdef VMS
-#endif		
+		{
 		    BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		    out = BIO_push(tmpbio, out);
 		}
 #endif
 	}
 	if(operation == SMIME_VERIFY) {
 #ifdef CRYPTO_MDEBUG
 		CRYPTO_push_info("setup_verify");
 #endif		
 		if(!(store = setup_verify(CAfile, CApath))) goto end;
 #ifdef CRYPTO_MDEBUG
 		CRYPTO_pop_info();
 #endif		
 	}
 	ret = 3;
 	if(operation == SMIME_ENCRYPT) {
 #ifdef CRYPTO_MDEBUG
 		CRYPTO_push_info("PKCS7_encrypt");
 #endif		
 		p7 = PKCS7_encrypt(encerts, in, cipher, flags);
 #ifdef CRYPTO_MDEBUG
 		CRYPTO_pop_info();
 #endif		
 	} else if(operation == SMIME_SIGN) {
 #ifdef CRYPTO_MDEBUG
 		CRYPTO_push_info("PKCS7_sign");
 #endif		
 		p7 = PKCS7_sign(signer, key, other, in, flags);
 		BIO_reset(in);
 #ifdef CRYPTO_MDEBUG
 		CRYPTO_pop_info();
 #endif		
 	} else {
-#ifdef CRYPTO_MDEBUG
+		if(informat == FORMAT_SMIME) 
-		CRYPTO_push_info("SMIME_read_PKCS7");
+			p7 = SMIME_read_PKCS7(in, &indata);
-#endif		
+		else if(informat == FORMAT_PEM) 
-		if(!(p7 = SMIME_read_PKCS7(in, &indata))) {
+			p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);
 		else if(informat == FORMAT_ASN1) 
 			p7 = d2i_PKCS7_bio(in, NULL);
 		else {
 			BIO_printf(bio_err, "Bad input format for PKCS#7 file\n");
 			goto end;
 		}
 		if(!p7) {
 			BIO_printf(bio_err, "Error reading S/MIME message\n");
 			goto end;
 		}
-#ifdef CRYPTO_MDEBUG
+		if(contfile) {
-		CRYPTO_pop_info();
+			BIO_free(indata);
-#endif		
+			if(!(indata = BIO_new_file(contfile, "rb"))) {
 				BIO_printf(bio_err, "Can't read content file %s\n", contfile);
 				goto end;
 			}
 		}
 	}
 	if(!p7) {
@@ -465,45 +474,25 @@ int MAIN(int argc, char **argv)
 	ret = 4;
 	if(operation == SMIME_DECRYPT) {
 #ifdef CRYPTO_MDEBUG
 		CRYPTO_push_info("PKCS7_decrypt");
 #endif		
 		if(!PKCS7_decrypt(p7, key, recip, out, flags)) {
 			BIO_printf(bio_err, "Error decrypting PKCS#7 structure\n");
 			goto end;
 		}
 #ifdef CRYPTO_MDEBUG
 		CRYPTO_pop_info();
 #endif		
 	} else if(operation == SMIME_VERIFY) {
 		STACK_OF(X509) *signers;
 #ifdef CRYPTO_MDEBUG
 		CRYPTO_push_info("PKCS7_verify");
 #endif		
 		if(PKCS7_verify(p7, other, store, indata, out, flags)) {
 			BIO_printf(bio_err, "Verification Successful\n");
 		} else {
 			BIO_printf(bio_err, "Verification Failure\n");
 			goto end;
 		}
 #ifdef CRYPTO_MDEBUG
 		CRYPTO_pop_info();
 		CRYPTO_push_info("PKCS7_get0_signers");
 #endif		
 		signers = PKCS7_get0_signers(p7, other, flags);
 #ifdef CRYPTO_MDEBUG
 		CRYPTO_pop_info();
 		CRYPTO_push_info("save_certs");
 #endif		
 		if(!save_certs(signerfile, signers)) {
 			BIO_printf(bio_err, "Error writing signers to %s\n",
 								signerfile);
 			ret = 5;
 			goto end;
 		}
 #ifdef CRYPTO_MDEBUG
 		CRYPTO_pop_info();
 #endif		
 		sk_X509_free(signers);
 	} else if(operation == SMIME_PK7OUT) {
 		PEM_write_bio_PKCS7(out, p7);
@@ -511,13 +500,19 @@ int MAIN(int argc, char **argv)
 		if(to) BIO_printf(out, "To: %s\n", to);
 		if(from) BIO_printf(out, "From: %s\n", from);
 		if(subject) BIO_printf(out, "Subject: %s\n", subject);
-		SMIME_write_PKCS7(out, p7, in, flags);
+		if(outformat == FORMAT_SMIME) 
 			SMIME_write_PKCS7(out, p7, in, flags);
 		else if(outformat == FORMAT_PEM) 
 			PEM_write_bio_PKCS7(out,p7);
 		else if(outformat == FORMAT_ASN1) 
 			i2d_PKCS7_bio(out,p7);
 		else {
 			BIO_printf(bio_err, "Bad output format for PKCS#7 file\n");
 			goto end;
 		}
 	}
 	ret = 0;
 end:
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_remove_all_info();
 #endif
 	if (need_rand)
 		app_RAND_write_file(NULL, bio_err);
 	if(ret) ERR_print_errors(bio_err);
@@ -531,72 +526,18 @@ end:
 	PKCS7_free(p7);
 	BIO_free(in);
 	BIO_free(indata);
-	BIO_free(out);
+	BIO_free_all(out);
-	if(passin) Free(passin);
+	if(passin) OPENSSL_free(passin);
 	return (ret);
 }
 static X509 *load_cert(char *file)
 {
 	BIO *in;
 	X509 *cert;
 	if(!(in = BIO_new_file(file, "r"))) return NULL;
 	cert = PEM_read_bio_X509(in, NULL, NULL,NULL);
 	BIO_free(in);
 	return cert;
 }
 static EVP_PKEY *load_key(char *file, char *pass)
 {
 	BIO *in;
 	EVP_PKEY *key;
 	if(!(in = BIO_new_file(file, "r"))) return NULL;
 	key = PEM_read_bio_PrivateKey(in, NULL,NULL,pass);
 	BIO_free(in);
 	return key;
 }
 static STACK_OF(X509) *load_certs(char *file)
 {
 	BIO *in;
 	int i;
 	STACK_OF(X509) *othercerts;
 	STACK_OF(X509_INFO) *allcerts;
 	X509_INFO *xi;
 	if(!(in = BIO_new_file(file, "r"))) return NULL;
 	othercerts = sk_X509_new(NULL);
 	if(!othercerts) return NULL;
 	allcerts = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
 	for(i = 0; i < sk_X509_INFO_num(allcerts); i++) {
 		xi = sk_X509_INFO_value (allcerts, i);
 		if (xi->x509) {
 			sk_X509_push(othercerts, xi->x509);
 			xi->x509 = NULL;
 		}
 	}
 	sk_X509_INFO_pop_free(allcerts, X509_INFO_free);
 	BIO_free(in);
 	return othercerts;
 }
 static X509_STORE *setup_verify(char *CAfile, char *CApath)
 {
 	X509_STORE *store;
 	X509_LOOKUP *lookup;
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_push_info("X509_STORE_new");
 #endif	
 	if(!(store = X509_STORE_new())) goto end;
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
 	CRYPTO_push_info("X509_STORE_add_lookup(...file)");
 #endif	
 	lookup=X509_STORE_add_lookup(store,X509_LOOKUP_file());
 	if (lookup == NULL) goto end;
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
 	CRYPTO_push_info("X509_LOOKUP_load_file");
 #endif	
 	if (CAfile) {
 		if(!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM)) {
 			BIO_printf(bio_err, "Error loading file %s\n", CAfile);
@@ -604,25 +545,14 @@ static X509_STORE *setup_verify(char *CAfile, char *CApath)
 		}
 	} else X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
 	CRYPTO_push_info("X509_STORE_add_lookup(...hash_dir)");
 #endif	
 	lookup=X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir());
 	if (lookup == NULL) goto end;
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
 	CRYPTO_push_info("X509_LOOKUP_add_dir");
 #endif	
 	if (CApath) {
 		if(!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM)) {
 			BIO_printf(bio_err, "Error loading directory %s\n", CApath);
 			goto end;
 		}
 	} else X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
 #ifdef CRYPTO_MDEBUG
 	CRYPTO_pop_info();
 #endif	
 	ERR_clear_error();
 	return store;
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -81,17 +81,27 @@
 #include <openssl/crypto.h>
 #include <openssl/rand.h>
 #include <openssl/err.h>
 #include <openssl/engine.h>
-#if !defined(MSDOS) && (!defined(VMS) || defined(__DECC))
+#if defined(__FreeBSD__) || defined(__NetBSD__) || defined(__OpenBSD__)
-#define TIMES
+# define USE_TOD
 #elif !defined(MSDOS) && (!defined(VMS) || defined(__DECC))
 # define TIMES
 #endif
 #if !defined(_UNICOS) && !defined(__OpenBSD__) && !defined(sgi) && !defined(__FreeBSD__) && !(defined(__bsdi) || defined(__bsdi__)) && !defined(_AIX) && !defined(MPE) && !defined(__NetBSD__)
 # define TIMEB
 #endif
 #ifndef _IRIX
-#include <time.h>
+# include <time.h>
 #endif
 #ifdef TIMES
-#include <sys/types.h>
+# include <sys/types.h>
-#include <sys/times.h>
+# include <sys/times.h>
 #endif
 #ifdef USE_TOD
 # include <sys/time.h>
 # include <sys/resource.h>
 #endif
 /* Depending on the VMS version, the tms structure is perhaps defined.
@@ -102,10 +112,14 @@
 #undef TIMES
 #endif
-#ifndef TIMES
+#ifdef TIMEB
 #include <sys/timeb.h>
 #endif
 #if !defined(TIMES) && !defined(TIMEB) && !defined(USE_TOD)
 #error "It seems neither struct tms nor struct timeb is supported in this platform!"
 #endif
 #if defined(sun) || defined(__ultrix)
 #define _POSIX_SOURCE
 #include <limits.h>
@@ -121,6 +135,9 @@
 #ifndef NO_MDC2
 #include <openssl/mdc2.h>
 #endif
 #ifndef NO_MD4
 #include <openssl/md4.h>
 #endif
 #ifndef NO_MD5
 #include <openssl/md5.h>
 #endif
@@ -178,7 +195,7 @@
 #define BUFSIZE	((long)1024*8+1)
 int run=0;
-static double Time_F(int s);
+static double Time_F(int s, int usertime);
 static void print_message(char *s,long num,int length);
 static void pkey_print_message(char *str,char *str2,long num,int bits,int sec);
 #ifdef SIGALRM
@@ -202,39 +219,91 @@ static SIGRETTYPE sig_done(int sig)
 #define START	0
 #define STOP	1
-static double Time_F(int s)
+static double Time_F(int s, int usertime)
 	{
 	double ret;
 #ifdef TIMES
 	static struct tms tstart,tend;
-	if (s == START)
+#ifdef USE_TOD
-		{
+	if(usertime)
-		times(&tstart);
+	    {
-		return(0);
+		static struct rusage tstart,tend;
 		if (s == START)
 			{
 			getrusage(RUSAGE_SELF,&tstart);
 			return(0);
 			}
 		else
 			{
 			long i;
 			getrusage(RUSAGE_SELF,&tend);
 			i=(long)tend.ru_utime.tv_usec-(long)tstart.ru_utime.tv_usec;
 			ret=((double)(tend.ru_utime.tv_sec-tstart.ru_utime.tv_sec))
 			  +((double)i)/1000000.0;
 			return((ret < 0.001)?0.001:ret);
 			}
 		}
 	else
 		{
-		times(&tend);
+		static struct timeval tstart,tend;
-		ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ;
+		long i;
 		return((ret < 1e-3)?1e-3:ret);
 		}
 #else /* !times() */
 	static struct timeb tstart,tend;
 	long i;
-	if (s == START)
+		if (s == START)
-		{
+			{
-		ftime(&tstart);
+			gettimeofday(&tstart,NULL);
-		return(0);
+			return(0);
 			}
 		else
 			{
 			gettimeofday(&tend,NULL);
 			i=(long)tend.tv_usec-(long)tstart.tv_usec;
 			ret=((double)(tend.tv_sec-tstart.tv_sec))+((double)i)/1000000.0;
 			return((ret < 0.001)?0.001:ret);
 			}
 		}
 #else  /* ndef USE_TOD */
 # ifdef TIMES
 	if (usertime)
 		{
 		static struct tms tstart,tend;
 		if (s == START)
 			{
 			times(&tstart);
 			return(0);
 			}
 		else
 			{
 			times(&tend);
 			ret=((double)(tend.tms_utime-tstart.tms_utime))/HZ;
 			return((ret < 1e-3)?1e-3:ret);
 			}
 		}
 # endif /* times() */
 # if defined(TIMES) && defined(TIMEB)
 	else
 # endif
 # ifdef TIMEB
 		{
-		ftime(&tend);
+		static struct timeb tstart,tend;
-		i=(long)tend.millitm-(long)tstart.millitm;
+		long i;
-		ret=((double)(tend.time-tstart.time))+((double)i)/1000.0;
+
-		return((ret < 0.001)?0.001:ret);
+		if (s == START)
 			{
 			ftime(&tstart);
 			return(0);
 			}
 		else
 			{
 			ftime(&tend);
 			i=(long)tend.millitm-(long)tstart.millitm;
 			ret=((double)(tend.time-tstart.time))+((double)i)/1000.0;
 			return((ret < 0.001)?0.001:ret);
 			}
 		}
 # endif
 #endif
 	}
@@ -242,21 +311,25 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e;
 	unsigned char *buf=NULL,*buf2=NULL;
 	int mret=1;
-#define ALGOR_NUM	14
+#define ALGOR_NUM	15
 #define SIZE_NUM	5
 #define RSA_NUM		4
 #define DSA_NUM		3
 	long count,rsa_count;
 	int i,j,k;
-	unsigned rsa_num,rsa_num2;
+	unsigned rsa_num;
 #ifndef NO_MD2
 	unsigned char md2[MD2_DIGEST_LENGTH];
 #endif
 #ifndef NO_MDC2
 	unsigned char mdc2[MDC2_DIGEST_LENGTH];
 #endif
 #ifndef NO_MD4
 	unsigned char md4[MD4_DIGEST_LENGTH];
 #endif
 #ifndef NO_MD5
 	unsigned char md5[MD5_DIGEST_LENGTH];
 	unsigned char hmac[MD5_DIGEST_LENGTH];
@@ -298,23 +371,24 @@ int MAIN(int argc, char **argv)
 #endif
 #define	D_MD2		0
 #define	D_MDC2		1
-#define	D_MD5		2
+#define	D_MD4		2
-#define	D_HMAC		3
+#define	D_MD5		3
-#define	D_SHA1		4
+#define	D_HMAC		4
-#define D_RMD160	5
+#define	D_SHA1		5
-#define	D_RC4		6
+#define D_RMD160	6
-#define	D_CBC_DES	7
+#define	D_RC4		7
-#define	D_EDE3_DES	8
+#define	D_CBC_DES	8
-#define	D_CBC_IDEA	9
+#define	D_EDE3_DES	9
-#define	D_CBC_RC2	10
+#define	D_CBC_IDEA	10
-#define	D_CBC_RC5	11
+#define	D_CBC_RC2	11
-#define	D_CBC_BF	12
+#define	D_CBC_RC5	12
-#define	D_CBC_CAST	13
+#define	D_CBC_BF	13
 #define	D_CBC_CAST	14
 	double d,results[ALGOR_NUM][SIZE_NUM];
 	static int lengths[SIZE_NUM]={8,64,256,1024,8*1024};
 	long c[ALGOR_NUM][SIZE_NUM];
 	static char *names[ALGOR_NUM]={
-		"md2","mdc2","md5","hmac(md5)","sha1","rmd160","rc4",
+		"md2","mdc2","md4","md5","hmac(md5)","sha1","rmd160","rc4",
 		"des cbc","des ede3","idea cbc",
 		"rc2 cbc","rc5-32/12 cbc","blowfish cbc","cast cbc"};
 #define	R_DSA_512	0
@@ -345,6 +419,11 @@ int MAIN(int argc, char **argv)
 	int dsa_doit[DSA_NUM];
 	int doit[ALGOR_NUM];
 	int pr_header=0;
 	int usertime=1;
 #ifndef TIMES
 	usertime=-1;
 #endif
 	apps_startup();
 	memset(results, 0, sizeof(results));
@@ -362,7 +441,7 @@ int MAIN(int argc, char **argv)
 		rsa_key[i]=NULL;
 #endif
-	if ((buf=(unsigned char *)Malloc((int)BUFSIZE)) == NULL)
+	if ((buf=(unsigned char *)OPENSSL_malloc((int)BUFSIZE)) == NULL)
 		{
 		BIO_printf(bio_err,"out of memory\n");
 		goto end;
@@ -370,7 +449,7 @@ int MAIN(int argc, char **argv)
 #ifndef NO_DES
 	buf_as_des_cblock = (des_cblock *)buf;
 #endif
-	if ((buf2=(unsigned char *)Malloc((int)BUFSIZE)) == NULL)
+	if ((buf2=(unsigned char *)OPENSSL_malloc((int)BUFSIZE)) == NULL)
 		{
 		BIO_printf(bio_err,"out of memory\n");
 		goto end;
@@ -391,6 +470,39 @@ int MAIN(int argc, char **argv)
 	argv++;
 	while (argc)
 		{
 		if	((argc > 0) && (strcmp(*argv,"-elapsed") == 0))
 			usertime = 0;
 		else
 		if	((argc > 0) && (strcmp(*argv,"-engine") == 0))
 			{
 			argc--;
 			argv++;
 			if(argc == 0)
 				{
 				BIO_printf(bio_err,"no engine given\n");
 				goto end;
 				}
 			if((e = ENGINE_by_id(*argv)) == NULL)
 				{
 				BIO_printf(bio_err,"invalid engine \"%s\"\n",
 					*argv);
 				goto end;
 				}
 			if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 				{
 				BIO_printf(bio_err,"can't use that engine\n");
 				goto end;
 				}
 			BIO_printf(bio_err,"engine \"%s\" set.\n", *argv);
 			/* Free our "structural" reference. */
 			ENGINE_free(e);
 			/* It will be increased again further down.  We just
 			   don't want speed to confuse an engine with an
 			   algorithm, especially when none is given (which
 			   means all of them should be run) */
 			j--;
 			}
 		else
 #ifndef NO_MD2
 		if	(strcmp(*argv,"md2") == 0) doit[D_MD2]=1;
 		else
@@ -399,6 +511,10 @@ int MAIN(int argc, char **argv)
 			if (strcmp(*argv,"mdc2") == 0) doit[D_MDC2]=1;
 		else
 #endif
 #ifndef NO_MD4
 			if (strcmp(*argv,"md4") == 0) doit[D_MD4]=1;
 		else
 #endif
 #ifndef NO_MD5
 			if (strcmp(*argv,"md5") == 0) doit[D_MD5]=1;
 		else
@@ -434,7 +550,7 @@ int MAIN(int argc, char **argv)
 #ifdef RSAref
 			if (strcmp(*argv,"rsaref") == 0) 
 			{
-			RSA_set_default_method(RSA_PKCS1_RSAref());
+			RSA_set_default_openssl_method(RSA_PKCS1_RSAref());
 			j--;
 			}
 		else
@@ -442,7 +558,7 @@ int MAIN(int argc, char **argv)
 #ifndef RSA_NULL
 			if (strcmp(*argv,"openssl") == 0) 
 			{
-			RSA_set_default_method(RSA_PKCS1_SSLeay());
+			RSA_set_default_openssl_method(RSA_PKCS1_SSLeay());
 			j--;
 			}
 		else
@@ -510,8 +626,34 @@ int MAIN(int argc, char **argv)
 		else
 #endif
 			{
-			BIO_printf(bio_err,"bad value, pick one of\n");
+			BIO_printf(bio_err,"Error: bad option or value\n");
-			BIO_printf(bio_err,"md2      mdc2	md5      hmac      sha1    rmd160\n");
+			BIO_printf(bio_err,"\n");
 			BIO_printf(bio_err,"Available values:\n");
 #ifndef NO_MD2
 			BIO_printf(bio_err,"md2      ");
 #endif
 #ifndef NO_MDC2
 			BIO_printf(bio_err,"mdc2     ");
 #endif
 #ifndef NO_MD4
 			BIO_printf(bio_err,"md4      ");
 #endif
 #ifndef NO_MD5
 			BIO_printf(bio_err,"md5      ");
 #ifndef NO_HMAC
 			BIO_printf(bio_err,"hmac     ");
 #endif
 #endif
 #ifndef NO_SHA1
 			BIO_printf(bio_err,"sha1     ");
 #endif
 #ifndef NO_RIPEMD160
 			BIO_printf(bio_err,"rmd160");
