Updates for 0.9.7e release.

Fix race condition.
make update
2004-10-25 11:24:39 +00:00 · 2004-10-25 11:15:49 +00:00 · 2004-10-25 00:04:22 +00:00 · 2004-10-20 17:24:06 +00:00 · 2004-10-20 00:54:27 +00:00 · 2004-10-20 00:48:15 +00:00
466 changed files with 28828 additions and 3712 deletions
--- a/.cvsignore
+++ b/.cvsignore
@@ -1,5 +1,5 @@
 openssl.pc
-Makefile.ssl
+Makefile
 MINFO
 makefile.one
 tmp
@@ -14,3 +14,4 @@ cctest.c
 cctest.a
 libcrypto.so.*
 libssl.so.*
+libcrypto.sha1
--- a/223
+++ b/223
@@ -2,6 +2,161 @@
 OpenSSL CHANGES
 _______________

+ Changes between 0.9.7d and 0.9.7e  [25 Oct 2004]
+
+  *) Avoid a race condition when CRLs are checked in a multi threaded 
+     environment. This would happen due to the reordering of the revoked
+     entries during signature checking and serial number lookup. Now the
+     encoding is cached and the serial number sort performed under a lock.
+     Add new STACK function sk_is_sorted().
+     [Steve Henson]
+
+  *) Add Delta CRL to the extension code.
+     [Steve Henson]
+
+  *) Various fixes to s3_pkt.c so alerts are sent properly.
+     [David Holmes <d.holmes@f5.com>]
+
+  *) Reduce the chances of duplicate issuer name and serial numbers (in
+     violation of RFC3280) using the OpenSSL certificate creation utilities.
+     This is done by creating a random 64 bit value for the initial serial
+     number when a serial number file is created or when a self signed
+     certificate is created using 'openssl req -x509'. The initial serial
+     number file is created using 'openssl x509 -next_serial' in CA.pl
+     rather than being initialized to 1.
+     [Steve Henson]
+
+ Changes between 0.9.7c and 0.9.7d  [17 Mar 2004]
+
+  *) Fix null-pointer assignment in do_change_cipher_spec() revealed           
+     by using the Codenomicon TLS Test Tool (CAN-2004-0079)                    
+     [Joe Orton, Steve Henson]   
+
+  *) Fix flaw in SSL/TLS handshaking when using Kerberos ciphersuites
+     (CAN-2004-0112)
+     [Joe Orton, Steve Henson]   
+
+  *) Make it possible to have multiple active certificates with the same
+     subject in the CA index file.  This is done only if the keyword
+     'unique_subject' is set to 'no' in the main CA section (default
+     if 'CA_default') of the configuration file.  The value is saved
+     with the database itself in a separate index attribute file,
+     named like the index file with '.attr' appended to the name.
+     [Richard Levitte]
+
+  *) X509 verify fixes. Disable broken certificate workarounds when 
+     X509_V_FLAGS_X509_STRICT is set. Check CRL issuer has cRLSign set if
+     keyUsage extension present. Don't accept CRLs with unhandled critical
+     extensions: since verify currently doesn't process CRL extensions this
+     rejects a CRL with *any* critical extensions. Add new verify error codes
+     for these cases.
+     [Steve Henson]
+
+  *) When creating an OCSP nonce use an OCTET STRING inside the extnValue.
+     A clarification of RFC2560 will require the use of OCTET STRINGs and 
+     some implementations cannot handle the current raw format. Since OpenSSL
+     copies and compares OCSP nonces as opaque blobs without any attempt at
+     parsing them this should not create any compatibility issues.
+     [Steve Henson]
+
+  *) New md flag EVP_MD_CTX_FLAG_REUSE this allows md_data to be reused when
+     calling EVP_MD_CTX_copy_ex() to avoid calling OPENSSL_malloc(). Without
+     this HMAC (and other) operations are several times slower than OpenSSL
+     < 0.9.7.
+     [Steve Henson]
+
+  *) Print out GeneralizedTime and UTCTime in ASN1_STRING_print_ex().
+     [Peter Sylvester <Peter.Sylvester@EdelWeb.fr>]
+
+  *) Use the correct content when signing type "other".
+     [Steve Henson]
+
+ Changes between 0.9.7b and 0.9.7c  [30 Sep 2003]
+
+  *) Fix various bugs revealed by running the NISCC test suite:
+
+     Stop out of bounds reads in the ASN1 code when presented with
+     invalid tags (CAN-2003-0543 and CAN-2003-0544).
+     
+     Free up ASN1_TYPE correctly if ANY type is invalid (CAN-2003-0545).
+
+     If verify callback ignores invalid public key errors don't try to check
+     certificate signature with the NULL public key.
+
+     [Steve Henson]
+
+  *) New -ignore_err option in ocsp application to stop the server
+     exiting on the first error in a request.
+     [Steve Henson]
+
+  *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
+     if the server requested one: as stated in TLS 1.0 and SSL 3.0
+     specifications.
+     [Steve Henson]
+
+  *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
+     extra data after the compression methods not only for TLS 1.0
+     but also for SSL 3.0 (as required by the specification).
+     [Bodo Moeller; problem pointed out by Matthias Loepfe]
+
+  *) Change X509_certificate_type() to mark the key as exported/exportable
+     when it's 512 *bits* long, not 512 bytes.
+     [Richard Levitte]
+
+  *) Change AES_cbc_encrypt() so it outputs exact multiple of
+     blocks during encryption.
+     [Richard Levitte]
+
+  *) Various fixes to base64 BIO and non blocking I/O. On write 
+     flushes were not handled properly if the BIO retried. On read
+     data was not being buffered properly and had various logic bugs.
+     This also affects blocking I/O when the data being decoded is a
+     certain size.
+     [Steve Henson]
+
+  *) Various S/MIME bugfixes and compatibility changes:
+     output correct application/pkcs7 MIME type if
+     PKCS7_NOOLDMIMETYPE is set. Tolerate some broken signatures.
+     Output CR+LF for EOL if PKCS7_CRLFEOL is set (this makes opening
+     of files as .eml work). Correctly handle very long lines in MIME
+     parser.
+     [Steve Henson]
+
+ Changes between 0.9.7a and 0.9.7b  [10 Apr 2003]
+
+  *) Countermeasure against the Klima-Pokorny-Rosa extension of
+     Bleichbacher's attack on PKCS #1 v1.5 padding: treat
+     a protocol version number mismatch like a decryption error
+     in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
+     [Bodo Moeller]
+
+  *) Turn on RSA blinding by default in the default implementation
+     to avoid a timing attack. Applications that don't want it can call
+     RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
+     They would be ill-advised to do so in most cases.
+     [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller]
+
+  *) Change RSA blinding code so that it works when the PRNG is not
+     seeded (in this case, the secret RSA exponent is abused as
+     an unpredictable seed -- if it is not unpredictable, there
+     is no point in blinding anyway).  Make RSA blinding thread-safe
+     by remembering the creator's thread ID in rsa->blinding and
+     having all other threads use local one-time blinding factors
+     (this requires more computation than sharing rsa->blinding, but
+     avoids excessive locking; and if an RSA object is not shared
+     between threads, blinding will still be very fast).
+     [Bodo Moeller]
+
+  *) Fixed a typo bug that would cause ENGINE_set_default() to set an
+     ENGINE as defaults for all supported algorithms irrespective of
+     the 'flags' parameter. 'flags' is now honoured, so applications
+     should make sure they are passing it correctly.
+     [Geoff Thorpe]
+
+  *) Target "mingw" now allows native Windows code to be generated in
+     the Cygwin environment as well as with the MinGW compiler.
+     [Ulf Moeller] 
+
 Changes between 0.9.7 and 0.9.7a  [19 Feb 2003]

  *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
@@ -85,6 +240,9 @@

 Changes between 0.9.6h and 0.9.7  [31 Dec 2002]

+  [NB: OpenSSL 0.9.6i and later 0.9.6 patch levels were released after
+  OpenSSL 0.9.7.]
+
  *) Fix session ID handling in SSLv2 client code: the SERVER FINISHED
     code (06) was taken as the first octet of the session ID and the last
     octet was ignored consequently. As a result SSLv2 client side session
@@ -1903,6 +2061,71 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
  *) Clean old EAY MD5 hack from e_os.h.
     [Richard Levitte]

+ Changes between 0.9.6l and 0.9.6m  [17 Mar 2004]
+
+  *) Fix null-pointer assignment in do_change_cipher_spec() revealed
+     by using the Codenomicon TLS Test Tool (CAN-2004-0079)
+     [Joe Orton, Steve Henson]
+
+ Changes between 0.9.6k and 0.9.6l  [04 Nov 2003]
+
+  *) Fix additional bug revealed by the NISCC test suite:
+
+     Stop bug triggering large recursion when presented with
+     certain ASN.1 tags (CAN-2003-0851)
+     [Steve Henson]
+
+ Changes between 0.9.6j and 0.9.6k  [30 Sep 2003]
+
+  *) Fix various bugs revealed by running the NISCC test suite:
+
+     Stop out of bounds reads in the ASN1 code when presented with
+     invalid tags (CAN-2003-0543 and CAN-2003-0544).
+     
+     If verify callback ignores invalid public key errors don't try to check
+     certificate signature with the NULL public key.
+
+     [Steve Henson]
+
+  *) In ssl3_accept() (ssl/s3_srvr.c) only accept a client certificate
+     if the server requested one: as stated in TLS 1.0 and SSL 3.0
+     specifications.
+     [Steve Henson]
+
+  *) In ssl3_get_client_hello() (ssl/s3_srvr.c), tolerate additional
+     extra data after the compression methods not only for TLS 1.0
+     but also for SSL 3.0 (as required by the specification).
+     [Bodo Moeller; problem pointed out by Matthias Loepfe]
+
+  *) Change X509_certificate_type() to mark the key as exported/exportable
+     when it's 512 *bits* long, not 512 bytes.
+     [Richard Levitte]
+
+ Changes between 0.9.6i and 0.9.6j  [10 Apr 2003]
+
+  *) Countermeasure against the Klima-Pokorny-Rosa extension of
+     Bleichbacher's attack on PKCS #1 v1.5 padding: treat
+     a protocol version number mismatch like a decryption error
+     in ssl3_get_client_key_exchange (ssl/s3_srvr.c).
+     [Bodo Moeller]
+
+  *) Turn on RSA blinding by default in the default implementation
+     to avoid a timing attack. Applications that don't want it can call
+     RSA_blinding_off() or use the new flag RSA_FLAG_NO_BLINDING.
+     They would be ill-advised to do so in most cases.
+     [Ben Laurie, Steve Henson, Geoff Thorpe, Bodo Moeller]
+
+  *) Change RSA blinding code so that it works when the PRNG is not
+     seeded (in this case, the secret RSA exponent is abused as
+     an unpredictable seed -- if it is not unpredictable, there
+     is no point in blinding anyway).  Make RSA blinding thread-safe
+     by remembering the creator's thread ID in rsa->blinding and
+     having all other threads use local one-time blinding factors
+     (this requires more computation than sharing rsa->blinding, but
+     avoids excessive locking; and if an RSA object is not shared
+     between threads, blinding will still be very fast).
+     [Bodo Moeller]
+
 Changes between 0.9.6h and 0.9.6i  [19 Feb 2003]

  *) In ssl3_get_record (ssl/s3_pkt.c), minimize information leaked
--- a/101
+++ b/101
@@ -10,7 +10,7 @@ use strict;

 # see INSTALL for instructions.

-my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-engine] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
+my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-engine] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386] [[no-]fips] [debug] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";

 # Options:
 #
@@ -135,26 +135,33 @@ my %table=(
 # Our development configs
 "purify",	"purify gcc:-g -DPURIFY -Wall::(unknown)::-lsocket -lnsl::::",
 "debug",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror::(unknown)::-lefence::::",
-"debug-ben",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o",
+"debug-ben",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o",
 "debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
 "debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
-"debug-ben-debug",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::::",
+"debug-ben-debug",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -Wall -Wshadow -Werror -pipe::(unknown)::::::",
 "debug-ben-strict",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::",
+"debug-ben-fips-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_FIPS -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o",
 "debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 "debug-bodo",	"gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 "debug-ulf",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT:::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
-"debug-steve",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
+"debug-steve",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wno-long-long -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
 "debug-steve-linux-pseudo64",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:SIXTY_FOUR_BIT::dlfcn",
-"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-levitte-linux-noasm-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wmissing-prototypes -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-levitte-linux-noasm-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wmissing-prototypes -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "dist",		"cc:-O::(unknown)::::::",

 # Basic configs that should work on any (32 and less bit) box
 "gcc",		"gcc:-O3::(unknown):::BN_LLONG:::",
 "cc",		"cc:-O::(unknown)::::::",

+####VOS Configurations
+"vos-gcc","gcc:-b hppa1.1-stratus-vos -O3 -Wall -Wuninitialized -D_POSIX_C_SOURCE=200112L -D_BSD::(unknown):VOS:-Wl,-map:BN_LLONG:::::::::::::.so:",
+"debug-vos-gcc","gcc:-b hppa1.1-stratus-vos -O0 -g -Wall -D_POSIX_C_SOURCE=200112L -D_BSD -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG::(unknown):VOS:-Wl,-map:BN_LLONG:::::::::::::.so:",
+"vos-vcc","vcc:-b i386-stratus-vos -O3 -D_POSIX_C_SOURCE=200112L -D_BSD::(unknown):VOS:-Wl,-map::::::::::::::.so:",
+"debug-vos-vcc","vcc:-b i386-stratus-vos -O0 -g -D_POSIX_C_SOURCE=200112L -D_BSD -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG::(unknown):VOS:-Wl,-map::::::::::::::.so:",
+
 #### Solaris x86 with GNU C setups
 # -DOPENSSL_NO_INLINE_ASM switches off inline assembler. We have to do it
 # here because whenever GNU C instantiates an assembler template it
@@ -216,13 +223,13 @@ my %table=(
 "irix-cc", "cc:-O2 -use_readonly_const -DTERMIOS -DB_ENDIAN::(unknown):::BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC2 DES_UNROLL BF_PTR::::::::::dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 #### IRIX 6.x configs
 # Only N32 and N64 ABIs are supported. If you need O32 ABI build, invoke
-# './Configure irix-[g]cc' manually.
+# './Configure irix-cc -o32' manually.
 # -mips4 flag is added by ./config when appropriate.
-"irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"irix-mips3-cc", "cc:-n32 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared::-mabi=n32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"irix-mips3-cc", "cc:-n32 -mips3 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared::-n32:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # N64 ABI builds.
-"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared::-mabi=64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared::-64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

 #### Unified HP-UX ANSI C configs.
 # Special notes:
@@ -260,6 +267,7 @@ my %table=(
 # 64bit PARISC for GCC without optimization, which seems to make problems.
 # Submitted by <ross.alexander@uk.neceur.com>
 "hpux64-parisc-gcc","gcc:-DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn:hpux64-shared:-fpic::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux64-parisc2-gcc","gcc:-O3 -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn:hpux64-shared:-fpic::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

 # IA-64 targets
 "hpux-ia64-cc","cc:-Ae +DD32 +O3 +Olit=all -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -381,7 +389,7 @@ my %table=(
 "debug-linux-pentium","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentium -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
 "debug-linux-ppro","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentiumpro -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
 "debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
+"debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
 "linux-mipsel",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-mips",   "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -390,6 +398,7 @@ my %table=(
 "linux-s390",	"gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-s390x",	"gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-ia64",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-ia64-ecc",   "ecc:-DL_ENDIAN -DTERMIO -O2 -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR BF_PTR2 DES_INT DES_UNROLL:asm/x86_64-gcc.o:::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "NetBSD-sparc",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 "NetBSD-m68",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
@@ -413,7 +422,7 @@ my %table=(
 "qnx6",	"cc:-DL_ENDIAN -DTERMIOS::(unknown)::-lsocket:${x86_gcc_des} ${x86_gcc_opts}:",

 # Linux on ARM
-"linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",

 # SCO/Caldera targets.
 #
@@ -506,10 +515,8 @@ my %table=(
 "BC-32","bcc32::::WIN32::BN_LLONG DES_PTR RC4_INDEX EXPORT_VAR_AS_FN::::::::::win32",
 "BC-16","bcc:::(unknown):WIN16::BN_LLONG DES_PTR RC4_INDEX SIXTEEN_BIT:::",

-# Mingw32
-# (Note: the real CFLAGS for Windows builds are defined by util/mk1mf.pl
-# and its library files in util/pl/*)
-"Mingw32", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall:::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
+# MinGW
+"mingw", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -mno-cygwin -Wall:::MINGW32:-mno-cygwin -lwsock32 -lgdi32:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:win32::::.dll",

 # UWIN 
 "UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
@@ -561,6 +568,8 @@ my %table=(
 "vxworks-ppc405","ccppc:-g -msoft-float -mlongcall -DCPU=PPC405 -I\$(WIND_BASE)/target/h:::VXWORKS:-r:::::",
 "vxworks-ppc750","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h \$(DEBUG_FLAG):::VXWORKS:-r:::::",
 "vxworks-ppc750-debug","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DDEBUG -g:::VXWORKS:-r:::::",
+"vxworks-ppc860","ccppc:-nostdinc -msoft-float -DCPU=PPC860 -DNO_STRINGS_H -I\$(WIND_BASE)/target/h:::VXWORKS:-r:::::",
+"vxworks-mipsle","ccmips:-B\$(WIND_BASE)/host/\$(WIND_HOST_TYPE)/lib/gcc-lib/ -DL_ENDIAN -EL -Wl,-EL -mips2 -mno-branch-likely -G 0 -fno-builtin -msoft-float -DCPU=MIPS32 -DMIPSEL -DNO_STRINGS_H -I\$(WIND_BASE)/target/h:::VXWORKS:-r::::::::::::::::ranlibmips:",

 ##### Compaq Non-Stop Kernel (Tandem)
 "tandem-c89","c89:-Ww -D__TANDEM -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -D_TANDEM_SOURCE -DB_ENDIAN::(unknown):::THIRTY_TWO_BIT:::",
@@ -607,7 +616,7 @@ my $threads=0;
 my $no_asm=0;
 my $no_dso=0;
 my @skip=();
-my $Makefile="Makefile.ssl";
+my $Makefile="Makefile";
 my $des_locl="crypto/des/des_locl.h";
 my $des	="crypto/des/des.h";
 my $bn	="crypto/bn/bn.h";
@@ -619,6 +628,7 @@ my $rc2	="crypto/rc2/rc2.h";
 my $bf	="crypto/bf/bf_locl.h";
 my $bn_asm	="bn_asm.o";
 my $des_enc="des_enc.o fcrypt_b.o";
+my $fips_des_enc="fips_des_enc.o";
 my $bf_enc	="bf_enc.o";
 my $cast_enc="c_enc.o";
 my $rc4_enc="rc4_enc.o";
@@ -629,6 +639,8 @@ my $rmd160_obj="";
 my $processor="";
 my $default_ranlib;
 my $perl;
+my $fips=0;
+my $debug=0;

 my $no_ssl2=0;
 my $no_ssl3=0;
@@ -638,10 +650,6 @@ my $no_sha=0;
 my $no_rsa=0;
 my $no_dh=0;

-$default_ranlib= &which("ranlib") or $default_ranlib="true";
-$perl=$ENV{'PERL'} or $perl=&which("perl5") or $perl=&which("perl")
-  or $perl="perl";
-
 &usage if ($#ARGV < 0);

 my $flags;
@@ -737,6 +745,8 @@ PROCESS_ARGS:
 			{ $no_ssl3 = 1; }
 		elsif (/^no-tls1?$/)
 			{ $no_tls1 = 1; }
+		elsif (/^no-fips$/)
+			{ $fips = 0; }
 		elsif (/^no-(.+)$/)
 			{
 			my $algo=$1;
@@ -802,6 +812,14 @@ PROCESS_ARGS:
 			}
 		elsif (/^386$/)
 			{ $processor=386; }
+		elsif (/^fips$/)
+			{
+			$fips=1;
+		        }
+		elsif (/^debug$/)
+			{
+			$debug=1;
+			}
 		elsif (/^rsaref$/)
 			{
 			# No RSAref support any more since it's not needed.
@@ -920,9 +938,14 @@ my $IsWindows=scalar grep /^$target$/,@WinTargets;

 $exe_ext=".exe" if ($target eq "Cygwin");
 $exe_ext=".exe" if ($target eq "DJGPP");
+$exe_ext=".pm" if ($target eq "vos-gcc" or $target eq "debug-vos-gcc" or $target eq "vos-vcc" or $target eq "debug-vos-vcc");
 $openssldir="/usr/local/ssl" if ($openssldir eq "" and $prefix eq "");
 $prefix=$openssldir if $prefix eq "";

+$default_ranlib= &which("ranlib") or $default_ranlib="true";
+$perl=$ENV{'PERL'} or $perl=&which("perl5") or $perl=&which("perl")
+  or $perl="perl";
+
 chop $openssldir if $openssldir =~ /\/$/;
 chop $prefix if $prefix =~ /\/$/;

@@ -1137,12 +1160,20 @@ if ($ranlib eq "")

 $bn_obj = $bn_asm unless $bn_obj ne "";

-$des_obj=$des_enc	unless ($des_obj =~ /\.o$/);
+if ($fips)
+	{
+	$des_obj=$sha1_obj="";
+	$openssl_other_defines.="#define OPENSSL_FIPS\n";
+	}
+$des_obj=$des_enc	unless (!$fips && $des_obj =~ /\.o$/);
+my $fips_des_obj='asm/fips-dx86-elf.o';
+$fips_des_obj=$fips_des_enc unless $processor eq '386';
+my $fips_sha1_obj='asm/sx86-elf.o' if $processor eq '386';
 $bf_obj=$bf_enc		unless ($bf_obj =~ /\.o$/);
 $cast_obj=$cast_enc	unless ($cast_obj =~ /\.o$/);
 $rc4_obj=$rc4_enc	unless ($rc4_obj =~ /\.o$/);
 $rc5_obj=$rc5_enc	unless ($rc5_obj =~ /\.o$/);
-if ($sha1_obj =~ /\.o$/)
+if ($sha1_obj =~ /\.o$/ || $fips_sha1_obj =~ /\.o$/)
 	{
 #	$sha1_obj=$sha1_enc;
 	$cflags.=" -DSHA1_ASM";
@@ -1158,6 +1189,12 @@ if ($rmd160_obj =~ /\.o$/)
 	$cflags.=" -DRMD160_ASM";
 	}

+if ($debug)
+	{
+	$cflags.=" -g";
+	$cflags=~s/-fomit-frame-pointer//;
+	}
+
 # "Stringify" the C flags string.  This permits it to be made part of a string
 # and works as well on command lines.
 $cflags =~ s/([\\\"])/\\\1/g;
@@ -1230,12 +1267,14 @@ while (<IN>)
 	s/^EXE_EXT=.*$/EXE_EXT= $exe_ext/;
 	s/^BN_ASM=.*$/BN_ASM= $bn_obj/;
 	s/^DES_ENC=.*$/DES_ENC= $des_obj/;
+	s/^FIPS_DES_ENC=.*$/FIPS_DES_ENC= $fips_des_obj/;
 	s/^BF_ENC=.*$/BF_ENC= $bf_obj/;
 	s/^CAST_ENC=.*$/CAST_ENC= $cast_obj/;
 	s/^RC4_ENC=.*$/RC4_ENC= $rc4_obj/;
 	s/^RC5_ENC=.*$/RC5_ENC= $rc5_obj/;
 	s/^MD5_ASM_OBJ=.*$/MD5_ASM_OBJ= $md5_obj/;
 	s/^SHA1_ASM_OBJ=.*$/SHA1_ASM_OBJ= $sha1_obj/;
+	s/^FIPS_SHA1_ASM_OBJ=.*$/FIPS_SHA1_ASM_OBJ= $fips_sha1_obj/;
 	s/^RMD160_ASM_OBJ=.*$/RMD160_ASM_OBJ= $rmd160_obj/;
 	s/^PROCESSOR=.*/PROCESSOR= $processor/;
 	s/^RANLIB=.*/RANLIB= $ranlib/;
@@ -1468,7 +1507,7 @@ if($IsWindows) {
 	printf OUT <<EOF;
 #ifndef MK1MF_BUILD
  /* auto-generated by Configure for crypto/cversion.c:
-   * for Unix builds, crypto/Makefile.ssl generates functional definitions;
+   * for Unix builds, crypto/Makefile generates functional definitions;
   * Windows builds (and other mk1mf builds) compile cversion.c with
   * -DMK1MF_BUILD and use definitions added to this file by util/mk1mf.pl. */
  #error "Windows builds (PLATFORM=$target) use mk1mf.pl-created Makefiles"
@@ -1476,7 +1515,7 @@ if($IsWindows) {
 EOF
 	close(OUT);
 } else {
-	my $make_command = "make -f Makefile.ssl PERL=\'$perl\'";
+	my $make_command = "make PERL=\'$perl\'";
 	my $make_targets = "";
 	$make_targets .= " links" if $symlink;
 	$make_targets .= " depend" if $depflags ne "" && $make_depend;
@@ -1567,10 +1606,10 @@ sub which
 	my $path;
 	foreach $path (split /:/, $ENV{PATH})
 		{
-		if (-f "$path/$name" and -x _)
+		if (-f "$path/$name$exe_ext" and -x _)
 			{
-			return "$path/$name" unless ($name eq "perl" and
-			 system("$path/$name -e " . '\'exit($]<5.0);\''));
+			return "$path/$name$exe_ext" unless ($name eq "perl" and
+			 system("$path/$name$exe_ext -e " . '\'exit($]<5.0);\''));
 			}
 		}
 	}
--- a/38
+++ b/38
@@ -52,6 +52,7 @@ OpenSSL  -  Frequently Asked Questions
 * Is OpenSSL thread-safe?
 * I've compiled a program under Windows and it crashes: why?
 * How do I read or write a DER encoded buffer using the ASN1 functions?
+* OpenSSL uses DER but I need BER format: does OpenSSL support BER?
 * I've tried using <M_some_evil_pkcs12_macro> and I get errors why?
 * I've called <some function> and it fails, why?
 * I just get a load of numbers for the error output, what do they mean?
@@ -60,6 +61,7 @@ OpenSSL  -  Frequently Asked Questions
 * Can I use OpenSSL's SSL library with non-blocking I/O?
 * Why doesn't my server application receive a client certificate?
 * Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
+* I think I've detected a memory leak, is this a bug?

 ===============================================================================

@@ -68,7 +70,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?

 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.7a was released on February 19, 2003.
+OpenSSL 0.9.7e was released on October 25, 2004.

 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
@@ -116,11 +118,14 @@ OpenSSL.  Information on the OpenSSL mailing lists is available from

 * Where can I get a compiled version of OpenSSL?