 #endif
 #if !defined(NO_MD2) || !defined(NO_MDC2) || !defined(NO_MD4) || !defined(NO_MD5) || !defined(NO_SHA1) || !defined(NO_RIPEMD160)
 			BIO_printf(bio_err,"\n");
 #endif
 #ifndef NO_IDEA
 			BIO_printf(bio_err,"idea-cbc ");
 #endif
@@ -524,20 +666,49 @@ int MAIN(int argc, char **argv)
 #ifndef NO_BF
 			BIO_printf(bio_err,"bf-cbc");
 #endif
-#if !defined(NO_IDEA) && !defined(NO_RC2) && !defined(NO_BF) && !defined(NO_RC5)
+#if !defined(NO_IDEA) || !defined(NO_RC2) || !defined(NO_BF) || !defined(NO_RC5)
 			BIO_printf(bio_err,"\n");
 #endif
 			BIO_printf(bio_err,"des-cbc  des-ede3 ");
 #ifndef NO_RC4
 			BIO_printf(bio_err,"rc4");
 #endif
 			BIO_printf(bio_err,"\n");
 #ifndef NO_RSA
-			BIO_printf(bio_err,"\nrsa512   rsa1024  rsa2048  rsa4096\n");
+			BIO_printf(bio_err,"rsa512   rsa1024  rsa2048  rsa4096\n");
 #endif
 #ifndef NO_DSA
-			BIO_printf(bio_err,"\ndsa512   dsa1024  dsa2048\n");
+			BIO_printf(bio_err,"dsa512   dsa1024  dsa2048\n");
 #endif
-			BIO_printf(bio_err,"idea     rc2      des      rsa    blowfish\n");
+
 #ifndef NO_IDEA
 			BIO_printf(bio_err,"idea     ");
 #endif
 #ifndef NO_RC2
 			BIO_printf(bio_err,"rc2      ");
 #endif
 #ifndef NO_DES
 			BIO_printf(bio_err,"des      ");
 #endif
 #ifndef NO_RSA
 			BIO_printf(bio_err,"rsa      ");
 #endif
 #ifndef NO_BF
 			BIO_printf(bio_err,"blowfish");
 #endif
 #if !defined(NO_IDEA) || !defined(NO_RC2) || !defined(NO_DES) || !defined(NO_RSA) || !defined(NO_BF)
 			BIO_printf(bio_err,"\n");
 #endif
 			BIO_printf(bio_err,"\n");
 			BIO_printf(bio_err,"Available options:\n");
 #ifdef TIMES
 			BIO_printf(bio_err,"-elapsed        measure time in real time instead of CPU user time.\n");
 #endif
 			BIO_printf(bio_err,"-engine e       use engine e, possibly a hardware device.\n");
 			goto end;
 			}
 		argc--;
@@ -557,10 +728,13 @@ int MAIN(int argc, char **argv)
 	for (i=0; i<ALGOR_NUM; i++)
 		if (doit[i]) pr_header++;
-#ifndef TIMES
+	if (usertime == 0)
-	BIO_printf(bio_err,"To get the most accurate results, try to run this\n");
+		BIO_printf(bio_err,"You have chosen to measure elapsed time instead of user CPU time.\n");
-	BIO_printf(bio_err,"program when this computer is idle.\n");
+	if (usertime <= 0)
-#endif
+		{
 		BIO_printf(bio_err,"To get the most accurate results, try to run this\n");
 		BIO_printf(bio_err,"program when this computer is idle.\n");
 		}
 #ifndef NO_RSA
 	for (i=0; i<RSA_NUM; i++)
@@ -624,14 +798,15 @@ int MAIN(int argc, char **argv)
 	do	{
 		long i;
 		count*=2;
-		Time_F(START);
+		Time_F(START,usertime);
 		for (i=count; i; i--)
 			des_ecb_encrypt(buf_as_des_cblock,buf_as_des_cblock,
 				&(sch[0]),DES_ENCRYPT);
-		d=Time_F(STOP);
+		d=Time_F(STOP,usertime);
 		} while (d <3);
 	c[D_MD2][0]=count/10;
 	c[D_MDC2][0]=count/10;
 	c[D_MD4][0]=count;
 	c[D_MD5][0]=count;
 	c[D_HMAC][0]=count;
 	c[D_SHA1][0]=count;
@@ -649,6 +824,7 @@ int MAIN(int argc, char **argv)
 		{
 		c[D_MD2][i]=c[D_MD2][0]*4*lengths[0]/lengths[i];
 		c[D_MDC2][i]=c[D_MDC2][0]*4*lengths[0]/lengths[i];
 		c[D_MD4][i]=c[D_MD4][0]*4*lengths[0]/lengths[i];
 		c[D_MD5][i]=c[D_MD5][0]*4*lengths[0]/lengths[i];
 		c[D_HMAC][i]=c[D_HMAC][0]*4*lengths[0]/lengths[i];
 		c[D_SHA1][i]=c[D_SHA1][0]*4*lengths[0]/lengths[i];
@@ -689,6 +865,7 @@ int MAIN(int argc, char **argv)
 		}
 #endif
 #ifndef NO_DSA
 	dsa_c[R_DSA_512][0]=count/1000;
 	dsa_c[R_DSA_512][1]=count/1000/2;
 	for (i=1; i<DSA_NUM; i++)
@@ -706,6 +883,7 @@ int MAIN(int argc, char **argv)
 				}
 			}				
 		}
 #endif
 #define COND(d)	(count < (d))
 #define COUNT(d) (d)
@@ -725,10 +903,10 @@ int MAIN(int argc, char **argv)
 		for (j=0; j<SIZE_NUM; j++)
 			{
 			print_message(names[D_MD2],c[D_MD2][j],lengths[j]);
-			Time_F(START);
+			Time_F(START,usertime);
 			for (count=0,run=1; COND(c[D_MD2][j]); count++)
 				MD2(buf,(unsigned long)lengths[j],&(md2[0]));
-			d=Time_F(STOP);
+			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
 				count,names[D_MD2],d);
 			results[D_MD2][j]=((double)count)/d*lengths[j];
@@ -741,10 +919,10 @@ int MAIN(int argc, char **argv)
 		for (j=0; j<SIZE_NUM; j++)
 			{
 			print_message(names[D_MDC2],c[D_MDC2][j],lengths[j]);
-			Time_F(START);
+			Time_F(START,usertime);
 			for (count=0,run=1; COND(c[D_MDC2][j]); count++)
 				MDC2(buf,(unsigned long)lengths[j],&(mdc2[0]));
-			d=Time_F(STOP);
+			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
 				count,names[D_MDC2],d);
 			results[D_MDC2][j]=((double)count)/d*lengths[j];
@@ -752,16 +930,33 @@ int MAIN(int argc, char **argv)
 		}
 #endif
 #ifndef NO_MD4
 	if (doit[D_MD4])
 		{
 		for (j=0; j<SIZE_NUM; j++)
 			{
 			print_message(names[D_MD4],c[D_MD4][j],lengths[j]);
 			Time_F(START,usertime);
 			for (count=0,run=1; COND(c[D_MD4][j]); count++)
 				MD4(&(buf[0]),(unsigned long)lengths[j],&(md4[0]));
 			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
 				count,names[D_MD4],d);
 			results[D_MD4][j]=((double)count)/d*lengths[j];
 			}
 		}
 #endif
 #ifndef NO_MD5
 	if (doit[D_MD5])
 		{
 		for (j=0; j<SIZE_NUM; j++)
 			{
 			print_message(names[D_MD5],c[D_MD5][j],lengths[j]);
-			Time_F(START);
+			Time_F(START,usertime);
 			for (count=0,run=1; COND(c[D_MD5][j]); count++)
 				MD5(&(buf[0]),(unsigned long)lengths[j],&(md5[0]));
-			d=Time_F(STOP);
+			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
 				count,names[D_MD5],d);
 			results[D_MD5][j]=((double)count)/d*lengths[j];
@@ -779,14 +974,14 @@ int MAIN(int argc, char **argv)
 		for (j=0; j<SIZE_NUM; j++)
 			{
 			print_message(names[D_HMAC],c[D_HMAC][j],lengths[j]);
-			Time_F(START);
+			Time_F(START,usertime);
 			for (count=0,run=1; COND(c[D_HMAC][j]); count++)
 				{
 				HMAC_Init(&hctx,NULL,0,NULL);
                                HMAC_Update(&hctx,buf,lengths[j]);
                                HMAC_Final(&hctx,&(hmac[0]),NULL);
 				}
-			d=Time_F(STOP);
+			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
 				count,names[D_HMAC],d);
 			results[D_HMAC][j]=((double)count)/d*lengths[j];
@@ -799,10 +994,10 @@ int MAIN(int argc, char **argv)
 		for (j=0; j<SIZE_NUM; j++)
 			{
 			print_message(names[D_SHA1],c[D_SHA1][j],lengths[j]);
-			Time_F(START);
+			Time_F(START,usertime);
 			for (count=0,run=1; COND(c[D_SHA1][j]); count++)
 				SHA1(buf,(unsigned long)lengths[j],&(sha[0]));
-			d=Time_F(STOP);
+			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
 				count,names[D_SHA1],d);
 			results[D_SHA1][j]=((double)count)/d*lengths[j];
@@ -815,10 +1010,10 @@ int MAIN(int argc, char **argv)
 		for (j=0; j<SIZE_NUM; j++)
 			{
 			print_message(names[D_RMD160],c[D_RMD160][j],lengths[j]);
-			Time_F(START);
+			Time_F(START,usertime);
 			for (count=0,run=1; COND(c[D_RMD160][j]); count++)
 				RIPEMD160(buf,(unsigned long)lengths[j],&(rmd160[0]));
-			d=Time_F(STOP);
+			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
 				count,names[D_RMD160],d);
 			results[D_RMD160][j]=((double)count)/d*lengths[j];
@@ -831,11 +1026,11 @@ int MAIN(int argc, char **argv)
 		for (j=0; j<SIZE_NUM; j++)
 			{
 			print_message(names[D_RC4],c[D_RC4][j],lengths[j]);
-			Time_F(START);
+			Time_F(START,usertime);
 			for (count=0,run=1; COND(c[D_RC4][j]); count++)
 				RC4(&rc4_ks,(unsigned int)lengths[j],
 					buf,buf);
-			d=Time_F(STOP);
+			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
 				count,names[D_RC4],d);
 			results[D_RC4][j]=((double)count)/d*lengths[j];
@@ -848,11 +1043,11 @@ int MAIN(int argc, char **argv)
 		for (j=0; j<SIZE_NUM; j++)
 			{
 			print_message(names[D_CBC_DES],c[D_CBC_DES][j],lengths[j]);
-			Time_F(START);
+			Time_F(START,usertime);
 			for (count=0,run=1; COND(c[D_CBC_DES][j]); count++)
 				des_ncbc_encrypt(buf,buf,lengths[j],sch,
 						 &iv,DES_ENCRYPT);
-			d=Time_F(STOP);
+			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
 				count,names[D_CBC_DES],d);
 			results[D_CBC_DES][j]=((double)count)/d*lengths[j];
@@ -864,12 +1059,12 @@ int MAIN(int argc, char **argv)
 		for (j=0; j<SIZE_NUM; j++)
 			{
 			print_message(names[D_EDE3_DES],c[D_EDE3_DES][j],lengths[j]);
-			Time_F(START);
+			Time_F(START,usertime);
 			for (count=0,run=1; COND(c[D_EDE3_DES][j]); count++)
 				des_ede3_cbc_encrypt(buf,buf,lengths[j],
 						     sch,sch2,sch3,
 						     &iv,DES_ENCRYPT);
-			d=Time_F(STOP);
+			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
 				count,names[D_EDE3_DES],d);
 			results[D_EDE3_DES][j]=((double)count)/d*lengths[j];
@@ -882,12 +1077,12 @@ int MAIN(int argc, char **argv)
 		for (j=0; j<SIZE_NUM; j++)
 			{
 			print_message(names[D_CBC_IDEA],c[D_CBC_IDEA][j],lengths[j]);
-			Time_F(START);
+			Time_F(START,usertime);
 			for (count=0,run=1; COND(c[D_CBC_IDEA][j]); count++)
 				idea_cbc_encrypt(buf,buf,
 					(unsigned long)lengths[j],&idea_ks,
 					iv,IDEA_ENCRYPT);
-			d=Time_F(STOP);
+			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
 				count,names[D_CBC_IDEA],d);
 			results[D_CBC_IDEA][j]=((double)count)/d*lengths[j];
@@ -900,12 +1095,12 @@ int MAIN(int argc, char **argv)
 		for (j=0; j<SIZE_NUM; j++)
 			{
 			print_message(names[D_CBC_RC2],c[D_CBC_RC2][j],lengths[j]);
-			Time_F(START);
+			Time_F(START,usertime);
 			for (count=0,run=1; COND(c[D_CBC_RC2][j]); count++)
 				RC2_cbc_encrypt(buf,buf,
 					(unsigned long)lengths[j],&rc2_ks,
 					iv,RC2_ENCRYPT);
-			d=Time_F(STOP);
+			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
 				count,names[D_CBC_RC2],d);
 			results[D_CBC_RC2][j]=((double)count)/d*lengths[j];
@@ -918,12 +1113,12 @@ int MAIN(int argc, char **argv)
 		for (j=0; j<SIZE_NUM; j++)
 			{
 			print_message(names[D_CBC_RC5],c[D_CBC_RC5][j],lengths[j]);
-			Time_F(START);
+			Time_F(START,usertime);
 			for (count=0,run=1; COND(c[D_CBC_RC5][j]); count++)
 				RC5_32_cbc_encrypt(buf,buf,
 					(unsigned long)lengths[j],&rc5_ks,
 					iv,RC5_ENCRYPT);
-			d=Time_F(STOP);
+			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
 				count,names[D_CBC_RC5],d);
 			results[D_CBC_RC5][j]=((double)count)/d*lengths[j];
@@ -936,12 +1131,12 @@ int MAIN(int argc, char **argv)
 		for (j=0; j<SIZE_NUM; j++)
 			{
 			print_message(names[D_CBC_BF],c[D_CBC_BF][j],lengths[j]);
-			Time_F(START);
+			Time_F(START,usertime);
 			for (count=0,run=1; COND(c[D_CBC_BF][j]); count++)
 				BF_cbc_encrypt(buf,buf,
 					(unsigned long)lengths[j],&bf_ks,
 					iv,BF_ENCRYPT);
-			d=Time_F(STOP);
+			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
 				count,names[D_CBC_BF],d);
 			results[D_CBC_BF][j]=((double)count)/d*lengths[j];
@@ -954,12 +1149,12 @@ int MAIN(int argc, char **argv)
 		for (j=0; j<SIZE_NUM; j++)
 			{
 			print_message(names[D_CBC_CAST],c[D_CBC_CAST][j],lengths[j]);
-			Time_F(START);
+			Time_F(START,usertime);
 			for (count=0,run=1; COND(c[D_CBC_CAST][j]); count++)
 				CAST_cbc_encrypt(buf,buf,
 					(unsigned long)lengths[j],&cast_ks,
 					iv,CAST_ENCRYPT);
-			d=Time_F(STOP);
+			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %s's in %.2fs\n",
 				count,names[D_CBC_CAST],d);
 			results[D_CBC_CAST][j]=((double)count)/d*lengths[j];
@@ -974,49 +1169,73 @@ int MAIN(int argc, char **argv)
 		int ret;
 		if (!rsa_doit[j]) continue;
 		ret=RSA_sign(NID_md5_sha1, buf,36, buf2, &rsa_num, rsa_key[j]);
-		pkey_print_message("private","rsa",rsa_c[j][0],rsa_bits[j],
+		if (ret == 0)
 			RSA_SECONDS);
 /*		RSA_blinding_on(rsa_key[j],NULL); */
 		Time_F(START);
 		for (count=0,run=1; COND(rsa_c[j][0]); count++)
 			{
-			ret=RSA_sign(NID_md5_sha1, buf,36, buf2, &rsa_num,
+			BIO_printf(bio_err,"RSA sign failure.  No RSA sign will be done.\n");
-								 rsa_key[j]);
+			ERR_print_errors(bio_err);
-			if (ret <= 0)
+			rsa_count=1;
-				{
+			}
-				BIO_printf(bio_err,"RSA private encrypt failure\n");
+		else
-				ERR_print_errors(bio_err);
+			{
-				count=1;
+			pkey_print_message("private","rsa",
-				break;
+				rsa_c[j][0],rsa_bits[j],
-				}
+				RSA_SECONDS);
 /*			RSA_blinding_on(rsa_key[j],NULL); */
 			Time_F(START,usertime);
 			for (count=0,run=1; COND(rsa_c[j][0]); count++)
 				{
 				ret=RSA_sign(NID_md5_sha1, buf,36, buf2,
 					&rsa_num, rsa_key[j]);
 				if (ret == 0)
 					{
 					BIO_printf(bio_err,
 						"RSA sign failure\n");
 					ERR_print_errors(bio_err);
 					count=1;
 					break;
 					}
 				}
 			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,
 				"%ld %d bit private RSA's in %.2fs\n",
 				count,rsa_bits[j],d);
 			rsa_results[j][0]=d/(double)count;
 			rsa_count=count;
 			}
 		d=Time_F(STOP);
 		BIO_printf(bio_err,"%ld %d bit private RSA's in %.2fs\n",
 			count,rsa_bits[j],d);
 		rsa_results[j][0]=d/(double)count;
 		rsa_count=count;
 #if 1
 		ret=RSA_verify(NID_md5_sha1, buf,36, buf2, rsa_num, rsa_key[j]);
-		pkey_print_message("public","rsa",rsa_c[j][1],rsa_bits[j],
+		if (ret <= 0)
 			RSA_SECONDS);
 		Time_F(START);
 		for (count=0,run=1; COND(rsa_c[j][1]); count++)
 			{
-			ret=RSA_verify(NID_md5_sha1, buf,36, buf2, rsa_num,
+			BIO_printf(bio_err,"RSA verify failure.  No RSA verify will be done.\n");
-								rsa_key[j]);
+			ERR_print_errors(bio_err);
-			if (ret <= 0)
+			rsa_doit[j] = 0;
-				{
+			}
-				BIO_printf(bio_err,"RSA verify failure\n");
+		else
-				ERR_print_errors(bio_err);
+			{
-				count=1;
+			pkey_print_message("public","rsa",
-				break;
+				rsa_c[j][1],rsa_bits[j],
-				}
+				RSA_SECONDS);
 			Time_F(START,usertime);
 			for (count=0,run=1; COND(rsa_c[j][1]); count++)
 				{
 				ret=RSA_verify(NID_md5_sha1, buf,36, buf2,
 					rsa_num, rsa_key[j]);
 				if (ret == 0)
 					{
 					BIO_printf(bio_err,
 						"RSA verify failure\n");
 					ERR_print_errors(bio_err);
 					count=1;
 					break;
 					}
 				}
 			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,
 				"%ld %d bit public RSA's in %.2fs\n",
 				count,rsa_bits[j],d);
 			rsa_results[j][1]=d/(double)count;
 			}
 		d=Time_F(STOP);
 		BIO_printf(bio_err,"%ld %d bit public RSA's in %.2fs\n",
 			count,rsa_bits[j],d);
 		rsa_results[j][1]=d/(double)count;
 #endif
 		if (rsa_count <= 1)
@@ -1030,57 +1249,85 @@ int MAIN(int argc, char **argv)
 	RAND_pseudo_bytes(buf,20);
 #ifndef NO_DSA
 	if (RAND_status() != 1)
 		{
 		RAND_seed(rnd_seed, sizeof rnd_seed);
 		rnd_fake = 1;
 		}
 	for (j=0; j<DSA_NUM; j++)
 		{
 		unsigned int kk;
 		int ret;
 		if (!dsa_doit[j]) continue;
 		DSA_generate_key(dsa_key[j]);
 /*		DSA_sign_setup(dsa_key[j],NULL); */
-		rsa_num=DSA_sign(EVP_PKEY_DSA,buf,20,buf2,
+		ret=DSA_sign(EVP_PKEY_DSA,buf,20,buf2,
 			&kk,dsa_key[j]);
-		pkey_print_message("sign","dsa",dsa_c[j][0],dsa_bits[j],
+		if (ret == 0)
 			DSA_SECONDS);
 		Time_F(START);
 		for (count=0,run=1; COND(dsa_c[j][0]); count++)
 			{
-			rsa_num=DSA_sign(EVP_PKEY_DSA,buf,20,buf2,
+			BIO_printf(bio_err,"DSA sign failure.  No DSA sign will be done.\n");
-				&kk,dsa_key[j]);
+			ERR_print_errors(bio_err);
-			if (rsa_num == 0)
+			rsa_count=1;
-				{
+			}
-				BIO_printf(bio_err,"DSA sign failure\n");
+		else
-				ERR_print_errors(bio_err);
+			{
-				count=1;
+			pkey_print_message("sign","dsa",
-				break;
+				dsa_c[j][0],dsa_bits[j],
-				}
+				DSA_SECONDS);
 			Time_F(START,usertime);
 			for (count=0,run=1; COND(dsa_c[j][0]); count++)
 				{
 				ret=DSA_sign(EVP_PKEY_DSA,buf,20,buf2,