+You can finder pointers to binary distributions in
+http://www.openssl.org/related/binaries.html .
+
 Some applications that use OpenSSL are distributed in binary form.
 When using such an application, you don't need to install OpenSSL
 yourself; the application will include the required parts (e.g. DLLs).

-If you want to install OpenSSL on a Windows system and you don't have
+If you want to build OpenSSL on a Windows system and you don't have
 a C compiler, read the "Mingw32" section of INSTALL.W32 for information
 on how to obtain and install the free GNU C compiler.

@@ -457,7 +462,7 @@ get the best result from OpenSSL.  A bit more complicated solution is the
 following:

 ----- snip:start -----
-  make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile.ssl | \
+  make DIRS=crypto SDIRS=sha "`grep '^CFLAG=' Makefile | \
       sed -e 's/ -O[0-9] / -O0 /'`"
  rm `ls crypto/*.o crypto/sha/*.o | grep -v 'sha_dgst\.o'`
  make
@@ -680,6 +685,20 @@ and attempts to free the buffer will have unpredictable results
 because it no longer points to the same address.


+* OpenSSL uses DER but I need BER format: does OpenSSL support BER?
+
+The short answer is yes, because DER is a special case of BER and OpenSSL
+ASN1 decoders can process BER.
+
+The longer answer is that ASN1 structures can be encoded in a number of
+different ways. One set of ways is the Basic Encoding Rules (BER) with various
+permissible encodings. A restriction of BER is the Distinguished Encoding
+Rules (DER): these uniquely specify how a given structure is encoded.
+
+Therefore, because DER is a special case of BER, DER is an acceptable encoding
+for BER.
+
+
 * I've tried using <M_some_evil_pkcs12_macro> and I get errors why?

 This usually happens when you try compiling something using the PKCS#12
@@ -732,6 +751,7 @@ The general answer is to check the config.log file generated when running
 the OpenSSH configure script. It should contain the detailed information
 on why the OpenSSL library was not detected or considered incompatible.

+
 * Can I use OpenSSL's SSL library with non-blocking I/O?

 Yes; make sure to read the SSL_get_error(3) manual page!
@@ -761,5 +781,17 @@ The correct name according to RFC2256 (LDAP) is x500UniqueIdentifier.
 Change your code to use the new name when compiling against OpenSSL 0.9.7.


+* I think I've detected a memory leak, is this a bug?
+
+In most cases the cause of an apparent memory leak is an OpenSSL internal table
+that is allocated when an application starts up. Since such tables do not grow
+in size over time they are harmless.
+
+These internal tables can be freed up when an application closes using various
+functions.  Currently these include: EVP_cleanup(), ERR_remove_state(),
+ERR_free_strings(), ENGINE_cleanup(), CONF_modules_unload() and
+CRYPTO_cleanup_all_ex_data().
+
+
 ===============================================================================

--- a/4
+++ b/4
@@ -123,7 +123,7 @@
     generic configurations "cc" or "gcc" should usually work on 32 bit
     systems.

-     Configure creates the file Makefile.ssl from Makefile.org and
+     Configure creates the file Makefile from Makefile.org and
     defines various macros in crypto/opensslconf.h (generated from
     crypto/opensslconf.h.in).

@@ -159,7 +159,7 @@
     the failure that isn't a problem in OpenSSL itself (like a missing
     or malfunctioning bc).  If it is a problem with OpenSSL itself,
     try removing any compiler optimization flags from the CFLAG line
-     in Makefile.ssl and run "make clean; make". Please send a bug
+     in Makefile and run "make clean; make". Please send a bug
     report to <openssl-bugs@openssl.org>, including the output of
     "make report" in order to be added to the request tracker at
     http://www.openssl.org/support/rt2.html.
--- a/INSTALL.W32
+++ b/INSTALL.W32
@@ -10,13 +10,20 @@

 You need Perl for Win32.  Unless you will build on Cygwin, you will need
 ActiveState Perl, available from http://www.activestate.com/ActivePerl.
- For Cygwin users, there's more info in the Cygwin section.

 and one of the following C compilers:

  * Visual C++
  * Borland C
-  * GNU C (Mingw32 or Cygwin)
+  * GNU C (Cygwin or MinGW)
+
+ If you are compiling from a tarball or a CVS snapshot then the Win32 files
+ may well be not up to date. This may mean that some "tweaking" is required to
+ get it all to work. See the trouble shooting section later on for if (when?)
+ it goes wrong.
+
+ Visual C++
+ ----------

 If you want to compile in the assembly language routines with Visual C++ then
 you will need an assembler. This is worth doing because it will result in
@@ -39,20 +46,13 @@
 http://www.kernel.org/pub/software/devel/nasm/binaries/win32/
 The NASM binary nasmw.exe needs to be installed anywhere on your PATH.

- If you are compiling from a tarball or a CVS snapshot then the Win32 files
- may well be not up to date. This may mean that some "tweaking" is required to
- get it all to work. See the trouble shooting section later on for if (when?)
- it goes wrong.
-
- Visual C++
- ----------
-
- Firstly you should run Configure:
+ Firstly you should run Configure (to build a FIPS-certified variant of
+ OpenSSL, add the option "fips"):

 > perl Configure VC-WIN32

 Next you need to build the Makefiles and optionally the assembly language
- files:
+ files (to build a FIPS-certified variant of OpenSSL, add the argument "fips"):

 - If you are using MASM then run:

@@ -101,10 +101,12 @@
 Borland C++ builder 5
 ---------------------

- * Configure for building with Borland Builder:
+ * Configure for building with Borland Builder (to build a FIPS-certified
+   variant of OpenSSL, add the option "fips"):
   > perl Configure BC-32

- * Create the appropriate makefile
+ * Create the appropriate makefile (to build a FIPS-certified variant of
+   OpenSSL, add the argument "fips")
   > ms\do_nasm

 * Build
@@ -120,62 +122,35 @@
 * Run make:
   > make -f bcb.mak

- GNU C (Mingw32)
- ---------------
-
- To build OpenSSL, you need the Mingw32 package and GNU make.
-
- * Compiler installation:
-
-   Mingw32 is available from <ftp://ftp.xraylith.wisc.edu/pub/khan/
-   gnu-win32/mingw32/gcc-2.95.2/gcc-2.95.2-msvcrt.exe>. Extract it
-   to a directory such as C:\gcc-2.95.2 and add c:\gcc-2.95.2\bin to
-   the PATH environment variable in "System Properties"; or edit and
-   run C:\gcc-2.95.2\mingw32.bat to set the PATH.
-
- * Compile OpenSSL:
-
-   > ms\mingw32
-
-   This will create the library and binaries in out. In case any problems
-   occur, try
-   > ms\mingw32 no-asm
-   instead.
-
-   libcrypto.a and libssl.a are the static libraries. To use the DLLs,
-   link with libeay32.a and libssl32.a instead.
-
-   See troubleshooting if you get error messages about functions not having
-   a number assigned.
-
- * You can now try the tests:
-
-   > cd out
-   > ..\ms\test
-
 GNU C (Cygwin)
 --------------

 Cygwin provides a bash shell and GNU tools environment running
 on NT 4.0, Windows 9x, Windows ME, Windows 2000, and Windows XP.
 Consequently, a make of OpenSSL with Cygwin is closer to a GNU
- bash environment such as Linux than to other W32 makes which are
- based on a single makefile approach. Cygwin implements Posix/Unix
- calls through cygwin1.dll, and is contrasted to Mingw32 which links
- dynamically to msvcrt.dll or crtdll.dll.
+ bash environment such as Linux than to other the other Win32
+ makes.
+
+ Cygwin implements a Posix/Unix runtime system (cygwin1.dll).
+ It is also possible to create Win32 binaries that only use the
+ Microsoft C runtime system (msvcrt.dll or crtdll.dll) using
+ MinGW. MinGW can be used in the Cygwin development environment
+ or in a standalone setup as described in the following section.

 To build OpenSSL using Cygwin:

 * Install Cygwin (see http://cygwin.com/)

- * Install Perl and ensure it is in the path (recent Cygwin perl 
-   (version 5.6.1-2 of the latter has been reported to work) or
-   ActivePerl)
+ * Install Perl and ensure it is in the path. Both Cygwin perl
+   (5.6.1-2 or newer) and ActivePerl work.

 * Run the Cygwin bash shell

 * $ tar zxvf openssl-x.x.x.tar.gz
   $ cd openssl-x.x.x
+
+   To build the Cygwin version of OpenSSL:
+
   $ ./config
   [...]
   $ make
@@ -183,7 +158,16 @@
   $ make test
   $ make install

- This will create a default install in /usr/local/ssl.
+   This will create a default install in /usr/local/ssl.
+
+   To build the MinGW version (native Windows) in Cygwin:
+
+   $ ./Configure mingw
+   [...]
+   $ make
+   [...]
+   $ make test
+   $ make install

 Cygwin Notes:

@@ -196,6 +180,37 @@
 non-fatal error in "make test" but is otherwise harmless.  If
 desired and needed, GNU bc can be built with Cygwin without change.

+ GNU C (MinGW)
+ -------------
+
+ * Compiler installation:
+
+   MinGW is available from http://www.mingw.org. Run the installer and
+   set the MinGW bin directory to the PATH in "System Properties" or
+   autoexec.bat.
+
+ * Compile OpenSSL:
+
+   > ms\mingw32
+
+   This will create the library and binaries in out. In case any problems
+   occur, try
+   > ms\mingw32 no-asm
+   instead.
+   If you want to build a FIPS-certified variant of OpenSSL, add the argument
+   "fips"
+
+   libcrypto.a and libssl.a are the static libraries. To use the DLLs,
+   link with libeay32.a and libssl32.a instead.
+
+   See troubleshooting if you get error messages about functions not having
+   a number assigned.
+
+ * You can now try the tests:
+
+   > cd out
+   > ..\ms\test
+

 Installation
 ------------
@@ -215,7 +230,7 @@
 	$ md c:\openssl\lib
 	$ md c:\openssl\include
 	$ md c:\openssl\include\openssl
-	$ copy /b inc32\*               c:\openssl\include\openssl
+	$ copy /b inc32\openssl\*       c:\openssl\include\openssl
 	$ copy /b out32dll\ssleay32.lib c:\openssl\lib
 	$ copy /b out32dll\libeay32.lib c:\openssl\lib
 	$ copy /b out32dll\ssleay32.dll c:\openssl\bin
--- a/2
+++ b/2
@@ -12,7 +12,7 @@
  ---------------

 /* ====================================================================
- * Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2004 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
--- a/MacOS/GetHTTPS.src/CPStringUtils.cpp
+++ b/MacOS/GetHTTPS.src/CPStringUtils.cpp
@@ -2750,4 +2750,4 @@ void SkipWhiteSpace(char **ioSrcCharPtr,const Boolean inStopAtEOL)
 			}
 		}
 	}
-}
+}
--- a/MacOS/GetHTTPS.src/ErrorHandling.cpp
+++ b/MacOS/GetHTTPS.src/ErrorHandling.cpp
@@ -167,4 +167,4 @@ void ThrowErrorMessageException(void)
 	ThrowDescriptiveException(gErrorMessage);
 }

-#endif
+#endif
--- a/Makefile.org
+++ b/Makefile.org
@@ -78,7 +78,7 @@ MAKEDEPPROG=makedepend
 # gcc, then the driver will automatically translate it to -xarch=v8plus
 # and pass it down to assembler.
 AS=$(CC) -c
-ASFLAGS=$(CFLAG)
+ASFLAG=$(CFLAG)

 # Set BN_ASM to bn_asm.o if you want to use the C version
 BN_ASM= bn_asm.o
@@ -101,6 +101,7 @@ PROCESSOR=

 # Set DES_ENC to des_enc.o if you want to use the C version
 #There are 4 x86 assember options.
+FIPS_DES_ENC= des_enc.o fcrypt_b.o
 DES_ENC= asm/dx86-out.o asm/yx86-out.o
 #DES_ENC= des_enc.o fcrypt_b.o          # C
 #DES_ENC= asm/dx86-elf.o asm/yx86-elf.o # elf
@@ -153,6 +154,7 @@ MD5_ASM_OBJ= asm/mx86-out.o

 # Also need SHA1_ASM defined
 SHA1_ASM_OBJ= asm/sx86-out.o
+FIPS_SHA1_ASM_OBJ= asm/sx86-out.o
 #SHA1_ASM_OBJ= asm/sx86-elf.o       # elf
 #SHA1_ASM_OBJ= asm/sx86-sol.o       # solaris
 #SHA1_ASM_OBJ= asm/sx86-out.o       # a.out, FreeBSD
@@ -173,27 +175,29 @@ LIBKRB5=
 # we might set SHLIB_MARK to '$(SHARED_LIBS)'.
 SHLIB_MARK=

-DIRS=   crypto ssl $(SHLIB_MARK) apps test tools
-SHLIBDIRS= crypto ssl
+DIRS=   crypto fips ssl $(SHLIB_MARK) sigs apps test tools
+SHLIBDIRS= fips crypto ssl

 # dirs in crypto to build
-SDIRS=  \
+SDIRS=  objects \
 	md2 md4 md5 sha mdc2 hmac ripemd \
 	des rc2 rc4 rc5 idea bf cast \
 	bn ec rsa dsa dh dso engine aes \
-	buffer bio stack lhash rand err objects \
+	buffer bio stack lhash rand err \
 	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5

+FDIRS=	sha1 rand des aes dsa rsa dh
+
 # tests to perform.  "alltests" is a special word indicating that all tests
 # should be performed.
 TESTS = alltests

-MAKEFILE= Makefile.ssl
-MAKE=     make -f Makefile.ssl
+MAKEFILE= Makefile

 MANDIR=$(OPENSSLDIR)/man
 MAN1=1
 MAN3=3
+MANSUFFIX=
 SHELL=/bin/sh

 TOP=    .
@@ -201,6 +205,7 @@ ONEDIRS=out tmp
 EDIRS=  times doc bugs util include certs ms shlib mt demos perl sf dep VMS
 WDIRS=  windows
 LIBS=   libcrypto.a libssl.a
+SIGS=	libcrypto.a.sha1
 SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
 SHARED_SSL=libssl$(SHLIB_EXT)
 SHARED_LIBS=
@@ -218,14 +223,32 @@ HEADER=         e_os.h
 # When we're prepared to use shared libraries in the programs we link here
 # we might remove 'clean-shared' from the targets to perform at this stage

-all: Makefile.ssl sub_all openssl.pc
+all: Makefile sub_all openssl.pc
+
+sigs:	$(SIGS)
+libcrypto.a.sha1: libcrypto.a
+	if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
+		$(RANLIB) libcrypto.a; \
+		fips/sha1/fips_standalone_sha1 libcrypto.a > libcrypto.a.sha1; \
+	fi

 sub_all:
 	@for i in $(DIRS); \
 	do \
 	if [ -d "$$i" ]; then \
 		(cd $$i && echo "making all in $$i..." && \
-		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAGS='${ASFLAGS}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \
+		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \
+	else \
+		$(MAKE) $$i; \
+	fi; \
+	done;
+
+sub_target:
+	@for i in $(DIRS); \
+	do \
+	if [ -d "$$i" ]; then \
+		(cd $$i && echo "making $(TARGET) in $$i..." && \
+		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' AS='${AS}' ASFLAG='${ASFLAG}' SDIRS='$(SDIRS)' FDIRS='$(FDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TARGET='$(TARGET)' sub_target ) || exit 1; \
 	else \
 		$(MAKE) $$i; \
 	fi; \
@@ -391,6 +414,7 @@ do_solaris-shared:
 		  set -x; ${CC} ${SHARED_LDFLAGS} -G -dy -z text \
 			-o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+			-Wl,-Bsymbolic \
 			$${MINUSZ}allextract lib$$i.a $${MINUSZ}defaultextract \
 			$$libs ${EX_LIBS} -lc ) || exit 1; \
 		libs="-l$$i $$libs"; \
@@ -410,9 +434,10 @@ do_svr3-shared:
 		  find . -name "*.o" -print > allobjs ; \
 		  OBJS= ; export OBJS ; \
 		  for obj in `ar t lib$$i.a` ; do \
-		    OBJS="$${OBJS} `grep $$obj allobjs`" ; \
+		    OBJS="$${OBJS} `grep /$$obj allobjs`" ; \
 		  done ; \
-		  set -x; ${CC}  -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+		  set -x; ${CC} ${SHARED_LDFLAGS} \
+			-G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			$${OBJS} $$libs ${EX_LIBS} ) || exit 1; \
 		libs="-l$$i $$libs"; \
@@ -429,13 +454,16 @@ do_svr5-shared:
 			libs="$(LIBKRB5) $$libs"; \
 		fi; \
 		( PATH=/usr/ccs/bin:$$PATH ; export PATH; \
+		  SHARE_FLAG='-G'; \
+		  (${CC} -v 2>&1 | grep gcc) > /dev/null && SHARE_FLAG='-shared'; \
 		  find . -name "*.o" -print > allobjs ; \
 		  OBJS= ; export OBJS ; \
 		  for obj in `ar t lib$$i.a` ; do \
-		    OBJS="$${OBJS} `grep $$obj allobjs`" ; \
+		    OBJS="$${OBJS} `grep /$$obj allobjs`" ; \
 		  done ; \
-		  set -x; ${CC} ${SHARED_LDFLAGS} \
-			-G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+		  set -x; LD_LIBRARY_PATH=.:$$LD_LIBRARY_PATH \
+			${CC} ${SHARED_LDFLAGS} \
+			$${SHARE_FLAG} -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			$${OBJS} $$libs ${EX_LIBS} ) || exit 1; \
 		libs="-l$$i $$libs"; \
@@ -451,10 +479,12 @@ do_irix-shared:
 		if [ "${SHLIBDIRS}" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 			libs="$(LIBKRB5) $$libs"; \
 		fi; \
-		( set -x; ${CC} ${SHARED_LDFLAGS} \
+		( WHOLELIB="-all lib$$i.a -notall"; \
+		  (${CC} -v 2>&1 | grep gcc) > /dev/null && WHOLELIB="-Wl,-all,lib$$i.a,-notall"; \
+		  set -x; ${CC} ${SHARED_LDFLAGS} \
 			-shared -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-Wl,-soname,lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-			-all lib$$i.a $$libs ${EX_LIBS} -lc) || exit 1; \
+			$${WHOLELIB} $$libs ${EX_LIBS} -lc) || exit 1; \
 		libs="-l$$i $$libs"; \
 		done; \
 	fi
@@ -476,7 +506,7 @@ do_hpux-shared:
 		libs="$(LIBKRB5) $$libs"; \
 	fi; \
 	( set -x; /usr/ccs/bin/ld ${SHARED_LDFLAGS} \
- 		+vnocompatwarnings \
+		+vnocompatwarnings \
 		-b -z +s \
 		-o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		+h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
@@ -499,7 +529,7 @@ do_hpux64-shared:
 		libs="$(LIBKRB5) $$libs"; \
 	fi; \
 	( set -x; /usr/ccs/bin/ld ${SHARED_LDFLAGS} \
- 		-b -z \
+		-b -z \
 		-o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		+h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		+forceload lib$$i.a -ldl -lc ) || exit 1; \
@@ -570,7 +600,7 @@ do_reliantunix-shared:
 	libs="-l$$i $$libs"; \
 	done

-openssl.pc: Makefile.ssl
+openssl.pc: Makefile
 	@ ( echo 'prefix=$(INSTALLTOP)'; \
 	    echo 'exec_prefix=$${prefix}'; \
 	    echo 'libdir=$${exec_prefix}/lib'; \
@@ -583,16 +613,16 @@ openssl.pc: Makefile.ssl
 	    echo 'Libs: -L$${libdir} -lssl -lcrypto $(LIBKRB5) $(EX_LIBS)'; \
 	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc

-Makefile.ssl: Makefile.org
-	@echo "Makefile.ssl is older than Makefile.org."
+Makefile: Makefile.org
+	@echo "Makefile is older than Makefile.org."
 	@echo "Reconfigure the source tree (via './config' or 'perl Configure'), please."
 	@false

 libclean:
-	rm -f *.a */lib */*/lib
+	rm -f *.map *.so *.so.* engines/*.so *.a */lib */*/lib

-clean:
-	rm -f shlib/*.o *.o core a.out fluff *.map rehash.time testlog make.log cctest cctest.c
+clean:	libclean
+	rm -f shlib/*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c
 	@for i in $(DIRS) ;\
 	do \
 	if [ -d "$$i" ]; then \
@@ -602,7 +632,7 @@ clean:
 	fi; \
 	done;
 	rm -f openssl.pc
-	rm -f *.a *.o speed.* *.map *.so .pure core
+	rm -f speed.* .pure
 	rm -f $(TARFILE)
 	@for i in $(ONEDIRS) ;\
 	do \
@@ -614,7 +644,7 @@ makefile.one: files
 	sh util/do_ms.sh

 files:
-	$(PERL) $(TOP)/util/files.pl Makefile.ssl > $(TOP)/MINFO
+	$(PERL) $(TOP)/util/files.pl Makefile > $(TOP)/MINFO
 	@for i in $(DIRS) ;\
 	do \
 	if [ -d "$$i" ]; then \
@@ -624,19 +654,18 @@ files:
 	done;

 links:
-	@$(TOP)/util/point.sh Makefile.ssl Makefile
 	@$(PERL) $(TOP)/util/mkdir-p.pl include/openssl
 	@$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER)
 	@for i in $(DIRS); do \
 	if [ -d "$$i" ]; then \
 		(cd $$i && echo "making links in $$i..." && \
-		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' links ) || exit 1; \
+		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' links ) || exit 1; \
 	fi; \
 	done;

 gentests:
 	@(cd test && echo "generating dummy tests (if needed)..." && \
-	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on generate );
+	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on generate );

 dclean:
 	rm -f *.bak
@@ -650,9 +679,12 @@ dclean:

 rehash: rehash.time
 rehash.time: certs
-	@(OPENSSL="`pwd`/apps/openssl"; OPENSSL_DEBUG_MEMORY=on; \
+	@(OPENSSL="`pwd`/apps/openssl$(EXE_EXT)"; OPENSSL_DEBUG_MEMORY=on; \
 		export OPENSSL OPENSSL_DEBUG_MEMORY; \
-		LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \
+		LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \
+		DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \
+		SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \
+		LIBPATH="`pwd`:$$LIBPATH"; \
 		if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
 		export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
 		$(PERL) tools/c_rehash certs)
@@ -662,11 +694,14 @@ test:   tests

 tests: rehash
 	@(cd test && echo "testing..." && \
-	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on tests );
-	@LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \
-		if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
-		export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
-		apps/openssl version -a
+	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' FIPS_DES_ENC='${FIPS_DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' FIPS_SHA1_ASM_OBJ='${FIPS_SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on tests );
+	@LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \
+	DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \
+	SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \
+	LIBPATH="`pwd`:$$LIBPATH"; \
+	if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
+	export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
+	apps/openssl version -a

 report:
 	@$(PERL) util/selftest.pl
@@ -690,13 +725,8 @@ lint:
 	done;

 tags:
-	@for i in $(DIRS) ;\
-	do \
-	if [ -d "$$i" ]; then \
-		(cd $$i && echo "making tags $$i..." && \
-		$(MAKE) SDIRS='${SDIRS}' tags ) || exit 1; \
-	fi; \
-	done;
+	rm -f TAGS
+	find . -name '[^.]*.[ch]' | xargs etags -a

 errors:
 	$(PERL) util/mkerr.pl -recurse -write
@@ -716,11 +746,14 @@ crypto/objects/obj_dat.h: crypto/objects/obj_dat.pl crypto/objects/obj_mac.h
 crypto/objects/obj_mac.h: crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num
 	$(PERL) crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num crypto/objects/obj_mac.h

+apps/openssl-vms.cnf: apps/openssl.cnf
+	$(PERL) VMS/VMSify-conf.pl < apps/openssl.cnf > apps/openssl-vms.cnf
+
 TABLE: Configure
 	(echo 'Output of `Configure TABLE'"':"; \
 	$(PERL) Configure TABLE) > TABLE

-update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h TABLE
+update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h apps/openssl-vms.cnf TABLE

 # Build distribution tar-file. As the list of files returned by "find" is
 # pretty long, on several platforms a "too many arguments" error or similar
@@ -757,15 +790,16 @@ dist:
 dist_pem_h:
 	(cd crypto/pem; $(MAKE) CC='${CC}' SDIRS='${SDIRS}' CFLAG='${CFLAG}' pem.h; $(MAKE) clean)

-install: all install_docs
+install: all install_docs install_sw
+
+install_sw:
 	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/lib \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
-		$(INSTALL_PREFIX)$(OPENSSLDIR)/private \
-		$(INSTALL_PREFIX)$(OPENSSLDIR)/lib
+		$(INSTALL_PREFIX)$(OPENSSLDIR)/private
 	@for i in $(EXHEADER) ;\
 	do \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
@@ -783,7 +817,11 @@ install: all install_docs
 		if [ -f "$$i" ]; then \
 		(       echo installing $$i; \
 			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
-			$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+			if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
+				: ; \
+			else \
+				$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+			fi; \
 			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
 			mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
 		fi; \
@@ -820,7 +858,17 @@ install: all install_docs
 			sed -e '1,/^$$/d' doc/openssl-shared.txt; \
 		fi; \
 	fi
+	@for i in $(SIGS) ;\
+	do \
+		if [ -f "$$i" ]; then \
+		(       echo installing $$i; \
+			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+			mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
+		fi; \
+	done;
 	cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
+	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig/openssl.pc

 install_docs:
 	@$(PERL) $(TOP)/util/mkdir-p.pl \
@@ -837,33 +885,35 @@ install_docs:
 	for i in doc/apps/*.pod; do \
 		fn=`basename $$i .pod`; \
 		if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \
-		echo "installing man$$sec/$$fn.$$sec"; \
+		echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
 		(cd `$(PERL) util/dirname.pl $$i`; \
 		sh -c "$$pod2man \
 			--section=$$sec --center=OpenSSL \
 			--release=$(VERSION) `basename $$i`") \
-			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$$sec; \
+			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
 			grep -v $$filecase "^$$fn\$$" | \
+			grep -v "[	]" | \
 			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
 			 while read n; do \
-				$$here/util/point.sh $$fn.$$sec $$n.$$sec; \
+				$$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
 			 done); \
 	done; \
 	for i in doc/crypto/*.pod doc/ssl/*.pod; do \
 		fn=`basename $$i .pod`; \
 		if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \
-		echo "installing man$$sec/$$fn.$$sec"; \
+		echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
 		(cd `$(PERL) util/dirname.pl $$i`; \
 		sh -c "$$pod2man \
 			--section=$$sec --center=OpenSSL \
 			--release=$(VERSION) `basename $$i`") \
-			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$$sec; \
+			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
 			grep -v $$filecase "^$$fn\$$" | \
+			grep -v "[	]" | \
 			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
 			 while read n; do \
-				$$here/util/point.sh $$fn.$$sec $$n.$$sec; \
+				$$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
 			 done); \
 	done

--- a/43
+++ b/43
@@ -5,6 +5,37 @@
  This file gives a brief overview of the major changes between each OpenSSL
  release. For more details please read the CHANGES file.