 					&kk,dsa_key[j]);
 				if (ret == 0)
 					{
 					BIO_printf(bio_err,
 						"DSA sign failure\n");
 					ERR_print_errors(bio_err);
 					count=1;
 					break;
 					}
 				}
 			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %d bit DSA signs in %.2fs\n",
 				count,dsa_bits[j],d);
 			dsa_results[j][0]=d/(double)count;
 			rsa_count=count;
 			}
 		d=Time_F(STOP);
 		BIO_printf(bio_err,"%ld %d bit DSA signs in %.2fs\n",
 			count,dsa_bits[j],d);
 		dsa_results[j][0]=d/(double)count;
 		rsa_count=count;
-		rsa_num2=DSA_verify(EVP_PKEY_DSA,buf,20,buf2,
+		ret=DSA_verify(EVP_PKEY_DSA,buf,20,buf2,
 			kk,dsa_key[j]);
-		pkey_print_message("verify","dsa",dsa_c[j][1],dsa_bits[j],
+		if (ret <= 0)
 			DSA_SECONDS);
 		Time_F(START);
 		for (count=0,run=1; COND(dsa_c[j][1]); count++)
 			{
-			rsa_num2=DSA_verify(EVP_PKEY_DSA,buf,20,buf2,
+			BIO_printf(bio_err,"DSA verify failure.  No DSA verify will be done.\n");
-				kk,dsa_key[j]);
+			ERR_print_errors(bio_err);
-			if (rsa_num2 == 0)
+			dsa_doit[j] = 0;
-				{
+			}
-				BIO_printf(bio_err,"DSA verify failure\n");
+		else
-				ERR_print_errors(bio_err);
+			{
-				count=1;
+			pkey_print_message("verify","dsa",
-				break;
+				dsa_c[j][1],dsa_bits[j],
-				}
+				DSA_SECONDS);
 			Time_F(START,usertime);
 			for (count=0,run=1; COND(dsa_c[j][1]); count++)
 				{
 				ret=DSA_verify(EVP_PKEY_DSA,buf,20,buf2,
 					kk,dsa_key[j]);
 				if (ret <= 0)
 					{
 					BIO_printf(bio_err,
 						"DSA verify failure\n");
 					ERR_print_errors(bio_err);
 					count=1;
 					break;
 					}
 				}
 			d=Time_F(STOP,usertime);
 			BIO_printf(bio_err,"%ld %d bit DSA verify in %.2fs\n",
 				count,dsa_bits[j],d);
 			dsa_results[j][1]=d/(double)count;
 			}
 		d=Time_F(STOP);
 		BIO_printf(bio_err,"%ld %d bit DSA verify in %.2fs\n",
 			count,dsa_bits[j],d);
 		dsa_results[j][1]=d/(double)count;
 		if (rsa_count <= 1)
 			{
@@ -1089,6 +1336,7 @@ int MAIN(int argc, char **argv)
 				dsa_doit[j]=0;
 			}
 		}
 	if (rnd_fake) RAND_cleanup();
 #endif
 	fprintf(stdout,"%s\n",SSLeay_version(SSLEAY_VERSION));
@@ -1167,8 +1415,9 @@ int MAIN(int argc, char **argv)
 #endif
 	mret=0;
 end:
-	if (buf != NULL) Free(buf);
+	ERR_print_errors(bio_err);
-	if (buf2 != NULL) Free(buf2);
+	if (buf != NULL) OPENSSL_free(buf);
 	if (buf2 != NULL) OPENSSL_free(buf2);
 #ifndef NO_RSA
 	for (i=0; i<RSA_NUM; i++)
 		if (rsa_key[i] != NULL)
--- a/apps/spkac.c
+++ b/apps/spkac.c
@@ -63,10 +63,13 @@
 #include <time.h>
 #include "apps.h"
 #include <openssl/bio.h>
 #include <openssl/conf.h>
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #include <openssl/lhash.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 #undef PROG
 #define PROG	spkac_main
@@ -79,6 +82,7 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 	int i,badops=0, ret = 1;
 	BIO *in = NULL,*out = NULL, *key = NULL;
 	int verify=0,noout=0,pubkey=0;
@@ -89,6 +93,7 @@ int MAIN(int argc, char **argv)
 	LHASH *conf = NULL;
 	NETSCAPE_SPKI *spki = NULL;
 	EVP_PKEY *pkey = NULL;
 	char *engine=NULL;
 	apps_startup();
@@ -134,6 +139,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			spksect= *(++argv);
 			}
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 		else if (strcmp(*argv,"-noout") == 0)
 			noout=1;
 		else if (strcmp(*argv,"-pubkey") == 0)
@@ -159,6 +169,7 @@ bad:
 		BIO_printf(bio_err," -noout         don't print SPKAC\n");
 		BIO_printf(bio_err," -pubkey        output public key\n");
 		BIO_printf(bio_err," -verify        verify SPKAC signature\n");
 		BIO_printf(bio_err," -engine e      use engine e, possibly a hardware device.\n");
 		goto end;
 		}
@@ -168,6 +179,24 @@ bad:
 		goto end;
 	}
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto end;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	if(keyfile) {
 		if(strcmp(keyfile, "-")) key = BIO_new_file(keyfile, "r");
 		else key = BIO_new_fp(stdin, BIO_NOCLOSE);
@@ -190,7 +219,15 @@ bad:
 		spkstr = NETSCAPE_SPKI_b64_encode(spki);
 		if (outfile) out = BIO_new_file(outfile, "w");
-		else out = BIO_new_fp(stdout, BIO_NOCLOSE);
+		else {
 			out = BIO_new_fp(stdout, BIO_NOCLOSE);
 #ifdef VMS
 			{
 			    BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 			    out = BIO_push(tmpbio, out);
 			}
 #endif
 		}
 		if(!out) {
 			BIO_printf(bio_err, "Error opening output file\n");
@@ -198,7 +235,7 @@ bad:
 			goto end;
 		}
 		BIO_printf(out, "SPKAC=%s\n", spkstr);
-		Free(spkstr);
+		OPENSSL_free(spkstr);
 		ret = 0;
 		goto end;
 	}
@@ -239,7 +276,15 @@ bad:
 	}
 	if (outfile) out = BIO_new_file(outfile, "w");
-	else out = BIO_new_fp(stdout, BIO_NOCLOSE);
+	else {
 		out = BIO_new_fp(stdout, BIO_NOCLOSE);
 #ifdef VMS
 		{
 		    BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		    out = BIO_push(tmpbio, out);
 		}
 #endif
 	}
 	if(!out) {
 		BIO_printf(bio_err, "Error opening output file\n");
@@ -266,9 +311,9 @@ end:
 	CONF_free(conf);
 	NETSCAPE_SPKI_free(spki);
 	BIO_free(in);
-	BIO_free(out);
+	BIO_free_all(out);
 	BIO_free(key);
 	EVP_PKEY_free(pkey);
-	if(passin) Free(passin);
+	if(passin) OPENSSL_free(passin);
 	EXIT(ret);
 	}
--- a/apps/testdsa.h
+++ b/apps/testdsa.h
@@ -1,4 +1,5 @@
 /* NOCW */
 /* used by apps/speed.c */
 DSA *get_dsa512(void );
 DSA *get_dsa1024(void );
 DSA *get_dsa2048(void );
@@ -146,3 +147,5 @@ DSA *get_dsa2048()
 	return(dsa);
 	}
 static const char rnd_seed[] = "string to make the random number generator think it has entropy";
 static int rnd_fake = 0;
--- a/apps/testrsa.h
+++ b/apps/testrsa.h
@@ -1,4 +1,5 @@
 /* apps/testrsa.h */
 /* used by apps/speed.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
--- a/apps/tkca
+++ b/apps/tkca
@@ -1,66 +0,0 @@
 #!/usr/local/bin/perl5
 #
 # This is only something I'm playing with, it does not work :-)
 #
 use Tk;
 my $main=MainWindow->new();
 my $f=$main->Frame(-relief => "ridge", -borderwidth => 2);
 $f->pack(-fill => 'x');
 my $ff=$f->Frame;
 $ff->pack(-fill => 'x');
 my $l=$ff->Label(-text => "TkCA - SSLeay",
 	-relief => "ridge", -borderwidth => 2);
 $l->pack(-fill => 'x', -ipady => 5);
 my $l=$ff->Button(-text => "Certify");
 $l->pack(-fill => 'x', -ipady => 5);
 my $l=$ff->Button(-text => "Review");
 $l->pack(-fill => 'x', -ipady => 5);
 my $l=$ff->Button(-text => "Revoke");
 $l->pack(-fill => 'x', -ipady => 5);
 my $l=$ff->Button(-text => "Generate CRL");
 $l->pack(-fill => 'x', -ipady => 5);
 my($db)=&load_db("demoCA/index.txt");
 MainLoop;
 sub load_db
 	{
 	my(%ret);
 	my($file)=@_;
 	my(*IN);
 	my(%db_serial,%db_name,@f,@db_s);
 	$ret{'serial'}=\%db_serial;
 	$ret{'name'}=\%db_name;
 	open(IN,"<$file") || die "unable to open $file:$!\n";
 	while (<IN>)
 		{
 		chop;
 		s/([^\\])\t/\1\t\t/g;
 		my(@f)=split(/\t\t/);
 		die "wrong number of fields in $file, line $.\n"
 			if ($#f != 5);
 		my(%f);
 		$f{'type'}=$f[0];
 		$f{'exp'}=$f[1];
 		$f{'rev'}=$f[2];
 		$f{'serial'}=$f[3];
 		$f{'file'}=$f[4];
 		$f{'name'}=$f[5];
 		die "serial number $f{'serial'} appears twice (line $.)\n"
 			if (defined($db{$f{'serial'}}))
 		$db_serial{$f{'serial'}}=\%f;
 		$db_name{$f{'name'}}.=$f{'serial'}." ";
 		}
 	return \%ret;
 	}
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -65,26 +65,29 @@
 #include <openssl/x509.h>
 #include <openssl/x509v3.h>
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 #undef PROG
 #define PROG	verify_main
 static int MS_CALLBACK cb(int ok, X509_STORE_CTX *ctx);
-static int check(X509_STORE *ctx,char *file, STACK_OF(X509)*other, int purpose);
+static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, int purpose);
 static STACK_OF(X509) *load_untrusted(char *file);
-static int v_verbose=0;
+static int v_verbose=0, issuer_checks = 0;
 int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 	int i,ret=1;
 	int purpose = -1;
 	char *CApath=NULL,*CAfile=NULL;
-	char *untfile = NULL;
+	char *untfile = NULL, *trustfile = NULL;
-	STACK_OF(X509) *untrusted = NULL;
+	STACK_OF(X509) *untrusted = NULL, *trusted = NULL;
 	X509_STORE *cert_ctx=NULL;
 	X509_LOOKUP *lookup=NULL;
 	char *engine=NULL;
 	cert_ctx=X509_STORE_new();
 	if (cert_ctx == NULL) goto end;
@@ -132,8 +135,20 @@ int MAIN(int argc, char **argv)
 				if (argc-- < 1) goto end;
 				untfile= *(++argv);
 				}
 			else if (strcmp(*argv,"-trusted") == 0)
 				{
 				if (argc-- < 1) goto end;
 				trustfile= *(++argv);
 				}
 			else if (strcmp(*argv,"-engine") == 0)
 				{
 				if (--argc < 1) goto end;
 				engine= *(++argv);
 				}
 			else if (strcmp(*argv,"-help") == 0)
 				goto end;
 			else if (strcmp(*argv,"-issuer_checks") == 0)
 				issuer_checks=1;
 			else if (strcmp(*argv,"-verbose") == 0)
 				v_verbose=1;
 			else if (argv[0][0] == '-')
@@ -147,6 +162,24 @@ int MAIN(int argc, char **argv)
 			break;
 		}
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto end;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	lookup=X509_STORE_add_lookup(cert_ctx,X509_LOOKUP_file());
 	if (lookup == NULL) abort();
 	if (CAfile) {
@@ -179,14 +212,22 @@ int MAIN(int argc, char **argv)
 		}
 	}
-	if (argc < 1) check(cert_ctx, NULL, untrusted, purpose);
+	if(trustfile) {
 		if(!(trusted = load_untrusted(trustfile))) {
 			BIO_printf(bio_err, "Error loading untrusted file %s\n", trustfile);
 			ERR_print_errors(bio_err);
 			goto end;
 		}
 	}
 	if (argc < 1) check(cert_ctx, NULL, untrusted, trusted, purpose);
 	else
 		for (i=0; i<argc; i++)
-			check(cert_ctx,argv[i], untrusted, purpose);
+			check(cert_ctx,argv[i], untrusted, trusted, purpose);
 	ret=0;
 end:
 	if (ret == 1) {
-		BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] cert1 cert2 ...\n");
+		BIO_printf(bio_err,"usage: verify [-verbose] [-CApath path] [-CAfile file] [-purpose purpose] [-engine e] cert1 cert2 ...\n");
 		BIO_printf(bio_err,"recognized usages:\n");
 		for(i = 0; i < X509_PURPOSE_get_count(); i++) {
 			X509_PURPOSE *ptmp;
@@ -197,10 +238,11 @@ end:
 	}
 	if (cert_ctx != NULL) X509_STORE_free(cert_ctx);
 	sk_X509_pop_free(untrusted, X509_free);
 	sk_X509_pop_free(trusted, X509_free);
 	EXIT(ret);
 	}
-static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, int purpose)
+static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, STACK_OF(X509) *tchain, int purpose)
 	{
 	X509 *x=NULL;
 	BIO *in=NULL;
@@ -242,7 +284,10 @@ static int check(X509_STORE *ctx, char *file, STACK_OF(X509) *uchain, int purpos
 		goto end;
 		}
 	X509_STORE_CTX_init(csc,ctx,x,uchain);
 	if(tchain) X509_STORE_CTX_trusted_stack(csc, tchain);
 	if(purpose >= 0) X509_STORE_CTX_set_purpose(csc, purpose);
 	if(issuer_checks)
 		X509_STORE_CTX_set_flags(csc, X509_V_FLAG_CB_ISSUER_CHECK);
 	i=X509_verify_cert(csc);
 	X509_STORE_CTX_free(csc);
--- a/apps/winrand.c
+++ b/apps/winrand.c
@@ -0,0 +1,149 @@
 /* apps/winrand.c */
 /* ====================================================================
 * Copyright (c) 1998-2000 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    openssl-core@openssl.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
 /* Usage: winrand [filename]
 *
 * Collects entropy from mouse movements and other events and writes
 * random data to filename or .rnd
 */
 #include <windows.h>
 #include <openssl/opensslv.h>
 #include <openssl/rand.h>
 LRESULT CALLBACK WndProc(HWND, UINT, WPARAM, LPARAM);
 const char *filename;
 int WINAPI WinMain(HINSTANCE hInstance, HINSTANCE hPrevInstance,
        PSTR cmdline, int iCmdShow)
 	{
 	static char appname[] = "OpenSSL";
 	HWND hwnd;
 	MSG msg;
 	WNDCLASSEX wndclass;
        char buffer[200];
        if (cmdline[0] == '\0')
                filename = RAND_file_name(buffer, sizeof buffer);
        else
                filename = cmdline;
        RAND_load_file(filename, -1);
 	wndclass.cbSize = sizeof(wndclass);
 	wndclass.style = CS_HREDRAW | CS_VREDRAW;
 	wndclass.lpfnWndProc = WndProc;
 	wndclass.cbClsExtra = 0;
 	wndclass.cbWndExtra = 0;
 	wndclass.hInstance = hInstance;
 	wndclass.hIcon = LoadIcon(NULL, IDI_APPLICATION);
 	wndclass.hCursor = LoadCursor(NULL, IDC_ARROW);
 	wndclass.hbrBackground = (HBRUSH) GetStockObject(WHITE_BRUSH);
 	wndclass.lpszMenuName = NULL;
        wndclass.lpszClassName = appname;
 	wndclass.hIconSm = LoadIcon(NULL, IDI_APPLICATION);
 	RegisterClassEx(&wndclass);
        hwnd = CreateWindow(appname, OPENSSL_VERSION_TEXT,
 		WS_OVERLAPPEDWINDOW, CW_USEDEFAULT, CW_USEDEFAULT,
 		CW_USEDEFAULT, CW_USEDEFAULT, NULL, NULL, hInstance, NULL);
 	ShowWindow(hwnd, iCmdShow);
 	UpdateWindow(hwnd);
 	while (GetMessage(&msg, NULL, 0, 0))
 		{
 		TranslateMessage(&msg);
 		DispatchMessage(&msg);
 		}
 	return msg.wParam;
 	}
 LRESULT CALLBACK WndProc(HWND hwnd, UINT iMsg, WPARAM wParam, LPARAM lParam)
 	{
        HDC hdc;
 	PAINTSTRUCT ps;
        RECT rect;
        char buffer[200];
        static int seeded = 0;
 	switch (iMsg)
 		{
 	case WM_PAINT:
 		hdc = BeginPaint(hwnd, &ps);
 		GetClientRect(hwnd, &rect);
                DrawText(hdc, "Seeding the PRNG. Please move the mouse!", -1,
 			&rect, DT_SINGLELINE | DT_CENTER | DT_VCENTER);
 		EndPaint(hwnd, &ps);
 		return 0;
        case WM_DESTROY:
                PostQuitMessage(0);
                return 0;
                }
        if (RAND_event(iMsg, wParam, lParam) == 1 && seeded == 0)
                {
                seeded = 1;
                if (RAND_write_file(filename) <= 0)
                        MessageBox(hwnd, "Couldn't write random file!",
 				"OpenSSL", MB_OK | MB_ICONERROR);
                PostQuitMessage(0);
                }
 	return DefWindowProc(hwnd, iMsg, wParam, lParam);
 	}
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -73,6 +73,7 @@
 #include <openssl/x509v3.h>
 #include <openssl/objects.h>
 #include <openssl/pem.h>
 #include <openssl/engine.h>
 #undef PROG
 #define PROG x509_main
@@ -81,8 +82,6 @@
 #define	POSTFIX	".srl"
 #define DEF_DAYS	30
 #define CERT_HDR	"certificate"
 static char *x509_usage[]={
 "usage: x509 args\n",
 " -inform arg     - input format - default PEM (one of DER, NET or PEM)\n",
@@ -97,6 +96,7 @@ static char *x509_usage[]={
 " -hash           - print hash value\n",
 " -subject        - print subject DN\n",
 " -issuer         - print issuer DN\n",
 " -email          - print email address(es)\n",
 " -startdate      - notBefore field\n",
 " -enddate        - notAfter field\n",
 " -purpose        - print out certificate purposes\n",
@@ -113,6 +113,8 @@ static char *x509_usage[]={
 " -addreject arg  - reject certificate for a given purpose\n",
 " -setalias arg   - set certificate alias\n",
 " -days arg       - How long till expiry of a signed certificate - def 30 days\n",
 " -checkend arg   - check whether the cert expires in the next arg seconds\n",
 "                   exit 1 if so, 0 if not\n",
 " -signkey arg    - self sign cert with arg\n",
 " -x509toreq      - output a certification request object\n",
 " -req            - input is a certificate request, sign and output.\n",
@@ -126,13 +128,13 @@ static char *x509_usage[]={
 " -md2/-md5/-sha1/-mdc2 - digest to use\n",
 " -extfile        - configuration file with X509V3 extensions to add\n",
 " -extensions     - section from config file with X509V3 extensions to add\n",
-" -crlext         - delete extensions before signing and input certificate\n",
+" -clrext         - delete extensions before signing and input certificate\n",
 " -nameopt arg    - various certificate name options\n",
 " -engine e       - use engine e, possibly a hardware device.\n",
 NULL
 };
 static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx);
 static EVP_PKEY *load_key(char *file, int format, char *passin);
 static X509 *load_cert(char *file, int format);
 static int sign (X509 *x, EVP_PKEY *pkey,int days,int clrext, const EVP_MD *digest,
 						LHASH *conf, char *section);
 static int x509_certify (X509_STORE *ctx,char *CAfile,const EVP_MD *digest,
@@ -145,6 +147,7 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 	int ret=1;
 	X509_REQ *req=NULL;
 	X509 *x=NULL,*xca=NULL;
@@ -159,7 +162,7 @@ int MAIN(int argc, char **argv)
 	char *CAkeyfile=NULL,*CAserial=NULL;
 	char *alias=NULL;
 	int text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0;
-	int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0;
+	int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0;
 	int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
 	int C=0;
 	int x509req=0,days=DEF_DAYS,modulus=0,pubkey=0;
@@ -173,6 +176,9 @@ int MAIN(int argc, char **argv)
 	LHASH *extconf = NULL;
 	char *extsect = NULL, *extfile = NULL, *passin = NULL, *passargin = NULL;
 	int need_rand = 0;
 	int checkend=0,checkoffset=0;
 	unsigned long nmflag = 0;
 	char *engine=NULL;
 	reqfile=0;
@@ -181,6 +187,12 @@ int MAIN(int argc, char **argv)
 	if (bio_err == NULL)
 		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
 	STDout=BIO_new_fp(stdout,BIO_NOCLOSE);
 #ifdef VMS
 	{
 	BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 	STDout = BIO_push(tmpbio, STDout);
 	}
 #endif
 	informat=FORMAT_PEM;
 	outformat=FORMAT_PEM;
@@ -289,24 +301,26 @@ int MAIN(int argc, char **argv)
 		else if (strcmp(*argv,"-addtrust") == 0)
 			{
 			if (--argc < 1) goto bad;
-			if(!(objtmp = OBJ_txt2obj(*(++argv), 0))) {
+			if (!(objtmp = OBJ_txt2obj(*(++argv), 0)))
 				{
 				BIO_printf(bio_err,
 					"Invalid trust object value %s\n", *argv);
 				goto bad;
-			}
+				}
-			if(!trust) trust = sk_ASN1_OBJECT_new_null();
+			if (!trust) trust = sk_ASN1_OBJECT_new_null();
 			sk_ASN1_OBJECT_push(trust, objtmp);
 			trustout = 1;
 			}
 		else if (strcmp(*argv,"-addreject") == 0)
 			{
 			if (--argc < 1) goto bad;
-			if(!(objtmp = OBJ_txt2obj(*(++argv), 0))) {
+			if (!(objtmp = OBJ_txt2obj(*(++argv), 0)))
 				{
 				BIO_printf(bio_err,
 					"Invalid reject object value %s\n", *argv);
 				goto bad;
-			}
+				}
-			if(!reject) reject = sk_ASN1_OBJECT_new_null();
+			if (!reject) reject = sk_ASN1_OBJECT_new_null();
 			sk_ASN1_OBJECT_push(reject, objtmp);
 			trustout = 1;
 			}
@@ -316,14 +330,26 @@ int MAIN(int argc, char **argv)
 			alias= *(++argv);
 			trustout = 1;
 			}
 		else if (strcmp(*argv,"-nameopt") == 0)
 			{
 			if (--argc < 1) goto bad;
 			if (!set_name_ex(&nmflag, *(++argv))) goto bad;
 			}
 		else if (strcmp(*argv,"-setalias") == 0)
 			{
 			if (--argc < 1) goto bad;
 			alias= *(++argv);
 			trustout = 1;
 			}
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 		else if (strcmp(*argv,"-C") == 0)
 			C= ++num;
 		else if (strcmp(*argv,"-email") == 0)
 			email= ++num;
 		else if (strcmp(*argv,"-serial") == 0)
 			serial= ++num;
 		else if (strcmp(*argv,"-modulus") == 0)
@@ -353,6 +379,12 @@ int MAIN(int argc, char **argv)
 			startdate= ++num;
 		else if (strcmp(*argv,"-enddate") == 0)
 			enddate= ++num;
 		else if (strcmp(*argv,"-checkend") == 0)
 			{
 			if (--argc < 1) goto bad;
 			checkoffset=atoi(*(++argv));
 			checkend=1;
 			}
 		else if (strcmp(*argv,"-noout") == 0)
 			noout= ++num;
 		else if (strcmp(*argv,"-trustout") == 0)
@@ -365,8 +397,15 @@ int MAIN(int argc, char **argv)
 			aliasout= ++num;
 		else if (strcmp(*argv,"-CAcreateserial") == 0)
 			CA_createserial= ++num;
-		else if (strcmp(*argv,"-crlext") == 0)
+		else if (strcmp(*argv,"-clrext") == 0)
 			clrext = 1;
 #if 1 /* stay backwards-compatible with 0.9.5; this should go away soon */
 		else if (strcmp(*argv,"-crlext") == 0)
 			{
 			BIO_printf(bio_err,"use -clrext instead of -crlext\n");
 			clrext = 1;
 			}
 #endif
 		else if ((md_alg=EVP_get_digestbyname(*argv + 1)))
 			{
 			/* ok */
@@ -390,15 +429,34 @@ bad:
 		goto end;
 		}
 	if (engine != NULL)
 		{
 		if((e = ENGINE_by_id(engine)) == NULL)
 			{
 			BIO_printf(bio_err,"invalid engine \"%s\"\n",
 				engine);
 			goto end;
 			}
 		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
 			{
 			BIO_printf(bio_err,"can't use that engine\n");
 			goto end;
 			}
 		BIO_printf(bio_err,"engine \"%s\" set.\n", engine);
 		/* Free our "structural" reference. */
 		ENGINE_free(e);
 		}
 	if (need_rand)
 		app_RAND_load_file(NULL, bio_err, 0);
 	ERR_load_crypto_strings();
-	if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
+	if (!app_passwd(bio_err, passargin, NULL, &passin, NULL))
 		{
 		BIO_printf(bio_err, "Error getting password\n");
 		goto end;
-	}
+		}
 	if (!X509_STORE_set_default_paths(ctx))
 		{
@@ -414,10 +472,12 @@ bad:
 		goto end;
 		}
-	if (extfile) {
+	if (extfile)
 		{
 		long errorline;
 		X509V3_CTX ctx2;
-		if (!(extconf=CONF_load(NULL,extfile,&errorline))) {
+		if (!(extconf=CONF_load(NULL,extfile,&errorline)))
 			{
 			if (errorline <= 0)
 				BIO_printf(bio_err,
 					"error loading the config file '%s'\n",
@@ -427,19 +487,20 @@ bad:
 				       "error on line %ld of config file '%s'\n"
 							,errorline,extfile);
 			goto end;
-		}
+			}
-		if(!extsect && !(extsect = CONF_get_string(extconf, "default",
+		if (!extsect && !(extsect = CONF_get_string(extconf, "default",
 					 "extensions"))) extsect = "default";
 		X509V3_set_ctx_test(&ctx2);
 		X509V3_set_conf_lhash(&ctx2, extconf);
-		if(!X509V3_EXT_add_conf(extconf, &ctx2, extsect, NULL)) {
+		if (!X509V3_EXT_add_conf(extconf, &ctx2, extsect, NULL))
 			{
 			BIO_printf(bio_err,
 				"Error Loading extension section %s\n",
 								 extsect);
 			ERR_print_errors(bio_err);
 			goto end;
-                }
+			}
-	} 
+		}
 	if (reqfile)
@@ -467,13 +528,18 @@ bad:
 			if (BIO_read_filename(in,infile) <= 0)
 				{
 				perror(infile);
 				BIO_free(in);
 				goto end;
 				}
 			}
 		req=PEM_read_bio_X509_REQ(in,NULL,NULL,NULL);
 		BIO_free(in);
-		if (req == NULL) { perror(infile); goto end; }
+		if (req == NULL)
 			{
 			ERR_print_errors(bio_err);
 			goto end;
 			}
 		if (	(req->req_info == NULL) ||
 			(req->req_info->pubkey == NULL) ||
@@ -504,9 +570,8 @@ bad:
 			}
 		else
 			BIO_printf(bio_err,"Signature ok\n");
-		
+
-		X509_NAME_oneline(req->req_info->subject,buf,256);
+		print_name(bio_err, "subject=", X509_REQ_get_subject_name(req), nmflag);
 		BIO_printf(bio_err,"subject=%s\n",buf);
 		if ((x=X509_new()) == NULL) goto end;
 		ci=x->cert_info;
@@ -523,12 +588,12 @@ bad:
 		EVP_PKEY_free(pkey);
 		}
 	else
-		x=load_cert(infile,informat);
+		x=load_cert(bio_err,infile,informat);
 	if (x == NULL) goto end;
 	if (CA_flag)
 		{
-		xca=load_cert(CAfile,CAformat);
+		xca=load_cert(bio_err,CAfile,CAformat);
 		if (xca == NULL) goto end;
 		}
@@ -544,7 +609,15 @@ bad:
 			goto end;
 			}
 		if (outfile == NULL)
 			{
 			BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef VMS
 			{
 			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 			out = BIO_push(tmpbio, out);
 			}
 #endif
 			}
 		else
 			{
 			if (BIO_write_filename(out,outfile) <= 0)
@@ -555,24 +628,28 @@ bad:
 			}
 		}
-	if(alias) X509_alias_set1(x, (unsigned char *)alias, -1);
+	if (alias) X509_alias_set1(x, (unsigned char *)alias, -1);
-	if(clrtrust) X509_trust_clear(x);
+	if (clrtrust) X509_trust_clear(x);
-	if(clrreject) X509_reject_clear(x);
+	if (clrreject) X509_reject_clear(x);
-	if(trust) {
+	if (trust)
-		for(i = 0; i < sk_ASN1_OBJECT_num(trust); i++) {
+		{
 		for (i = 0; i < sk_ASN1_OBJECT_num(trust); i++)
 			{
 			objtmp = sk_ASN1_OBJECT_value(trust, i);
 			X509_add1_trust_object(x, objtmp);
 			}
 		}
 	}
-	if(reject) {
+	if (reject)
-		for(i = 0; i < sk_ASN1_OBJECT_num(reject); i++) {
+		{
 		for (i = 0; i < sk_ASN1_OBJECT_num(reject); i++)
 			{
 			objtmp = sk_ASN1_OBJECT_value(reject, i);
 			X509_add1_reject_object(x, objtmp);
 			}
 		}
 	}
 	if (num)
 		{
@@ -580,15 +657,13 @@ bad:
 			{
 			if (issuer == i)
 				{
-				X509_NAME_oneline(X509_get_issuer_name(x),
+				print_name(STDout, "issuer= ",
-					buf,256);
+					X509_get_issuer_name(x), nmflag);
 				BIO_printf(STDout,"issuer= %s\n",buf);
 				}
 			else if (subject == i) 
 				{
-				X509_NAME_oneline(X509_get_subject_name(x),
+				print_name(STDout, "subject= ",
-					buf,256);
+					X509_get_subject_name(x), nmflag);
 				BIO_printf(STDout,"subject=%s\n",buf);
 				}
 			else if (serial == i)
 				{
@@ -596,11 +671,20 @@ bad:
 				i2a_ASN1_INTEGER(STDout,x->cert_info->serialNumber);
 				BIO_printf(STDout,"\n");
 				}
 			else if (email == i) 
 				{
 				int j;
 				STACK *emlst;
 				emlst = X509_get1_email(x);
 				for (j = 0; j < sk_num(emlst); j++)
 					BIO_printf(STDout, "%s\n", sk_value(emlst, j));
 				X509_email_free(emlst);
 				}
 			else if (aliasout == i)
 				{
 				unsigned char *alstr;
 				alstr = X509_alias_get0(x, NULL);
-				if(alstr) BIO_printf(STDout,"%s\n", alstr);
+				if (alstr) BIO_printf(STDout,"%s\n", alstr);
 				else BIO_puts(STDout,"<No Alias>\n");
 				}
 			else if (hash == i)
@@ -612,7 +696,7 @@ bad:
 				X509_PURPOSE *ptmp;
 				int j;
 				BIO_printf(STDout, "Certificate purposes:\n");
-				for(j = 0; j < X509_PURPOSE_get_count(); j++)
+				for (j = 0; j < X509_PURPOSE_get_count(); j++)
 					{
 					ptmp = X509_PURPOSE_get0(j);
 					purpose_print(STDout, x, ptmp);
@@ -675,7 +759,7 @@ bad:
 				BIO_printf(STDout,"/* issuer :%s */\n",buf);
 				z=i2d_X509(x,NULL);
-				m=Malloc(z);
+				m=OPENSSL_malloc(z);
 				d=(unsigned char *)m;
 				z=i2d_X509_NAME(X509_get_subject_name(x),&d);
@@ -713,7 +797,7 @@ bad:
 				if (y%16 != 0) BIO_printf(STDout,"\n");
 				BIO_printf(STDout,"};\n");
-				Free(m);
+				OPENSSL_free(m);
 				}
 			else if (text == i)
 				{
@@ -758,7 +842,8 @@ bad:
 				BIO_printf(bio_err,"Getting Private key\n");
 				if (Upkey == NULL)
 					{
-					Upkey=load_key(keyfile,keyformat, passin);
+					Upkey=load_key(bio_err,
 						keyfile,keyformat, passin);
 					if (Upkey == NULL) goto end;
 					}
 #ifndef NO_DSA
@@ -775,7 +860,8 @@ bad:
 				BIO_printf(bio_err,"Getting CA Private Key\n");
 				if (CAkeyfile != NULL)
 					{
-					CApkey=load_key(CAkeyfile,CAkeyformat, passin);
+					CApkey=load_key(bio_err,
 						CAkeyfile,CAkeyformat, passin);
 					if (CApkey == NULL) goto end;
 					}
 #ifndef NO_DSA
@@ -801,14 +887,17 @@ bad:
 					}
 				else
 					{
-					pk=load_key(keyfile,FORMAT_PEM, passin);
+					pk=load_key(bio_err,
 						keyfile,FORMAT_PEM, passin);
 					if (pk == NULL) goto end;
 					}
 				BIO_printf(bio_err,"Generating certificate request\n");
 #ifndef NO_DSA
 		                if (pk->type == EVP_PKEY_DSA)
 		                        digest=EVP_dss1();
 #endif
 				rq=X509_to_X509_REQ(x,pk,digest);
 				EVP_PKEY_free(pk);
@@ -827,6 +916,23 @@ bad:
 			}
 		}
 	if (checkend)
 		{
 		time_t tnow=time(NULL);
 		if (ASN1_UTCTIME_cmp_time_t(X509_get_notAfter(x), tnow+checkoffset) == -1)
 			{
 			BIO_printf(out,"Certificate will expire\n");
 			ret=1;
 			}
 		else
 			{
 			BIO_printf(out,"Certificate will not expire\n");
 			ret=0;
 			}
 		goto end;
 		}
 	if (noout)
 		{
 		ret=0;
@@ -835,16 +941,18 @@ bad:
 	if 	(outformat == FORMAT_ASN1)
 		i=i2d_X509_bio(out,x);
-	else if (outformat == FORMAT_PEM) {
+	else if (outformat == FORMAT_PEM)
-		if(trustout) i=PEM_write_bio_X509_AUX(out,x);
+		{
 		if (trustout) i=PEM_write_bio_X509_AUX(out,x);
 		else i=PEM_write_bio_X509(out,x);
-	} else if (outformat == FORMAT_NETSCAPE)
+		}
 	else if (outformat == FORMAT_NETSCAPE)
 		{
 		ASN1_HEADER ah;
 		ASN1_OCTET_STRING os;
-		os.data=(unsigned char *)CERT_HDR;
+		os.data=(unsigned char *)NETSCAPE_CERT_HDR;
-		os.length=strlen(CERT_HDR);
+		os.length=strlen(NETSCAPE_CERT_HDR);
 		ah.header= &os;
 		ah.data=(char *)x;
 		ah.meth=X509_asn1_meth();
@@ -856,7 +964,8 @@ bad:
 		BIO_printf(bio_err,"bad output format specified for outfile\n");
 		goto end;
 		}
-	if (!i) {
+	if (!i)
 		{
 		BIO_printf(bio_err,"unable to write certificate\n");
 		ERR_print_errors(bio_err);
 		goto end;
@@ -867,8 +976,8 @@ end:
 		app_RAND_write_file(NULL, bio_err);
 	OBJ_cleanup();
 	CONF_free(extconf);
-	BIO_free(out);
+	BIO_free_all(out);
-	BIO_free(STDout);
+	BIO_free_all(STDout);
 	X509_STORE_free(ctx);
 	X509_REQ_free(req);
 	X509_free(x);
@@ -878,7 +987,7 @@ end:
 	X509_REQ_free(rq);
 	sk_ASN1_OBJECT_pop_free(trust, ASN1_OBJECT_free);
 	sk_ASN1_OBJECT_pop_free(reject, ASN1_OBJECT_free);
-	if(passin) Free(passin);
+	if (passin) OPENSSL_free(passin);
 	EXIT(ret);
 	}
@@ -900,7 +1009,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
 	EVP_PKEY_free(upkey);
 	X509_STORE_CTX_init(&xsc,ctx,x,NULL);
-	buf=Malloc(EVP_PKEY_size(pkey)*2+
+	buf=OPENSSL_malloc(EVP_PKEY_size(pkey)*2+
 		((serialfile == NULL)
 			?(strlen(CAfile)+strlen(POSTFIX)+1)
 			:(strlen(serialfile)))+1);
@@ -1005,17 +1114,19 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
 	if (X509_gmtime_adj(X509_get_notAfter(x),(long)60*60*24*days) == NULL)
 		goto end;
-	if(clrext) {
+	if (clrext)
-		while(X509_get_ext_count(x) > 0) X509_delete_ext(x, 0);
+		{
-	}
+		while (X509_get_ext_count(x) > 0) X509_delete_ext(x, 0);
 		}
-	if(conf) {
+	if (conf)
 		{
 		X509V3_CTX ctx2;
 		X509_set_version(x,2); /* version 3 certificate */
                X509V3_set_ctx(&ctx2, xca, x, NULL, NULL, 0);
                X509V3_set_conf_lhash(&ctx2, conf);
-                if(!X509V3_EXT_add_conf(conf, &ctx2, section, x)) goto end;
+                if (!X509V3_EXT_add_conf(conf, &ctx2, section, x)) goto end;
-	}
+		}
 	if (!X509_sign(x,pkey,digest)) goto end;
 	ret=1;
@@ -1023,16 +1134,15 @@ end:
 	X509_STORE_CTX_cleanup(&xsc);
 	if (!ret)
 		ERR_print_errors(bio_err);
-	if (buf != NULL) Free(buf);
+	if (buf != NULL) OPENSSL_free(buf);
 	if (bs != NULL) ASN1_INTEGER_free(bs);
 	if (io != NULL)	BIO_free(io);
 	if (serial != NULL) BN_free(serial);
-	return(ret);
+	return ret;
 	}
 static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx)
 	{
 	char buf[256];
 	int err;
 	X509 *err_cert;
@@ -1041,7 +1151,7 @@ static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx)
 	 * final ok == 1 calls to this function */
 	err=X509_STORE_CTX_get_error(ctx);
 	if (err == X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT)
-		return(1);
+		return 1;
 	/* BAD we should have gotten an error.  Normally if everything
 	 * worked X509_STORE_CTX_get_error(ctx) will still be set to
@@ -1049,147 +1159,19 @@ static int MS_CALLBACK callb(int ok, X509_STORE_CTX *ctx)
 	if (ok)
 		{
 		BIO_printf(bio_err,"error with certificate to be certified - should be self signed\n");
-		return(0);
+		return 0;
 		}
 	else
 		{
 		err_cert=X509_STORE_CTX_get_current_cert(ctx);
-		X509_NAME_oneline(X509_get_subject_name(err_cert),buf,256);
+		print_name(bio_err, NULL, X509_get_subject_name(err_cert),0);
 		BIO_printf(bio_err,"%s\n",buf);