+  Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e:
+
+      o Fix race condition in CRL checking code.
+      o Fixes to PKCS#7 (S/MIME) code.
+
+  Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d:
+
+      o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug
+      o Security: Fix null-pointer assignment in do_change_cipher_spec()
+      o Allow multiple active certificates with same subject in CA index
+      o Multiple X509 verification fixes
+      o Speed up HMAC and other operations
+
+  Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c:
+
+      o Security: fix various ASN1 parsing bugs.
+      o New -ignore_err option to OCSP utility.
+      o Various interop and bug fixes in S/MIME code.
+      o SSL/TLS protocol fix for unrequested client certificates.
+
+  Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b:
+
+      o Security: counter the Klima-Pokorny-Rosa extension of
+        Bleichbacher's attack 
+      o Security: make RSA blinding default.
+      o Configuration: Irix fixes, AIX fixes, better mingw support.
+      o Support for new platforms: linux-ia64-ecc.
+      o Build: shared library support fixes.
+      o ASN.1: treat domainComponent correctly.
+      o Documentation: fixes and additions.
+
  Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a:

      o Security: Important security related bugfixes.
@@ -62,6 +93,18 @@
      o SSL/TLS: add callback to retrieve SSL/TLS messages.
      o SSL/TLS: support AES cipher suites (RFC3268).

+  Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k:
+
+      o Security: fix various ASN1 parsing bugs.
+      o SSL/TLS protocol fix for unrequested client certificates.
+
+  Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j:
+
+      o Security: counter the Klima-Pokorny-Rosa extension of
+        Bleichbacher's attack 
+      o Security: make RSA blinding default.
+      o Build: shared library support fixes.
+
  Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i:

      o Important security related bugfixes.
--- a/35
+++ b/35
@@ -12,8 +12,8 @@ along the whole library path before it bothers looking for .a libraries.  This
 means that -L switches won't matter unless OpenSSL is built with shared
 library support.

-The workaround may be to change the following lines in apps/Makefile.ssl and
-test/Makefile.ssl:
+The workaround may be to change the following lines in apps/Makefile and
+test/Makefile:

  LIBCRYPTO=-L.. -lcrypto
  LIBSSL=-L.. -lssl
@@ -98,3 +98,34 @@ config-line. './Configure aix43-cc shared' is working, but not
 libraries. It's possible to build 64-bit shared libraries by running
 'env OBJECT_MODE=64 make', but we need more elegant solution. Preferably one
 supporting even gcc shared builds. See RT#463 for background information.
+
+* Problems building shared libraries on SCO OpenServer Release 5.0.6
+  with gcc 2.95.3
+
+The symptoms appear when running the test suite, more specifically
+test/ectest, with the following result:
+
+OSSL_LIBPATH="`cd ..; pwd`"; LD_LIBRARY_PATH="$OSSL_LIBPATH:$LD_LIBRARY_PATH"; DYLD_LIBRARY_PATH="$OSSL_LIBPATH:$DYLD_LIBRARY_PATH"; SHLIB_PATH="$OSSL_LIBPATH:$SHLIB_PATH"; LIBPATH="$OSSL_LIBPATH:$LIBPATH"; if [ "debug-sco5-gcc" = "Cygwin" ]; then PATH="${LIBPATH}:$PATH"; fi; export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; ./ectest
+ectest.c:186: ABORT
+
+The cause of the problem seems to be that isxdigit(), called from
+BN_hex2bn(), returns 0 on a perfectly legitimate hex digit.  Further
+investigation shows that any of the isxxx() macros return 0 on any
+input.  A direct look in the information array that the isxxx() use,
+called __ctype, shows that it contains all zeroes...
+
+Taking a look at the newly created libcrypto.so with nm, one can see
+that the variable __ctype is defined in libcrypto's .bss (which
+explains why it is filled with zeroes):
+
+$ nm -Pg libcrypto.so | grep __ctype
+__ctype B 0011659c
+__ctype2 U         
+
+Curiously, __ctype2 is undefined, in spite of being declared in
+/usr/include/ctype.h in exactly the same way as __ctype.
+
+Any information helping to solve this issue would be deeply
+appreciated.
+
+NOTE: building non-shared doesn't come with this problem.
--- a/18
+++ b/18
@@ -1,7 +1,7 @@

- OpenSSL 0.9.7a Feb 19 2003
+ OpenSSL 0.9.7e 25 Oct 2004

- Copyright (c) 1998-2003 The OpenSSL Project
+ Copyright (c) 1998-2004 The OpenSSL Project
 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
 All rights reserved.

@@ -173,11 +173,17 @@
 textual explanation of what your patch does.

 Note: For legal reasons, contributions from the US can be accepted only
- if a TSA notification and a copy of the patch is sent to crypt@bis.doc.gov;
- see http://www.bis.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html [sic]
- and http://w3.access.gpo.gov/bis/ear/pdf/740.pdf (EAR Section 740.13(e)).
+ if a TSU notification and a copy of the patch are sent to crypt@bis.doc.gov
+ (formerly BXA) with a copy to the ENC Encryption Request Coordinator;
+ please take some time to look at
+    http://www.bis.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html [sic]
+ and
+    http://w3.access.gpo.gov/bis/ear/pdf/740.pdf (EAR Section 740.13(e))
+ for the details. If "your encryption source code is too large to serve as
+ an email attachment", they are glad to receive it by fax instead; hope you
+ have a cheap long-distance plan.

- The preferred format for changes is "diff -u" output. You might
+ Our preferred format for changes is "diff -u" output. You might
 generate it like this:

 # cd openssl-work
--- a/21
+++ b/21
@@ -1,12 +1,19 @@

  OpenSSL STATUS                           Last modified at
-  ______________                           $Date: 2003/02/19 12:33:52 $
+  ______________                           $Date: 2004/03/17 12:01:16 $

  DEVELOPMENT STATE

    o  OpenSSL 0.9.8:  Under development...
+    o  OpenSSL 0.9.7d: Released on March     17th, 2004
+    o  OpenSSL 0.9.7c: Released on September 30th, 2003
+    o  OpenSSL 0.9.7b: Released on April     10th, 2003
    o  OpenSSL 0.9.7a: Released on February  19th, 2003
    o  OpenSSL 0.9.7:  Released on December  31st, 2002
+    o  OpenSSL 0.9.6m: Released on March     17th, 2004
+    o  OpenSSL 0.9.6l: Released on November   4th, 2003
+    o  OpenSSL 0.9.6k: Released on September 30th, 2003
+    o  OpenSSL 0.9.6j: Released on April     10th, 2003
    o  OpenSSL 0.9.6i: Released on February  19th, 2003
    o  OpenSSL 0.9.6h: Released on December   5th, 2002
    o  OpenSSL 0.9.6g: Released on August     9th, 2002
@@ -29,17 +36,7 @@

  RELEASE SHOWSTOPPERS

-    o [2002-11-21]
-      PR 343 mentions that scrubbing memory with 'memset(ptr, 0, n)' may
-      be optimized away in modern compilers.  This is definitely not good
-      and needs to be fixed immediately.  The formula to use is presented
-      in:
-
-      http://online.securityfocus.com/archive/82/297918/2002-10-27/2002-11-02/0
-
-      The problem report that mentions this is:
-
-      https://www.aet.TU-Cottbus.DE/rt2/Ticket/Display.html?id=343
+    o 

  AVAILABLE PATCHES

--- a/311
+++ b/311
@@ -300,31 +300,6 @@ $shared_extension =
 $ranlib       = 
 $arflags      = 

-*** Mingw32
-$cc           = gcc
-$cflags       = -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall
-$unistd       = 
-$thread_cflag = 
-$sys_id       = 
-$lflags       = 
-$bn_ops       = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
-$bn_obj       = 
-$des_obj      = 
-$bf_obj       = 
-$md5_obj      = 
-$sha1_obj     = 
-$cast_obj     = 
-$rc4_obj      = 
-$rmd160_obj   = 
-$rc5_obj      = 
-$dso_scheme   = win32
-$shared_target= 
-$shared_cflag = 
-$shared_ldflag = 
-$shared_extension = 
-$ranlib       = 
-$arflags      = 
-
 *** NetBSD-m68
 $cc           = gcc
 $cflags       = -DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN
@@ -1527,7 +1502,7 @@ $arflags      =

 *** debug-ben
 $cc           = gcc
-$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe
+$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -Wall -Wshadow -Werror -pipe
 $unistd       = 
 $thread_cflag = (unknown)
 $sys_id       = 
@@ -1552,7 +1527,7 @@ $arflags      =

 *** debug-ben-debug
 $cc           = gcc
-$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe
+$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -Wall -Wshadow -Werror -pipe
 $unistd       = 
 $thread_cflag = (unknown)
 $sys_id       = 
@@ -1575,6 +1550,31 @@ $shared_extension =
 $ranlib       = 
 $arflags      = 

+*** debug-ben-fips-debug
+$cc           = gcc
+$cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_FIPS -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe
+$unistd       = 
+$thread_cflag = (unknown)
+$sys_id       = 
+$lflags       = 
+$bn_ops       = 
+$bn_obj       = asm/bn86-elf.o asm/co86-elf.o
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = 
+$shared_target= 
+$shared_cflag = 
+$shared_ldflag = 
+$shared_extension = 
+$ranlib       = 
+$arflags      = 
+
 *** debug-ben-openbsd
 $cc           = gcc
 $cflags       = -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe
@@ -1677,7 +1677,7 @@ $arflags      =

 *** debug-levitte-linux-elf
 $cc           = gcc
-$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -pipe
+$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wmissing-prototypes -Wno-long-long -pipe
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -1702,7 +1702,7 @@ $arflags      =

 *** debug-levitte-linux-elf-extreme
 $cc           = gcc
-$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wconversion -Wno-long-long -pipe
+$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wmissing-prototypes -Wconversion -Wno-long-long -pipe
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -1727,7 +1727,7 @@ $arflags      =

 *** debug-levitte-linux-noasm
 $cc           = gcc
-$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -pipe
+$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wmissing-prototypes -Wno-long-long -pipe
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -1752,7 +1752,7 @@ $arflags      =

 *** debug-levitte-linux-noasm-extreme
 $cc           = gcc
-$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wconversion -Wno-long-long -pipe
+$cflags       = -DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wmissing-prototypes -Wconversion -Wno-long-long -pipe
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
@@ -1818,10 +1818,10 @@ $rc4_obj      = asm/rx86-elf.o
 $rmd160_obj   = asm/rm86-elf.o
 $rc5_obj      = asm/r586-elf.o
 $dso_scheme   = dlfcn
-$shared_target= 
-$shared_cflag = 
+$shared_target= linux-shared
+$shared_cflag = -fPIC
 $shared_ldflag = 
-$shared_extension = 
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 

@@ -2002,12 +2002,12 @@ $arflags      =

 *** debug-steve
 $cc           = gcc
-$cflags       = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wall -Werror -Wshadow -pipe
+$cflags       = -DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wno-long-long -Wall -Werror -Wshadow -pipe
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
-$lflags       = -rdynamic -ldl
-$bn_ops       = DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$lflags       = -ldl
+$bn_ops       = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
 $bn_obj       = asm/bn86-elf.o asm/co86-elf.o
 $des_obj      = asm/dx86-elf.o asm/yx86-elf.o
 $bf_obj       = asm/bx86-elf.o
@@ -2075,6 +2075,56 @@ $shared_extension =
 $ranlib       = 
 $arflags      = 

+*** debug-vos-gcc
+$cc           = gcc
+$cflags       = -b hppa1.1-stratus-vos -O0 -g -Wall -D_POSIX_C_SOURCE=200112L -D_BSD -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG
+$unistd       = 
+$thread_cflag = (unknown)
+$sys_id       = VOS
+$lflags       = -Wl,-map
+$bn_ops       = BN_LLONG
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = 
+$shared_target= 
+$shared_cflag = 
+$shared_ldflag = .so
+$shared_extension = 
+$ranlib       = 
+$arflags      = 
+
+*** debug-vos-vcc
+$cc           = vcc
+$cflags       = -b i386-stratus-vos -O0 -g -D_POSIX_C_SOURCE=200112L -D_BSD -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG
+$unistd       = 
+$thread_cflag = (unknown)
+$sys_id       = VOS
+$lflags       = -Wl,-map
+$bn_ops       = 
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = 
+$shared_target= 
+$shared_cflag = 
+$shared_ldflag = .so
+$shared_extension = 
+$ranlib       = 
+$arflags      = 
+
 *** dgux-R3-gcc
 $cc           = gcc
 $cflags       = -O3 -fomit-frame-pointer
@@ -2675,6 +2725,31 @@ $shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 

+*** hpux64-parisc2-gcc
+$cc           = gcc
+$cflags       = -O3 -DB_ENDIAN -DMD32_XARRAY
+$unistd       = 
+$thread_cflag = -D_REENTRANT
+$sys_id       = 
+$lflags       = -ldl
+$bn_ops       = SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT
+$bn_obj       = asm/pa-risc2W.o
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = dlfcn
+$shared_target= hpux64-shared
+$shared_cflag = -fpic
+$shared_ldflag = 
+$shared_extension = .sl.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+$ranlib       = 
+$arflags      = 
+
 *** hurd-x86
 $cc           = gcc
 $cflags       = -DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall
@@ -2752,7 +2827,7 @@ $arflags      =

 *** irix-mips3-cc
 $cc           = cc
-$cflags       = -n32 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W
+$cflags       = -n32 -mips3 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W
 $unistd       = 
 $thread_cflag = -D_SGI_MP_SOURCE
 $sys_id       = 
@@ -2770,7 +2845,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= irix-shared
 $shared_cflag = 
-$shared_ldflag = 
+$shared_ldflag = -n32
 $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
@@ -2795,7 +2870,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= irix-shared
 $shared_cflag = 
-$shared_ldflag = 
+$shared_ldflag = -mabi=n32
 $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
@@ -2820,7 +2895,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= irix-shared
 $shared_cflag = 
-$shared_ldflag = 
+$shared_ldflag = -64
 $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
@@ -2845,7 +2920,7 @@ $rc5_obj      =
 $dso_scheme   = dlfcn
 $shared_target= irix-shared
 $shared_cflag = 
-$shared_ldflag = 
+$shared_ldflag = -mabi=64
 $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 
@@ -3006,7 +3081,7 @@ $cflags       = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall
 $unistd       = 
 $thread_cflag = -D_REENTRANT
 $sys_id       = 
-$lflags       = 
+$lflags       = -ldl
 $bn_ops       = BN_LLONG
 $bn_obj       = 
 $des_obj      = 
@@ -3050,6 +3125,31 @@ $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 

+*** linux-ia64-ecc
+$cc           = ecc
+$cflags       = -DL_ENDIAN -DTERMIO -O2 -Wall
+$unistd       = 
+$thread_cflag = -D_REENTRANT
+$sys_id       = 
+$lflags       = -ldl
+$bn_ops       = SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR
+$bn_obj       = asm/ia64.o
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = dlfcn
+$shared_target= linux-shared
+$shared_cflag = -fPIC
+$shared_ldflag = 
+$shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
+$ranlib       = 
+$arflags      = 
+
 *** linux-k6
 $cc           = gcc
 $cflags       = -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=k6 -Wall
@@ -3425,6 +3525,31 @@ $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 

+*** mingw
+$cc           = gcc
+$cflags       = -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -mno-cygwin -Wall
+$unistd       = 
+$thread_cflag = 
+$sys_id       = MINGW32
+$lflags       = -mno-cygwin -lwsock32 -lgdi32
+$bn_ops       = BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT
+$bn_obj       = asm/bn86-out.o asm/co86-out.o
+$des_obj      = asm/dx86-out.o asm/yx86-out.o
+$bf_obj       = asm/bx86-out.o
+$md5_obj      = asm/mx86-out.o
+$sha1_obj     = asm/sx86-out.o
+$cast_obj     = asm/cx86-out.o
+$rc4_obj      = asm/rx86-out.o
+$rmd160_obj   = asm/rm86-out.o
+$rc5_obj      = asm/r586-out.o
+$dso_scheme   = win32
+$shared_target= 
+$shared_cflag = 
+$shared_ldflag = 
+$shared_extension = .dll
+$ranlib       = 
+$arflags      = 
+
 *** ncr-scde
 $cc           = cc
 $cflags       = -O6 -Xa -Hoff=BEHAVED -686 -Hwide -Hiw
@@ -4225,6 +4350,81 @@ $shared_extension = .so.$(SHLIB_MAJOR).$(SHLIB_MINOR)
 $ranlib       = 
 $arflags      = 

+*** vos-gcc
+$cc           = gcc
+$cflags       = -b hppa1.1-stratus-vos -O3 -Wall -Wuninitialized -D_POSIX_C_SOURCE=200112L -D_BSD
+$unistd       = 
+$thread_cflag = (unknown)
+$sys_id       = VOS
+$lflags       = -Wl,-map
+$bn_ops       = BN_LLONG
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = 
+$shared_target= 
+$shared_cflag = 
+$shared_ldflag = .so
+$shared_extension = 
+$ranlib       = 
+$arflags      = 
+
+*** vos-vcc
+$cc           = vcc
+$cflags       = -b i386-stratus-vos -O3 -D_POSIX_C_SOURCE=200112L -D_BSD
+$unistd       = 
+$thread_cflag = (unknown)
+$sys_id       = VOS
+$lflags       = -Wl,-map
+$bn_ops       = 
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = 
+$shared_target= 
+$shared_cflag = 
+$shared_ldflag = .so
+$shared_extension = 
+$ranlib       = 
+$arflags      = 
+
+*** vxworks-mipsle
+$cc           = ccmips
+$cflags       = -B$(WIND_BASE)/host/$(WIND_HOST_TYPE)/lib/gcc-lib/ -DL_ENDIAN -EL -Wl,-EL -mips2 -mno-branch-likely -G 0 -fno-builtin -msoft-float -DCPU=MIPS32 -DMIPSEL -DNO_STRINGS_H -I$(WIND_BASE)/target/h
+$unistd       = 
+$thread_cflag = 
+$sys_id       = VXWORKS
+$lflags       = -r
+$bn_ops       = 
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = 
+$shared_target= 
+$shared_cflag = 
+$shared_ldflag = 
+$shared_extension = 
+$ranlib       = ranlibmips
+$arflags      = 
+
 *** vxworks-ppc405
 $cc           = ccppc
 $cflags       = -g -msoft-float -mlongcall -DCPU=PPC405 -I$(WIND_BASE)/target/h
@@ -4299,3 +4499,28 @@ $shared_ldflag =
 $shared_extension = 
 $ranlib       = 
 $arflags      = 
+
+*** vxworks-ppc860
+$cc           = ccppc
+$cflags       = -nostdinc -msoft-float -DCPU=PPC860 -DNO_STRINGS_H -I$(WIND_BASE)/target/h
+$unistd       = 
+$thread_cflag = 
+$sys_id       = VXWORKS
+$lflags       = -r
+$bn_ops       = 
+$bn_obj       = 
+$des_obj      = 
+$bf_obj       = 
+$md5_obj      = 
+$sha1_obj     = 
+$cast_obj     = 
+$rc4_obj      = 
+$rmd160_obj   = 
+$rc5_obj      = 
+$dso_scheme   = 
+$shared_target= 
+$shared_cflag = 
+$shared_ldflag = 
+$shared_extension = 
+$ranlib       = 
+$arflags      = 
--- a/VMS/VMSify-conf.pl
+++ b/VMS/VMSify-conf.pl
@@ -0,0 +1,34 @@
+#! /usr/bin/perl
+
+use strict;
+use warnings;
+
+my @directory_vars = ( "dir", "certs", "crl_dir", "new_certs_dir" );
+my @file_vars = ( "database", "certificate", "serial", "crlnumber",
+		  "crl", "private_key", "RANDFILE" );
+while(<STDIN>) {
+    chomp;
+    foreach my $d (@directory_vars) {
+	if (/^(\s*\#?\s*${d}\s*=\s*)\.\/([^\s\#]*)([\s\#].*)$/) {
+	    $_ = "$1sys\\\$disk:\[.$2$3";
+	} elsif (/^(\s*\#?\s*${d}\s*=\s*)(\w[^\s\#]*)([\s\#].*)$/) {
+	    $_ = "$1sys\\\$disk:\[.$2$3";
+	}
+	s/^(\s*\#?\s*${d}\s*=\s*\$\w+)\/([^\s\#]*)([\s\#].*)$/$1.$2\]$3/;
+	while(/^(\s*\#?\s*${d}\s*=\s*(\$\w+\.|sys\\\$disk:\[\.)[\w\.]+)\/([^\]]*)\](.*)$/) {
+	    $_ = "$1.$3]$4";
+	}
+    }
+    foreach my $f (@file_vars) {
+	s/^(\s*\#?\s*${f}\s*=\s*)\.\/(.*)$/$1sys\\\$disk:\[\/$2/;
+	while(/^(\s*\#?\s*${f}\s*=\s*(\$\w+|sys\\\$disk:\[)[^\/]*)\/(\w+\/[^\s\#]*)([\s\#].*)$/) {
+	    $_ = "$1.$3$4";
+	}
+	if (/^(\s*\#?\s*${f}\s*=\s*(\$\w+|sys\\\$disk:\[)[^\/]*)\/(\w+)([\s\#].*)$/) {
+	    $_ = "$1]$3.$4";
+	} elsif  (/^(\s*\#?\s*${f}\s*=\s*(\$\w+|sys\\\$disk:\[)[^\/]*)\/([^\s\#]*)([\s\#].*)$/) {
+	    $_ = "$1]$3$4";
+	}
+   }
+    print $_,"\n";
+}
--- a/VMS/mkshared.com
+++ b/VMS/mkshared.com
@@ -266,6 +266,14 @@ $             falsesum = falsesum + 1
 $         endif
 $         if plat_entry .eqs. "VMS" then truesum = truesum + 1
 $         if plat_entry .eqs. "!VMS" then falsesum = falsesum + 1
+$         if f$trnlnm("OPENSSL_FIPS") .nes. ""
+$         then
+$           if plat_entry .eqs. "OPENSSL_FIPS" then truesum = truesum + 1
+$           if plat_entry .eqs. "!OPENSSL_FIPS" then falsesum = falsesum + 1
+$         else
+$           if plat_entry .eqs. "OPENSSL_FIPS" then falsesum = falsesum + 1
+$           if plat_entry .eqs. "!OPENSSL_FIPS" then truesum = truesum + 1
+$         endif
 $	  goto loop1
 $       endif
 $     endloop1:
--- a/apps/.cvsignore
+++ b/apps/.cvsignore
@@ -3,3 +3,4 @@ Makefile.save
 der_chop
 der_chop.bak
 CA.pl
+openssl.sha1
--- a/apps/CA.pl.in
+++ b/apps/CA.pl.in
@@ -82,9 +82,6 @@ foreach (@ARGV) {
 		mkdir "${CATOP}/crl", $DIRMODE ;
 		mkdir "${CATOP}/newcerts", $DIRMODE;
 		mkdir "${CATOP}/private", $DIRMODE;
-		open OUT, ">${CATOP}/serial";
-		print OUT "01\n";
-		close OUT;
 		open OUT, ">${CATOP}/index.txt";
 		close OUT;
 	    }
@@ -106,6 +103,10 @@ foreach (@ARGV) {
 		    $RET=$?;
 		}
 	    }
+	    if (! -f "${CATOP}/serial" ) {
+		system ("$X509 -in ${CATOP}/$CACERT -noout "
+			. "-next_serial -out ${CATOP}/serial");
+	    }
 	} elsif (/^-pkcs12$/) {
 	    my $cname = $ARGV[1];
 	    $cname = "My Certificate" unless defined $cname;
--- a/apps/Makefile.ssl
+++ b/apps/Makefile.ssl
@@ -1,5 +1,5 @@
 #
-#  apps/Makefile.ssl
+#  apps/Makefile
 #

 DIR=		apps
@@ -10,10 +10,9 @@ CFLAG=		-g -static
 INSTALL_PREFIX=
 INSTALLTOP=	/usr/local/ssl
 OPENSSLDIR=	/usr/local/ssl
-MAKE=		make -f Makefile.ssl
 MAKEDEPPROG=	makedepend
 MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
-MAKEFILE=	Makefile.ssl
+MAKEFILE=	Makefile
 PERL=		perl
 RM=		rm -f
 # KRB5 stuff
@@ -45,7 +44,7 @@ E_EXE=	verify asn1pars req dgst dh dhparam enc passwd gendh errstr \
 	ca crl rsa rsautl dsa dsaparam \
 	x509 genrsa gendsa s_server s_client speed \
 	s_time version pkcs7 crl2pkcs7 sess_id ciphers nseq pkcs12 \
-	pkcs8 spkac smime rand engine ocsp
+	pkcs8 spkac smime rand engine ocsp prime

 PROGS= $(PROGRAM).c

@@ -61,14 +60,14 @@ E_OBJ=	verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o er
 	rsa.o rsautl.o dsa.o dsaparam.o \
 	x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o \
 	s_time.o $(A_OBJ) $(S_OBJ) $(RAND_OBJ) version.o sess_id.o \
-	ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o engine.o ocsp.o
+	ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o engine.o ocsp.o prime.o

 E_SRC=	verify.c asn1pars.c req.c dgst.c dh.c enc.c passwd.c gendh.c errstr.c ca.c \
 	pkcs7.c crl2p7.c crl.c \
 	rsa.c rsautl.c dsa.c dsaparam.c \
 	x509.c genrsa.c gendsa.c s_server.c s_client.c speed.c \
 	s_time.c $(A_SRC) $(S_SRC) $(RAND_SRC) version.c sess_id.c \
-	ciphers.c nseq.c pkcs12.c pkcs8.c spkac.c smime.c rand.c engine.c ocsp.c
+	ciphers.c nseq.c pkcs12.c pkcs8.c spkac.c smime.c rand.c engine.c ocsp.c prime.c

 SRC=$(E_SRC)