 		BIO_printf(bio_err,"error with certificate - error %d at depth %d\n%s\n",
 			err,X509_STORE_CTX_get_error_depth(ctx),
 			X509_verify_cert_error_string(err));
-		return(1);
+		return 1;
 		}
 	}
 static EVP_PKEY *load_key(char *file, int format, char *passin)
 	{
 	BIO *key=NULL;
 	EVP_PKEY *pkey=NULL;
 	if (file == NULL)
 		{
 		BIO_printf(bio_err,"no keyfile specified\n");
 		goto end;
 		}
 	key=BIO_new(BIO_s_file());
 	if (key == NULL)
 		{
 		ERR_print_errors(bio_err);
 		goto end;
 		}
 	if (BIO_read_filename(key,file) <= 0)
 		{
 		perror(file);
 		goto end;
 		}
 	if (format == FORMAT_ASN1)
 		{
 		pkey=d2i_PrivateKey_bio(key, NULL);
 		}
 	else if (format == FORMAT_PEM)
 		{
 		pkey=PEM_read_bio_PrivateKey(key,NULL,NULL,passin);
 		}
 	else
 		{
 		BIO_printf(bio_err,"bad input format specified for key\n");
 		goto end;
 		}
 end:
 	if (key != NULL) BIO_free(key);
 	if (pkey == NULL)
 		BIO_printf(bio_err,"unable to load Private Key\n");
 	return(pkey);
 	}
 static X509 *load_cert(char *file, int format)
 	{
 	ASN1_HEADER *ah=NULL;
 	BUF_MEM *buf=NULL;
 	X509 *x=NULL;
 	BIO *cert;
 	if ((cert=BIO_new(BIO_s_file())) == NULL)
 		{
 		ERR_print_errors(bio_err);
 		goto end;
 		}
 	if (file == NULL)
 		BIO_set_fp(cert,stdin,BIO_NOCLOSE);
 	else
 		{
 		if (BIO_read_filename(cert,file) <= 0)
 			{
 			perror(file);
 			goto end;
 			}
 		}
 	if 	(format == FORMAT_ASN1)
 		x=d2i_X509_bio(cert,NULL);
 	else if (format == FORMAT_NETSCAPE)
 		{
 		unsigned char *p,*op;
 		int size=0,i;
 		/* We sort of have to do it this way because it is sort of nice
 		 * to read the header first and check it, then
 		 * try to read the certificate */
 		buf=BUF_MEM_new();
 		for (;;)
 			{
 			if ((buf == NULL) || (!BUF_MEM_grow(buf,size+1024*10)))
 				goto end;
 			i=BIO_read(cert,&(buf->data[size]),1024*10);
 			size+=i;
 			if (i == 0) break;
 			if (i < 0)
 				{
 				perror("reading certificate");
 				goto end;
 				}
 			}
 		p=(unsigned char *)buf->data;
 		op=p;
 		/* First load the header */
 		if ((ah=d2i_ASN1_HEADER(NULL,&p,(long)size)) == NULL)
 			goto end;
 		if ((ah->header == NULL) || (ah->header->data == NULL) ||
 			(strncmp(CERT_HDR,(char *)ah->header->data,
 			ah->header->length) != 0))
 			{
 			BIO_printf(bio_err,"Error reading header on certificate\n");
 			goto end;
 			}
 		/* header is ok, so now read the object */
 		p=op;
 		ah->meth=X509_asn1_meth();
 		if ((ah=d2i_ASN1_HEADER(&ah,&p,(long)size)) == NULL)
 			goto end;
 		x=(X509 *)ah->data;
 		ah->data=NULL;
 		}
 	else if (format == FORMAT_PEM)
 		x=PEM_read_bio_X509_AUX(cert,NULL,NULL,NULL);
 	else	{
 		BIO_printf(bio_err,"bad input format specified for input cert\n");
 		goto end;
 		}
 end:
 	if (x == NULL)
 		{
 		BIO_printf(bio_err,"unable to load certificate\n");
 		ERR_print_errors(bio_err);
 		}
 	if (ah != NULL) ASN1_HEADER_free(ah);
 	if (cert != NULL) BIO_free(cert);
 	if (buf != NULL) BUF_MEM_free(buf);
 	return(x);
 	}
 /* self sign */
 static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *digest, 
 						LHASH *conf, char *section)
@@ -1213,21 +1195,23 @@ static int sign(X509 *x, EVP_PKEY *pkey, int days, int clrext, const EVP_MD *dig
 		goto err;
 	if (!X509_set_pubkey(x,pkey)) goto err;
-	if(clrext) {
+	if (clrext)
-		while(X509_get_ext_count(x) > 0) X509_delete_ext(x, 0);
+		{
-	}
+		while (X509_get_ext_count(x) > 0) X509_delete_ext(x, 0);
-	if(conf) {
+		}
 	if (conf)
 		{
 		X509V3_CTX ctx;
 		X509_set_version(x,2); /* version 3 certificate */
                X509V3_set_ctx(&ctx, x, x, NULL, NULL, 0);
                X509V3_set_conf_lhash(&ctx, conf);
-                if(!X509V3_EXT_add_conf(conf, &ctx, section, x)) goto err;
+                if (!X509V3_EXT_add_conf(conf, &ctx, section, x)) goto err;
-	}
+		}
 	if (!X509_sign(x,pkey,digest)) goto err;
-	return(1);
+	return 1;
 err:
 	ERR_print_errors(bio_err);
-	return(0);
+	return 0;
 	}
 static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt)
@@ -1236,13 +1220,14 @@ static int purpose_print(BIO *bio, X509 *cert, X509_PURPOSE *pt)
 	char *pname;
 	id = X509_PURPOSE_get_id(pt);
 	pname = X509_PURPOSE_get0_name(pt);
-	for(i = 0; i < 2; i++) {
+	for (i = 0; i < 2; i++)
 		{
 		idret = X509_check_purpose(cert, id, i);
 		BIO_printf(bio, "%s%s : ", pname, i ? " CA" : ""); 
-		if(idret == 1) BIO_printf(bio, "Yes\n");
+		if (idret == 1) BIO_printf(bio, "Yes\n");
 		else if (idret == 0) BIO_printf(bio, "No\n");
 		else BIO_printf(bio, "Yes (WARNING code=%d)\n", idret);
-	}
+		}
 	return 1;
 }
--- a/certs/expired/rsa-ssca.pem
+++ b/certs/expired/rsa-ssca.pem
--- a/180
+++ b/180
@@ -49,10 +49,18 @@ if [ "x$XREL" != "x" ]; then
 		echo "whatever-whatever-sco5"; exit 0
 		;;
 	    4.2MP)
-		if [ "x$VERSION" = "x2.1.1" ]; then
+		if [ "x$VERSION" = "x2.01" ]; then
 		    echo "${MACHINE}-whatever-unixware201"; exit 0
 		elif [ "x$VERSION" = "x2.02" ]; then
 		    echo "${MACHINE}-whatever-unixware202"; exit 0
 		elif [ "x$VERSION" = "x2.03" ]; then
 		    echo "${MACHINE}-whatever-unixware203"; exit 0
 		elif [ "x$VERSION" = "x2.1.1" ]; then
 		    echo "${MACHINE}-whatever-unixware211"; exit 0
 		elif [ "x$VERSION" = "x2.1.2" ]; then
 		    echo "${MACHINE}-whatever-unixware212"; exit 0
 		elif [ "x$VERSION" = "x2.1.3" ]; then
 		    echo "${MACHINE}-whatever-unixware213"; exit 0
 		else
 		    echo "${MACHINE}-whatever-unixware2"; exit 0
 		fi
@@ -60,6 +68,11 @@ if [ "x$XREL" != "x" ]; then
 	    4.2)
 		echo "whatever-whatever-unixware1"; exit 0
 		;;
     OpenUNIX)
 		if [ "`echo x$VERSION | sed -e 's/\..*//'`" = "x8" ]; then
 		    echo "${MACHINE}-unknown-OpenUNIX${VERSION}"; exit 0
 		fi
 		;;
 	    5)
 		if [ "`echo x$VERSION | sed -e 's/\..*//'`" = "x7" ]; then
 		    echo "${MACHINE}-sco-unixware7"; exit 0
@@ -71,10 +84,22 @@ fi
 # Now we simply scan though... In most cases, the SYSTEM info is enough
 #
 case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
    MPE/iX:*)
 	MACHINE=`echo "$MACHINE" | sed -e 's/-/_/g'`
 	echo "parisc-hp-MPE/iX"; exit 0
 	;;
    A/UX:*)
 	echo "m68k-apple-aux3"; exit 0
 	;;
    AIX:[3456789]:4:*)
 	echo "${MACHINE}-ibm-aix43"; exit 0
 	;;
    AIX:*:[56789]:*)
 	echo "${MACHINE}-ibm-aix43"; exit 0
 	;;
    AIX:*)
 	echo "${MACHINE}-ibm-aix"; exit 0
 	;;
@@ -164,7 +189,7 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
        ;;
    NetBSD:*:*:*386*)
-        echo "`sysctl -n hw.model | sed 's,.*\(.\)86-class.*,i\186,'`-whateve\r-netbsd"; exit 0
+        echo "`(/usr/sbin/sysctl -n hw.model || /sbin/sysctl -n hw.model) | sed 's,.*\(.\)86-class.*,i\186,'`-whatever-netbsd"; exit 0
 	;;
    NetBSD:*)
@@ -175,17 +200,35 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
 	echo "${MACHINE}-whatever-openbsd"; exit 0
 	;;
    OpenUNIX:*)
 	echo "${MACHINE}-unknown-OpenUNIX${VERSION}"; exit 0
 	;;
    OSF1:*:*:*alpha*)
-	echo "${MACHINE}-dec-osf"; exit 0
+	OSFMAJOR=`echo ${RELEASE}| sed -e 's/^V\([0-9]*\)\..*$/\1/'`
 	case "$OSFMAJOR" in
 	    4|5)
 		echo "${MACHINE}-dec-tru64"; exit 0
 		;;
 	    1|2|3)
 		echo "${MACHINE}-dec-osf"; exit 0
 		;;
 	    *)
 		echo "${MACHINE}-dec-osf"; exit 0
 		;;
 	esac
 	;;
    QNX:*)
-	case "$VERSION" in
+	case "$RELEASE" in
-	    423)
+	    4*)
-		echo "${MACHINE}-qssl-qnx32"
+		echo "${MACHINE}-whatever-qnx4"
 		;;
 	    6*)
 		echo "${MACHINE}-whatever-qnx6"
 		;;
 	    *)
-		echo "${MACHINE}-qssl-qnx"
+		echo "${MACHINE}-whatever-qnx"
 		;;
 	esac
 	exit 0
@@ -199,8 +242,12 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
 	echo "ppc-apple-rhapsody"; exit 0
 	;;
    Darwin:*)
 	echo "ppc-apple-darwin"; exit 0
 	;;
    SunOS:5.*)
-	echo "${MACHINE}-sun-solaris2"; exit 0
+	echo "${MACHINE}-whatever-solaris2"; exit 0
 	;;
    SunOS:*)
@@ -247,6 +294,14 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
 	echo "${MACHINE}-v11-${SYSTEM}"; exit 0;
 	;;
    NEWS-OS:4.*)
 	echo "mips-sony-newsos4"; exit 0;
 	;;
    CYGWIN*)
 	echo "${MACHINE}-whatever-cygwin32"; exit 0
 	;;
 esac
 #
@@ -385,10 +440,16 @@ case "$GUESSOS" in
 	;;
  mips4-sgi-irix64)
 	echo "WARNING! If you wish to build 64-bit library, then you have to"
-	echo "         invoke './Configre irix64-mips4-$CC' *manually*."
+	echo "         invoke './Configure irix64-mips4-$CC' *manually*."
-	echo "         Type Ctrl-C if you don't want to continue."
+	echo "         Type return if you want to continue, Ctrl-C to abort."
 	read waste < /dev/tty
-	options="$options -mips4"
+        CPU=`(hinv -t cpu) 2>/dev/null | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
        CPU=${CPU:-0}
        if [ $CPU -ge 5000 ]; then
                options="$options -mips4"
        else
                options="$options -mips3"
        fi
 	OUT="irix-mips3-$CC"
 	;;
  alpha-*-linux2)
@@ -405,40 +466,60 @@ case "$GUESSOS" in
 	    esac
 	fi
 	;;
-  mips-*-linux?) OUT="linux-mips" ;;
+  mips-*-linux?)
          cat >dummy.c <<EOF
 #include <stdio.h>  /* for printf() prototype */
        int main (argc, argv) int argc; char *argv[]; {
 #ifdef __MIPSEB__
  printf ("linux-%s\n", argv[1]);
 #endif
 #ifdef __MIPSEL__
  printf ("linux-%sel\n", argv[1]);
 #endif
  return 0;
 }
 EOF
 	${CC} -o dummy dummy.c && OUT=`./dummy ${MACHINE}`
 	rm dummy dummy.c
 	;;
  ppc-*-linux2) OUT="linux-ppc" ;;
  m68k-*-linux*) OUT="linux-m68k" ;;
  ia64-*-linux?) OUT="linux-ia64" ;;
  ppc-apple-rhapsody) OUT="rhapsody-ppc-cc" ;;
  ppc-apple-darwin) OUT="darwin-ppc-cc" ;;
  sparc64-*-linux2)
 	#Before we can uncomment following lines we have to wait at least
 	#till 64-bit glibc for SPARC is operational:-(
 	#echo "WARNING! If you wish to build 64-bit library, then you have to"
 	#echo "         invoke './Configure linux64-sparcv9' *manually*."
-	#echo "         Type Ctrl-C if you don't want to continue."
+	#echo "         Type return if you want to continue, Ctrl-C to abort."
 	#read waste < /dev/tty
 	OUT="linux-sparcv9" ;;
  sparc-*-linux2)
-	KARCH=`awk '/type/{print$3}' /proc/cpuinfo`
+	KARCH=`awk '/^type/{print$3}' /proc/cpuinfo`
 	case ${KARCH:-sun4} in
 	sun4u*)	OUT="linux-sparcv9" ;;
 	sun4m)	OUT="linux-sparcv8" ;;
 	sun4d)	OUT="linux-sparcv8" ;;
 	*)	OUT="linux-sparcv7" ;;
 	esac ;;
  arm*-*-linux2) OUT="linux-elf-arm" ;;
  s390-*-linux2) OUT="linux-s390" ;;
  *-*-linux2) OUT="linux-elf" ;;
  *-*-linux1) OUT="linux-aout" ;;
-  sun4u*-sun-solaris2)
+  sun4u*-*-solaris2)
 	ISA64=`(isalist) 2>/dev/null | grep sparcv9`
 	if [ "$ISA64" != "" -a "$CC" = "cc" -a $CCVER -ge 50 ]; then
 		echo "WARNING! If you wish to build 64-bit library, then you have to"
 		echo "         invoke './Configure solaris64-sparcv9-cc' *manually*."
-		echo "         Type Ctrl-C if you don't want to continue."
+		echo "         Type return if you want to continue, Ctrl-C to abort."
 		read waste < /dev/tty
 	fi
 	OUT="solaris-sparcv9-$CC" ;;
-  sun4m-sun-solaris2)	OUT="solaris-sparcv8-$CC" ;;
+  sun4m-*-solaris2)	OUT="solaris-sparcv8-$CC" ;;
-  sun4d-sun-solaris2)	OUT="solaris-sparcv8-$CC" ;;
+  sun4d-*-solaris2)	OUT="solaris-sparcv8-$CC" ;;
-  sun4*-sun-solaris2)	OUT="solaris-sparcv7-$CC" ;;
+  sun4*-*-solaris2)	OUT="solaris-sparcv7-$CC" ;;
-  *86*-sun-solaris2) OUT="solaris-x86-$CC" ;;
+  *86*-*-solaris2) OUT="solaris-x86-$CC" ;;
  *-*-sunos4) OUT="sunos-$CC" ;;
  alpha*-*-freebsd*) OUT="FreeBSD-alpha" ;;
  *-freebsd[3-9]*) OUT="FreeBSD-elf" ;;
@@ -451,13 +532,24 @@ case "$GUESSOS" in
  pmax*-*-openbsd) OUT="OpenBSD-mips" ;;
  *-*-openbsd) OUT="OpenBSD" ;;
  *86*-*-bsdi4) OUT="bsdi-elf-gcc" ;;
-  *-*-osf) OUT="alpha-cc" ;;
+  *-*-osf) OUT="alphaold-cc" ;;
  *-*-tru64) OUT="alpha-cc" ;;
  *-*-OpenUNIX*)
 	if [ "$CC" = "gcc" ]; then
 	  OUT="OpenUNIX-8-gcc" 
 	else    
 	  OUT="OpenUNIX-8" 
 	fi
 	;;
  *-*-unixware7) OUT="unixware-7" ;;
  *-*-UnixWare7) OUT="unixware-7" ;;
  *-*-Unixware7) OUT="unixware-7" ;;
-  *-*-unixware[1-2]*) OUT="unixware-2.0" ;;
+  *-*-unixware20*) OUT="unixware-2.0" ;;
-  *-*-UnixWare[1-2]*) OUT="unixware-2.0" ;;
+  *-*-unixware21*) OUT="unixware-2.1" ;;
-  *-*-Unixware[1-2]*) OUT="unixware-2.0" ;;
+  *-*-UnixWare20*) OUT="unixware-2.0" ;;
  *-*-UnixWare21*) OUT="unixware-2.1" ;;
  *-*-Unixware20*) OUT="unixware-2.0" ;;
  *-*-Unixware21*) OUT="unixware-2.1" ;;
  BS2000-siemens-sysv4) OUT="BS2000-OSD" ;;
  RM*-siemens-sysv4) OUT="ReliantUNIX" ;;
  *-siemens-sysv4) OUT="SINIX" ;;
@@ -467,14 +559,33 @@ case "$GUESSOS" in
  # these are all covered by the catchall below
  # *-aix) OUT="aix-$CC" ;;
  # *-dgux) OUT="dgux" ;;
  mips-sony-newsos4) OUT="newsos4-gcc" ;;
  *-*-cygwin32) OUT="CygWin32"
 		options="$options no-threads no-asm" ;;
  *) OUT=`echo $GUESSOS | awk -F- '{print $3}'`;;
 esac
 # NB: This atalla support has been superceded by the ENGINE support
 # That contains its own header and definitions anyway. Support can
 # be enabled or disabled on any supported platform without external
 # headers, eg. by adding the "hw-atalla" switch to ./config or
 # perl Configure
 #
 # See whether we can compile Atalla support
-if [ -f /usr/include/atasi.h ]
+#if [ -f /usr/include/atasi.h ]
-then
+#then
-  options="$options -DATALLA"
+#  options="$options -DATALLA"
-fi
+#fi
 #get some basic shared lib support (behnke@trustcenter.de)
 case "$OUT" in
   solaris-*-gcc)
 	if  [ "$SHARED" = "true" ] 
 	 then
 	  options="$options -DPIC -fPIC"
        fi
     ;;
 esac
 # gcc < 2.8 does not support -mcpu=ultrasparc
 if [ "$OUT" = solaris-sparcv9-gcc -a $GCCVER -lt 28 ]
@@ -490,23 +601,12 @@ then
  sleep 5
  OUT=linux-sparcv8
 fi
 # To start with $OUT is never i86pc-sun-solaris2. Secondly why
 # ban *all* assembler implementation if it can't stand only one,
 # SHA-0 implementation.
 #if [ "$OUT" = "i86pc-sun-solaris2" ]
 #then
 #  ASM=`as -V /dev/null 2>&1`
 #  case "$ASM" in
 #    GNU*) ;;
 #    *) options="$options no-asm" ; echo "WARNING: You need the GNU assembler to use OpenSSL assembler code." ; echo "Sun as is not supported on Solaris x86." ;;
 #  esac
 #fi
 case "$GUESSOS" in
  i386-*) options="$options 386" ;;
 esac
-for i in bf cast des dh dsa hmac md2 md5 mdc2 rc2 rc4 rc5 ripemd rsa sha
+for i in bf cast des dh dsa hmac idea md2 md5 mdc2 rc2 rc4 rc5 ripemd rsa sha
 do
  if [ ! -d crypto/$i ]
  then
--- a/crypto/Makefile.ssl
+++ b/crypto/Makefile.ssl
@@ -27,20 +27,20 @@ LIBS=
 SDIRS=	md2 md5 sha mdc2 hmac ripemd \
 	des rc2 rc4 rc5 idea bf cast \
-	bn rsa dsa dh \
+	bn rsa dsa dh dso engine \
 	buffer bio stack lhash rand err objects \
 	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp
 GENERAL=Makefile README crypto-lib.com install.com
 LIB= $(TOP)/libcrypto.a
-LIBSRC=	cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c
+LIBSRC=	cryptlib.c mem.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c
-LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o
+LIBOBJ= cryptlib.o mem.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o
 SRC= $(LIBSRC)
-EXHEADER= crypto.h tmdiff.h opensslv.h opensslconf.h ebcdic.h
+EXHEADER= crypto.h tmdiff.h opensslv.h opensslconf.h ebcdic.h symhacks.h
-HEADER=	cryptlib.h buildinf.h $(EXHEADER)
+HEADER=	cryptlib.h buildinf.h md32_common.h $(EXHEADER)
 ALL=    $(GENERAL) $(SRC) $(HEADER)
@@ -90,7 +90,8 @@ links:
 lib:	$(LIBOBJ)
 	$(AR) $(LIB) $(LIBOBJ)
-	$(RANLIB) $(LIB)
+	@echo You may get an error following this line.  Please ignore.
 	- $(RANLIB) $(LIB)
 	@touch lib
 libs:
@@ -155,41 +156,48 @@ dclean:
 # DO NOT DELETE THIS LINE -- make depend depends on it.
-cpt_err.o: ../include/openssl/crypto.h ../include/openssl/err.h
+cpt_err.o: ../include/openssl/bio.h ../include/openssl/crypto.h
 cpt_err.o: ../include/openssl/err.h ../include/openssl/lhash.h
 cpt_err.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
-cpt_err.o: ../include/openssl/stack.h
+cpt_err.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 cryptlib.o: ../include/openssl/bio.h ../include/openssl/buffer.h
 cryptlib.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
 cryptlib.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-cryptlib.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+cryptlib.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
-cryptlib.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+cryptlib.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
-cryptlib.o: cryptlib.h
+cryptlib.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
 cversion.o: ../include/openssl/bio.h ../include/openssl/buffer.h
 cversion.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
 cversion.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-cversion.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+cversion.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
-cversion.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+cversion.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
-cversion.o: buildinf.h cryptlib.h
+cversion.o: ../include/openssl/stack.h ../include/openssl/symhacks.h buildinf.h
 cversion.o: cryptlib.h
 ex_data.o: ../include/openssl/bio.h ../include/openssl/buffer.h
 ex_data.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
 ex_data.o: ../include/openssl/e_os2.h ../include/openssl/err.h
 ex_data.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
 ex_data.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
-ex_data.o: ../include/openssl/stack.h cryptlib.h
+ex_data.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
 mem.o: ../include/openssl/bio.h ../include/openssl/buffer.h
 mem.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
 mem.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-mem.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+mem.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
-mem.o: ../include/openssl/safestack.h ../include/openssl/stack.h cryptlib.h
+mem.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
 mem.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
 mem_dbg.o: ../include/openssl/bio.h ../include/openssl/buffer.h
 mem_dbg.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
 mem_dbg.o: ../include/openssl/e_os2.h ../include/openssl/err.h
 mem_dbg.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
 mem_dbg.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
-mem_dbg.o: ../include/openssl/stack.h cryptlib.h
+mem_dbg.o: ../include/openssl/stack.h ../include/openssl/symhacks.h cryptlib.h
 tmdiff.o: ../include/openssl/bio.h ../include/openssl/buffer.h
 tmdiff.o: ../include/openssl/crypto.h ../include/openssl/e_os.h
 tmdiff.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-tmdiff.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+tmdiff.o: ../include/openssl/lhash.h ../include/openssl/opensslconf.h
-tmdiff.o: ../include/openssl/safestack.h ../include/openssl/stack.h
+tmdiff.o: ../include/openssl/opensslv.h ../include/openssl/safestack.h
 tmdiff.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 tmdiff.o: ../include/openssl/tmdiff.h cryptlib.h
 uid.o: ../include/openssl/crypto.h ../include/openssl/opensslv.h
 uid.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 uid.o: ../include/openssl/symhacks.h
--- a/crypto/asn1/Makefile.ssl
+++ b/crypto/asn1/Makefile.ssl
--- a/crypto/asn1/a_bitstr.c
+++ b/crypto/asn1/a_bitstr.c
@@ -70,13 +70,27 @@ int ASN1_BIT_STRING_set(ASN1_BIT_STRING *x, unsigned char *d, int len)
 { return M_ASN1_BIT_STRING_set(x, d, len); }
 int i2d_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
 {
 	int len, ret;
 	len = i2c_ASN1_BIT_STRING(a, NULL);	
 	ret=ASN1_object_size(0,len,V_ASN1_BIT_STRING);
 	if(pp) {
 		ASN1_put_object(pp,0,len,V_ASN1_BIT_STRING,V_ASN1_UNIVERSAL);
 		i2c_ASN1_BIT_STRING(a, pp);	
 	}
 	return ret;
 }
 int i2c_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
 	{
-	int ret,j,r,bits,len;
+	int ret,j,bits,len;
 	unsigned char *p,*d;
 	if (a == NULL) return(0);
 	len=a->length;
 	ret=1+len;
 	if (pp == NULL) return(ret);
 	if (len > 0)
 		{
@@ -104,36 +118,27 @@ int i2d_ASN1_BIT_STRING(ASN1_BIT_STRING *a, unsigned char **pp)
 		}
 	else
 		bits=0;
 	ret=1+len;
 	r=ASN1_object_size(0,ret,V_ASN1_BIT_STRING);
 	if (pp == NULL) return(r);
 	p= *pp;
 	ASN1_put_object(&p,0,ret,V_ASN1_BIT_STRING,V_ASN1_UNIVERSAL);
 	*(p++)=(unsigned char)bits;
 	d=a->data;
 	memcpy(p,d,len);
 	p+=len;
 	if (len > 0) p[-1]&=(0xff<<bits);
 	*pp=p;
-	return(r);
+	return(ret);
 	}
 /* Convert DER encoded ASN1 BIT_STRING to ASN1_BIT_STRING structure */
 ASN1_BIT_STRING *d2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, unsigned char **pp,
 	     long length)
-	{
+{
-	ASN1_BIT_STRING *ret=NULL;
+	unsigned char *p;
 	unsigned char *p,*s;
 	long len;
 	int inf,tag,xclass;
 	int i;
-
+	int inf,tag,xclass;
-	if ((a == NULL) || ((*a) == NULL))
+	ASN1_BIT_STRING *ret;
 		{
 		if ((ret=M_ASN1_BIT_STRING_new()) == NULL) return(NULL);
 		}
 	else
 		ret=(*a);
 	p= *pp;
 	inf=ASN1_get_object(&p,&len,&tag,&xclass,length);
@@ -149,7 +154,30 @@ ASN1_BIT_STRING *d2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, unsigned char **pp,
 		goto err;
 		}
 	if (len < 1) { i=ASN1_R_STRING_TOO_SHORT; goto err; }
 	ret = c2i_ASN1_BIT_STRING(a, &p, len);
 	if(ret) *pp = p;
 	return ret;
 err:
 	ASN1err(ASN1_F_D2I_ASN1_BIT_STRING,i);
 	return(NULL);
 }
 ASN1_BIT_STRING *c2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, unsigned char **pp,
 	     long len)
 	{
 	ASN1_BIT_STRING *ret=NULL;
 	unsigned char *p,*s;
 	int i;
 	if ((a == NULL) || ((*a) == NULL))
 		{
 		if ((ret=M_ASN1_BIT_STRING_new()) == NULL) return(NULL);
 		}
 	else
 		ret=(*a);
 	p= *pp;
 	i= *(p++);
 	/* We do this to preserve the settings.  If we modify
 	 * the settings, via the _set_bit function, we will recalculate
@@ -159,7 +187,7 @@ ASN1_BIT_STRING *d2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, unsigned char **pp,
 	if (len-- > 1) /* using one because of the bits left byte */
 		{
-		s=(unsigned char *)Malloc((int)len);
+		s=(unsigned char *)OPENSSL_malloc((int)len);
 		if (s == NULL)
 			{
 			i=ERR_R_MALLOC_FAILURE;
@@ -173,7 +201,7 @@ ASN1_BIT_STRING *d2i_ASN1_BIT_STRING(ASN1_BIT_STRING **a, unsigned char **pp,
 		s=NULL;
 	ret->length=(int)len;
-	if (ret->data != NULL) Free(ret->data);
+	if (ret->data != NULL) OPENSSL_free(ret->data);
 	ret->data=s;
 	ret->type=V_ASN1_BIT_STRING;
 	if (a != NULL) (*a)=ret;
@@ -204,14 +232,14 @@ int ASN1_BIT_STRING_set_bit(ASN1_BIT_STRING *a, int n, int value)
 		{
 		if (!value) return(1); /* Don't need to set */
 		if (a->data == NULL)
-			c=(unsigned char *)Malloc(w+1);
+			c=(unsigned char *)OPENSSL_malloc(w+1);
 		else
-			c=(unsigned char *)Realloc(a->data,w+1);
+			c=(unsigned char *)OPENSSL_realloc(a->data,w+1);
 		if (c == NULL) return(0);
 		if (w+1-a->length > 0) memset(c+a->length, 0, w+1-a->length);
 		a->data=c;
 		a->length=w+1;
-		c[w]=0;
+	}
 		}
 	a->data[w]=((a->data[w])&iv)|v;
 	while ((a->length > 0) && (a->data[a->length-1] == 0))
 		a->length--;
--- a/crypto/asn1/a_bytes.c
+++ b/crypto/asn1/a_bytes.c
@@ -111,7 +111,7 @@ ASN1_STRING *d2i_ASN1_type_bytes(ASN1_STRING **a, unsigned char **pp,
 	if (len != 0)
 		{
-		s=(unsigned char *)Malloc((int)len+1);
+		s=(unsigned char *)OPENSSL_malloc((int)len+1);
 		if (s == NULL)
 			{
 			i=ERR_R_MALLOC_FAILURE;
@@ -124,7 +124,7 @@ ASN1_STRING *d2i_ASN1_type_bytes(ASN1_STRING **a, unsigned char **pp,
 	else
 		s=NULL;
-	if (ret->data != NULL) Free(ret->data);
+	if (ret->data != NULL) OPENSSL_free(ret->data);
 	ret->length=(int)len;
 	ret->data=s;
 	ret->type=tag;
@@ -218,8 +218,8 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, unsigned char **pp, long length,
 			{
 			if ((ret->length < len) || (ret->data == NULL))
 				{
-				if (ret->data != NULL) Free(ret->data);
+				if (ret->data != NULL) OPENSSL_free(ret->data);
-				s=(unsigned char *)Malloc((int)len + 1);
+				s=(unsigned char *)OPENSSL_malloc((int)len + 1);
 				if (s == NULL)
 					{
 					i=ERR_R_MALLOC_FAILURE;
@@ -235,7 +235,7 @@ ASN1_STRING *d2i_ASN1_bytes(ASN1_STRING **a, unsigned char **pp, long length,
 		else
 			{
 			s=NULL;
-			if (ret->data != NULL) Free(ret->data);
+			if (ret->data != NULL) OPENSSL_free(ret->data);
 			}
 		ret->length=(int)len;
@@ -310,14 +310,14 @@ static int asn1_collate_primitive(ASN1_STRING *a, ASN1_CTX *c)
 	if (!asn1_Finish(c)) goto err;
 	a->length=num;
-	if (a->data != NULL) Free(a->data);
+	if (a->data != NULL) OPENSSL_free(a->data);
 	a->data=(unsigned char *)b.data;
 	if (os != NULL) ASN1_STRING_free(os);
 	return(1);
 err:
 	ASN1err(ASN1_F_ASN1_COLLATE_PRIMITIVE,c->error);
 	if (os != NULL) ASN1_STRING_free(os);
-	if (b.data != NULL) Free(b.data);
+	if (b.data != NULL) OPENSSL_free(b.data);
 	return(0);
 	}
--- a/crypto/asn1/a_digest.c
+++ b/crypto/asn1/a_digest.c
@@ -77,14 +77,14 @@ int ASN1_digest(int (*i2d)(), const EVP_MD *type, char *data,
 	unsigned char *str,*p;
 	i=i2d(data,NULL);
-	if ((str=(unsigned char *)Malloc(i)) == NULL) return(0);
+	if ((str=(unsigned char *)OPENSSL_malloc(i)) == NULL) return(0);
 	p=str;
 	i2d(data,&p);
 	EVP_DigestInit(&ctx,type);
 	EVP_DigestUpdate(&ctx,str,i);
 	EVP_DigestFinal(&ctx,md,len);
-	Free(str);
+	OPENSSL_free(str);
 	return(1);
 	}
--- a/crypto/asn1/a_dup.c
+++ b/crypto/asn1/a_dup.c
@@ -71,13 +71,13 @@ char *ASN1_dup(int (*i2d)(), char *(*d2i)(), char *x)
 	if (x == NULL) return(NULL);
 	i=(long)i2d(x,NULL);
-	b=(unsigned char *)Malloc((unsigned int)i+10);
+	b=(unsigned char *)OPENSSL_malloc((unsigned int)i+10);
 	if (b == NULL)
 		{ ASN1err(ASN1_F_ASN1_DUP,ERR_R_MALLOC_FAILURE); return(NULL); }
 	p= b;
 	i=i2d(x,&p);
 	p= b;
 	ret=d2i(NULL,&p,i);
-	Free(b);
+	OPENSSL_free(b);
 	return(ret);
 	}
--- a/crypto/asn1/a_enum.c
+++ b/crypto/asn1/a_enum.c
@@ -71,88 +71,28 @@ ASN1_ENUMERATED *ASN1_ENUMERATED_new(void)
 void ASN1_ENUMERATED_free(ASN1_ENUMERATED *x)
 { M_ASN1_ENUMERATED_free(x); }
 int i2d_ASN1_ENUMERATED(ASN1_ENUMERATED *a, unsigned char **pp)
-	{
+{
-	int pad=0,ret,r,i,t;
+	int len, ret;
-	unsigned char *p,*n,pb=0;
+	if(!a) return 0;
-
+	len = i2c_ASN1_INTEGER(a, NULL);	
-	if ((a == NULL) || (a->data == NULL)) return(0);
+	ret=ASN1_object_size(0,len,V_ASN1_ENUMERATED);
-	t=a->type;
+	if(pp) {
-	if (a->length == 0)
+		ASN1_put_object(pp,0,len,V_ASN1_ENUMERATED,V_ASN1_UNIVERSAL);
-		ret=1;
+		i2c_ASN1_INTEGER(a, pp);	
 	else
 		{
 		ret=a->length;
 		i=a->data[0];
 		if ((t == V_ASN1_ENUMERATED) && (i > 127)) {
 			pad=1;
 			pb=0;
 		} else if(t == V_ASN1_NEG_ENUMERATED) {
 			if(i>128) {
 				pad=1;
 				pb=0xFF;
 			} else if(i == 128) {
 				for(i = 1; i < a->length; i++) if(a->data[i]) {
 						pad=1;
 						pb=0xFF;
 						break;
 				}
 			}
 		}
 		ret+=pad;
 		}
 	r=ASN1_object_size(0,ret,V_ASN1_ENUMERATED);
 	if (pp == NULL) return(r);
 	p= *pp;
 	ASN1_put_object(&p,0,ret,V_ASN1_ENUMERATED,V_ASN1_UNIVERSAL);
 	if (pad) *(p++)=pb;
 	if (a->length == 0)
 		*(p++)=0;
 	else if (t == V_ASN1_ENUMERATED)
 		{
 		memcpy(p,a->data,(unsigned int)a->length);
 		p+=a->length;
 		}
 	else {
 		/* Begin at the end of the encoding */
 		n=a->data + a->length - 1;
 		p += a->length - 1;
 		i = a->length;
 		/* Copy zeros to destination as long as source is zero */
 		while(!*n) {
 			*(p--) = 0;
 			n--;
 			i--;
 		}
 		/* Complement and increment next octet */
 		*(p--) = ((*(n--)) ^ 0xff) + 1;
 		i--;
 		/* Complement any octets left */
 		for(;i > 0; i--) *(p--) = *(n--) ^ 0xff;
 		p += a->length;
 	}
 	*pp=p;
 	return(r);
 	}
 	return ret;
 }
 ASN1_ENUMERATED *d2i_ASN1_ENUMERATED(ASN1_ENUMERATED **a, unsigned char **pp,
 	     long length)
-	{
+{
-	ASN1_ENUMERATED *ret=NULL;
+	unsigned char *p;
 	unsigned char *p,*to,*s;
 	long len;
 	int inf,tag,xclass;
 	int i;
-
+	int inf,tag,xclass;
-	if ((a == NULL) || ((*a) == NULL))
+	ASN1_ENUMERATED *ret;
 		{
 		if ((ret=M_ASN1_ENUMERATED_new()) == NULL) return(NULL);
 		ret->type=V_ASN1_ENUMERATED;
 		}
 	else
 		ret=(*a);
 	p= *pp;
 	inf=ASN1_get_object(&p,&len,&tag,&xclass,length);
@@ -167,70 +107,17 @@ ASN1_ENUMERATED *d2i_ASN1_ENUMERATED(ASN1_ENUMERATED **a, unsigned char **pp,
 		i=ASN1_R_EXPECTING_AN_ENUMERATED;
 		goto err;
 		}
-
+	ret = c2i_ASN1_INTEGER(a, &p, len);
-	/* We must Malloc stuff, even for 0 bytes otherwise it
+	if(ret) {
-	 * signifies a missing NULL parameter. */
+		ret->type = (V_ASN1_NEG & ret->type) | V_ASN1_ENUMERATED;
-	s=(unsigned char *)Malloc((int)len+1);
+		*pp = p;
 	if (s == NULL)
 		{
 		i=ERR_R_MALLOC_FAILURE;
 		goto err;
 		}
 	to=s;
 	if(!len) {
 		/* Strictly speaking this is an illegal ENUMERATED but we
 		 * tolerate it.
 		 */
 		ret->type=V_ASN1_ENUMERATED;
 	} else if (*p & 0x80) /* a negative number */
 		{
 		ret->type=V_ASN1_NEG_ENUMERATED;
 		if ((*p == 0xff) && (len != 1)) {
 			p++;
 			len--;
 		}
 		i = len;
 		p += i - 1;
 		to += i - 1;
 		while((!*p) && i) {
 			*(to--) = 0;
 			i--;
 			p--;
 		}
 		if(!i) {
 			*s = 1;
 			s[len] = 0;
 			p += len;
 			len++;
 		} else {
 			*(to--) = (*(p--) ^ 0xff) + 1;
 			i--;
 			for(;i > 0; i--) *(to--) = *(p--) ^ 0xff;
 			p += len;
 		}
 	} else {
 		ret->type=V_ASN1_ENUMERATED;
 		if ((*p == 0) && (len != 1))
 			{
 			p++;
 			len--;
 			}
 		memcpy(s,p,(int)len);
 		p+=len;
 	}
-
+	return ret;
 	if (ret->data != NULL) Free(ret->data);
 	ret->data=s;
 	ret->length=(int)len;
 	if (a != NULL) (*a)=ret;
 	*pp=p;
 	return(ret);
 err:
 	ASN1err(ASN1_F_D2I_ASN1_ENUMERATED,i);
 	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
 		M_ASN1_ENUMERATED_free(ret);
 	return(NULL);
-	}
+
 }
 int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v)
 	{
@@ -242,8 +129,8 @@ int ASN1_ENUMERATED_set(ASN1_ENUMERATED *a, long v)
 	if (a->length < (sizeof(long)+1))
 		{
 		if (a->data != NULL)
-			Free(a->data);
+			OPENSSL_free(a->data);
-		if ((a->data=(unsigned char *)Malloc(sizeof(long)+1)) != NULL)
+		if ((a->data=(unsigned char *)OPENSSL_malloc(sizeof(long)+1)) != NULL)
 			memset((char *)a->data,0,sizeof(long)+1);
 		}
 	if (a->data == NULL)
@@ -318,7 +205,7 @@ ASN1_ENUMERATED *BN_to_ASN1_ENUMERATED(BIGNUM *bn, ASN1_ENUMERATED *ai)
 	else ret->type=V_ASN1_ENUMERATED;
 	j=BN_num_bits(bn);
 	len=((j == 0)?0:((j/8)+1));
-	ret->data=(unsigned char *)Malloc(len+4);
+	ret->data=(unsigned char *)OPENSSL_malloc(len+4);
 	ret->length=BN_bn2bin(bn,ret->data);
 	return(ret);
 err:
@@ -332,6 +219,6 @@ BIGNUM *ASN1_ENUMERATED_to_BN(ASN1_ENUMERATED *ai, BIGNUM *bn)
 	if ((ret=BN_bin2bn(ai->data,ai->length,bn)) == NULL)
 		ASN1err(ASN1_F_ASN1_ENUMERATED_TO_BN,ASN1_R_BN_LIB);
-	if(ai->type == V_ASN1_NEG_ENUMERATED) bn->neg = 1;
+	else if(ai->type == V_ASN1_NEG_ENUMERATED) ret->neg = 1;
 	return(ret);
 	}
--- a/crypto/asn1/a_gentm.c
+++ b/crypto/asn1/a_gentm.c
@@ -212,10 +212,10 @@ ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s,
 	p=(char *)s->data;
 	if ((p == NULL) || (s->length < 16))
 		{
-		p=Malloc(20);
+		p=OPENSSL_malloc(20);
 		if (p == NULL) return(NULL);
 		if (s->data != NULL)
-			Free(s->data);
+			OPENSSL_free(s->data);
 		s->data=(unsigned char *)p;
 		}
--- a/crypto/asn1/a_hdr.c
+++ b/crypto/asn1/a_hdr.c
@@ -115,5 +115,5 @@ void ASN1_HEADER_free(ASN1_HEADER *a)
 	M_ASN1_OCTET_STRING_free(a->header);
 	if (a->meth != NULL)
 		a->meth->destroy(a->data);
-	Free(a);
+	OPENSSL_free(a);
 	}
--- a/crypto/asn1/a_i2d_fp.c
+++ b/crypto/asn1/a_i2d_fp.c
@@ -86,7 +86,7 @@ int ASN1_i2d_bio(int (*i2d)(), BIO *out, unsigned char *x)
 	int i,j=0,n,ret=1;
 	n=i2d(x,NULL);
-	b=(char *)Malloc(n);
+	b=(char *)OPENSSL_malloc(n);
 	if (b == NULL)
 		{
 		ASN1err(ASN1_F_ASN1_I2D_BIO,ERR_R_MALLOC_FAILURE);
@@ -108,6 +108,6 @@ int ASN1_i2d_bio(int (*i2d)(), BIO *out, unsigned char *x)
 		j+=i;
 		n-=i;
 		}
-	Free(b);
+	OPENSSL_free(b);
 	return(ret);
 	}
--- a/crypto/asn1/a_int.c
+++ b/crypto/asn1/a_int.c
@@ -72,8 +72,23 @@ ASN1_INTEGER *ASN1_INTEGER_dup(ASN1_INTEGER *x)
 int ASN1_INTEGER_cmp(ASN1_INTEGER *x, ASN1_INTEGER *y)
 { return M_ASN1_INTEGER_cmp(x,y);}
 /* Output ASN1 INTEGER including tag+length */
 int i2d_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
 {
 	int len, ret;
 	if(!a) return 0;
 	len = i2c_ASN1_INTEGER(a, NULL);	
 	ret=ASN1_object_size(0,len,V_ASN1_INTEGER);
 	if(pp) {
 		ASN1_put_object(pp,0,len,V_ASN1_INTEGER,V_ASN1_UNIVERSAL);
 		i2c_ASN1_INTEGER(a, pp);	
 	}
 	return ret;
 }
 /* 
- * This converts an ASN1 INTEGER into its DER encoding.