@@ -84,16 +83,17 @@ top:

 all:	exe

-exe:	$(PROGRAM)
+exe:	$(EXE)

 req: sreq.o $(A_OBJ) $(DLIBCRYPTO)
+	LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
 	$(CC) -o req $(CFLAG) sreq.o $(A_OBJ) $(RAND_OBJ) $(PEX_LIBS) $(LIBCRYPTO) $(EX_LIBS)

 sreq.o: req.c 
 	$(CC) -c $(INCLUDES) $(CFLAG) -o sreq.o req.c

 files:
-	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO

 install:
 	@for i in $(EXE); \
@@ -120,7 +120,6 @@ tags:
 tests:

 links:
-	@$(TOP)/util/point.sh Makefile.ssl Makefile

 lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
@@ -142,15 +141,22 @@ $(DLIBSSL):
 $(DLIBCRYPTO):
 	(cd ..; $(MAKE) DIRS=crypto all)

-$(PROGRAM): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL)
-	$(RM) $(PROGRAM)
+$(EXE): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL)
+	$(RM) $(EXE)
 	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
-	  $(CC) -o $(PROGRAM) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(DLIBSSL) $(LIBKRB5) $(DLIBCRYPTO) $(EX_LIBS) ; \
+	  $(CC) -o $(EXE) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(DLIBSSL) $(LIBKRB5) $(DLIBCRYPTO) $(EX_LIBS) ; \
 	else \
-	  $(CC) -o $(PROGRAM) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) $(EX_LIBS) ; \
+	  LD_LIBRARY_PATH=..:$$LD_LIBRARY_PATH \
+	  $(CC) -o $(EXE) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) $(EX_LIBS) ; \
 	fi
-	-(cd ..; OPENSSL="`pwd`/apps/openssl"; export OPENSSL; \
-		LIBPATH="`pwd`"; LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; \
+	if egrep 'define OPENSSL_FIPS' $(TOP)/include/openssl/opensslconf.h > /dev/null; then \
+		TOP=$(TOP) $(TOP)/fips/openssl_fips_fingerprint $(TOP)/libcrypto.a $(EXE); \
+	fi
+	-(cd ..; OPENSSL="`pwd`/apps/$(EXE)"; export OPENSSL; \
+		LD_LIBRARY_PATH="`pwd`:$$LD_LIBRARY_PATH"; \
+		DYLD_LIBRARY_PATH="`pwd`:$$DYLD_LIBRARY_PATH"; \
+		SHLIB_PATH="`pwd`:$$SHLIB_PATH"; \
+		LIBPATH="`pwd`:$$LIBPATH"; \
 		if [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
 		export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
 		$(PERL) tools/c_rehash certs)
@@ -339,21 +345,22 @@ dgst.o: ../include/openssl/crypto.h ../include/openssl/des.h
 dgst.o: ../include/openssl/des_old.h ../include/openssl/dh.h
 dgst.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
 dgst.o: ../include/openssl/engine.h ../include/openssl/err.h
-dgst.o: ../include/openssl/evp.h ../include/openssl/idea.h
-dgst.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-dgst.o: ../include/openssl/md4.h ../include/openssl/md5.h
-dgst.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-dgst.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-dgst.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-dgst.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-dgst.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-dgst.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-dgst.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-dgst.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-dgst.o: ../include/openssl/sha.h ../include/openssl/stack.h
-dgst.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-dgst.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
-dgst.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h dgst.c
+dgst.o: ../include/openssl/evp.h ../include/openssl/hmac.h
+dgst.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+dgst.o: ../include/openssl/md2.h ../include/openssl/md4.h
+dgst.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+dgst.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+dgst.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+dgst.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+dgst.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+dgst.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+dgst.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+dgst.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+dgst.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+dgst.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+dgst.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
+dgst.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+dgst.o: ../include/openssl/x509_vfy.h apps.h dgst.c
 dh.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
 dh.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
 dh.o: ../include/openssl/bn.h ../include/openssl/buffer.h
@@ -632,24 +639,25 @@ openssl.o: ../include/openssl/des.h ../include/openssl/des_old.h
 openssl.o: ../include/openssl/dh.h ../include/openssl/dsa.h
 openssl.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
 openssl.o: ../include/openssl/err.h ../include/openssl/evp.h
-openssl.o: ../include/openssl/idea.h ../include/openssl/kssl.h
-openssl.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-openssl.o: ../include/openssl/md4.h ../include/openssl/md5.h
-openssl.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-openssl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-openssl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-openssl.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-openssl.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-openssl.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-openssl.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-openssl.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-openssl.o: ../include/openssl/sha.h ../include/openssl/ssl.h
-openssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
-openssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-openssl.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-openssl.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
-openssl.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
-openssl.o: ../include/openssl/x509_vfy.h apps.h openssl.c progs.h s_apps.h
+openssl.o: ../include/openssl/fips.h ../include/openssl/idea.h
+openssl.o: ../include/openssl/kssl.h ../include/openssl/lhash.h
+openssl.o: ../include/openssl/md2.h ../include/openssl/md4.h
+openssl.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+openssl.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+openssl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+openssl.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+openssl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+openssl.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+openssl.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+openssl.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+openssl.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+openssl.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+openssl.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+openssl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+openssl.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+openssl.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+openssl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+openssl.o: openssl.c progs.h s_apps.h
 passwd.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
 passwd.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
 passwd.o: ../include/openssl/bn.h ../include/openssl/buffer.h
@@ -744,6 +752,28 @@ pkcs8.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
 pkcs8.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
 pkcs8.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
 pkcs8.o: ../include/openssl/x509_vfy.h apps.h pkcs8.c
+prime.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+prime.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+prime.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+prime.o: ../include/openssl/cast.h ../include/openssl/conf.h
+prime.o: ../include/openssl/crypto.h ../include/openssl/des.h
+prime.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+prime.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+prime.o: ../include/openssl/engine.h ../include/openssl/err.h
+prime.o: ../include/openssl/evp.h ../include/openssl/idea.h
+prime.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+prime.o: ../include/openssl/md4.h ../include/openssl/md5.h
+prime.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+prime.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+prime.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+prime.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+prime.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+prime.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+prime.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+prime.o: ../include/openssl/sha.h ../include/openssl/stack.h
+prime.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+prime.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+prime.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h prime.c
 rand.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
 rand.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
 rand.o: ../include/openssl/bn.h ../include/openssl/buffer.h
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -126,24 +126,10 @@
 #include <openssl/engine.h>
 #endif

-#ifdef OPENSSL_SYS_WINDOWS
-#define strcasecmp _stricmp
-#else
-#  ifdef NO_STRINGS_H
-    int	strcasecmp();
-#  else
-#    include <strings.h>
-#  endif /* NO_STRINGS_H */
-#endif
-
 #define NON_MAIN
 #include "apps.h"
 #undef NON_MAIN

-#ifdef OPENSSL_SYS_WINDOWS
-#  include "bss_file.c"
-#endif
-
 typedef struct {
 	char *name;
 	unsigned long flag;
@@ -344,44 +330,6 @@ void program_name(char *in, char *out, int size)
 #endif
 #endif

-#ifdef OPENSSL_SYS_WIN32
-int WIN32_rename(char *from, char *to)
-	{
-#ifndef OPENSSL_SYS_WINCE
-	/* Windows rename gives an error if 'to' exists, so delete it
-	 * first and ignore file not found errror
-	 */
-	if((remove(to) != 0) && (errno != ENOENT))
-		return -1;
-#undef rename
-	return rename(from, to);
-#else
-	/* convert strings to UNICODE */
-	{
-	BOOL result = FALSE;
-	WCHAR* wfrom;
-	WCHAR* wto;
-	int i;
-	wfrom = malloc((strlen(from)+1)*2);
-	wto = malloc((strlen(to)+1)*2);
-	if (wfrom != NULL && wto != NULL)
-		{
-		for (i=0; i<(int)strlen(from)+1; i++)
-			wfrom[i] = (short)from[i];
-		for (i=0; i<(int)strlen(to)+1; i++)
-			wto[i] = (short)to[i];
-		result = MoveFile(wfrom, wto);
-		}
-	if (wfrom != NULL)
-		free(wfrom);
-	if (wto != NULL)
-		free(wto);
-	return result;
-	}
-#endif
-	}
-#endif
-
 #ifdef OPENSSL_SYS_VMS
 int VMS_strcasecmp(const char *str1, const char *str2)
 	{
@@ -505,7 +453,7 @@ static int ui_read(UI *ui, UI_STRING *uis)
 			{
 			const char *password =
 				((PW_CB_DATA *)UI_get0_user_data(ui))->password;
-			if (password[0] != '\0')
+			if (password && password[0] != '\0')
 				{
 				UI_set_result(ui, uis, password);
 				return 1;
@@ -529,7 +477,7 @@ static int ui_write(UI *ui, UI_STRING *uis)
 			{
 			const char *password =
 				((PW_CB_DATA *)UI_get0_user_data(ui))->password;
-			if (password[0] != '\0')
+			if (password && password[0] != '\0')
 				return 1;
 			}
 		default:
@@ -1415,14 +1363,631 @@ int load_config(BIO *err, CONF *cnf)
 char *make_config_name()
 	{
 	const char *t=X509_get_default_cert_area();
+	size_t len;
 	char *p;

-	p=OPENSSL_malloc(strlen(t)+strlen(OPENSSL_CONF)+2);
-	strcpy(p,t);
+	len=strlen(t)+strlen(OPENSSL_CONF)+2;
+	p=OPENSSL_malloc(len);
+	BUF_strlcpy(p,t,len);
 #ifndef OPENSSL_SYS_VMS
-	strcat(p,"/");
+	BUF_strlcat(p,"/",len);
 #endif
-	strcat(p,OPENSSL_CONF);
+	BUF_strlcat(p,OPENSSL_CONF,len);

 	return p;
 	}
+
+static unsigned long index_serial_hash(const char **a)
+	{
+	const char *n;
+
+	n=a[DB_serial];
+	while (*n == '0') n++;
+	return(lh_strhash(n));
+	}
+
+static int index_serial_cmp(const char **a, const char **b)
+	{
+	const char *aa,*bb;
+
+	for (aa=a[DB_serial]; *aa == '0'; aa++);
+	for (bb=b[DB_serial]; *bb == '0'; bb++);
+	return(strcmp(aa,bb));
+	}
+
+static int index_name_qual(char **a)
+	{ return(a[0][0] == 'V'); }
+
+static unsigned long index_name_hash(const char **a)
+	{ return(lh_strhash(a[DB_name])); }
+
+int index_name_cmp(const char **a, const char **b)
+	{ return(strcmp(a[DB_name],
+	     b[DB_name])); }
+
+static IMPLEMENT_LHASH_HASH_FN(index_serial_hash,const char **)
+static IMPLEMENT_LHASH_COMP_FN(index_serial_cmp,const char **)
+static IMPLEMENT_LHASH_HASH_FN(index_name_hash,const char **)
+static IMPLEMENT_LHASH_COMP_FN(index_name_cmp,const char **)
+
+#undef BSIZE
+#define BSIZE 256
+
+BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai)
+	{
+	BIO *in=NULL;
+	BIGNUM *ret=NULL;
+	MS_STATIC char buf[1024];
+	ASN1_INTEGER *ai=NULL;
+
+	ai=ASN1_INTEGER_new();
+	if (ai == NULL) goto err;
+
+	if ((in=BIO_new(BIO_s_file())) == NULL)
+		{
+		ERR_print_errors(bio_err);
+		goto err;
+		}
+
+	if (BIO_read_filename(in,serialfile) <= 0)
+		{
+		if (!create)
+			{
+			perror(serialfile);
+			goto err;
+			}
+		else
+			{
+			ret=BN_new();
+			if (ret == NULL || !rand_serial(ret, ai))
+				BIO_printf(bio_err, "Out of memory\n");
+			}
+		}
+	else
+		{
+		if (!a2i_ASN1_INTEGER(in,ai,buf,1024))
+			{
+			BIO_printf(bio_err,"unable to load number from %s\n",
+				serialfile);
+			goto err;
+			}
+		ret=ASN1_INTEGER_to_BN(ai,NULL);
+		if (ret == NULL)
+			{
+			BIO_printf(bio_err,"error converting number from bin to BIGNUM\n");
+			goto err;
+			}
+		}
+
+	if (ret && retai)
+		{
+		*retai = ai;
+		ai = NULL;
+		}
+ err:
+	if (in != NULL) BIO_free(in);
+	if (ai != NULL) ASN1_INTEGER_free(ai);
+	return(ret);
+	}
+
+int save_serial(char *serialfile, char *suffix, BIGNUM *serial, ASN1_INTEGER **retai)
+	{
+	char buf[1][BSIZE];
+	BIO *out = NULL;
+	int ret=0;
+	ASN1_INTEGER *ai=NULL;
+	int j;
+
+	if (suffix == NULL)
+		j = strlen(serialfile);
+	else
+		j = strlen(serialfile) + strlen(suffix) + 1;
+	if (j >= BSIZE)
+		{
+		BIO_printf(bio_err,"file name too long\n");
+		goto err;
+		}
+
+	if (suffix == NULL)
+		BUF_strlcpy(buf[0], serialfile, BSIZE);
+	else
+		{
+#ifndef OPENSSL_SYS_VMS
+		j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", serialfile, suffix);
+#else
+		j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", serialfile, suffix);
+#endif
+		}
+#ifdef RL_DEBUG
+	BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]);
+#endif
+	out=BIO_new(BIO_s_file());
+	if (out == NULL)
+		{
+		ERR_print_errors(bio_err);
+		goto err;
+		}
+	if (BIO_write_filename(out,buf[0]) <= 0)
+		{
+		perror(serialfile);
+		goto err;
+		}
+
+	if ((ai=BN_to_ASN1_INTEGER(serial,NULL)) == NULL)
+		{
+		BIO_printf(bio_err,"error converting serial to ASN.1 format\n");
+		goto err;
+		}
+	i2a_ASN1_INTEGER(out,ai);
+	BIO_puts(out,"\n");
+	ret=1;
+	if (retai)
+		{
+		*retai = ai;
+		ai = NULL;
+		}
+err:
+	if (out != NULL) BIO_free_all(out);
+	if (ai != NULL) ASN1_INTEGER_free(ai);
+	return(ret);
+	}
+
+int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix)
+	{
+	char buf[5][BSIZE];
+	int i,j;
+	struct stat sb;
+
+	i = strlen(serialfile) + strlen(old_suffix);
+	j = strlen(serialfile) + strlen(new_suffix);
+	if (i > j) j = i;
+	if (j + 1 >= BSIZE)
+		{
+		BIO_printf(bio_err,"file name too long\n");
+		goto err;
+		}
+
+#ifndef OPENSSL_SYS_VMS
+	j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s",
+		serialfile, new_suffix);
+#else
+	j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s",
+		serialfile, new_suffix);
+#endif
+#ifndef OPENSSL_SYS_VMS
+	j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s",
+		serialfile, old_suffix);
+#else
+	j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s",
+		serialfile, old_suffix);
+#endif
+	if (stat(serialfile,&sb) < 0)
+		{
+		if (errno != ENOENT 
+#ifdef ENOTDIR
+			&& errno != ENOTDIR)
+#endif
+			goto err;
+		}
+	else
+		{
+#ifdef RL_DEBUG
+		BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
+			serialfile, buf[1]);
+#endif
+		if (rename(serialfile,buf[1]) < 0)
+			{
+			BIO_printf(bio_err,
+				"unable to rename %s to %s\n",
+				serialfile, buf[1]);
+			perror("reason");
+			goto err;
+			}
+		}
+#ifdef RL_DEBUG
+	BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
+		buf[0],serialfile);
+#endif
+	if (rename(buf[0],serialfile) < 0)
+		{
+		BIO_printf(bio_err,
+			"unable to rename %s to %s\n",
+			buf[0],serialfile);
+		perror("reason");
+		rename(buf[1],serialfile);
+		goto err;
+		}
+	return 1;
+ err:
+	return 0;
+	}
+
+int rand_serial(BIGNUM *b, ASN1_INTEGER *ai)
+	{
+	BIGNUM *btmp;
+	int ret = 0;
+	if (b)
+		btmp = b;
+	else
+		btmp = BN_new();
+
+	if (!btmp)
+		return 0;
+
+	if (!BN_pseudo_rand(btmp, SERIAL_RAND_BITS, 0, 0))
+		goto error;
+	if (ai && !BN_to_ASN1_INTEGER(btmp, ai))
+		goto error;
+
+	ret = 1;
+	
+	error:
+
+	if (!b)
+		BN_free(btmp);
+	
+	return ret;
+	}
+
+CA_DB *load_index(char *dbfile, DB_ATTR *db_attr)
+	{
+	CA_DB *retdb = NULL;
+	TXT_DB *tmpdb = NULL;
+	BIO *in = BIO_new(BIO_s_file());
+	CONF *dbattr_conf = NULL;
+	char buf[1][BSIZE];
+	long errorline= -1;
+
+	if (in == NULL)
+		{
+		ERR_print_errors(bio_err);
+		goto err;
+		}
+	if (BIO_read_filename(in,dbfile) <= 0)
+		{
+		perror(dbfile);
+		BIO_printf(bio_err,"unable to open '%s'\n",dbfile);
+		goto err;
+		}
+	if ((tmpdb = TXT_DB_read(in,DB_NUMBER)) == NULL)
+		{
+		if (tmpdb != NULL) TXT_DB_free(tmpdb);
+		goto err;
+		}
+
+#ifndef OPENSSL_SYS_VMS
+	BIO_snprintf(buf[0], sizeof buf[0], "%s.attr", dbfile);
+#else
+	BIO_snprintf(buf[0], sizeof buf[0], "%s-attr", dbfile);
+#endif
+	dbattr_conf = NCONF_new(NULL);
+	if (NCONF_load(dbattr_conf,buf[0],&errorline) <= 0)
+		{
+		if (errorline > 0)
+			{
+			BIO_printf(bio_err,
+				"error on line %ld of db attribute file '%s'\n"
+				,errorline,buf[0]);
+			goto err;
+			}
+		else
+			{
+			NCONF_free(dbattr_conf);
+			dbattr_conf = NULL;
+			}
+		}
+
+	if ((retdb = OPENSSL_malloc(sizeof(CA_DB))) == NULL)
+		{
+		fprintf(stderr, "Out of memory\n");
+		goto err;
+		}
+
+	retdb->db = tmpdb;
+	tmpdb = NULL;
+	if (db_attr)
+		retdb->attributes = *db_attr;
+	else
+		{
+		retdb->attributes.unique_subject = 1;
+		}
+
+	if (dbattr_conf)
+		{
+		char *p = NCONF_get_string(dbattr_conf,NULL,"unique_subject");
+		if (p)
+			{
+			BIO_printf(bio_err, "DEBUG[load_index]: unique_subject = \"%s\"\n", p);
+			switch(*p)
+				{
+			case 'f': /* false */
+			case 'F': /* FALSE */
+			case 'n': /* no */
+			case 'N': /* NO */
+				retdb->attributes.unique_subject = 0;
+				break;
+			case 't': /* true */
+			case 'T': /* TRUE */
+			case 'y': /* yes */
+			case 'Y': /* YES */
+			default:
+				retdb->attributes.unique_subject = 1;
+				break;
+				}
+			}
+		}
+
+ err:
+	if (dbattr_conf) NCONF_free(dbattr_conf);
+	if (tmpdb) TXT_DB_free(tmpdb);
+	if (in) BIO_free_all(in);
+	return retdb;
+	}
+
+int index_index(CA_DB *db)
+	{
+	if (!TXT_DB_create_index(db->db, DB_serial, NULL,
+				LHASH_HASH_FN(index_serial_hash),
+				LHASH_COMP_FN(index_serial_cmp)))
+		{
+		BIO_printf(bio_err,
+		  "error creating serial number index:(%ld,%ld,%ld)\n",
+		  			db->db->error,db->db->arg1,db->db->arg2);
+			return 0;
+		}
+
+	if (db->attributes.unique_subject
+		&& !TXT_DB_create_index(db->db, DB_name, index_name_qual,
+			LHASH_HASH_FN(index_name_hash),
+			LHASH_COMP_FN(index_name_cmp)))
+		{
+		BIO_printf(bio_err,"error creating name index:(%ld,%ld,%ld)\n",
+			db->db->error,db->db->arg1,db->db->arg2);
+		return 0;
+		}
+	return 1;
+	}
+
+int save_index(char *dbfile, char *suffix, CA_DB *db)
+	{
+	char buf[3][BSIZE];
+	BIO *out = BIO_new(BIO_s_file());
+	int j;
+
+	if (out == NULL)
+		{
+		ERR_print_errors(bio_err);
+		goto err;
+		}
+
+	j = strlen(dbfile) + strlen(suffix);
+	if (j + 6 >= BSIZE)
+		{
+		BIO_printf(bio_err,"file name too long\n");
+		goto err;
+		}
+
+#ifndef OPENSSL_SYS_VMS
+	j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr", dbfile);
+#else
+	j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr", dbfile);
+#endif
+#ifndef OPENSSL_SYS_VMS
+	j = BIO_snprintf(buf[1], sizeof buf[1], "%s.attr.%s", dbfile, suffix);
+#else
+	j = BIO_snprintf(buf[1], sizeof buf[1], "%s-attr-%s", dbfile, suffix);
+#endif
+#ifndef OPENSSL_SYS_VMS
+	j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", dbfile, suffix);
+#else
+	j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s", dbfile, suffix);
+#endif
+#ifdef RL_DEBUG
+	BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[0]);
+#endif
+	if (BIO_write_filename(out,buf[0]) <= 0)
+		{
+		perror(dbfile);
+		BIO_printf(bio_err,"unable to open '%s'\n", dbfile);
+		goto err;
+		}
+	j=TXT_DB_write(out,db->db);
+	if (j <= 0) goto err;
+			
+	BIO_free(out);
+
+	out = BIO_new(BIO_s_file());
+#ifdef RL_DEBUG
+	BIO_printf(bio_err, "DEBUG: writing \"%s\"\n", buf[1]);
+#endif
+	if (BIO_write_filename(out,buf[1]) <= 0)
+		{
+		perror(buf[2]);
+		BIO_printf(bio_err,"unable to open '%s'\n", buf[2]);
+		goto err;
+		}
+	BIO_printf(out,"unique_subject = %s\n",
+		db->attributes.unique_subject ? "yes" : "no");
+	BIO_free(out);
+
+	return 1;
+ err:
+	return 0;
+	}
+
+int rotate_index(char *dbfile, char *new_suffix, char *old_suffix)
+	{
+	char buf[5][BSIZE];
+	int i,j;
+	struct stat sb;
+
+	i = strlen(dbfile) + strlen(old_suffix);
+	j = strlen(dbfile) + strlen(new_suffix);
+	if (i > j) j = i;
+	if (j + 6 >= BSIZE)
+		{
+		BIO_printf(bio_err,"file name too long\n");
+		goto err;
+		}
+
+#ifndef OPENSSL_SYS_VMS
+	j = BIO_snprintf(buf[4], sizeof buf[4], "%s.attr", dbfile);
+#else
+	j = BIO_snprintf(buf[4], sizeof buf[4], "%s-attr", dbfile);
+#endif
+#ifndef OPENSSL_SYS_VMS
+	j = BIO_snprintf(buf[2], sizeof buf[2], "%s.attr.%s",
+		dbfile, new_suffix);
+#else
+	j = BIO_snprintf(buf[2], sizeof buf[2], "%s-attr-%s",
+		dbfile, new_suffix);
+#endif
+#ifndef OPENSSL_SYS_VMS
+	j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s",
+		dbfile, new_suffix);
+#else
+	j = BIO_snprintf(buf[0], sizeof buf[0], "%s-%s",
+		dbfile, new_suffix);
+#endif
+#ifndef OPENSSL_SYS_VMS
+	j = BIO_snprintf(buf[1], sizeof buf[1], "%s.%s",
+		dbfile, old_suffix);
+#else
+	j = BIO_snprintf(buf[1], sizeof buf[1], "%s-%s",
+		dbfile, old_suffix);
+#endif
+#ifndef OPENSSL_SYS_VMS
+	j = BIO_snprintf(buf[3], sizeof buf[3], "%s.attr.%s",
+		dbfile, old_suffix);
+#else
+	j = BIO_snprintf(buf[3], sizeof buf[3], "%s-attr-%s",
+		dbfile, old_suffix);
+#endif
+	if (stat(dbfile,&sb) < 0)
+		{
+		if (errno != ENOENT 
+#ifdef ENOTDIR
+			&& errno != ENOTDIR)
+#endif
+			goto err;
+		}
+	else
+		{
+#ifdef RL_DEBUG
+		BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
+			dbfile, buf[1]);
+#endif
+		if (rename(dbfile,buf[1]) < 0)
+			{
+			BIO_printf(bio_err,
+				"unable to rename %s to %s\n",
+				dbfile, buf[1]);
+			perror("reason");
+			goto err;
+			}
+		}
+#ifdef RL_DEBUG
+	BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
+		buf[0],dbfile);
+#endif
+	if (rename(buf[0],dbfile) < 0)
+		{
+		BIO_printf(bio_err,
+			"unable to rename %s to %s\n",
+			buf[0],dbfile);
+		perror("reason");
+		rename(buf[1],dbfile);
+		goto err;
+		}
+	if (stat(buf[4],&sb) < 0)
+		{
+		if (errno != ENOENT 
+#ifdef ENOTDIR
+			&& errno != ENOTDIR)
+#endif
+			goto err;
+		}
+	else
+		{
+#ifdef RL_DEBUG
+		BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
+			buf[4],buf[3]);
+#endif
+		if (rename(buf[4],buf[3]) < 0)
+			{
+			BIO_printf(bio_err,
+				"unable to rename %s to %s\n",
+				buf[4], buf[3]);
+			perror("reason");
+			rename(dbfile,buf[0]);
+			rename(buf[1],dbfile);
+			goto err;
+			}
+		}
+#ifdef RL_DEBUG
+	BIO_printf(bio_err, "DEBUG: renaming \"%s\" to \"%s\"\n",
+		buf[2],buf[4]);
+#endif
+	if (rename(buf[2],buf[4]) < 0)
+		{
+		BIO_printf(bio_err,
+			"unable to rename %s to %s\n",
+			buf[2],buf[4]);
+		perror("reason");
+		rename(buf[3],buf[4]);
+		rename(dbfile,buf[0]);
+		rename(buf[1],dbfile);
+		goto err;
+		}
+	return 1;
+ err:
+	return 0;
+	}
+
+void free_index(CA_DB *db)
+	{
+	if (db)
+		{
+		if (db->db) TXT_DB_free(db->db);
+		OPENSSL_free(db);
+		}
+	}
+
+/* This code MUST COME AFTER anything that uses rename() */
+#ifdef OPENSSL_SYS_WIN32
+int WIN32_rename(char *from, char *to)
+	{
+#ifndef OPENSSL_SYS_WINCE
+	/* Windows rename gives an error if 'to' exists, so delete it
+	 * first and ignore file not found errror
+	 */
+	if((remove(to) != 0) && (errno != ENOENT))
+		return -1;
+#undef rename
+	return rename(from, to);
+#else
+	/* convert strings to UNICODE */
+	{
+	BOOL result = FALSE;
+	WCHAR* wfrom;
+	WCHAR* wto;
+	int i;
+	wfrom = malloc((strlen(from)+1)*2);
+	wto = malloc((strlen(to)+1)*2);
+	if (wfrom != NULL && wto != NULL)
+		{
+		for (i=0; i<(int)strlen(from)+1; i++)
+			wfrom[i] = (short)from[i];
+		for (i=0; i<(int)strlen(to)+1; i++)
+			wto[i] = (short)to[i];
+		result = MoveFile(wfrom, wto);
+		}
+	if (wfrom != NULL)
+		free(wfrom);
+	if (wto != NULL)
+		free(wto);
+	return result;
+	}
+#endif
+	}
+#endif
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -141,12 +141,6 @@ long app_RAND_load_files(char *file); /* `file' is a list of files to read,
 int WIN32_rename(char *oldname,char *newname);
 #endif