+ * This converts an ASN1 INTEGER into its content encoding.
 * The internal representation is an ASN1_STRING whose data is a big endian
 * representation of the value, ignoring the sign. The sign is determined by
 * the type: V_ASN1_INTEGER for positive and V_ASN1_NEG_INTEGER for negative. 
@@ -97,23 +112,23 @@ int ASN1_INTEGER_cmp(ASN1_INTEGER *x, ASN1_INTEGER *y)
 * followed by optional zeros isn't padded.
 */
-int i2d_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
+int i2c_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
 	{
-	int pad=0,ret,r,i,t;
+	int pad=0,ret,i,neg;
 	unsigned char *p,*n,pb=0;
 	if ((a == NULL) || (a->data == NULL)) return(0);
-	t=a->type;
+	neg=a->type & V_ASN1_NEG;
 	if (a->length == 0)
 		ret=1;
 	else
 		{
 		ret=a->length;
 		i=a->data[0];
-		if ((t == V_ASN1_INTEGER) && (i > 127)) {
+		if (!neg && (i > 127)) {
 			pad=1;
 			pb=0;
-		} else if(t == V_ASN1_NEG_INTEGER) {
+		} else if(neg) {
 			if(i>128) {
 				pad=1;
 				pb=0xFF;
@@ -131,14 +146,12 @@ int i2d_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
 		}
 		ret+=pad;
 		}
-	r=ASN1_object_size(0,ret,V_ASN1_INTEGER);
+	if (pp == NULL) return(ret);
 	if (pp == NULL) return(r);
 	p= *pp;
 	ASN1_put_object(&p,0,ret,V_ASN1_INTEGER,V_ASN1_UNIVERSAL);
 	if (pad) *(p++)=pb;
 	if (a->length == 0) *(p++)=0;
-	else if (t == V_ASN1_INTEGER) memcpy(p,a->data,(unsigned int)a->length);
+	else if (!neg) memcpy(p,a->data,(unsigned int)a->length);
 	else {
 		/* Begin at the end of the encoding */
 		n=a->data + a->length - 1;
@@ -157,30 +170,22 @@ int i2d_ASN1_INTEGER(ASN1_INTEGER *a, unsigned char **pp)
 		for(;i > 0; i--) *(p--) = *(n--) ^ 0xff;
 	}
-	*pp+=r;
+	*pp+=ret;
-	return(r);
+	return(ret);
 	}
 /* Convert DER encoded ASN1 INTEGER to ASN1_INTEGER structure */
 ASN1_INTEGER *d2i_ASN1_INTEGER(ASN1_INTEGER **a, unsigned char **pp,
 	     long length)
-	{
+{
-	ASN1_INTEGER *ret=NULL;
+	unsigned char *p;
 	unsigned char *p,*to,*s, *pend;
 	long len;
 	int inf,tag,xclass;
 	int i;
-
+	int inf,tag,xclass;
-	if ((a == NULL) || ((*a) == NULL))
+	ASN1_INTEGER *ret;
 		{
 		if ((ret=M_ASN1_INTEGER_new()) == NULL) return(NULL);
 		ret->type=V_ASN1_INTEGER;
 		}
 	else
 		ret=(*a);
 	p= *pp;
 	inf=ASN1_get_object(&p,&len,&tag,&xclass,length);
 	pend = p + len;
 	if (inf & 0x80)
 		{
 		i=ASN1_R_BAD_OBJECT_HEADER;
@@ -192,10 +197,39 @@ ASN1_INTEGER *d2i_ASN1_INTEGER(ASN1_INTEGER **a, unsigned char **pp,
 		i=ASN1_R_EXPECTING_AN_INTEGER;
 		goto err;
 		}
 	ret = c2i_ASN1_INTEGER(a, &p, len);
 	if(ret) *pp = p;
 	return ret;
 err:
 	ASN1err(ASN1_F_D2I_ASN1_INTEGER,i);
 	return(NULL);
-	/* We must Malloc stuff, even for 0 bytes otherwise it
+}
 /* Convert just ASN1 INTEGER content octets to ASN1_INTEGER structure */
 ASN1_INTEGER *c2i_ASN1_INTEGER(ASN1_INTEGER **a, unsigned char **pp,
 	     long len)
 	{
 	ASN1_INTEGER *ret=NULL;
 	unsigned char *p,*to,*s, *pend;
 	int i;
 	if ((a == NULL) || ((*a) == NULL))
 		{
 		if ((ret=M_ASN1_INTEGER_new()) == NULL) return(NULL);
 		ret->type=V_ASN1_INTEGER;
 		}
 	else
 		ret=(*a);
 	p= *pp;
 	pend = p + len;
 	/* We must OPENSSL_malloc stuff, even for 0 bytes otherwise it
 	 * signifies a missing NULL parameter. */
-	s=(unsigned char *)Malloc((int)len+1);
+	s=(unsigned char *)OPENSSL_malloc((int)len+1);
 	if (s == NULL)
 		{
 		i=ERR_R_MALLOC_FAILURE;
@@ -248,7 +282,7 @@ ASN1_INTEGER *d2i_ASN1_INTEGER(ASN1_INTEGER **a, unsigned char **pp,
 		memcpy(s,p,(int)len);
 	}
-	if (ret->data != NULL) Free(ret->data);
+	if (ret->data != NULL) OPENSSL_free(ret->data);
 	ret->data=s;
 	ret->length=(int)len;
 	if (a != NULL) (*a)=ret;
@@ -261,6 +295,7 @@ err:
 	return(NULL);
 	}
 /* This is a version of d2i_ASN1_INTEGER that ignores the sign bit of
 * ASN1 integers: some broken software can encode a positive INTEGER
 * with its MSB set as negative (it doesn't add a padding zero).
@@ -297,9 +332,9 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, unsigned char **pp,
 		goto err;
 		}
-	/* We must Malloc stuff, even for 0 bytes otherwise it
+	/* We must OPENSSL_malloc stuff, even for 0 bytes otherwise it
 	 * signifies a missing NULL parameter. */
-	s=(unsigned char *)Malloc((int)len+1);
+	s=(unsigned char *)OPENSSL_malloc((int)len+1);
 	if (s == NULL)
 		{
 		i=ERR_R_MALLOC_FAILURE;
@@ -317,7 +352,7 @@ ASN1_INTEGER *d2i_ASN1_UINTEGER(ASN1_INTEGER **a, unsigned char **pp,
 		p+=len;
 	}
-	if (ret->data != NULL) Free(ret->data);
+	if (ret->data != NULL) OPENSSL_free(ret->data);
 	ret->data=s;
 	ret->length=(int)len;
 	if (a != NULL) (*a)=ret;
@@ -340,8 +375,8 @@ int ASN1_INTEGER_set(ASN1_INTEGER *a, long v)
 	if (a->length < (sizeof(long)+1))
 		{
 		if (a->data != NULL)
-			Free(a->data);
+			OPENSSL_free(a->data);
-		if ((a->data=(unsigned char *)Malloc(sizeof(long)+1)) != NULL)
+		if ((a->data=(unsigned char *)OPENSSL_malloc(sizeof(long)+1)) != NULL)
 			memset((char *)a->data,0,sizeof(long)+1);
 		}
 	if (a->data == NULL)
@@ -416,7 +451,7 @@ ASN1_INTEGER *BN_to_ASN1_INTEGER(BIGNUM *bn, ASN1_INTEGER *ai)
 	else ret->type=V_ASN1_INTEGER;
 	j=BN_num_bits(bn);
 	len=((j == 0)?0:((j/8)+1));
-	ret->data=(unsigned char *)Malloc(len+4);
+	ret->data=(unsigned char *)OPENSSL_malloc(len+4);
 	ret->length=BN_bn2bin(bn,ret->data);
 	return(ret);
 err:
@@ -430,6 +465,9 @@ BIGNUM *ASN1_INTEGER_to_BN(ASN1_INTEGER *ai, BIGNUM *bn)
 	if ((ret=BN_bin2bn(ai->data,ai->length,bn)) == NULL)
 		ASN1err(ASN1_F_ASN1_INTEGER_TO_BN,ASN1_R_BN_LIB);
-	if(ai->type == V_ASN1_NEG_INTEGER) bn->neg = 1;
+	else if(ai->type == V_ASN1_NEG_INTEGER) ret->neg = 1;
 	return(ret);
 	}
 IMPLEMENT_STACK_OF(ASN1_INTEGER)
 IMPLEMENT_ASN1_SET_OF(ASN1_INTEGER)
--- a/crypto/asn1/a_mbstr.c
+++ b/crypto/asn1/a_mbstr.c
@@ -92,6 +92,7 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 {
 	int str_type;
 	int ret;
 	char free_out;
 	int outform, outlen;
 	ASN1_STRING *dest;
 	unsigned char *p;
@@ -180,14 +181,16 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 	}
 	if(!out) return str_type;
 	if(*out) {
 		free_out = 0;
 		dest = *out;
 		if(dest->data) {
 			dest->length = 0;
-			Free(dest->data);
+			OPENSSL_free(dest->data);
 			dest->data = NULL;
 		}
 		dest->type = str_type;
 	} else {
 		free_out = 1;
 		dest = ASN1_STRING_type_new(str_type);
 		if(!dest) {
 			ASN1err(ASN1_F_ASN1_MBSTRING_COPY,
@@ -228,8 +231,8 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,
 		cpyfunc = cpy_utf8;
 		break;
 	}
-	if(!(p = Malloc(outlen + 1))) {
+	if(!(p = OPENSSL_malloc(outlen + 1))) {
-		ASN1_STRING_free(dest);
+		if(free_out) ASN1_STRING_free(dest);
 		ASN1err(ASN1_F_ASN1_MBSTRING_COPY,ERR_R_MALLOC_FAILURE);
 		return -1;
 	}
@@ -258,8 +261,8 @@ static int traverse_string(const unsigned char *p, int len, int inform,
 			value |= *p++;
 			len -= 2;
 		} else if(inform == MBSTRING_UNIV) {
-			value = *p++ << 24;
+			value = ((unsigned long)*p++) << 24;
-			value |= *p++ << 16;
+			value |= ((unsigned long)*p++) << 16;
 			value |= *p++ << 8;
 			value |= *p++;
 			len -= 4;
@@ -382,9 +385,16 @@ static int is_printable(unsigned long value)
 	/* Note: we can't use 'isalnum' because certain accented 
 	 * characters may count as alphanumeric in some environments.
 	 */
 #ifndef CHARSET_EBCDIC
 	if((ch >= 'a') && (ch <= 'z')) return 1;
 	if((ch >= 'A') && (ch <= 'Z')) return 1;
 	if((ch >= '0') && (ch <= '9')) return 1;
 	if ((ch == ' ') || strchr("'()+,-./:=?", ch)) return 1;
 #else /*CHARSET_EBCDIC*/
 	if((ch >= os_toascii['a']) && (ch <= os_toascii['z'])) return 1;
 	if((ch >= os_toascii['A']) && (ch <= os_toascii['Z'])) return 1;
 	if((ch >= os_toascii['0']) && (ch <= os_toascii['9'])) return 1;
 	if ((ch == os_toascii[' ']) || strchr("'()+,-./:=?", os_toebcdic[ch])) return 1;
 #endif /*CHARSET_EBCDIC*/
 	return 0;
 }
--- a/crypto/asn1/a_object.c
+++ b/crypto/asn1/a_object.c
@@ -65,11 +65,12 @@
 int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp)
 	{
 	unsigned char *p;
 	int objsize;
 	if ((a == NULL) || (a->data == NULL)) return(0);
-	if (pp == NULL)
+	objsize = ASN1_object_size(0,a->length,V_ASN1_OBJECT);
-		return(ASN1_object_size(0,a->length,V_ASN1_OBJECT));
+	if (pp == NULL) return objsize;
 	p= *pp;
 	ASN1_put_object(&p,0,a->length,V_ASN1_OBJECT,V_ASN1_UNIVERSAL);
@@ -77,7 +78,7 @@ int i2d_ASN1_OBJECT(ASN1_OBJECT *a, unsigned char **pp)
 	p+=a->length;
 	*pp=p;
-	return(a->length);
+	return(objsize);
 	}
 int a2d_ASN1_OBJECT(unsigned char *out, int olen, const char *buf, int num)
@@ -190,24 +191,13 @@ int i2a_ASN1_OBJECT(BIO *bp, ASN1_OBJECT *a)
 ASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **a, unsigned char **pp,
 	     long length)
-	{
+{
 	ASN1_OBJECT *ret=NULL;
 	unsigned char *p;
 	long len;
 	int tag,xclass;
 	int inf,i;
-
+	ASN1_OBJECT *ret = NULL;
 	/* only the ASN1_OBJECTs from the 'table' will have values
 	 * for ->sn or ->ln */
 	if ((a == NULL) || ((*a) == NULL) ||
 		!((*a)->flags & ASN1_OBJECT_FLAG_DYNAMIC))
 		{
 		if ((ret=ASN1_OBJECT_new()) == NULL) return(NULL);
 		}
 	else	ret=(*a);
 	p= *pp;
 	inf=ASN1_get_object(&p,&len,&tag,&xclass,length);
 	if (inf & 0x80)
 		{
@@ -220,10 +210,36 @@ ASN1_OBJECT *d2i_ASN1_OBJECT(ASN1_OBJECT **a, unsigned char **pp,
 		i=ASN1_R_EXPECTING_AN_OBJECT;
 		goto err;
 		}
 	ret = c2i_ASN1_OBJECT(a, &p, len);
 	if(ret) *pp = p;
 	return ret;
 err:
 	ASN1err(ASN1_F_D2I_ASN1_OBJECT,i);
 	if ((ret != NULL) && ((a == NULL) || (*a != ret)))
 		ASN1_OBJECT_free(ret);
 	return(NULL);
 }
 ASN1_OBJECT *c2i_ASN1_OBJECT(ASN1_OBJECT **a, unsigned char **pp,
 	     long len)
 	{
 	ASN1_OBJECT *ret=NULL;
 	unsigned char *p;
 	int i;
 	/* only the ASN1_OBJECTs from the 'table' will have values
 	 * for ->sn or ->ln */
 	if ((a == NULL) || ((*a) == NULL) ||
 		!((*a)->flags & ASN1_OBJECT_FLAG_DYNAMIC))
 		{
 		if ((ret=ASN1_OBJECT_new()) == NULL) return(NULL);
 		}
 	else	ret=(*a);
 	p= *pp;
 	if ((ret->data == NULL) || (ret->length < len))
 		{
-		if (ret->data != NULL) Free(ret->data);
+		if (ret->data != NULL) OPENSSL_free(ret->data);
-		ret->data=(unsigned char *)Malloc(len ? (int)len : 1);
+		ret->data=(unsigned char *)OPENSSL_malloc(len ? (int)len : 1);
 		ret->flags|=ASN1_OBJECT_FLAG_DYNAMIC_DATA;
 		if (ret->data == NULL)
 			{ i=ERR_R_MALLOC_FAILURE; goto err; }
@@ -249,7 +265,7 @@ ASN1_OBJECT *ASN1_OBJECT_new(void)
 	{
 	ASN1_OBJECT *ret;
-	ret=(ASN1_OBJECT *)Malloc(sizeof(ASN1_OBJECT));
+	ret=(ASN1_OBJECT *)OPENSSL_malloc(sizeof(ASN1_OBJECT));
 	if (ret == NULL)
 		{
 		ASN1err(ASN1_F_ASN1_OBJECT_NEW,ERR_R_MALLOC_FAILURE);
@@ -270,19 +286,19 @@ void ASN1_OBJECT_free(ASN1_OBJECT *a)
 	if (a->flags & ASN1_OBJECT_FLAG_DYNAMIC_STRINGS)
 		{
 #ifndef CONST_STRICT /* disable purely for compile-time strict const checking. Doing this on a "real" compile will cause memory leaks */
-		if (a->sn != NULL) Free((void *)a->sn);
+		if (a->sn != NULL) OPENSSL_free((void *)a->sn);
-		if (a->ln != NULL) Free((void *)a->ln);
+		if (a->ln != NULL) OPENSSL_free((void *)a->ln);
 #endif
 		a->sn=a->ln=NULL;
 		}
 	if (a->flags & ASN1_OBJECT_FLAG_DYNAMIC_DATA)
 		{
-		if (a->data != NULL) Free(a->data);
+		if (a->data != NULL) OPENSSL_free(a->data);
 		a->data=NULL;
 		a->length=0;
 		}
 	if (a->flags & ASN1_OBJECT_FLAG_DYNAMIC)
-		Free(a);
+		OPENSSL_free(a);
 	}
 ASN1_OBJECT *ASN1_OBJECT_create(int nid, unsigned char *data, int len,
--- a/crypto/asn1/a_set.c
+++ b/crypto/asn1/a_set.c
@@ -116,7 +116,7 @@ int i2d_ASN1_SET(STACK *a, unsigned char **pp, int (*func)(), int ex_tag,
 		}
        pStart  = p; /* Catch the beg of Setblobs*/
-        rgSetBlob = (MYBLOB *)Malloc( sk_num(a) * sizeof(MYBLOB)); /* In this array
+        rgSetBlob = (MYBLOB *)OPENSSL_malloc( sk_num(a) * sizeof(MYBLOB)); /* In this array
 we will store the SET blobs */
        for (i=0; i<sk_num(a); i++)
@@ -133,7 +133,7 @@ SetBlob
 /* Now we have to sort the blobs. I am using a simple algo.
    *Sort ptrs *Copy to temp-mem *Copy from temp-mem to user-mem*/
        qsort( rgSetBlob, sk_num(a), sizeof(MYBLOB), SetBlobCmp);
-        pTempMem = Malloc(totSize);
+        pTempMem = OPENSSL_malloc(totSize);
 /* Copy to temp mem */
        p = pTempMem;
@@ -145,20 +145,20 @@ SetBlob
 /* Copy back to user mem*/
        memcpy(pStart, pTempMem, totSize);
-        Free(pTempMem);
+        OPENSSL_free(pTempMem);
-        Free(rgSetBlob);
+        OPENSSL_free(rgSetBlob);
        return(r);
        }
 STACK *d2i_ASN1_SET(STACK **a, unsigned char **pp, long length,
-	     char *(*func)(), void (*free_func)(), int ex_tag, int ex_class)
+	     char *(*func)(), void (*free_func)(void *), int ex_tag, int ex_class)
 	{
 	ASN1_CTX c;
 	STACK *ret=NULL;
 	if ((a == NULL) || ((*a) == NULL))
-		{ if ((ret=sk_new(NULL)) == NULL) goto err; }
+		{ if ((ret=sk_new_null()) == NULL) goto err; }
 	else
 		ret=(*a);
--- a/crypto/asn1/a_sign.c
+++ b/crypto/asn1/a_sign.c
@@ -108,9 +108,9 @@ int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
 			}
 		}
 	inl=i2d(data,NULL);
-	buf_in=(unsigned char *)Malloc((unsigned int)inl);
+	buf_in=(unsigned char *)OPENSSL_malloc((unsigned int)inl);
 	outll=outl=EVP_PKEY_size(pkey);
-	buf_out=(unsigned char *)Malloc((unsigned int)outl);
+	buf_out=(unsigned char *)OPENSSL_malloc((unsigned int)outl);
 	if ((buf_in == NULL) || (buf_out == NULL))
 		{
 		outl=0;
@@ -129,7 +129,7 @@ int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
 		ASN1err(ASN1_F_ASN1_SIGN,ERR_R_EVP_LIB);
 		goto err;
 		}
-	if (signature->data != NULL) Free(signature->data);
+	if (signature->data != NULL) OPENSSL_free(signature->data);
 	signature->data=buf_out;
 	buf_out=NULL;
 	signature->length=outl;
@@ -141,8 +141,8 @@ int ASN1_sign(int (*i2d)(), X509_ALGOR *algor1, X509_ALGOR *algor2,
 err:
 	memset(&ctx,0,sizeof(ctx));
 	if (buf_in != NULL)
-		{ memset((char *)buf_in,0,(unsigned int)inl); Free(buf_in); }
+		{ memset((char *)buf_in,0,(unsigned int)inl); OPENSSL_free(buf_in); }
 	if (buf_out != NULL)
-		{ memset((char *)buf_out,0,outll); Free(buf_out); }
+		{ memset((char *)buf_out,0,outll); OPENSSL_free(buf_out); }
 	return(outl);
 	}
--- a/crypto/asn1/a_strex.c
+++ b/crypto/asn1/a_strex.c
@@ -0,0 +1,533 @@
 /* a_strex.c */
 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
 * project 2000.
 */
 /* ====================================================================
 * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
 #include <stdio.h>
 #include <string.h>
 #include <openssl/crypto.h>
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
 #include "charmap.h"
 /* ASN1_STRING_print_ex() and X509_NAME_print_ex().