-/* VMS below version 7.0 doesn't have strcasecmp() */
-#ifdef OPENSSL_SYS_VMS
-#define strcasecmp(str1,str2) VMS_strcasecmp((str1),(str2))
-int VMS_strcasecmp(const char *str1, const char *str2);
-#endif
-
 #ifndef MONOLITH

 #define MAIN(a,v)	main(a,v)
@@ -154,9 +148,11 @@ int VMS_strcasecmp(const char *str1, const char *str2);
 #ifndef NON_MAIN
 CONF *config=NULL;
 BIO *bio_err=NULL;
+int in_FIPS_mode=0;
 #else
 extern CONF *config;
 extern BIO *bio_err;
+extern int in_FIPS_mode;
 #endif

 #else
@@ -165,6 +161,7 @@ extern BIO *bio_err;
 extern CONF *config;
 extern char *default_config_file;
 extern BIO *bio_err;
+extern int in_FIPS_mode;

 #endif

@@ -287,7 +284,39 @@ char *make_config_name(void);
 /* Functions defined in ca.c and also used in ocsp.c */
 int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold,
 			ASN1_GENERALIZEDTIME **pinvtm, char *str);
-int make_serial_index(TXT_DB *db);
+
+#define DB_type         0
+#define DB_exp_date     1
+#define DB_rev_date     2
+#define DB_serial       3       /* index - unique */
+#define DB_file         4       
+#define DB_name         5       /* index - unique when active and not disabled */
+#define DB_NUMBER       6
+
+#define DB_TYPE_REV	'R'
+#define DB_TYPE_EXP	'E'
+#define DB_TYPE_VAL	'V'
+
+typedef struct db_attr_st
+	{
+	int unique_subject;
+	} DB_ATTR;
+typedef struct ca_db_st
+	{
+	DB_ATTR attributes;
+	TXT_DB *db;
+	} CA_DB;
+
+BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai);
+int save_serial(char *serialfile, char *suffix, BIGNUM *serial, ASN1_INTEGER **retai);
+int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix);
+int rand_serial(BIGNUM *b, ASN1_INTEGER *ai);
+CA_DB *load_index(char *dbfile, DB_ATTR *dbattr);
+int index_index(CA_DB *db);
+int save_index(char *dbfile, char *suffix, CA_DB *db);
+int rotate_index(char *dbfile, char *new_suffix, char *old_suffix);
+void free_index(CA_DB *db);
+int index_name_cmp(const char **a, const char **b);

 X509_NAME *do_subject(char *str, long chtype);

@@ -310,4 +339,6 @@ X509_NAME *do_subject(char *str, long chtype);

 #define APP_PASS_LEN	1024

+#define SERIAL_RAND_BITS	64
+
 #endif
--- a/apps/asn1pars.c
+++ b/apps/asn1pars.c
@@ -278,6 +278,7 @@ bad:
 		tmplen=num;
 		for (i=0; i<sk_num(osk); i++)
 			{
+			int typ;
 			ASN1_TYPE *atmp;
 			j=atoi(sk_value(osk,i));
 			if (j == 0)
@@ -296,6 +297,15 @@ bad:
 				ERR_print_errors(bio_err);
 				goto end;
 				}
+			typ = ASN1_TYPE_get(at);
+			if ((typ == V_ASN1_OBJECT)
+				|| (typ == V_ASN1_NULL))
+				{
+				BIO_printf(bio_err, "Can't parse %s type\n",
+					typ == V_ASN1_NULL ? "NULL" : "OBJECT");
+				ERR_print_errors(bio_err);
+				goto end;
+				}
 			/* hmm... this is a little evil but it works */
 			tmpbuf=at->value.asn1_string->data;
 			tmplen=at->value.asn1_string->length;
@@ -304,7 +314,15 @@ bad:
 		num=tmplen;
 		}

-	if (length == 0) length=(unsigned int)num;
+	if (offset >= num)
+		{
+		BIO_printf(bio_err, "Error: offset too large\n");
+		goto end;
+		}
+
+	num -= offset;
+
+	if ((length == 0) || ((long)length > num)) length=(unsigned int)num;
 	if(derout) {
 		if(BIO_write(derout, str + offset, length) != (int)length) {
 			BIO_printf(bio_err, "Error writing output\n");
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -76,16 +76,6 @@
 #include <openssl/ocsp.h>
 #include <openssl/pem.h>

-#ifdef OPENSSL_SYS_WINDOWS
-#define strcasecmp _stricmp
-#else
-#  ifdef NO_STRINGS_H
-    int	strcasecmp();
-#  else
-#    include <strings.h>
-#  endif /* NO_STRINGS_H */
-#endif
-
 #ifndef W_OK
 #  ifdef OPENSSL_SYS_VMS
 #    if defined(__DECC)
@@ -122,6 +112,7 @@
 #define ENV_NEW_CERTS_DIR	"new_certs_dir"
 #define ENV_CERTIFICATE 	"certificate"
 #define ENV_SERIAL		"serial"
+#define ENV_CRLNUMBER		"crlnumber"
 #define ENV_CRL			"crl"
 #define ENV_PRIVATE_KEY		"private_key"
 #define ENV_RANDFILE		"RANDFILE"
@@ -143,18 +134,6 @@

 #define ENV_DATABASE		"database"

-#define DB_type         0
-#define DB_exp_date     1
-#define DB_rev_date     2
-#define DB_serial       3       /* index - unique */
-#define DB_file         4       
-#define DB_name         5       /* index - unique for active */
-#define DB_NUMBER       6
-
-#define DB_TYPE_REV	'R'
-#define DB_TYPE_EXP	'E'
-#define DB_TYPE_VAL	'V'
-
 /* Additional revocation information types */

 #define REV_NONE		0	/* No addditional information */
@@ -211,43 +190,36 @@ extern int EF_ALIGNMENT;
 #endif

 static void lookup_fail(char *name,char *tag);
-static unsigned long index_serial_hash(const char **a);
-static int index_serial_cmp(const char **a, const char **b);
-static unsigned long index_name_hash(const char **a);
-static int index_name_qual(char **a);
-static int index_name_cmp(const char **a,const char **b);
-static BIGNUM *load_serial(char *serialfile);
-static int save_serial(char *serialfile, BIGNUM *serial);
 static int certify(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
-		   const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,TXT_DB *db,
+		   const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,CA_DB *db,
 		   BIGNUM *serial, char *subj, int email_dn, char *startdate,
 		   char *enddate, long days, int batch, char *ext_sect, CONF *conf,
 		   int verbose, unsigned long certopt, unsigned long nameopt,
 		   int default_op, int ext_copy);
 static int certify_cert(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
 			const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
-			TXT_DB *db, BIGNUM *serial, char *subj, int email_dn,
+			CA_DB *db, BIGNUM *serial, char *subj, int email_dn,
 			char *startdate, char *enddate, long days, int batch,
 			char *ext_sect, CONF *conf,int verbose, unsigned long certopt,
 			unsigned long nameopt, int default_op, int ext_copy,
 			ENGINE *e);
 static int certify_spkac(X509 **xret, char *infile,EVP_PKEY *pkey,X509 *x509,
 			 const EVP_MD *dgst,STACK_OF(CONF_VALUE) *policy,
-			 TXT_DB *db, BIGNUM *serial,char *subj, int email_dn,
+			 CA_DB *db, BIGNUM *serial,char *subj, int email_dn,
 			 char *startdate, char *enddate, long days, char *ext_sect,
 			 CONF *conf, int verbose, unsigned long certopt, 
 			 unsigned long nameopt, int default_op, int ext_copy);
 static int fix_data(int nid, int *type);
 static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext);
 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
-	STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial,char *subj,
+	STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial,char *subj,
 	int email_dn, char *startdate, char *enddate, long days, int batch,
       	int verbose, X509_REQ *req, char *ext_sect, CONF *conf,
 	unsigned long certopt, unsigned long nameopt, int default_op,
 	int ext_copy);
-static int do_revoke(X509 *x509, TXT_DB *db, int ext, char *extval);
-static int get_certificate_status(const char *ser_status, TXT_DB *db);
-static int do_updatedb(TXT_DB *db);
+static int do_revoke(X509 *x509, CA_DB *db, int ext, char *extval);
+static int get_certificate_status(const char *ser_status, CA_DB *db);
+static int do_updatedb(CA_DB *db);
 static int check_time_format(char *str);
 char *make_revocation_str(int rev_type, char *rev_arg);
 int make_revoked(X509_REVOKED *rev, char *str);
@@ -259,11 +231,6 @@ static char *section=NULL;
 static int preserve=0;
 static int msie_hack=0;

-static IMPLEMENT_LHASH_HASH_FN(index_serial_hash,const char **)
-static IMPLEMENT_LHASH_COMP_FN(index_serial_cmp,const char **)
-static IMPLEMENT_LHASH_HASH_FN(index_name_hash,const char **)
-static IMPLEMENT_LHASH_COMP_FN(index_name_cmp,const char **)
-

 int MAIN(int, char **);

@@ -271,6 +238,7 @@ int MAIN(int argc, char **argv)
 	{
 	ENGINE *e = NULL;
 	char *key=NULL,*passargin=NULL;
+	int create_ser = 0;
 	int free_key = 0;
 	int total=0;
 	int total_done=0;
@@ -300,6 +268,7 @@ int MAIN(int argc, char **argv)
 	char *outfile=NULL;
 	char *outdir=NULL;
 	char *serialfile=NULL;
+	char *crlnumberfile=NULL;
 	char *extensions=NULL;
 	char *extfile=NULL;
 	char *subj=NULL;
@@ -308,6 +277,7 @@ int MAIN(int argc, char **argv)
 	int rev_type = REV_NONE;
 	char *rev_arg = NULL;
 	BIGNUM *serial=NULL;
+	BIGNUM *crlnumber=NULL;
 	char *startdate=NULL;
 	char *enddate=NULL;
 	long days=0;
@@ -320,14 +290,13 @@ int MAIN(int argc, char **argv)
 	X509 *x=NULL;
 	BIO *in=NULL,*out=NULL,*Sout=NULL,*Cout=NULL;
 	char *dbfile=NULL;
-	TXT_DB *db=NULL;
+	CA_DB *db=NULL;
 	X509_CRL *crl=NULL;
 	X509_REVOKED *r=NULL;
 	ASN1_TIME *tmptm;
 	ASN1_INTEGER *tmpser;
 	char **pp,*p,*f;
 	int i,j;
-	long l;
 	const EVP_MD *dgst=NULL;
 	STACK_OF(CONF_VALUE) *attribs=NULL;
 	STACK_OF(X509) *cert_sk=NULL;
@@ -339,6 +308,7 @@ int MAIN(int argc, char **argv)
 	char *engine = NULL;
 #endif
 	char *tofree=NULL;
+	DB_ATTR db_attr;

 #ifdef EFENCE
 EF_PROTECT_FREE=1;
@@ -568,10 +538,6 @@ bad:

 	ERR_load_crypto_strings();

-#ifndef OPENSSL_NO_ENGINE
-	e = setup_engine(bio_err, engine, 0);
-#endif
-
 	/*****************************************************************/
 	tofree=NULL;
 	if (configfile == NULL) configfile = getenv("OPENSSL_CONF");
@@ -579,16 +545,19 @@ bad:
 	if (configfile == NULL)
 		{
 		const char *s=X509_get_default_cert_area();
+		size_t len;

 #ifdef OPENSSL_SYS_VMS
-		tofree=OPENSSL_malloc(strlen(s)+sizeof(CONFIG_FILE));
+		len = strlen(s)+sizeof(CONFIG_FILE);
+		tofree=OPENSSL_malloc(len);
 		strcpy(tofree,s);
 #else
-		tofree=OPENSSL_malloc(strlen(s)+sizeof(CONFIG_FILE)+1);
-		strcpy(tofree,s);
-		strcat(tofree,"/");
+		len = strlen(s)+sizeof(CONFIG_FILE)+1;
+		tofree=OPENSSL_malloc(len);
+		BUF_strlcpy(tofree,s,len);
+		BUF_strlcat(tofree,"/",len);
 #endif
-		strcat(tofree,CONFIG_FILE);
+		BUF_strlcat(tofree,CONFIG_FILE,len);
 		configfile=tofree;
 		}

@@ -613,6 +582,10 @@ bad:
 	if (!load_config(bio_err, conf))
 		goto err;

+#ifndef OPENSSL_NO_ENGINE
+	e = setup_engine(bio_err, engine, 0);
+#endif
+
 	/* Lets get the config section we are using */
 	if (section == NULL)
 		{
@@ -659,6 +632,41 @@ bad:
 	if (randfile == NULL)
 		ERR_clear_error();
 	app_RAND_load_file(randfile, bio_err, 0);
+
+	db_attr.unique_subject = 1;
+	p = NCONF_get_string(conf, section, "unique_subject");
+	if (p)
+		{
+#ifdef RL_DEBUG
+		BIO_printf(bio_err, "DEBUG: unique_subject = \"%s\"\n", p);
+#endif
+		switch(*p)
+			{
+		case 'f': /* false */
+		case 'F': /* FALSE */
+		case 'n': /* no */
+		case 'N': /* NO */
+			db_attr.unique_subject = 0;
+			break;
+		case 't': /* true */
+		case 'T': /* TRUE */
+		case 'y': /* yes */
+		case 'Y': /* YES */
+		default:
+			db_attr.unique_subject = 1;
+			break;
+			}
+		}
+	else
+		ERR_clear_error();
+#ifdef RL_DEBUG
+	if (!p)
+		BIO_printf(bio_err, "DEBUG: unique_subject undefined\n", p);
+#endif
+#ifdef RL_DEBUG
+	BIO_printf(bio_err, "DEBUG: configured unique_subject is %d\n",
+		db_attr.unique_subject);
+#endif
 	
 	in=BIO_new(BIO_s_file());
 	out=BIO_new(BIO_s_file());
@@ -679,17 +687,10 @@ bad:
 			lookup_fail(section,ENV_DATABASE);
 			goto err;
 			}
-		if (BIO_read_filename(in,dbfile) <= 0)
-			{
-			perror(dbfile);
-			BIO_printf(bio_err,"unable to open '%s'\n",dbfile);
-			goto err;
-			}
-		db=TXT_DB_read(in,DB_NUMBER);
+		db = load_index(dbfile,&db_attr);
 		if (db == NULL) goto err;

-		if (!make_serial_index(db))
-			goto err;
+		if (!index_index(db)) goto err;

 		if (get_certificate_status(ser_status,db) != 1)
 			BIO_printf(bio_err,"Error verifying serial %s!\n",
@@ -849,19 +850,13 @@ bad:
 		lookup_fail(section,ENV_DATABASE);
 		goto err;
 		}
-	if (BIO_read_filename(in,dbfile) <= 0)
-		{
-		perror(dbfile);
-		BIO_printf(bio_err,"unable to open '%s'\n",dbfile);
-		goto err;
-		}
-	db=TXT_DB_read(in,DB_NUMBER);
+	db = load_index(dbfile, &db_attr);
 	if (db == NULL) goto err;

 	/* Lets check some fields */
-	for (i=0; i<sk_num(db->data); i++)
+	for (i=0; i<sk_num(db->db->data); i++)
 		{
-		pp=(char **)sk_value(db->data,i);
+		pp=(char **)sk_value(db->db->data,i);
 		if ((pp[DB_type][0] != DB_TYPE_REV) &&
 			(pp[DB_rev_date][0] != '\0'))
 			{
@@ -912,23 +907,13 @@ bad:
 		out = BIO_push(tmpbio, out);
 		}
 #endif
-		TXT_DB_write(out,db);
+		TXT_DB_write(out,db->db);
 		BIO_printf(bio_err,"%d entries loaded from the database\n",
-			db->data->num);
+			db->db->data->num);
 		BIO_printf(bio_err,"generating index\n");
 		}
 	
-	if (!make_serial_index(db))
-		goto err;
-
-	if (!TXT_DB_create_index(db, DB_name, index_name_qual,
-			LHASH_HASH_FN(index_name_hash),
-			LHASH_COMP_FN(index_name_cmp)))
-		{
-		BIO_printf(bio_err,"error creating name index:(%ld,%ld,%ld)\n",
-			db->error,db->arg1,db->arg2);
-		goto err;
-		}
+	if (!index_index(db)) goto err;

 	/*****************************************************************/
 	/* Update the db file for expired certificates */
@@ -951,62 +936,9 @@ bad:
 			}
 	    	else
 			{
-			out = BIO_new(BIO_s_file());
-			if (out == NULL)
-				{
-				ERR_print_errors(bio_err);
-				goto err;
-				}
-
-#ifndef OPENSSL_SYS_VMS
-			j = BIO_snprintf(buf[0], sizeof buf[0], "%s.new", dbfile);
-#else
-			j = BIO_snprintf(buf[0], sizeof buf[0], "%s-new", dbfile);
-#endif
-			if (j < 0 || j >= sizeof buf[0])
-				{
-				BIO_printf(bio_err, "file name too long\n");
-				goto err;
-				}
-			if (BIO_write_filename(out,buf[0]) <= 0)
-		  		{
-		    		perror(dbfile);
-		    		BIO_printf(bio_err,"unable to open '%s'\n",
-									dbfile);
-		    		goto err;
-		  		}
-			j=TXT_DB_write(out,db);
-			if (j <= 0) goto err;
-			
-			BIO_free(out);
-			out = NULL;
-#ifndef OPENSSL_SYS_VMS
-			j = BIO_snprintf(buf[1], sizeof buf[1], "%s.old", dbfile);
-#else
-			j = BIO_snprintf(buf[1], sizeof buf[1], "%s-old", dbfile);
-#endif
-			if (j < 0 || j >= sizeof buf[1])
-				{
-				BIO_printf(bio_err, "file name too long\n");
-				goto err;
-				}
-			if (rename(dbfile,buf[1]) < 0)
-		  		{
-		    		BIO_printf(bio_err,
-						"unable to rename %s to %s\n",
-						dbfile, buf[1]);
-		    		perror("reason");
-		    		goto err;
-		  		}
-			if (rename(buf[0],dbfile) < 0)
-				{
-		    		BIO_printf(bio_err,
-						"unable to rename %s to %s\n",
-						buf[0],dbfile);
-		    		perror("reason");
-		    		rename(buf[1],dbfile);
-		    		goto err;
-		  		}
+			if (!save_index(dbfile,"new",db)) goto err;
+				
+			if (!rotate_index(dbfile,"new","old")) goto err;
 				
 			if (verbose) BIO_printf(bio_err,
 				"Done. %d entries marked as expired\n",i); 
@@ -1167,7 +1099,7 @@ bad:
 			goto err;
 			}

-		if ((serial=load_serial(serialfile)) == NULL)
+		if ((serial=load_serial(serialfile, create_ser, NULL)) == NULL)
 			{
 			BIO_printf(bio_err,"error while loading serial number\n");
 			goto err;
@@ -1301,38 +1233,9 @@ bad:

 			BIO_printf(bio_err,"Write out database with %d new entries\n",sk_X509_num(cert_sk));

-			if(strlen(serialfile) > BSIZE-5 || strlen(dbfile) > BSIZE-5)
-				{
-				BIO_printf(bio_err,"file name too long\n");
-				goto err;
-				}
+			if (!save_serial(serialfile,"new",serial,NULL)) goto err;

-			strcpy(buf[0],serialfile);
-
-#ifdef OPENSSL_SYS_VMS
-			strcat(buf[0],"-new");
-#else
-			strcat(buf[0],".new");
-#endif
-
-			if (!save_serial(buf[0],serial)) goto err;
-
-			strcpy(buf[1],dbfile);
-
-#ifdef OPENSSL_SYS_VMS
-			strcat(buf[1],"-new");
-#else
-			strcat(buf[1],".new");
-#endif
-
-			if (BIO_write_filename(out,buf[1]) <= 0)
-				{
-				perror(dbfile);
-				BIO_printf(bio_err,"unable to open '%s'\n",dbfile);
-				goto err;
-				}
-			l=TXT_DB_write(out,db);
-			if (l <= 0) goto err;
+			if (!save_index(dbfile, "new", db)) goto err;
 			}
 	
 		if (verbose)
@@ -1340,7 +1243,7 @@ bad:
 		for (i=0; i<sk_X509_num(cert_sk); i++)
 			{
 			int k;
-			unsigned char *n;
+			char *n;

 			x=sk_X509_value(cert_sk,i);

@@ -1356,15 +1259,19 @@ bad:
 			strcpy(buf[2],outdir);

 #ifndef OPENSSL_SYS_VMS
-			strcat(buf[2],"/");
+			BUF_strlcat(buf[2],"/",sizeof(buf[2]));
 #endif

-			n=(unsigned char *)&(buf[2][strlen(buf[2])]);
+			n=(char *)&(buf[2][strlen(buf[2])]);
 			if (j > 0)
 				{
 				for (k=0; k<j; k++)
 					{
-					sprintf((char *)n,"%02X",(unsigned char)*(p++));
+					if (n >= &(buf[2][sizeof(buf[2])]))
+						break;
+					BIO_snprintf(n,
+						     &buf[2][0] + sizeof(buf[2]) - n,
+						     "%02X",(unsigned char)*(p++));
 					n+=2;
 					}
 				}
@@ -1390,59 +1297,10 @@ bad:
 		if (sk_X509_num(cert_sk))
 			{
 			/* Rename the database and the serial file */
-			strncpy(buf[2],serialfile,BSIZE-4);
-			buf[2][BSIZE-4]='\0';
+			if (!rotate_serial(serialfile,"new","old")) goto err;

-#ifdef OPENSSL_SYS_VMS
-			strcat(buf[2],"-old");
-#else
-			strcat(buf[2],".old");
-#endif
+			if (!rotate_index(dbfile,"new","old")) goto err;

-			BIO_free(in);
-			BIO_free_all(out);
-			in=NULL;
-			out=NULL;
-			if (rename(serialfile,buf[2]) < 0)
-				{
-				BIO_printf(bio_err,"unable to rename %s to %s\n",
-					serialfile,buf[2]);
-				perror("reason");
-				goto err;
-				}
-			if (rename(buf[0],serialfile) < 0)
-				{
-				BIO_printf(bio_err,"unable to rename %s to %s\n",
-					buf[0],serialfile);
-				perror("reason");
-				rename(buf[2],serialfile);
-				goto err;
-				}
-
-			strncpy(buf[2],dbfile,BSIZE-4);
-			buf[2][BSIZE-4]='\0';
-
-#ifdef OPENSSL_SYS_VMS
-			strcat(buf[2],"-old");
-#else
-			strcat(buf[2],".old");
-#endif
-
-			if (rename(dbfile,buf[2]) < 0)
-				{
-				BIO_printf(bio_err,"unable to rename %s to %s\n",
-					dbfile,buf[2]);
-				perror("reason");
-				goto err;
-				}
-			if (rename(buf[1],dbfile) < 0)
-				{
-				BIO_printf(bio_err,"unable to rename %s to %s\n",
-					buf[1],dbfile);
-				perror("reason");
-				rename(buf[2],dbfile);
-				goto err;
-				}
 			BIO_printf(bio_err,"Data Base Updated\n");
 			}
 		}
@@ -1473,6 +1331,14 @@ bad:
 				}
 			}

+		if ((crlnumberfile=NCONF_get_string(conf,section,ENV_CRLNUMBER))
+			!= NULL)
+			if ((crlnumber=load_serial(crlnumberfile,0,NULL)) == NULL)
+				{
+				BIO_printf(bio_err,"error while loading CRL number\n");
+				goto err;
+				}
+
 		if (!crldays && !crlhours)
 			{
 			if (!NCONF_get_number(conf,section,
@@ -1501,9 +1367,9 @@ bad:

 		ASN1_TIME_free(tmptm);

-		for (i=0; i<sk_num(db->data); i++)
+		for (i=0; i<sk_num(db->db->data); i++)
 			{
-			pp=(char **)sk_value(db->data,i);
+			pp=(char **)sk_value(db->db->data,i);
 			if (pp[DB_type][0] == DB_TYPE_REV)
 				{
 				if ((r=X509_REVOKED_new()) == NULL) goto err;
@@ -1549,14 +1415,24 @@ bad:

 		/* Add any extensions asked for */

-		if (crl_ext)
+		if (crl_ext || crlnumberfile != NULL)
 			{
 			X509V3_CTX crlctx;
 			X509V3_set_ctx(&crlctx, x509, NULL, NULL, crl, 0);
 			X509V3_set_nconf(&crlctx, conf);

-			if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx,
-				crl_ext, crl)) goto err;
+			if (crl_ext)
+				if (!X509V3_EXT_CRL_add_nconf(conf, &crlctx,
+					crl_ext, crl)) goto err;
+			if (crlnumberfile != NULL)
+				{
+				tmpser = BN_to_ASN1_INTEGER(crlnumber, NULL);
+				if (!tmpser) goto err;
+				X509_CRL_add1_ext_i2d(crl,NID_crl_number,tmpser,0,0);
+				ASN1_INTEGER_free(tmpser);
+				crl_v2 = 1;
+				if (!BN_add_word(crlnumber,1)) goto err;
+				}
 			}
 		if (crl_ext || crl_v2)
 			{
@@ -1564,9 +1440,17 @@ bad:
 				goto err; /* version 2 CRL */
 			}

+		
+		if (crlnumberfile != NULL)	/* we have a CRL number that need updating */
+			if (!save_serial(crlnumberfile,"new",crlnumber,NULL)) goto err;
+
 		if (!X509_CRL_sign(crl,pkey,dgst)) goto err;

 		PEM_write_bio_X509_CRL(Sout,crl);
+
+		if (crlnumberfile != NULL)	/* Rename the crlnumber file */
+			if (!rotate_serial(crlnumberfile,"new","old")) goto err;
+
 		}
 	/*****************************************************************/
 	if (dorevoke)
@@ -1587,50 +1471,10 @@ bad:
 			if (j <= 0) goto err;
 			X509_free(revcert);

-			if(strlen(dbfile) > BSIZE-5)
-				{
-				BIO_printf(bio_err,"filename too long\n");
-				goto err;
-				}
+			if (!save_index(dbfile, "new", db)) goto err;
+
+			if (!rotate_index(dbfile, "new", "old")) goto err;

-			strcpy(buf[0],dbfile);
-#ifndef OPENSSL_SYS_VMS
-			strcat(buf[0],".new");
-#else
-			strcat(buf[0],"-new");
-#endif
-			if (BIO_write_filename(out,buf[0]) <= 0)
-				{
-				perror(dbfile);
-				BIO_printf(bio_err,"unable to open '%s'\n",dbfile);
-				goto err;
-				}
-			j=TXT_DB_write(out,db);
-			if (j <= 0) goto err;
-			BIO_free_all(out);
-			out = NULL;
-			BIO_free_all(in);
-			in = NULL;
-			strncpy(buf[1],dbfile,BSIZE-4);
-			buf[1][BSIZE-4]='\0';
-#ifndef OPENSSL_SYS_VMS
-			strcat(buf[1],".old");
-#else
-			strcat(buf[1],"-old");
-#endif
-			if (rename(dbfile,buf[1]) < 0)
-				{
-				BIO_printf(bio_err,"unable to rename %s to %s\n", dbfile, buf[1]);
-				perror("reason");
-				goto err;
-				}
-			if (rename(buf[0],dbfile) < 0)
-				{
-				BIO_printf(bio_err,"unable to rename %s to %s\n", buf[0],dbfile);
-				perror("reason");
-				rename(buf[1],dbfile);
-				goto err;
-				}
 			BIO_printf(bio_err,"Data Base Updated\n"); 
 			}
 		}
@@ -1652,7 +1496,7 @@ err:
 	if (free_key && key)
 		OPENSSL_free(key);
 	BN_free(serial);
-	TXT_DB_free(db);
+	free_index(db);
 	EVP_PKEY_free(pkey);
 	X509_free(x509);
 	X509_CRL_free(crl);
@@ -1667,106 +1511,8 @@ static void lookup_fail(char *name, char *tag)
 	BIO_printf(bio_err,"variable lookup failed for %s::%s\n",name,tag);
 	}

-static unsigned long index_serial_hash(const char **a)
-	{
-	const char *n;
-
-	n=a[DB_serial];
-	while (*n == '0') n++;
-	return(lh_strhash(n));
-	}
-
-static int index_serial_cmp(const char **a, const char **b)
-	{
-	const char *aa,*bb;
-
-	for (aa=a[DB_serial]; *aa == '0'; aa++);
-	for (bb=b[DB_serial]; *bb == '0'; bb++);
-	return(strcmp(aa,bb));
-	}
-
-static unsigned long index_name_hash(const char **a)
-	{ return(lh_strhash(a[DB_name])); }
-
-static int index_name_qual(char **a)
-	{ return(a[0][0] == 'V'); }
-
-static int index_name_cmp(const char **a, const char **b)
-	{ return(strcmp(a[DB_name],
-	     b[DB_name])); }
-
-static BIGNUM *load_serial(char *serialfile)
-	{
-	BIO *in=NULL;
-	BIGNUM *ret=NULL;
-	MS_STATIC char buf[1024];
-	ASN1_INTEGER *ai=NULL;
-
-	if ((in=BIO_new(BIO_s_file())) == NULL)
-		{
-		ERR_print_errors(bio_err);
-		goto err;
-		}
-
-	if (BIO_read_filename(in,serialfile) <= 0)
-		{
-		perror(serialfile);
-		goto err;
-		}
-	ai=ASN1_INTEGER_new();
-	if (ai == NULL) goto err;
-	if (!a2i_ASN1_INTEGER(in,ai,buf,1024))
-		{
-		BIO_printf(bio_err,"unable to load number from %s\n",
-			serialfile);
-		goto err;
-		}
-	ret=ASN1_INTEGER_to_BN(ai,NULL);
-	if (ret == NULL)
-		{
-		BIO_printf(bio_err,"error converting number from bin to BIGNUM\n");
-		goto err;
-		}
-err:
-	if (in != NULL) BIO_free(in);
-	if (ai != NULL) ASN1_INTEGER_free(ai);
-	return(ret);
-	}
-
-static int save_serial(char *serialfile, BIGNUM *serial)
-	{
-	BIO *out;
-	int ret=0;
-	ASN1_INTEGER *ai=NULL;
-
-	out=BIO_new(BIO_s_file());
-	if (out == NULL)
-		{
-		ERR_print_errors(bio_err);
-		goto err;
-		}
-	if (BIO_write_filename(out,serialfile) <= 0)
-		{
-		perror(serialfile);
-		goto err;
-		}
-
-	if ((ai=BN_to_ASN1_INTEGER(serial,NULL)) == NULL)
-		{
-		BIO_printf(bio_err,"error converting serial to ASN.1 format\n");
-		goto err;
-		}
-	i2a_ASN1_INTEGER(out,ai);
-	BIO_puts(out,"\n");
-	ret=1;
-err:
-	if (out != NULL) BIO_free_all(out);
-	if (ai != NULL) ASN1_INTEGER_free(ai);
-	return(ret);
-	}
-
 static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
-	     const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
+	     const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
 	     BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate,
 	     long days, int batch, char *ext_sect, CONF *lconf, int verbose,
 	     unsigned long certopt, unsigned long nameopt, int default_op,
@@ -1828,7 +1574,7 @@ err:
 	}

 static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
-	     const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
+	     const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
 	     BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate,
 	     long days, int batch, char *ext_sect, CONF *lconf, int verbose,
 	     unsigned long certopt, unsigned long nameopt, int default_op,
@@ -1882,7 +1628,7 @@ err:
 	}

 static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
-	     STACK_OF(CONF_VALUE) *policy, TXT_DB *db, BIGNUM *serial, char *subj,
+	     STACK_OF(CONF_VALUE) *policy, CA_DB *db, BIGNUM *serial, char *subj,
 	     int email_dn, char *startdate, char *enddate, long days, int batch,
 	     int verbose, X509_REQ *req, char *ext_sect, CONF *lconf,
 	     unsigned long certopt, unsigned long nameopt, int default_op,
@@ -1900,7 +1646,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509, const EVP_MD *dgst,
 	int ok= -1,i,j,last,nid;
 	char *p;
 	CONF_VALUE *cv;
-	char *row[DB_NUMBER],**rrow,**irow=NULL;
+	char *row[DB_NUMBER],**rrow=NULL,**irow=NULL;
 	char buf[25];

 	tmptm=ASN1_UTCTIME_new();
@@ -2137,15 +1883,19 @@ again2:
 		goto err;
 		}

-	rrow=TXT_DB_get_by_index(db,DB_name,row);
-	if (rrow != NULL)
+	if (db->attributes.unique_subject)
 		{
-		BIO_printf(bio_err,"ERROR:There is already a certificate for %s\n",
-			row[DB_name]);
+		rrow=TXT_DB_get_by_index(db->db,DB_name,row);
+		if (rrow != NULL)
+			{
+			BIO_printf(bio_err,
+				"ERROR:There is already a certificate for %s\n",
+				row[DB_name]);
+			}
 		}
-	else
+	if (rrow == NULL)
 		{
-		rrow=TXT_DB_get_by_index(db,DB_serial,row);
+		rrow=TXT_DB_get_by_index(db->db,DB_serial,row);
 		if (rrow != NULL)
 			{
 			BIO_printf(bio_err,"ERROR:Serial number %s has already been issued,\n",
@@ -2193,7 +1943,7 @@ again2:

 #ifdef X509_V3
 	/* Make it an X509 v3 certificate. */
-	if (!X509_set_version(x509,2)) goto err;
+	if (!X509_set_version(ret,2)) goto err;
 #endif

 	if (BN_to_ASN1_INTEGER(serial,ci->serialNumber) == NULL)
@@ -2352,7 +2102,7 @@ again2:
 		BIO_printf(bio_err,"Memory allocation failure\n");
 		goto err;
 		}
-	strcpy(row[DB_file],"unknown");
+	BUF_strlcpy(row[DB_file],"unknown",8);
 	row[DB_type][0]='V';
 	row[DB_type][1]='\0';

@@ -2369,10 +2119,10 @@ again2:
 		}
 	irow[DB_NUMBER]=NULL;

-	if (!TXT_DB_insert(db,irow))
+	if (!TXT_DB_insert(db->db,irow))
 		{
 		BIO_printf(bio_err,"failed to update database\n");
-		BIO_printf(bio_err,"TXT_DB error number %ld\n",db->error);
+		BIO_printf(bio_err,"TXT_DB error number %ld\n",db->db->error);
 		goto err;
 		}
 	ok=1;
@@ -2423,7 +2173,7 @@ static void write_new_certificate(BIO *bp, X509 *x, int output_der, int notext)
 	}

 static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
-	     const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, TXT_DB *db,
+	     const EVP_MD *dgst, STACK_OF(CONF_VALUE) *policy, CA_DB *db,
 	     BIGNUM *serial, char *subj, int email_dn, char *startdate, char *enddate,
 	     long days, char *ext_sect, CONF *lconf, int verbose, unsigned long certopt,
 	     unsigned long nameopt, int default_op, int ext_copy)
@@ -2602,7 +2352,7 @@ static int check_time_format(char *str)
 	return(ASN1_UTCTIME_check(&tm));
 	}

-static int do_revoke(X509 *x509, TXT_DB *db, int type, char *value)
+static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)
 	{
 	ASN1_UTCTIME *tm=NULL;
 	char *row[DB_NUMBER],**rrow,**irow;
@@ -2627,10 +2377,10 @@ static int do_revoke(X509 *x509, TXT_DB *db, int type, char *value)
 	/* We have to lookup by serial number because name lookup
 	 * skips revoked certs
 	 */
-	rrow=TXT_DB_get_by_index(db,DB_serial,row);
+	rrow=TXT_DB_get_by_index(db->db,DB_serial,row);
 	if (rrow == NULL)
 		{
-		BIO_printf(bio_err,"Adding Entry to DB for %s\n", row[DB_name]);
+		BIO_printf(bio_err,"Adding Entry with serial number %s to DB for %s\n", row[DB_serial], row[DB_name]);

 		/* We now just add it to the database */
 		row[DB_type]=(char *)OPENSSL_malloc(2);
@@ -2653,7 +2403,7 @@ static int do_revoke(X509 *x509, TXT_DB *db, int type, char *value)
 			BIO_printf(bio_err,"Memory allocation failure\n");
 			goto err;
 			}
-		strcpy(row[DB_file],"unknown");
+		BUF_strlcpy(row[DB_file],"unknown",8);
 		row[DB_type][0]='V';
 		row[DB_type][1]='\0';

@@ -2670,10 +2420,10 @@ static int do_revoke(X509 *x509, TXT_DB *db, int type, char *value)
 			}
 		irow[DB_NUMBER]=NULL;

-		if (!TXT_DB_insert(db,irow))
+		if (!TXT_DB_insert(db->db,irow))
 			{
 			BIO_printf(bio_err,"failed to update database\n");
-			BIO_printf(bio_err,"TXT_DB error number %ld\n",db->error);
+			BIO_printf(bio_err,"TXT_DB error number %ld\n",db->db->error);
 			goto err;
 			}

@@ -2718,7 +2468,7 @@ err:
 	return(ok);
 	}

-static int get_certificate_status(const char *serial, TXT_DB *db)
+static int get_certificate_status(const char *serial, CA_DB *db)
 	{
 	char *row[DB_NUMBER],**rrow;
 	int ok=-1,i;
@@ -2759,7 +2509,7 @@ static int get_certificate_status(const char *serial, TXT_DB *db)
 	ok=1;

 	/* Search for the certificate */
-	rrow=TXT_DB_get_by_index(db,DB_serial,row);
+	rrow=TXT_DB_get_by_index(db->db,DB_serial,row);
 	if (rrow == NULL)
 		{
 		BIO_printf(bio_err,"Serial %s not present in db.\n",
@@ -2806,7 +2556,7 @@ err:
 	return(ok);
 	}

-static int do_updatedb (TXT_DB *db)
+static int do_updatedb (CA_DB *db)
 	{
 	ASN1_UTCTIME	*a_tm = NULL;
 	int i, cnt = 0;
@@ -2832,9 +2582,9 @@ static int do_updatedb (TXT_DB *db)
 	else
 		a_y2k = 0;

-	for (i = 0; i < sk_num(db->data); i++)
+	for (i = 0; i < sk_num(db->db->data); i++)
 		{
-		rrow = (char **) sk_value(db->data, i);
+		rrow = (char **) sk_value(db->db->data, i);

 		if (rrow[DB_type][0] == 'V')
 		 	{
@@ -2977,16 +2727,16 @@ char *make_revocation_str(int rev_type, char *rev_arg)

 	if (!str) return NULL;

-	strcpy(str, (char *)revtm->data);
+	BUF_strlcpy(str, (char *)revtm->data, i);
 	if (reason)
 		{
-		strcat(str, ",");
-		strcat(str, reason);
+		BUF_strlcat(str, ",", i);
+		BUF_strlcat(str, reason, i);
 		}
 	if (other)
 		{
-		strcat(str, ",");
-		strcat(str, other);
+		BUF_strlcat(str, ",", i);
+		BUF_strlcat(str, other, i);
 		}
 	ASN1_UTCTIME_free(revtm);
 	return str;
@@ -3321,17 +3071,3 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold, ASN1_G

 	return ret;
 	}
-
-int make_serial_index(TXT_DB *db)
-	{
-	if (!TXT_DB_create_index(db, DB_serial, NULL,
-				LHASH_HASH_FN(index_serial_hash),
-				LHASH_COMP_FN(index_serial_cmp)))
-		{
-		BIO_printf(bio_err,
-		  "error creating serial number index:(%ld,%ld,%ld)\n",
-		  			db->error,db->arg1,db->arg2);
-			return 0;
-		}
-	return 1;
-	}
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -81,6 +81,7 @@ static char *crl_usage[]={
 " -in arg         - input file - default stdin\n",
 " -out arg        - output file - default stdout\n",
 " -hash           - print hash value\n",
+" -fingerprint    - print the crl fingerprint\n",
 " -issuer         - print issuer DN\n",
 " -lastupdate     - lastUpdate field\n",
 " -nextupdate     - nextUpdate field\n",
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -66,6 +66,7 @@
 #include <openssl/objects.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
+#include <openssl/hmac.h>

 #undef BUFSIZE
 #define BUFSIZE	1024*8
@@ -73,9 +74,11 @@
 #undef PROG
 #define PROG	dgst_main

+static HMAC_CTX hmac_ctx;
+
 int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 	  EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title,
-	  const char *file);
+	  const char *file,BIO *bmd,const char *hmac_key);

 int MAIN(int, char **);

@@ -103,6 +106,7 @@ int MAIN(int argc, char **argv)
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
+	char *hmac_key=NULL;

 	apps_startup();

@@ -181,6 +185,12 @@ int MAIN(int argc, char **argv)
 			out_bin = 1;
 		else if (strcmp(*argv,"-d") == 0)
 			debug=1;
+		else if (!strcmp(*argv,"-hmac"))
+			{
+			if (--argc < 1)
+				break;
+			hmac_key=*++argv;
+			}
 		else if ((m=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
 			md=m;
 		else
@@ -235,7 +245,7 @@ int MAIN(int argc, char **argv)
 		}

 #ifndef OPENSSL_NO_ENGINE
-        e = setup_engine(bio_err, engine, 0);
+	e = setup_engine(bio_err, engine, 0);
 #endif

 	in=BIO_new(BIO_s_file());
@@ -318,18 +328,22 @@ int MAIN(int argc, char **argv)
 			goto end;
 		}
 	}
-		
-

 	/* we use md as a filter, reading from 'in' */
-	BIO_set_md(bmd,md);
+	if (!BIO_set_md(bmd,md))
+		{
+		BIO_printf(bio_err, "Error setting digest %s\n", pname);
+		ERR_print_errors(bio_err);
+		goto end;
+		}
+		
 	inp=BIO_push(bmd,in);

 	if (argc == 0)
 		{
 		BIO_set_fp(in,stdin,BIO_NOCLOSE);
 		err=do_fp(out, buf,inp,separator, out_bin, sigkey, sigbuf,
-			  siglen,"","(stdin)");
+			  siglen,"","(stdin)",bmd,hmac_key);
 		}
 	else
 		{
@@ -347,13 +361,15 @@ int MAIN(int argc, char **argv)
 				}
 			if(!out_bin)
 				{
-				tmp=tofree=OPENSSL_malloc(strlen(name)+strlen(argv[i])+5);
-				sprintf(tmp,"%s(%s)= ",name,argv[i]);
+				size_t len = strlen(name)+strlen(argv[i])+(hmac_key ? 5 : 0)+5;
+				tmp=tofree=OPENSSL_malloc(len);
+				BIO_snprintf(tmp,len,"%s%s(%s)= ",
+							 hmac_key ? "HMAC-" : "",name,argv[i]);
 				}
 			else
 				tmp="";
 			r=do_fp(out,buf,inp,separator,out_bin,sigkey,sigbuf,
-				siglen,tmp,argv[i]);
+				siglen,tmp,argv[i],bmd,hmac_key);
 			if(r)
 			    err=r;
 			if(tofree)
@@ -378,11 +394,21 @@ end:

 int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 	  EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title,
-	  const char *file)
+	  const char *file,BIO *bmd,const char *hmac_key)
 	{
-	int len;
+	unsigned int len;
 	int i;
+	EVP_MD_CTX *md_ctx;

+	if (hmac_key)
+		{
+		EVP_MD *md;
+
+		BIO_get_md(bmd,&md);
+		HMAC_Init(&hmac_ctx,hmac_key,strlen(hmac_key),md);
+		BIO_get_md_ctx(bmd,&md_ctx);
+		BIO_set_md_ctx(bmd,&hmac_ctx.md_ctx);
+		}
 	for (;;)
 		{
 		i=BIO_read(bp,(char *)buf,BUFSIZE);
@@ -425,6 +451,11 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 			return 1;
 			}
 		}
+	else if(hmac_key)
+		{
+		HMAC_Final(&hmac_ctx,buf,&len);
+		HMAC_CTX_cleanup(&hmac_ctx);
+		}
 	else
 		len=BIO_gets(bp,(char *)buf,BUFSIZE);

@@ -432,7 +463,7 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 	else 
 		{
 		BIO_write(out,title,strlen(title));
-		for (i=0; i<len; i++)
+		for (i=0; (unsigned int)i<len; i++)
 			{
 			if (sep && (i != 0))
 				BIO_printf(out, ":");
@@ -440,6 +471,10 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
 			}
 		BIO_printf(out, "\n");
 		}
+	if (hmac_key)
+		{
+		BIO_set_md_ctx(bmd,md_ctx);
+		}
 	return 0;
 	}

--- a/apps/enc.c
+++ b/apps/enc.c
@@ -114,6 +114,7 @@ int MAIN(int argc, char **argv)
 	unsigned char salt[PKCS5_SALT_LEN];
 	char *str=NULL, *passarg = NULL, *pass = NULL;
 	char *hkey=NULL,*hiv=NULL,*hsalt = NULL;
+	char *md=NULL;
 	int enc=1,printkey=0,i,base64=0;
 	int debug=0,olb64=0,nosalt=0;
 	const EVP_CIPHER *cipher=NULL,*c;
@@ -124,6 +125,7 @@ int MAIN(int argc, char **argv)
 #ifndef OPENSSL_NO_ENGINE
 	char *engine = NULL;
 #endif
+	const EVP_MD *dgst=NULL;

 	apps_startup();

@@ -253,6 +255,11 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			hiv= *(++argv);
 			}
+		else if (strcmp(*argv,"-md") == 0)
+			{
+			if (--argc < 1) goto bad;
+			md= *(++argv);
+			}
 		else if	((argv[0][0] == '-') &&
 			((c=EVP_get_cipherbyname(&(argv[0][1]))) != NULL))
 			{
@@ -271,8 +278,10 @@ bad:
 			BIO_printf(bio_err,"%-14s encrypt\n","-e");
 			BIO_printf(bio_err,"%-14s decrypt\n","-d");
 			BIO_printf(bio_err,"%-14s base64 encode/decode, depending on encryption flag\n","-a/-base64");
-			BIO_printf(bio_err,"%-14s key is the next argument\n","-k");
-			BIO_printf(bio_err,"%-14s key is the first line of the file argument\n","-kfile");
+			BIO_printf(bio_err,"%-14s passphrase is the next argument\n","-k");
+			BIO_printf(bio_err,"%-14s passphrase is the first line of the file argument\n","-kfile");
+			BIO_printf(bio_err,"%-14s the next argument is the md to use to create a key\n","-md");
+			BIO_printf(bio_err,"%-14s   from a passphrase.  One of md2, md5, sha or sha1\n","");
 			BIO_printf(bio_err,"%-14s key/iv in hex is the next argument\n","-K/-iv");
 			BIO_printf(bio_err,"%-14s print the iv/key (then exit if -P)\n","-[pP]");
 			BIO_printf(bio_err,"%-14s buffer size\n","-bufsize <n>");
@@ -296,6 +305,20 @@ bad:
        e = setup_engine(bio_err, engine, 0);
 #endif

+	if (md && (dgst=EVP_get_digestbyname(md)) == NULL)
+		{
+		BIO_printf(bio_err,"%s is an unsupported message digest type\n",md);
+		goto end;
+		}
+
+	if (dgst == NULL)
+		{
+		if (in_FIPS_mode)
+			dgst = EVP_sha1();
+		else
+			dgst = EVP_md5();
+		}
+
 	if (bufsize != NULL)
 		{
 		unsigned long n;
@@ -373,9 +396,9 @@ bad:
 			{
 			char buf[200];

-			sprintf(buf,"enter %s %s password:",
-				OBJ_nid2ln(EVP_CIPHER_nid(cipher)),
-				(enc)?"encryption":"decryption");
+			BIO_snprintf(buf,sizeof buf,"enter %s %s password:",
+				     OBJ_nid2ln(EVP_CIPHER_nid(cipher)),
+				     (enc)?"encryption":"decryption");
 			strbuf[0]='\0';
 			i=EVP_read_pw_string((char *)strbuf,SIZE,buf,enc);
 			if (i == 0)
@@ -483,7 +506,7 @@ bad:
 				sptr = salt;
 			}

-			EVP_BytesToKey(cipher,EVP_md5(),sptr,
+			EVP_BytesToKey(cipher,dgst,sptr,
 				(unsigned char *)str,
 				strlen(str),1,key,iv);
 			/* zero the complete buffer or the string
--- a/apps/engine.c
+++ b/apps/engine.c
@@ -122,8 +122,8 @@ static int append_buf(char **buf, const char *s, int *size, int step)
 		return 0;

 	if (**buf != '\0')
-		strcat(*buf, ", ");
-	strcat(*buf, s);
+		BUF_strlcat(*buf, ", ", *size);
+	BUF_strlcat(*buf, s, *size);

 	return 1;
 	}
@@ -520,4 +520,10 @@ end:
 	apps_shutdown();
 	OPENSSL_EXIT(ret);
 	}
+#else
+
+# if PEDANTIC
+static void *dummy=&dummy;
+# endif
+
 #endif
--- a/apps/makeapps.com
+++ b/apps/makeapps.com
@@ -142,13 +142,13 @@ $ LIB_FILES = "VERIFY;ASN1PARS;REQ;DGST;DH;DHPARAM;ENC;PASSWD;GENDH;ERRSTR;"+-
 	      "RSA;RSAUTL;DSA;DSAPARAM;"+-
 	      "X509;GENRSA;GENDSA;S_SERVER;S_CLIENT;SPEED;"+-
 	      "S_TIME;APPS;S_CB;S_SOCKET;APP_RAND;VERSION;SESS_ID;"+-
-	      "CIPHERS;NSEQ;PKCS12;PKCS8;SPKAC;SMIME;RAND;ENGINE;OCSP"
+	      "CIPHERS;NSEQ;PKCS12;PKCS8;SPKAC;SMIME;RAND;ENGINE;OCSP;PRIME"
 $ APP_FILES := OPENSSL,'OBJ_DIR'VERIFY.OBJ,ASN1PARS.OBJ,REQ.OBJ,DGST.OBJ,DH.OBJ,DHPARAM.OBJ,ENC.OBJ,PASSWD.OBJ,GENDH.OBJ,ERRSTR.OBJ,-
 	       CA.OBJ,PKCS7.OBJ,CRL2P7.OBJ,CRL.OBJ,-
 	       RSA.OBJ,RSAUTL.OBJ,DSA.OBJ,DSAPARAM.OBJ,-
 	       X509.OBJ,GENRSA.OBJ,GENDSA.OBJ,S_SERVER.OBJ,S_CLIENT.OBJ,SPEED.OBJ,-
 	       S_TIME.OBJ,APPS.OBJ,S_CB.OBJ,S_SOCKET.OBJ,APP_RAND.OBJ,VERSION.OBJ,SESS_ID.OBJ,-
-	       CIPHERS.OBJ,NSEQ.OBJ,PKCS12.OBJ,PKCS8.OBJ,SPKAC.OBJ,SMIME.OBJ,RAND.OBJ,ENGINE.OBJ,OCSP.OBJ
+	       CIPHERS.OBJ,NSEQ.OBJ,PKCS12.OBJ,PKCS8.OBJ,SPKAC.OBJ,SMIME.OBJ,RAND.OBJ,ENGINE.OBJ,OCSP.OBJ,PRIME.OBJ
 $ TCPIP_PROGRAMS = ",,"
 $ IF COMPILER .EQS. "VAXC" THEN -
     TCPIP_PROGRAMS = ",OPENSSL,"
@@ -679,7 +679,7 @@ $     IF ARCH.EQS."VAX" .AND. F$TRNLNM("DECC$CC_DEFAULT").NES."/DECC" -
 	 THEN CC = "CC/DECC"
 $     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/STANDARD=ANSI89" + -
           "/NOLIST/PREFIX=ALL" + -
-	   "/INCLUDE=(SYS$DISK:[-])" + CCEXTRAFLAGS
+	   "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
 $!
@@ -711,7 +711,7 @@ $	EXIT
 $     ENDIF
 $     IF F$TRNLNM("DECC$CC_DEFAULT").EQS."/DECC" THEN CC = "CC/VAXC"
 $     CC = CC + "/''CC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
-	   "/INCLUDE=(SYS$DISK:[-])" + CCEXTRAFLAGS
+	   "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS
 $     CCDEFS = CCDEFS + ",""VAXC"""
 $!
 $!    Define <sys> As SYS$COMMON:[SYSLIB]
@@ -743,7 +743,7 @@ $!    Use GNU C...
 $!
 $     IF F$TYPE(GCC) .EQS. "" THEN GCC := GCC
 $     CC = GCC+"/NOCASE_HACK/''GCC_OPTIMIZE'/''DEBUGGER'/NOLIST" + -
-	   "/INCLUDE=(SYS$DISK:[-])" + CCEXTRAFLAGS
+	   "/INCLUDE=(SYS$DISK:[-],SYS$DISK:[-.CRYPTO])" + CCEXTRAFLAGS
 $!
 $!    Define The Linker Options File Name.
 $!
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -68,19 +68,6 @@
 /* Maximum leeway in validity period: default 5 minutes */
 #define MAX_VALIDITY_PERIOD	(5 * 60)