 * Enhanced string and name printing routines handling
 * multibyte characters, RFC2253 and a host of other
 * options.
 */
 #define CHARTYPE_BS_ESC		(ASN1_STRFLGS_ESC_2253 | CHARTYPE_FIRST_ESC_2253 | CHARTYPE_LAST_ESC_2253)
 /* Three IO functions for sending data to memory, a BIO and
 * and a FILE pointer.
 */
 int send_mem_chars(void *arg, const void *buf, int len)
 {
 	unsigned char **out = arg;
 	if(!out) return 1;
 	memcpy(*out, buf, len);
 	*out += len;
 	return 1;
 }
 int send_bio_chars(void *arg, const void *buf, int len)
 {
 	if(!arg) return 1;
 	if(BIO_write(arg, buf, len) != len) return 0;
 	return 1;
 }
 int send_fp_chars(void *arg, const void *buf, int len)
 {
 	if(!arg) return 1;
 	if(fwrite(buf, 1, len, arg) != (unsigned int)len) return 0;
 	return 1;
 }
 typedef int char_io(void *arg, const void *buf, int len);
 /* This function handles display of
 * strings, one character at a time.
 * It is passed an unsigned long for each
 * character because it could come from 2 or even
 * 4 byte forms.
 */
 static int do_esc_char(unsigned long c, unsigned char flags, char *do_quotes, char_io *io_ch, void *arg)
 {
 	unsigned char chflgs, chtmp;
 	char tmphex[11];
 	if(c > 0xffff) {
 		BIO_snprintf(tmphex, 11, "\\W%08lX", c);
 		if(!io_ch(arg, tmphex, 10)) return -1;
 		return 10;
 	}
 	if(c > 0xff) {
 		BIO_snprintf(tmphex, 11, "\\U%04lX", c);
 		if(!io_ch(arg, tmphex, 6)) return -1;
 		return 6;
 	}
 	chtmp = (unsigned char)c;
 	if(chtmp > 0x7f) chflgs = flags & ASN1_STRFLGS_ESC_MSB;
 	else chflgs = char_type[chtmp] & flags;
 	if(chflgs & CHARTYPE_BS_ESC) {
 		/* If we don't escape with quotes, signal we need quotes */
 		if(chflgs & ASN1_STRFLGS_ESC_QUOTE) {
 			if(do_quotes) *do_quotes = 1;
 			if(!io_ch(arg, &chtmp, 1)) return -1;
 			return 1;
 		}
 		if(!io_ch(arg, "\\", 1)) return -1;
 		if(!io_ch(arg, &chtmp, 1)) return -1;
 		return 2;
 	}
 	if(chflgs & (ASN1_STRFLGS_ESC_CTRL|ASN1_STRFLGS_ESC_MSB)) {
 		BIO_snprintf(tmphex, 11, "\\%02X", chtmp);
 		if(!io_ch(arg, tmphex, 3)) return -1;
 		return 3;
 	}
 	if(!io_ch(arg, &chtmp, 1)) return -1;
 	return 1;
 }
 #define BUF_TYPE_WIDTH_MASK	0x7
 #define BUF_TYPE_CONVUTF8	0x8
 /* This function sends each character in a buffer to
 * do_esc_char(). It interprets the content formats
 * and converts to or from UTF8 as appropriate.
 */
 static int do_buf(unsigned char *buf, int buflen,
 			int type, unsigned char flags, char *quotes, char_io *io_ch, void *arg)
 {
 	int i, outlen, len;
 	unsigned char orflags, *p, *q;
 	unsigned long c;
 	p = buf;
 	q = buf + buflen;
 	outlen = 0;
 	while(p != q) {
 		if(p == buf) orflags = CHARTYPE_FIRST_ESC_2253;
 		else orflags = 0;
 		switch(type & BUF_TYPE_WIDTH_MASK) {
 			case 4:
 			c = ((unsigned long)*p++) << 24;
 			c |= ((unsigned long)*p++) << 16;
 			c |= ((unsigned long)*p++) << 8;
 			c |= *p++;
 			break;
 			case 2:
 			c = ((unsigned long)*p++) << 8;
 			c |= *p++;
 			break;
 			case 1:
 			c = *p++;
 			break;
 			case 0:
 			i = UTF8_getc(p, buflen, &c);
 			if(i < 0) return -1;	/* Invalid UTF8String */
 			p += i;
 			break;
 		}
 		if (p == q) orflags = CHARTYPE_LAST_ESC_2253;
 		if(type & BUF_TYPE_CONVUTF8) {
 			unsigned char utfbuf[6];
 			int utflen;
 			utflen = UTF8_putc(utfbuf, 6, c);
 			for(i = 0; i < utflen; i++) {
 				/* We don't need to worry about setting orflags correctly
 				 * because if utflen==1 its value will be correct anyway 
 				 * otherwise each character will be > 0x7f and so the 
 				 * character will never be escaped on first and last.
 				 */
 				len = do_esc_char(utfbuf[i], (unsigned char)(flags | orflags), quotes, io_ch, arg);
 				if(len < 0) return -1;
 				outlen += len;
 			}
 		} else {
 			len = do_esc_char(c, (unsigned char)(flags | orflags), quotes, io_ch, arg);
 			if(len < 0) return -1;
 			outlen += len;
 		}
 	}
 	return outlen;
 }
 /* This function hex dumps a buffer of characters */
 static int do_hex_dump(char_io *io_ch, void *arg, unsigned char *buf, int buflen)
 {
 	const static char hexdig[] = "0123456789ABCDEF";
 	unsigned char *p, *q;
 	char hextmp[2];
 	if(arg) {
 		p = buf;
 		q = buf + buflen;
 		while(p != q) {
 			hextmp[0] = hexdig[*p >> 4];
 			hextmp[1] = hexdig[*p & 0xf];
 			if(!io_ch(arg, hextmp, 2)) return -1;
 			p++;
 		}
 	}
 	return buflen << 1;
 }
 /* "dump" a string. This is done when the type is unknown,
 * or the flags request it. We can either dump the content
 * octets or the entire DER encoding. This uses the RFC2253
 * #01234 format.
 */
 int do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING *str)
 {
 	/* Placing the ASN1_STRING in a temp ASN1_TYPE allows
 	 * the DER encoding to readily obtained
 	 */
 	ASN1_TYPE t;
 	unsigned char *der_buf, *p;
 	int outlen, der_len;
 	if(!io_ch(arg, "#", 1)) return -1;
 	/* If we don't dump DER encoding just dump content octets */
 	if(!(lflags & ASN1_STRFLGS_DUMP_DER)) {
 		outlen = do_hex_dump(io_ch, arg, str->data, str->length);
 		if(outlen < 0) return -1;
 		return outlen + 1;
 	}
 	t.type = str->type;
 	t.value.ptr = (char *)str;
 	der_len = i2d_ASN1_TYPE(&t, NULL);
 	der_buf = OPENSSL_malloc(der_len);
 	if(!der_buf) return -1;
 	p = der_buf;
 	i2d_ASN1_TYPE(&t, &p);
 	outlen = do_hex_dump(io_ch, arg, der_buf, der_len);
 	OPENSSL_free(der_buf);
 	if(outlen < 0) return -1;
 	return outlen + 1;
 }
 /* Lookup table to convert tags to character widths,
 * 0 = UTF8 encoded, -1 is used for non string types
 * otherwise it is the number of bytes per character
 */
 const static char tag2nbyte[] = {
 	-1, -1, -1, -1, -1,	/* 0-4 */
 	-1, -1, -1, -1, -1,	/* 5-9 */
 	-1, -1, 0, -1,		/* 10-13 */
 	-1, -1, -1, -1,		/* 15-17 */
 	-1, 1, 1,		/* 18-20 */
 	-1, 1, -1,-1,		/* 21-24 */
 	-1, 1, -1,		/* 25-27 */
 	4, -1, 2		/* 28-30 */
 };
 #define ESC_FLAGS (ASN1_STRFLGS_ESC_2253 | \
 		  ASN1_STRFLGS_ESC_QUOTE | \
 		  ASN1_STRFLGS_ESC_CTRL | \
 		  ASN1_STRFLGS_ESC_MSB)
 /* This is the main function, print out an
 * ASN1_STRING taking note of various escape
 * and display options. Returns number of
 * characters written or -1 if an error
 * occurred.
 */
 static int do_print_ex(char_io *io_ch, void *arg, unsigned long lflags, ASN1_STRING *str)
 {
 	int outlen, len;
 	int type;
 	char quotes;
 	unsigned char flags;
 	quotes = 0;
 	/* Keep a copy of escape flags */
 	flags = (unsigned char)(lflags & ESC_FLAGS);
 	type = str->type;
 	outlen = 0;
 	if(lflags & ASN1_STRFLGS_SHOW_TYPE) {
 		const char *tagname;
 		tagname = ASN1_tag2str(type);
 		outlen += strlen(tagname);
 		if(!io_ch(arg, tagname, outlen) || !io_ch(arg, ":", 1)) return -1; 
 		outlen++;
 	}
 	/* Decide what to do with type, either dump content or display it */
 	/* Dump everything */
 	if(lflags & ASN1_STRFLGS_DUMP_ALL) type = -1;
 	/* Ignore the string type */
 	else if(lflags & ASN1_STRFLGS_IGNORE_TYPE) type = 1;
 	else {
 		/* Else determine width based on type */
 		if((type > 0) && (type < 31)) type = tag2nbyte[type];
 		else type = -1;
 		if((type == -1) && !(lflags & ASN1_STRFLGS_DUMP_UNKNOWN)) type = 1;
 	}
 	if(type == -1) {
 		len = do_dump(lflags, io_ch, arg, str);
 		if(len < 0) return -1;
 		outlen += len;
 		return outlen;
 	}
 	if(lflags & ASN1_STRFLGS_UTF8_CONVERT) {
 		/* Note: if string is UTF8 and we want
 		 * to convert to UTF8 then we just interpret
 		 * it as 1 byte per character to avoid converting
 		 * twice.
 		 */
 		if(!type) type = 1;
 		else type |= BUF_TYPE_CONVUTF8;
 	}
 	len = do_buf(str->data, str->length, type, flags, &quotes, io_ch, NULL);
 	if(outlen < 0) return -1;
 	outlen += len;
 	if(quotes) outlen += 2;
 	if(!arg) return outlen;
 	if(quotes && !io_ch(arg, "\"", 1)) return -1;
 	do_buf(str->data, str->length, type, flags, NULL, io_ch, arg);
 	if(quotes && !io_ch(arg, "\"", 1)) return -1;
 	return outlen;
 }
 /* Used for line indenting: print 'indent' spaces */
 static int do_indent(char_io *io_ch, void *arg, int indent)
 {
 	int i;
 	for(i = 0; i < indent; i++)
 			if(!io_ch(arg, " ", 1)) return 0;
 	return 1;
 }
 static int do_name_ex(char_io *io_ch, void *arg, X509_NAME *n,
 				int indent, unsigned long flags)
 {
 	int i, prev = -1, orflags, cnt;
 	int fn_opt, fn_nid;
 	ASN1_OBJECT *fn;
 	ASN1_STRING *val;
 	X509_NAME_ENTRY *ent;
 	char objtmp[80];
 	const char *objbuf;
 	int outlen, len;
 	char *sep_dn, *sep_mv, *sep_eq;
 	int sep_dn_len, sep_mv_len, sep_eq_len;
 	if(indent < 0) indent = 0;
 	outlen = indent;
 	if(!do_indent(io_ch, arg, indent)) return -1;
 	switch (flags & XN_FLAG_SEP_MASK)
 	{
 		case XN_FLAG_SEP_MULTILINE:
 		sep_dn = "\n";
 		sep_dn_len = 1;
 		sep_mv = " + ";
 		sep_mv_len = 3;
 		break;
 		case XN_FLAG_SEP_COMMA_PLUS:
 		sep_dn = ",";
 		sep_dn_len = 1;
 		sep_mv = "+";
 		sep_mv_len = 1;
 		indent = 0;
 		break;
 		case XN_FLAG_SEP_CPLUS_SPC:
 		sep_dn = ", ";
 		sep_dn_len = 2;
 		sep_mv = " + ";
 		sep_mv_len = 3;
 		indent = 0;
 		break;
 		case XN_FLAG_SEP_SPLUS_SPC:
 		sep_dn = "; ";
 		sep_dn_len = 2;
 		sep_mv = " + ";
 		sep_mv_len = 3;
 		indent = 0;
 		break;
 		default:
 		return -1;
 	}
 	if(flags & XN_FLAG_SPC_EQ) {
 		sep_eq = " = ";
 		sep_eq_len = 3;
 	} else {
 		sep_eq = "=";
 		sep_eq_len = 1;
 	}
 	fn_opt = flags & XN_FLAG_FN_MASK;
 	cnt = X509_NAME_entry_count(n);	
 	for(i = 0; i < cnt; i++) {
 		if(flags & XN_FLAG_DN_REV)
 				ent = X509_NAME_get_entry(n, cnt - i - 1);
 		else ent = X509_NAME_get_entry(n, i);
 		if(prev != -1) {
 			if(prev == ent->set) {
 				if(!io_ch(arg, sep_mv, sep_mv_len)) return -1;
 				outlen += sep_mv_len;
 			} else {
 				if(!io_ch(arg, sep_dn, sep_dn_len)) return -1;
 				outlen += sep_dn_len;
 				if(!do_indent(io_ch, arg, indent)) return -1;
 				outlen += indent;
 			}
 		}
 		prev = ent->set;
 		fn = X509_NAME_ENTRY_get_object(ent);
 		val = X509_NAME_ENTRY_get_data(ent);
 		fn_nid = OBJ_obj2nid(fn);
 		if(fn_opt != XN_FLAG_FN_NONE) {
 			int objlen;
 			if((fn_opt == XN_FLAG_FN_OID) || (fn_nid==NID_undef) ) {
 				OBJ_obj2txt(objtmp, 80, fn, 1);
 				objbuf = objtmp;
 			} else {
 				if(fn_opt == XN_FLAG_FN_SN) 
 					objbuf = OBJ_nid2sn(fn_nid);
 				else if(fn_opt == XN_FLAG_FN_LN)
 					objbuf = OBJ_nid2ln(fn_nid);
 				else objbuf = "";
 			}
 			objlen = strlen(objbuf);
 			if(!io_ch(arg, objbuf, objlen)) return -1;
 			if(!io_ch(arg, sep_eq, sep_eq_len)) return -1;
 			outlen += objlen + sep_eq_len;
 		}
 		/* If the field name is unknown then fix up the DER dump
 		 * flag. We might want to limit this further so it will
 		 * DER dump on anything other than a few 'standard' fields.
 		 */
 		if((fn_nid == NID_undef) && (flags & XN_FLAG_DUMP_UNKNOWN_FIELDS)) 
 					orflags = ASN1_STRFLGS_DUMP_ALL;
 		else orflags = 0;
 		len = do_print_ex(io_ch, arg, flags | orflags, val);
 		if(len < 0) return -1;
 		outlen += len;
 	}
 	return outlen;
 }
 /* Wrappers round the main functions */
 int X509_NAME_print_ex(BIO *out, X509_NAME *nm, int indent, unsigned long flags)
 {
 	return do_name_ex(send_bio_chars, out, nm, indent, flags);
 }
 int X509_NAME_print_ex_fp(FILE *fp, X509_NAME *nm, int indent, unsigned long flags)
 {
 	return do_name_ex(send_fp_chars, fp, nm, indent, flags);
 }
 int ASN1_STRING_print_ex(BIO *out, ASN1_STRING *str, unsigned long flags)
 {
 	return do_print_ex(send_bio_chars, out, flags, str);
 }
 int ASN1_STRING_print_ex_fp(FILE *fp, ASN1_STRING *str, unsigned long flags)
 {
 	return do_print_ex(send_fp_chars, fp, flags, str);
 }
 /* Utility function: convert any string type to UTF8, returns number of bytes
 * in output string or a negative error code
 */
 int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
 {
 	ASN1_STRING stmp, *str = &stmp;
 	int mbflag, type, ret;
 	if(!*out || !in) return -1;
 	type = in->type;
 	if((type < 0) || (type > 30)) return -1;
 	mbflag = tag2nbyte[type];
 	if(mbflag == -1) return -1;
 	mbflag |= MBSTRING_FLAG;
 	stmp.data = NULL;
 	ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING);
 	if(ret < 0) return ret;
 	if(out) *out = stmp.data;
 	return stmp.length;
 }
--- a/crypto/asn1/a_strnid.c
+++ b/crypto/asn1/a_strnid.c
@@ -65,8 +65,9 @@
 static STACK_OF(ASN1_STRING_TABLE) *stable = NULL;
 static void st_free(ASN1_STRING_TABLE *tbl);
-static int sk_table_cmp(ASN1_STRING_TABLE **a, ASN1_STRING_TABLE **b);
+static int sk_table_cmp(const ASN1_STRING_TABLE * const *a,
-static int table_cmp(ASN1_STRING_TABLE *a, ASN1_STRING_TABLE *b);
+			const ASN1_STRING_TABLE * const *b);
 static int table_cmp(const void *a, const void *b);
 /* This is the global mask for the mbstring functions: this is use to
@@ -104,9 +105,9 @@ int ASN1_STRING_set_default_mask_asc(char *p)
 		mask = strtoul(p + 5, &end, 0);
 		if(*end) return 0;
 	} else if(!strcmp(p, "nombstr"))
-			 mask = ~(B_ASN1_BMPSTRING|B_ASN1_UTF8STRING);
+		mask = ~((unsigned long)(B_ASN1_BMPSTRING|B_ASN1_UTF8STRING));
 	else if(!strcmp(p, "pkix"))
-			mask = ~B_ASN1_T61STRING;
+			mask = ~((unsigned long)B_ASN1_T61STRING);
 	else if(!strcmp(p, "utf8only")) mask = B_ASN1_UTF8STRING;
 	else if(!strcmp(p, "default"))
 	    mask = 0xFFFFFFFFL;
@@ -132,7 +133,7 @@ ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in,
 	if(tbl) {
 		mask = tbl->mask;
 		if(!(tbl->flags & STABLE_NO_MASK)) mask &= global_mask;
-		ret = ASN1_mbstring_ncopy(out, in, inlen, inform, tbl->mask,
+		ret = ASN1_mbstring_ncopy(out, in, inlen, inform, mask,
 					tbl->minsize, tbl->maxsize);
 	} else ret = ASN1_mbstring_copy(out, in, inlen, inform, DIRSTRING_TYPE & global_mask);
 	if(ret <= 0) return NULL;
@@ -173,14 +174,16 @@ static ASN1_STRING_TABLE tbl_standard[] = {
 {NID_dnQualifier,		-1, -1, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK}
 };
-static int sk_table_cmp(ASN1_STRING_TABLE **a, ASN1_STRING_TABLE **b)
+static int sk_table_cmp(const ASN1_STRING_TABLE * const *a,
 			const ASN1_STRING_TABLE * const *b)
 {
 	return (*a)->nid - (*b)->nid;
 }
-static int table_cmp(ASN1_STRING_TABLE *a, ASN1_STRING_TABLE *b)
+static int table_cmp(const void *a, const void *b)
 {
-	return a->nid - b->nid;
+	const ASN1_STRING_TABLE *sa = a, *sb = b;
 	return sa->nid - sb->nid;
 }
 ASN1_STRING_TABLE *ASN1_STRING_TABLE_get(int nid)
@@ -192,7 +195,7 @@ ASN1_STRING_TABLE *ASN1_STRING_TABLE_get(int nid)
 	ttmp = (ASN1_STRING_TABLE *) OBJ_bsearch((char *)&fnd,
 					(char *)tbl_standard, 
 			sizeof(tbl_standard)/sizeof(ASN1_STRING_TABLE),
-			sizeof(ASN1_STRING_TABLE), (int(*)())table_cmp);
+			sizeof(ASN1_STRING_TABLE), table_cmp);
 	if(ttmp) return ttmp;
 	if(!stable) return NULL;
 	idx = sk_ASN1_STRING_TABLE_find(stable, &fnd);
@@ -213,7 +216,7 @@ int ASN1_STRING_TABLE_add(int nid,
 		return 0;
 	}
 	if(!(tmp = ASN1_STRING_TABLE_get(nid))) {
-		tmp = Malloc(sizeof(ASN1_STRING_TABLE));
+		tmp = OPENSSL_malloc(sizeof(ASN1_STRING_TABLE));
 		if(!tmp) {
 			ASN1err(ASN1_F_ASN1_STRING_TABLE_ADD,
 							ERR_R_MALLOC_FAILURE);
@@ -241,7 +244,7 @@ void ASN1_STRING_TABLE_cleanup(void)
 static void st_free(ASN1_STRING_TABLE *tbl)
 {
-	if(tbl->flags & STABLE_FLAGS_MALLOC) Free(tbl);
+	if(tbl->flags & STABLE_FLAGS_MALLOC) OPENSSL_free(tbl);
 }
 IMPLEMENT_STACK_OF(ASN1_STRING_TABLE)
--- a/Show More
+++ b/Show More