-/* CA index.txt definitions */
-#define DB_type         0
-#define DB_exp_date     1
-#define DB_rev_date     2
-#define DB_serial       3       /* index - unique */
-#define DB_file         4       
-#define DB_name         5       /* index - unique for active */
-#define DB_NUMBER       6
-
-#define DB_TYPE_REV	'R'
-#define DB_TYPE_EXP	'E'
-#define DB_TYPE_VAL	'V'
-
 static int add_ocsp_cert(OCSP_REQUEST **req, X509 *cert, X509 *issuer,
 				STACK_OF(OCSP_CERTID) *ids);
 static int add_ocsp_serial(OCSP_REQUEST **req, char *serial, X509 *issuer,
@@ -89,12 +76,12 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
 				STACK *names, STACK_OF(OCSP_CERTID) *ids,
 				long nsec, long maxage);

-static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, TXT_DB *db,
+static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
 			X509 *ca, X509 *rcert, EVP_PKEY *rkey,
 			STACK_OF(X509) *rother, unsigned long flags,
 			int nmin, int ndays);

-static char **lookup_serial(TXT_DB *db, ASN1_INTEGER *ser);
+static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser);
 static BIO *init_responder(char *port);
 static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio, char *port);
 static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
@@ -136,13 +123,14 @@ int MAIN(int argc, char **argv)
 	int accept_count = -1;
 	int badarg = 0;
 	int i;
+	int ignore_err = 0;
 	STACK *reqnames = NULL;
 	STACK_OF(OCSP_CERTID) *ids = NULL;

 	X509 *rca_cert = NULL;
 	char *ridx_filename = NULL;
 	char *rca_filename = NULL;
-	TXT_DB *rdb = NULL;
+	CA_DB *rdb = NULL;
 	int nmin = 0, ndays = -1;

 	if (bio_err == NULL) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
@@ -195,6 +183,8 @@ int MAIN(int argc, char **argv)
 				}
 			else badarg = 1;
 			}
+		else if (!strcmp(*args, "-ignore_err"))
+			ignore_err = 1;
 		else if (!strcmp(*args, "-noverify"))
 			noverify = 1;
 		else if (!strcmp(*args, "-nonce"))
@@ -524,7 +514,7 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-serial n          serial number to check\n");
 		BIO_printf (bio_err, "-signer file       certificate to sign OCSP request with\n");
 		BIO_printf (bio_err, "-signkey file      private key to sign OCSP request with\n");
-		BIO_printf (bio_err, "-sign_certs file   additional certificates to include in signed request\n");
+		BIO_printf (bio_err, "-sign_other file   additional certificates to include in signed request\n");
 		BIO_printf (bio_err, "-no_certs          don't include any certificates in signed request\n");
 		BIO_printf (bio_err, "-req_text          print text form of request\n");
 		BIO_printf (bio_err, "-resp_text         print text form of response\n");
@@ -544,10 +534,10 @@ int MAIN(int argc, char **argv)
 		BIO_printf (bio_err, "-validity_period n maximum validity discrepancy in seconds\n");
 		BIO_printf (bio_err, "-status_age n      maximum status age in seconds\n");
 		BIO_printf (bio_err, "-noverify          don't verify response at all\n");
-		BIO_printf (bio_err, "-verify_certs file additional certificates to search for signer\n");
+		BIO_printf (bio_err, "-verify_other file additional certificates to search for signer\n");
 		BIO_printf (bio_err, "-trust_other       don't verify additional certificates\n");
 		BIO_printf (bio_err, "-no_intern         don't search certificates contained in response for signer\n");
-		BIO_printf (bio_err, "-no_sig_verify     don't check signature on response\n");
+		BIO_printf (bio_err, "-no_signature_verify don't check signature on response\n");
 		BIO_printf (bio_err, "-no_cert_verify    don't check signing certificate\n");
 		BIO_printf (bio_err, "-no_chain          don't chain verify response\n");
 		BIO_printf (bio_err, "-no_cert_checks    don't do additional checks on signing certificate\n");
@@ -697,22 +687,9 @@ int MAIN(int argc, char **argv)

 	if (ridx_filename && !rdb)
 		{
-		BIO *db_bio = NULL;
-		db_bio = BIO_new_file(ridx_filename, "r");
-		if (!db_bio)
-			{
-			BIO_printf(bio_err, "Error opening index file %s\n", ridx_filename);
-			goto end;
-			}
-		rdb = TXT_DB_read(db_bio, DB_NUMBER);
-		BIO_free(db_bio);
-		if (!rdb)
-			{
-			BIO_printf(bio_err, "Error reading index file %s\n", ridx_filename);
-			goto end;
-			}
-		if (!make_serial_index(rdb))
-			goto end;
+		rdb = load_index(ridx_filename, NULL);
+		if (!rdb) goto end;
+		if (!index_index(rdb)) goto end;
 		}

 	if (rdb)
@@ -809,6 +786,8 @@ int MAIN(int argc, char **argv)
 		{
 		BIO_printf(out, "Responder Error: %s (%ld)\n",
 				OCSP_response_status_str(i), i);
+		if (ignore_err)
+			goto redo_accept;
 		ret = 0;
 		goto end;
 		}
@@ -894,7 +873,7 @@ end:
 	X509_free(cert);
 	X509_free(rsigner);
 	X509_free(rca_cert);
-	TXT_DB_free(rdb);
+	free_index(rdb);
 	BIO_free_all(cbio);
 	BIO_free_all(acbio);
 	BIO_free(out);
@@ -1036,7 +1015,7 @@ static int print_ocsp_summary(BIO *out, OCSP_BASICRESP *bs, OCSP_REQUEST *req,
 	}


-static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, TXT_DB *db,
+static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, CA_DB *db,
 			X509 *ca, X509 *rcert, EVP_PKEY *rkey,
 			STACK_OF(X509) *rother, unsigned long flags,
 			int nmin, int ndays)
@@ -1128,7 +1107,7 @@ static int make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req, TXT_DB *d

 	}

-static char **lookup_serial(TXT_DB *db, ASN1_INTEGER *ser)
+static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser)
 	{
 	int i;
 	BIGNUM *bn = NULL;
@@ -1141,7 +1120,7 @@ static char **lookup_serial(TXT_DB *db, ASN1_INTEGER *ser)
 		itmp = BN_bn2hex(bn);
 	row[DB_serial] = itmp;
 	BN_free(bn);
-	rrow=TXT_DB_get_by_index(db,DB_serial,row);
+	rrow=TXT_DB_get_by_index(db->db,DB_serial,row);
 	OPENSSL_free(itmp);
 	return rrow;
 	}
--- a/apps/openssl-vms.cnf
+++ b/apps/openssl-vms.cnf
@@ -3,8 +3,13 @@
 # This is mostly being used for generation of certificate requests.
 #

+# This definition stops the following lines choking if HOME isn't
+# defined.
+HOME			= .
 RANDFILE		= $ENV::HOME/.rnd
-oid_file		= $ENV::HOME/.oid
+
+# Extra OBJECT IDENTIFIER info:
+#oid_file		= $ENV::HOME/.oid
 oid_section		= new_oids

 # To use this configuration file with the "-extfile" option of the
@@ -29,22 +34,35 @@ default_ca	= CA_default		# The default ca section
 ####################################################################
 [ CA_default ]

-dir		= sys\$disk:[.demoCA	# Where everything is kept
+dir		= sys\$disk:[.demoCA		# Where everything is kept
 certs		= $dir.certs]		# Where the issued certs are kept
 crl_dir		= $dir.crl]		# Where the issued crl are kept
 database	= $dir]index.txt	# database index file.
-new_certs_dir	= $dir.newcerts]	# default place for new certs.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several ctificates with same subject.
+new_certs_dir	= $dir.newcerts]		# default place for new certs.

 certificate	= $dir]cacert.pem 	# The CA certificate
-serial		= $dir]serial.		# The current serial number
+serial		= $dir]serial. 		# The current serial number
+#crlnumber	= $dir]crlnumber.	# the current crl number must be
+					# commented out to leave a V1 CRL
 crl		= $dir]crl.pem 		# The current CRL
 private_key	= $dir.private]cakey.pem# The private key
 RANDFILE	= $dir.private].rand	# private random number file

 x509_extensions	= usr_cert		# The extentions to add to the cert

+# Comment out the following two lines for the "traditional"
+# (and highly broken) format.
+name_opt 	= ca_default		# Subject Name options
+cert_opt 	= ca_default		# Certificate field options
+
+# Extension copying option: use with caution.
+# copy_extensions = copy
+
 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
 # so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
 # crl_extensions	= crl_ext

 default_days	= 365			# how long to certify for
@@ -86,16 +104,19 @@ distinguished_name	= req_distinguished_name
 attributes		= req_attributes
 x509_extensions	= v3_ca	# The extentions to add to the self signed cert

-# This sets the permitted types in a DirectoryString. There are several
-# options. 
+# Passwords for private keys if not present they will be prompted for
+# input_password = secret
+# output_password = secret
+
+# This sets a mask for permitted string types. There are several options. 
 # default: PrintableString, T61String, BMPString.
 # pkix	 : PrintableString, BMPString.
 # utf8only: only UTF8Strings.
-# nobmp : PrintableString, T61String (no BMPStrings).
+# nombstr : PrintableString, T61String (no BMPStrings or UTF8Strings).
 # MASK:XXXX a literal mask value.
 # WARNING: current versions of Netscape crash on BMPStrings or UTF8Strings
 # so use this option with caution!
-dirstring_type = nobmp
+string_mask = nombstr

 # req_extensions = v3_req # The extensions to add to a certificate request

@@ -124,7 +145,7 @@ commonName			= Common Name (eg, YOUR name)
 commonName_max			= 64

 emailAddress			= Email Address
-emailAddress_max		= 40
+emailAddress_max		= 64

 # SET-ex3			= SET extension number 3

@@ -172,6 +193,9 @@ authorityKeyIdentifier=keyid,issuer:always
 # This stuff is for subjectAltName and issuerAltname.
 # Import the email address.
 # subjectAltName=email:copy
+# An alternative to produce certificates that aren't
+# deprecated according to PKIX.
+# subjectAltName=email:move

 # Copy subject details
 # issuerAltName=issuer:copy
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -129,6 +129,7 @@
 #include "progs.h"
 #include "s_apps.h"
 #include <openssl/err.h>
+#include <openssl/fips.h>

 /* The LHASH callbacks ("hash" & "cmp") have been replaced by functions with the
 * base prototypes (we cast each variable inside the function to the required
@@ -147,6 +148,7 @@ char *default_config_file=NULL;
 #ifdef MONOLITH
 CONF *config=NULL;
 BIO *bio_err=NULL;
+int in_FIPS_mode=0;
 #endif


@@ -163,7 +165,7 @@ static void lock_dbg_cb(int mode, int type, const char *file, int line)
 		goto err;
 		}

-	if (type < 0 || type > CRYPTO_NUM_LOCKS)
+	if (type < 0 || type >= CRYPTO_NUM_LOCKS)
 		{
 		errstr = "type out of bounds";
 		goto err;
@@ -227,10 +229,31 @@ int main(int Argc, char *Argv[])
 	char **argv,*p;
 	LHASH *prog=NULL;
 	long errline;
- 
+
 	arg.data=NULL;
 	arg.count=0;

+	in_FIPS_mode = 0;
+
+#ifdef OPENSSL_FIPS
+	if(getenv("OPENSSL_FIPS")) {
+#if defined(_WIN32)
+		char filename[MAX_PATH] = "";
+		GetModuleFileName( NULL, filename, MAX_PATH) ;
+		p = filename;
+#else
+		p = Argv[0];
+#endif
+		if (!FIPS_mode_set(1,p)) {
+			ERR_load_crypto_strings();
+			ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
+			exit(1);
+		}
+		in_FIPS_mode = 1;
+		if (getenv("OPENSSL_FIPS_MD5"))
+			FIPS_allow_md5(1);
+		}
+#endif
 	if (bio_err == NULL)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -38,10 +38,14 @@ dir		= ./demoCA		# Where everything is kept
 certs		= $dir/certs		# Where the issued certs are kept
 crl_dir		= $dir/crl		# Where the issued crl are kept
 database	= $dir/index.txt	# database index file.
+#unique_subject	= no			# Set to 'no' to allow creation of
+					# several ctificates with same subject.
 new_certs_dir	= $dir/newcerts		# default place for new certs.

 certificate	= $dir/cacert.pem 	# The CA certificate
 serial		= $dir/serial 		# The current serial number
+#crlnumber	= $dir/crlnumber	# the current crl number must be
+					# commented out to leave a V1 CRL
 crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/cakey.pem# The private key
 RANDFILE	= $dir/private/.rand	# private random number file
@@ -58,6 +62,7 @@ cert_opt 	= ca_default		# Certificate field options

 # Extensions to add to a CRL. Note: Netscape communicator chokes on V2 CRLs
 # so this is commented out by default to leave a V1 CRL.
+# crlnumber must also be commented out to leave a V1 CRL.
 # crl_extensions	= crl_ext

 default_days	= 365			# how long to certify for
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -557,7 +557,7 @@ int MAIN(int argc, char **argv)
 	    BIO_printf (bio_err, "Can't read Password\n");
 	    goto export_end;
        }
-	if (!twopass) strcpy(macpass, pass);
+	if (!twopass) BUF_strlcpy(macpass, pass, sizeof macpass);
 	/* Turn certbags into encrypted authsafe */
 	authsafe = PKCS12_pack_p7encdata(cert_pbe, cpass, -1, NULL, 0,
 								 iter, bags);
@@ -658,7 +658,7 @@ int MAIN(int argc, char **argv)
    CRYPTO_pop_info();
 #endif

-    if (!twopass) strcpy(macpass, pass);
+    if (!twopass) BUF_strlcpy(macpass, pass, sizeof macpass);

    if (options & INFO) BIO_printf (bio_err, "MAC Iteration %ld\n", p12->mac->iter ? ASN1_INTEGER_get (p12->mac->iter) : 1);
    if(macver) {
--- a/apps/pkcs7.c
+++ b/apps/pkcs7.c
@@ -102,6 +102,9 @@ int MAIN(int argc, char **argv)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);

+	if (!load_config(bio_err, NULL))
+		goto end;
+
 	infile=NULL;
 	outfile=NULL;
 	informat=FORMAT_PEM;
--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@@ -1,6 +1,6 @@
 /* pkcs8.c */
 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
- * project 1999.
+ * project 1999-2004.
 */
 /* ====================================================================
 * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
@@ -68,7 +68,7 @@
 int MAIN(int, char **);

 int MAIN(int argc, char **argv)
-{
+	{
 	ENGINE *e = NULL;
 	char **args, *infile = NULL, *outfile = NULL;
 	char *passargin = NULL, *passargout = NULL;
@@ -100,43 +100,70 @@ int MAIN(int argc, char **argv)
 	ERR_load_crypto_strings();
 	OpenSSL_add_all_algorithms();
 	args = argv + 1;
-	while (!badarg && *args && *args[0] == '-') {
-		if (!strcmp(*args,"-v2")) {
-			if (args[1]) {
+	while (!badarg && *args && *args[0] == '-')
+		{
+		if (!strcmp(*args,"-v2"))
+			{
+			if (args[1])
+				{
 				args++;
 				cipher=EVP_get_cipherbyname(*args);
-				if(!cipher) {
+				if (!cipher)
+					{
 					BIO_printf(bio_err,
 						 "Unknown cipher %s\n", *args);
 					badarg = 1;
+					}
 				}
-			} else badarg = 1;
-		} else if (!strcmp(*args,"-v1")) {
-			if (args[1]) {
+			else
+				badarg = 1;
+			}
+		else if (!strcmp(*args,"-v1"))
+			{
+			if (args[1])
+				{
 				args++;
 				pbe_nid=OBJ_txt2nid(*args);
-				if(pbe_nid == NID_undef) {
+				if (pbe_nid == NID_undef)
+					{
 					BIO_printf(bio_err,
 						 "Unknown PBE algorithm %s\n", *args);
 					badarg = 1;
+					}
 				}
-			} else badarg = 1;
-		} else if (!strcmp(*args,"-inform")) {
-			if (args[1]) {
+			else
+				badarg = 1;
+			}
+		else if (!strcmp(*args,"-inform"))
+			{
+			if (args[1])
+				{
 				args++;
 				informat=str2fmt(*args);
-			} else badarg = 1;
-		} else if (!strcmp(*args,"-outform")) {
-			if (args[1]) {
+				}
+			else badarg = 1;
+			}
+		else if (!strcmp(*args,"-outform"))
+			{
+			if (args[1])
+				{
 				args++;
 				outformat=str2fmt(*args);
-			} else badarg = 1;
-		} else if (!strcmp (*args, "-topk8")) topk8 = 1;
-		else if (!strcmp (*args, "-noiter")) iter = 1;
-		else if (!strcmp (*args, "-nocrypt")) nocrypt = 1;
-		else if (!strcmp (*args, "-nooct")) p8_broken = PKCS8_NO_OCTET;
-		else if (!strcmp (*args, "-nsdb")) p8_broken = PKCS8_NS_DB;
-		else if (!strcmp (*args, "-embed")) p8_broken = PKCS8_EMBEDDED_PARAM;
+				}
+			else badarg = 1;
+			}
+		else if (!strcmp (*args, "-topk8"))
+			topk8 = 1;
+		else if (!strcmp (*args, "-noiter"))
+			iter = 1;
+		else if (!strcmp (*args, "-nocrypt"))
+			nocrypt = 1;
+		else if (!strcmp (*args, "-nooct"))
+			p8_broken = PKCS8_NO_OCTET;
+		else if (!strcmp (*args, "-nsdb"))
+			p8_broken = PKCS8_NS_DB;
+		else if (!strcmp (*args, "-embed"))
+			p8_broken = PKCS8_EMBEDDED_PARAM;
 		else if (!strcmp(*args,"-passin"))
 			{
 			if (!args[1]) goto bad;
@@ -154,21 +181,30 @@ int MAIN(int argc, char **argv)
 			engine= *(++args);
 			}
 #endif
-		else if (!strcmp (*args, "-in")) {
-			if (args[1]) {
+		else if (!strcmp (*args, "-in"))
+			{
+			if (args[1])
+				{
 				args++;
 				infile = *args;
-			} else badarg = 1;
-		} else if (!strcmp (*args, "-out")) {
-			if (args[1]) {
+				}
+			else badarg = 1;
+			}
+		else if (!strcmp (*args, "-out"))
+			{
+			if (args[1])
+				{
 				args++;
 				outfile = *args;
-			} else badarg = 1;
-		} else badarg = 1;
+				}
+			else badarg = 1;
+			}
+		else badarg = 1;
 		args++;
-	}
+		}

-	if (badarg) {
+	if (badarg)
+		{
 		bad:
 		BIO_printf(bio_err, "Usage pkcs8 [options]\n");
 		BIO_printf(bio_err, "where options are\n");
@@ -189,148 +225,199 @@ int MAIN(int argc, char **argv)
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
 #endif
-		return (1);
-	}
+		return 1;
+		}

 #ifndef OPENSSL_NO_ENGINE
        e = setup_engine(bio_err, engine, 0);
 #endif

-	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
+	if (!app_passwd(bio_err, passargin, passargout, &passin, &passout))
+		{
 		BIO_printf(bio_err, "Error getting passwords\n");
-		return (1);
-	}
+		return 1;
+		}

-	if ((pbe_nid == -1) && !cipher) pbe_nid = NID_pbeWithMD5AndDES_CBC;
+	if ((pbe_nid == -1) && !cipher)
+		pbe_nid = NID_pbeWithMD5AndDES_CBC;

-	if (infile) {
-		if (!(in = BIO_new_file(infile, "rb"))) {
+	if (infile)
+		{
+		if (!(in = BIO_new_file(infile, "rb")))
+			{
 			BIO_printf(bio_err,
 				 "Can't open input file %s\n", infile);
 			return (1);
+			}
 		}
-	} else in = BIO_new_fp (stdin, BIO_NOCLOSE);
+	else
+		in = BIO_new_fp (stdin, BIO_NOCLOSE);

-	if (outfile) {
-		if (!(out = BIO_new_file (outfile, "wb"))) {
+	if (outfile)
+		{
+		if (!(out = BIO_new_file (outfile, "wb")))
+			{
 			BIO_printf(bio_err,
 				 "Can't open output file %s\n", outfile);
 			return (1);
+			}
 		}
-	} else {
+	else
+		{
 		out = BIO_new_fp (stdout, BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
-		{
+			{
 			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 			out = BIO_push(tmpbio, out);
-		}
+			}
 #endif
-	}
+		}
 	if (topk8)
 		{
 		BIO_free(in); /* Not needed in this section */
 		pkey = load_key(bio_err, infile, informat, 1,
 			passin, e, "key");
-		if (!pkey) {
-			return (1);
-		}
-		if (!(p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken))) {
-			BIO_printf(bio_err, "Error converting key\n", outfile);
-			ERR_print_errors(bio_err);
-			return (1);
-		}
-		if(nocrypt) {
-			if(outformat == FORMAT_PEM) 
-				PEM_write_bio_PKCS8_PRIV_KEY_INFO(out, p8inf);
-			else if(outformat == FORMAT_ASN1)
-				i2d_PKCS8_PRIV_KEY_INFO_bio(out, p8inf);
-			else {
-				BIO_printf(bio_err, "Bad format specified for key\n");
-				return (1);
+		if (!pkey)
+			{
+			BIO_free_all(out);
+			return 1;
 			}
-		} else {
-			if(passout) p8pass = passout;
-			else {
+		if (!(p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken)))
+			{
+			BIO_printf(bio_err, "Error converting key\n");
+			ERR_print_errors(bio_err);
+			EVP_PKEY_free(pkey);
+			BIO_free_all(out);
+			return 1;
+			}
+		if (nocrypt)
+			{
+			if (outformat == FORMAT_PEM) 
+				PEM_write_bio_PKCS8_PRIV_KEY_INFO(out, p8inf);
+			else if (outformat == FORMAT_ASN1)
+				i2d_PKCS8_PRIV_KEY_INFO_bio(out, p8inf);
+			else
+				{
+				BIO_printf(bio_err, "Bad format specified for key\n");
+				PKCS8_PRIV_KEY_INFO_free(p8inf);
+				EVP_PKEY_free(pkey);
+				BIO_free_all(out);
+				return (1);
+				}
+			}
+		else
+			{
+			if (passout)
+				p8pass = passout;
+			else
+				{
 				p8pass = pass;
 				if (EVP_read_pw_string(pass, sizeof pass, "Enter Encryption Password:", 1))
+					{
+					PKCS8_PRIV_KEY_INFO_free(p8inf);
+					EVP_PKEY_free(pkey);
+					BIO_free_all(out);
 					return (1);
-			}
+					}
+				}
 			app_RAND_load_file(NULL, bio_err, 0);
 			if (!(p8 = PKCS8_encrypt(pbe_nid, cipher,
 					p8pass, strlen(p8pass),
-					NULL, 0, iter, p8inf))) {
-				BIO_printf(bio_err, "Error encrypting key\n",
-								 outfile);
+					NULL, 0, iter, p8inf)))
+				{
+				BIO_printf(bio_err, "Error encrypting key\n");
 				ERR_print_errors(bio_err);
+				PKCS8_PRIV_KEY_INFO_free(p8inf);
+				EVP_PKEY_free(pkey);
+				BIO_free_all(out);
 				return (1);
-			}
+				}
 			app_RAND_write_file(NULL, bio_err);
-			if(outformat == FORMAT_PEM) 
+			if (outformat == FORMAT_PEM) 
 				PEM_write_bio_PKCS8(out, p8);
-			else if(outformat == FORMAT_ASN1)
+			else if (outformat == FORMAT_ASN1)
 				i2d_PKCS8_bio(out, p8);
-			else {
+			else
+				{
 				BIO_printf(bio_err, "Bad format specified for key\n");
+				PKCS8_PRIV_KEY_INFO_free(p8inf);
+				EVP_PKEY_free(pkey);
+				BIO_free_all(out);
 				return (1);
-			}
+				}
 			X509_SIG_free(p8);
-		}
+			}
+
 		PKCS8_PRIV_KEY_INFO_free (p8inf);
 		EVP_PKEY_free(pkey);
 		BIO_free_all(out);
-		if(passin) OPENSSL_free(passin);
-		if(passout) OPENSSL_free(passout);
+		if (passin)
+			OPENSSL_free(passin);
+		if (passout)
+			OPENSSL_free(passout);
 		return (0);
-	}
+		}

-	if(nocrypt) {
-		if(informat == FORMAT_PEM) 
+	if (nocrypt)
+		{
+		if (informat == FORMAT_PEM) 
 			p8inf = PEM_read_bio_PKCS8_PRIV_KEY_INFO(in,NULL,NULL, NULL);
-		else if(informat == FORMAT_ASN1)
+		else if (informat == FORMAT_ASN1)
 			p8inf = d2i_PKCS8_PRIV_KEY_INFO_bio(in, NULL);
-		else {
+		else
+			{
 			BIO_printf(bio_err, "Bad format specified for key\n");
 			return (1);
+			}
 		}
-	} else {
-		if(informat == FORMAT_PEM) 
+	else
+		{
+		if (informat == FORMAT_PEM) 
 			p8 = PEM_read_bio_PKCS8(in, NULL, NULL, NULL);
-		else if(informat == FORMAT_ASN1)
+		else if (informat == FORMAT_ASN1)
 			p8 = d2i_PKCS8_bio(in, NULL);
-		else {
+		else
+			{
 			BIO_printf(bio_err, "Bad format specified for key\n");
 			return (1);
-		}
+			}

-		if (!p8) {
-			BIO_printf (bio_err, "Error reading key\n", outfile);
+		if (!p8)
+			{
+			BIO_printf (bio_err, "Error reading key\n");
 			ERR_print_errors(bio_err);
 			return (1);
-		}
-		if(passin) p8pass = passin;
-		else {
+			}
+		if (passin)
+			p8pass = passin;
+		else
+			{
 			p8pass = pass;
 			EVP_read_pw_string(pass, sizeof pass, "Enter Password:", 0);
-		}
+			}
 		p8inf = PKCS8_decrypt(p8, p8pass, strlen(p8pass));
 		X509_SIG_free(p8);
-	}
+		}

-	if (!p8inf) {
-		BIO_printf(bio_err, "Error decrypting key\n", outfile);
+	if (!p8inf)
+		{
+		BIO_printf(bio_err, "Error decrypting key\n");
 		ERR_print_errors(bio_err);
 		return (1);
-	}
+		}

-	if (!(pkey = EVP_PKCS82PKEY(p8inf))) {
-		BIO_printf(bio_err, "Error converting key\n", outfile);
+	if (!(pkey = EVP_PKCS82PKEY(p8inf)))
+		{
+		BIO_printf(bio_err, "Error converting key\n");
 		ERR_print_errors(bio_err);
 		return (1);
-	}
+		}
 	
-	if (p8inf->broken) {
+	if (p8inf->broken)
+		{
 		BIO_printf(bio_err, "Warning: broken key encoding: ");
-		switch (p8inf->broken) {
+		switch (p8inf->broken)
+			{
 			case PKCS8_NO_OCTET:
 			BIO_printf(bio_err, "No Octet String in PrivateKey\n");
 			break;
@@ -350,21 +437,24 @@ int MAIN(int argc, char **argv)
 	}
 	
 	PKCS8_PRIV_KEY_INFO_free(p8inf);
-	if(outformat == FORMAT_PEM) 
+	if (outformat == FORMAT_PEM) 
 		PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, passout);
-	else if(outformat == FORMAT_ASN1)
+	else if (outformat == FORMAT_ASN1)
 		i2d_PrivateKey_bio(out, pkey);
-	else {
+	else
+		{
 		BIO_printf(bio_err, "Bad format specified for key\n");
 			return (1);
-	}
+		}

 	end:
 	EVP_PKEY_free(pkey);
 	BIO_free_all(out);
 	BIO_free(in);
-	if(passin) OPENSSL_free(passin);
-	if(passout) OPENSSL_free(passout);
+	if (passin)
+		OPENSSL_free(passin);
+	if (passout)
+		OPENSSL_free(passout);

 	return (0);
-}
+	}
--- a/apps/prime.c
+++ b/apps/prime.c
@@ -0,0 +1,118 @@
+/* ====================================================================
+ * Copyright (c) 2004 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ *
+ */
+
+#include <string.h>
+
+#include "apps.h"
+#include <openssl/bn.h>
+
+
+#undef PROG
+#define PROG prime_main
+
+int MAIN(int argc, char **argv)
+    {
+    int hex=0;
+    int checks=20;
+    BIGNUM *bn=NULL;
+    BIO *bio_out=NULL;
+
+    apps_startup();
+
+    if (bio_err == NULL)
+	if ((bio_err=BIO_new(BIO_s_file())) != NULL)
+	    BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
+
+    if (bio_out == NULL)
+	if ((bio_out=BIO_new(BIO_s_file())) != NULL)
+	    {
+	    BIO_set_fp(bio_out,stdout,BIO_NOCLOSE);
+#ifdef OPENSSL_SYS_VMS
+	    {
+	    BIO *tmpbio = BIO_new(BIO_f_linebuffer());
+	    bio_out = BIO_push(tmpbio, bio_out);
+	    }
+#endif
+	    }
+
+    --argc;
+    ++argv;
+    while (argc >= 1 && **argv == '-')
+	{
+	if(!strcmp(*argv,"-hex"))
+	    hex=1;
+	else if(!strcmp(*argv,"-checks"))
+	    if(--argc < 1)
+		goto bad;
+	    else
+		checks=atoi(*++argv);
+	else
+	    {
+	    BIO_printf(bio_err,"Unknown option '%s'\n",*argv);
+	bad:
+	    BIO_printf(bio_err,"options are\n");
+	    BIO_printf(bio_err,"%-14s hex\n","-hex");
+	    BIO_printf(bio_err,"%-14s number of checks\n","-checks <n>");
+	    exit(1);
+	    }
+	--argc;
+	++argv;
+	}
+
+    if(hex)
+	BN_hex2bn(&bn,argv[0]);
+    else
+	BN_dec2bn(&bn,argv[0]);
+
+    BN_print(bio_out,bn);
+    BIO_printf(bio_out," is %sprime\n",
+	       BN_is_prime(bn,checks,NULL,NULL,NULL) ? "" : "not ");
+
+    return 0;
+    }
--- a/apps/progs.h
+++ b/apps/progs.h
@@ -35,6 +35,7 @@ extern int pkcs8_main(int argc,char *argv[]);
 extern int spkac_main(int argc,char *argv[]);
 extern int smime_main(int argc,char *argv[]);
 extern int rand_main(int argc,char *argv[]);
+extern int prime_main(int argc,char *argv[]);
 #ifndef OPENSSL_NO_ENGINE
 extern int engine_main(int argc,char *argv[]);
 #endif
@@ -115,6 +116,7 @@ FUNCTION functions[] = {
 	{FUNC_TYPE_GENERAL,"spkac",spkac_main},
 	{FUNC_TYPE_GENERAL,"smime",smime_main},
 	{FUNC_TYPE_GENERAL,"rand",rand_main},
+	{FUNC_TYPE_GENERAL,"prime",prime_main},
 #ifndef OPENSSL_NO_ENGINE
 	{FUNC_TYPE_GENERAL,"engine",engine_main},
 #endif
--- a/apps/req.c
+++ b/apps/req.c
@@ -824,14 +824,16 @@ loop:
 			if ((x509ss=X509_new()) == NULL) goto end;

 			/* Set version to V3 */
-			if(!X509_set_version(x509ss, 2)) goto end;
+			if(extensions && !X509_set_version(x509ss, 2)) goto end;
 			if (serial)
 				{
 				if (!X509_set_serialNumber(x509ss, serial)) goto end;
 				}
 			else
 				{
-				if (!ASN1_INTEGER_set(X509_get_serialNumber(x509ss),0L)) goto end;
+				if (!rand_serial(NULL,
+					X509_get_serialNumber(x509ss)))
+						goto end;
 				}

 			if (!X509_set_issuer_name(x509ss, X509_REQ_get_subject_name(req))) goto end;
@@ -1223,34 +1225,34 @@ start:		for (;;)
 				}
 			/* If OBJ not recognised ignore it */
 			if ((nid=OBJ_txt2nid(type)) == NID_undef) goto start;
-
-			if(strlen(v->name) > sizeof buf-9)
+			if (BIO_snprintf(buf,sizeof buf,"%s_default",v->name)
+				>= sizeof buf)
 			   {
 			   BIO_printf(bio_err,"Name '%s' too long\n",v->name);
 			   return 0;
 			   }

-			sprintf(buf,"%s_default",v->name);
 			if ((def=NCONF_get_string(req_conf,dn_sect,buf)) == NULL)
 				{
 				ERR_clear_error();
 				def="";
 				}
-			sprintf(buf,"%s_value",v->name);
+				
+			BIO_snprintf(buf,sizeof buf,"%s_value",v->name);
 			if ((value=NCONF_get_string(req_conf,dn_sect,buf)) == NULL)
 				{
 				ERR_clear_error();
 				value=NULL;
 				}

-			sprintf(buf,"%s_min",v->name);
+			BIO_snprintf(buf,sizeof buf,"%s_min",v->name);
 			if (!NCONF_get_number(req_conf,dn_sect,buf, &n_min))
 				{
 				ERR_clear_error();
 				n_min = -1;
 				}

-			sprintf(buf,"%s_max",v->name);
+			BIO_snprintf(buf,sizeof buf,"%s_max",v->name);
 			if (!NCONF_get_number(req_conf,dn_sect,buf, &n_max))
 				{
 				ERR_clear_error();
@@ -1288,13 +1290,13 @@ start2:			for (;;)
 				if ((nid=OBJ_txt2nid(type)) == NID_undef)
 					goto start2;

-				if(strlen(v->name) > sizeof buf-9)
+				if (BIO_snprintf(buf,sizeof buf,"%s_default",type)
+					>= sizeof buf)
 				   {
 				   BIO_printf(bio_err,"Name '%s' too long\n",v->name);
 				   return 0;
 				   }

-				sprintf(buf,"%s_default",type);
 				if ((def=NCONF_get_string(req_conf,attr_sect,buf))
 					== NULL)
 					{
@@ -1303,7 +1305,7 @@ start2:			for (;;)
 					}
 				
 				
-				sprintf(buf,"%s_value",type);
+				BIO_snprintf(buf,sizeof buf,"%s_value",type);
 				if ((value=NCONF_get_string(req_conf,attr_sect,buf))
 					== NULL)
 					{
@@ -1311,11 +1313,11 @@ start2:			for (;;)
 					value=NULL;
 					}

-				sprintf(buf,"%s_min",type);
+				BIO_snprintf(buf,sizeof buf,"%s_min",type);
 				if (!NCONF_get_number(req_conf,attr_sect,buf, &n_min))
 					n_min = -1;

-				sprintf(buf,"%s_max",type);
+				BIO_snprintf(buf,sizeof buf,"%s_max",type);
 				if (!NCONF_get_number(req_conf,attr_sect,buf, &n_max))
 					n_max = -1;

@@ -1397,9 +1399,8 @@ start:
 	(void)BIO_flush(bio_err);
 	if(value != NULL)
 		{
-		OPENSSL_assert(strlen(value) < sizeof buf-2);
-		strcpy(buf,value);
-		strcat(buf,"\n");
+		BUF_strlcpy(buf,value,sizeof buf);
+		BUF_strlcat(buf,"\n",sizeof buf);
 		BIO_printf(bio_err,"%s\n",value);
 		}
 	else
@@ -1421,8 +1422,8 @@ start:
 		{
 		if ((def == NULL) || (def[0] == '\0'))
 			return(1);
-		strcpy(buf,def);
-		strcat(buf,"\n");
+		BUF_strlcpy(buf,def,sizeof buf);
+		BUF_strlcat(buf,"\n",sizeof buf);
 		}
 	else if ((buf[0] == '.') && (buf[1] == '\n')) return(1);

@@ -1456,9 +1457,8 @@ start:
 	(void)BIO_flush(bio_err);
 	if (value != NULL)
 		{
-		OPENSSL_assert(strlen(value) < sizeof buf-2);
-		strcpy(buf,value);
-		strcat(buf,"\n");
+		BUF_strlcpy(buf,value,sizeof buf);
+		BUF_strlcat(buf,"\n",sizeof buf);
 		BIO_printf(bio_err,"%s\n",value);
 		}
 	else
@@ -1480,8 +1480,8 @@ start:
 		{
 		if ((def == NULL) || (def[0] == '\0'))
 			return(1);
-		strcpy(buf,def);
-		strcat(buf,"\n");
+		BUF_strlcpy(buf,def,sizeof buf);
+		BUF_strlcat(buf,"\n",sizeof buf);
 		}
 	else if ((buf[0] == '.') && (buf[1] == '\n')) return(1);

--- a/apps/rsautl.c
+++ b/apps/rsautl.c
@@ -97,6 +97,7 @@ int MAIN(int argc, char **argv)
 	EVP_PKEY *pkey = NULL;
 	RSA *rsa = NULL;
 	unsigned char *rsa_in = NULL, *rsa_out = NULL, pad;
+	char *passargin = NULL, *passin = NULL;
 	int rsa_inlen, rsa_outlen = 0;
 	int keysize;

@@ -124,6 +125,9 @@ int MAIN(int argc, char **argv)
 		} else if(!strcmp(*argv, "-inkey")) {
 			if (--argc < 1) badarg = 1;
 			keyfile = *(++argv);
+		} else if (!strcmp(*argv,"-passin")) {
+			if (--argc < 1) badarg = 1;
+			passargin= *(++argv);
 		} else if (strcmp(*argv,"-keyform") == 0) {
 			if (--argc < 1) badarg = 1;
 			keyform=str2fmt(*(++argv));
@@ -169,6 +173,10 @@ int MAIN(int argc, char **argv)
 #ifndef OPENSSL_NO_ENGINE
        e = setup_engine(bio_err, engine, 0);
 #endif
+	if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
+		BIO_printf(bio_err, "Error getting password\n");
+		goto end;
+	}

 /* FIXME: seed PRNG only if needed */
 	app_RAND_load_file(NULL, bio_err, 0);
@@ -176,7 +184,7 @@ int MAIN(int argc, char **argv)
 	switch(key_type) {
 		case KEY_PRIVKEY:
 		pkey = load_key(bio_err, keyfile, keyform, 0,
-			NULL, e, "Private Key");
+			passin, e, "Private Key");
 		break;

 		case KEY_PUBKEY:
@@ -290,6 +298,7 @@ int MAIN(int argc, char **argv)
 	BIO_free_all(out);
 	if(rsa_in) OPENSSL_free(rsa_in);
 	if(rsa_out) OPENSSL_free(rsa_out);
+	if(passin) OPENSSL_free(passin);
 	return ret;
 }

@@ -313,6 +322,7 @@ static void usage()
 	BIO_printf(bio_err, "-hexdump        hex dump output\n");
 #ifndef OPENSSL_NO_ENGINE
 	BIO_printf(bio_err, "-engine e       use engine e, possibly a hardware device.\n");
+	BIO_printf (bio_err, "-passin arg    pass phrase source\n");
 #endif

 }
--- a/apps/s_apps.h
+++ b/apps/s_apps.h
@@ -112,6 +112,14 @@
 #include <sys/types.h>
 #include <openssl/opensslconf.h>

+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
+#include <conio.h>
+#endif
+
+#ifdef OPENSSL_SYS_MSDOS
+#define _kbhit kbhit
+#endif
+
 #if defined(OPENSSL_SYS_VMS) && !defined(FD_SET)
 /* VAX C does not defined fd_set and friends, but it's actually quite simple */
 /* These definitions are borrowed from SOCKETSHR.	/Richard Levitte */
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -136,10 +136,6 @@ typedef unsigned int u_int;
 #include <openssl/rand.h>
 #include "s_apps.h"

-#ifdef OPENSSL_SYS_WINDOWS
-#include <conio.h>
-#endif
-
 #ifdef OPENSSL_SYS_WINCE
 /* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */
 #ifdef fileno
@@ -221,7 +217,7 @@ static void sc_usage(void)
 	BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
 	BIO_printf(bio_err,"                 for those protocols that support it, where\n");
 	BIO_printf(bio_err,"                 'prot' defines which one to assume.  Currently,\n");
-	BIO_printf(bio_err,"                 only \"smtp\" is supported.\n");
+	BIO_printf(bio_err,"                 only \"smtp\" and \"pop3\" are supported.\n");
 #ifndef OPENSSL_NO_ENGINE
 	BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
 #endif
@@ -251,7 +247,7 @@ int MAIN(int argc, char **argv)
 	int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
 	SSL_CTX *ctx=NULL;
 	int ret=1,in_init=1,i,nbio_test=0;
-	int smtp_starttls = 0;
+	int starttls_proto = 0;
 	int prexit = 0, vflags = 0;
 	SSL_METHOD *meth=NULL;
 	BIO *sbio;
@@ -260,7 +256,7 @@ int MAIN(int argc, char **argv)
 	char *engine_id=NULL;
 	ENGINE *e=NULL;
 #endif
-#ifdef OPENSSL_SYS_WINDOWS
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
 	struct timeval tv;
 #endif

@@ -415,7 +411,9 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			++argv;
 			if (strcmp(*argv,"smtp") == 0)
-				smtp_starttls = 1;
+				starttls_proto = 1;
+			else if (strcmp(*argv,"pop3") == 0)
+				starttls_proto = 2;
 			else
 				goto bad;
 			}
@@ -587,12 +585,18 @@ re_start:
 	sbuf_off=0;

 	/* This is an ugly hack that does a lot of assumptions */
-	if (smtp_starttls)
+	if (starttls_proto == 1)
 		{
 		BIO_read(sbio,mbuf,BUFSIZZ);
 		BIO_printf(sbio,"STARTTLS\r\n");
 		BIO_read(sbio,sbuf,BUFSIZZ);
 		}
+	if (starttls_proto == 2)
+		{
+		BIO_read(sbio,mbuf,BUFSIZZ);
+		BIO_printf(sbio,"STLS\r\n");
+		BIO_read(sbio,sbuf,BUFSIZZ);
+		}

 	for (;;)
 		{
@@ -613,11 +617,11 @@ re_start:
 				print_stuff(bio_c_out,con,full_log);
 				if (full_log > 0) full_log--;

-				if (smtp_starttls)
+				if (starttls_proto)
 					{
 					BIO_printf(bio_err,"%s",mbuf);
 					/* We don't need to know any more */
-					smtp_starttls = 0;
+					starttls_proto = 0;
 					}

 				if (reconnect)
@@ -636,7 +640,7 @@ re_start:

 		if (!ssl_pending)
 			{
-#ifndef OPENSSL_SYS_WINDOWS
+#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
 			if (tty_on)
 				{
 				if (read_tty)  FD_SET(fileno(stdin),&readfds);
@@ -663,8 +667,8 @@ re_start:
 			 * will choke the compiler: if you do have a cast then
 			 * you can either go for (int *) or (void *).
 			 */
-#ifdef OPENSSL_SYS_WINDOWS
-			/* Under Windows we make the assumption that we can
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
+                        /* Under Windows/DOS we make the assumption that we can
 			 * always write to the tty: therefore if we need to
 			 * write to the tty we just fall through. Otherwise
 			 * we timeout the select every second and see if there
@@ -678,7 +682,7 @@ re_start:
 					tv.tv_usec = 0;
 					i=select(width,(void *)&readfds,(void *)&writefds,
 						 NULL,&tv);
-#ifdef OPENSSL_SYS_WINCE
+#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
 					if(!i && (!_kbhit() || !read_tty) ) continue;
 #else
 					if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
@@ -847,8 +851,8 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240
 				}
 			}

-#ifdef OPENSSL_SYS_WINDOWS
-#ifdef OPENSSL_SYS_WINCE
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
+#if defined(OPENSSL_SYS_WINCE) || defined(OPENSSL_SYS_MSDOS)
 		else if (_kbhit())
 #else
 		else if ((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -140,10 +140,6 @@ typedef unsigned int u_int;
 #include <openssl/rand.h>
 #include "s_apps.h"

-#ifdef OPENSSL_SYS_WINDOWS
-#include <conio.h>
-#endif
-
 #ifdef OPENSSL_SYS_WINCE
 /* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */
 #ifdef fileno
@@ -917,7 +913,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 	unsigned long l;
 	SSL *con=NULL;
 	BIO *sbio;
-#ifdef OPENSSL_SYS_WINDOWS
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
 	struct timeval tv;
 #endif

@@ -991,7 +987,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 		if (!read_from_sslcon)
 			{
 			FD_ZERO(&readfds);
-#ifndef OPENSSL_SYS_WINDOWS
+#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
 			FD_SET(fileno(stdin),&readfds);
 #endif
 			FD_SET(s,&readfds);
@@ -1001,8 +997,8 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 			 * the compiler: if you do have a cast then you can either
 			 * go for (int *) or (void *).
 			 */
-#ifdef OPENSSL_SYS_WINDOWS
-			/* Under Windows we can't select on stdin: only
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
+                        /* Under DOS (non-djgpp) and Windows we can't select on stdin: only
 			 * on sockets. As a workaround we timeout the select every
 			 * second and check for any keypress. In a proper Windows
 			 * application we wouldn't do this because it is inefficient.
@@ -1263,7 +1259,13 @@ static int init_ssl_connection(SSL *con)
 	if (SSL_ctrl(con,SSL_CTRL_GET_FLAGS,0,NULL) &
 		TLS1_FLAGS_TLS_PADDING_BUG)
 		BIO_printf(bio_s_out,"Peer has incorrect TLSv1 block padding\n");
-
+#ifndef OPENSSL_NO_KRB5
+	if (con->kssl_ctx->client_princ != NULL)
+		{
+		BIO_printf(bio_s_out,"Kerberos peer principal is %s\n",
+			con->kssl_ctx->client_princ);
+		}
+#endif /* OPENSSL_NO_KRB5 */
 	return(1);
 	}

--- a/apps/s_socket.c
+++ b/apps/s_socket.c
@@ -389,7 +389,7 @@ redoit:
 			perror("OPENSSL_malloc");
 			return(0);
 			}
-		strcpy(*host,h1->h_name);
+		BUF_strlcpy(*host,h1->h_name,strlen(h1->h_name)+1);

 		h2=GetHostByName(*host);
 		if (h2 == NULL)
--- a/apps/s_time.c
+++ b/apps/s_time.c
@@ -502,7 +502,7 @@ int MAIN(int argc, char **argv)

 		if (s_www_path != NULL)
 			{
-			sprintf(buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path);
+			BIO_snprintf(buf,sizeof buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path);
 			SSL_write(scon,buf,strlen(buf));
 			while ((i=SSL_read(scon,buf,sizeof(buf))) > 0)
 				bytes_read+=i;
@@ -557,7 +557,7 @@ next:

 	if (s_www_path != NULL)
 		{
-		sprintf(buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path);
+		BIO_snprintf(buf,sizeof buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path);
 		SSL_write(scon,buf,strlen(buf));
 		while (SSL_read(scon,buf,sizeof(buf)) > 0)
 			;
@@ -595,7 +595,7 @@ next:

 		if (s_www_path)
 			{
-			sprintf(buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path);
+			BIO_snprintf(buf,sizeof buf,"GET %s HTTP/1.0\r\n\r\n",s_www_path);
 			SSL_write(scon,buf,strlen(buf));
 			while ((i=SSL_read(scon,buf,sizeof(buf))) > 0)
 				bytes_read+=i;
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -168,6 +168,10 @@ int MAIN(int argc, char **argv)
 				flags |= PKCS7_BINARY;
 		else if (!strcmp (*args, "-nosigs"))
 				flags |= PKCS7_NOSIGS;
+		else if (!strcmp (*args, "-nooldmime"))
+				flags |= PKCS7_NOOLDMIMETYPE;
+		else if (!strcmp (*args, "-crlfeol"))
+				flags |= PKCS7_CRLFEOL;
 		else if (!strcmp (*args, "-crl_check"))
 				store_flags |= X509_V_FLAG_CRL_CHECK;
 		else if (!strcmp (*args, "-crl_check_all"))
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -773,6 +773,7 @@ int MAIN(int argc, char **argv)
 			{
 			dsa_doit[R_DSA_512]=1;
 			dsa_doit[R_DSA_1024]=1;
+			dsa_doit[R_DSA_2048]=1;
 			}
 		else
 #endif
@@ -1006,6 +1007,9 @@ int MAIN(int argc, char **argv)
 	c[D_CBC_RC5][0]=count;
 	c[D_CBC_BF][0]=count;
 	c[D_CBC_CAST][0]=count;
+	c[D_CBC_128_AES][0]=count;
+	c[D_CBC_192_AES][0]=count;
+	c[D_CBC_256_AES][0]=count;

 	for (i=1; i<SIZE_NUM; i++)
 		{
@@ -1031,6 +1035,9 @@ int MAIN(int argc, char **argv)
 		c[D_CBC_RC5][i]=c[D_CBC_RC5][i-1]*l0/l1;
 		c[D_CBC_BF][i]=c[D_CBC_BF][i-1]*l0/l1;
 		c[D_CBC_CAST][i]=c[D_CBC_CAST][i-1]*l0/l1;
+		c[D_CBC_128_AES][i]=c[D_CBC_128_AES][i-1]*l0/l1;
+		c[D_CBC_192_AES][i]=c[D_CBC_192_AES][i-1]*l0/l1;
+		c[D_CBC_256_AES][i]=c[D_CBC_256_AES][i-1]*l0/l1;
 		}
 #ifndef OPENSSL_NO_RSA
 	rsa_c[R_RSA_512][0]=count/2000;
@@ -1388,6 +1395,7 @@ int MAIN(int argc, char **argv)
 					EVP_DecryptInit_ex(&ctx,evp_cipher,NULL,key16,iv);
 				else
 					EVP_EncryptInit_ex(&ctx,evp_cipher,NULL,key16,iv);
+				EVP_CIPHER_CTX_set_padding(&ctx, 0);

 				Time_F(START);
 				if(decrypt)
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -168,7 +168,7 @@ int MAIN(int argc, char **argv)
 	char *CAkeyfile=NULL,*CAserial=NULL;
 	char *alias=NULL;
 	int text=0,serial=0,hash=0,subject=0,issuer=0,startdate=0,enddate=0;
-	int ocspid=0;
+	int next_serial=0,ocspid=0;
 	int noout=0,sign_flag=0,CA_flag=0,CA_createserial=0,email=0;
 	int trustout=0,clrtrust=0,clrreject=0,aliasout=0,clrext=0;
 	int C=0;
@@ -358,12 +358,6 @@ int MAIN(int argc, char **argv)
 			if (--argc < 1) goto bad;
 			if (!set_name_ex(&nmflag, *(++argv))) goto bad;
 			}
-		else if (strcmp(*argv,"-setalias") == 0)
-			{
-			if (--argc < 1) goto bad;
-			alias= *(++argv);
-			trustout = 1;
-			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
@@ -377,6 +371,8 @@ int MAIN(int argc, char **argv)
 			email= ++num;
 		else if (strcmp(*argv,"-serial") == 0)
 			serial= ++num;
+		else if (strcmp(*argv,"-next_serial") == 0)
+			next_serial= ++num;
 		else if (strcmp(*argv,"-modulus") == 0)
 			modulus= ++num;
 		else if (strcmp(*argv,"-pubkey") == 0)
@@ -597,12 +593,16 @@ bad:
 		if ((x=X509_new()) == NULL) goto end;
 		ci=x->cert_info;

-		if (sno)
+		if (sno == NULL)
 			{
-			if (!X509_set_serialNumber(x, sno))
+			sno = ASN1_INTEGER_new();
+			if (!sno || !rand_serial(NULL, sno))
 				goto end;
 			}
-		else if (!ASN1_INTEGER_set(X509_get_serialNumber(x),0)) goto end;
+
+		if (!X509_set_serialNumber(x, sno)) 
+			goto end;
+
 		if (!X509_set_issuer_name(x,req->req_info->subject)) goto end;
 		if (!X509_set_subject_name(x,req->req_info->subject)) goto end;

@@ -623,7 +623,7 @@ bad:
 		if (xca == NULL) goto end;
 		}

-	if (!noout || text)
+	if (!noout || text || next_serial)
 		{
 		OBJ_create("2.99999.3",
 			"SET.ex3","SET x509v3 extension 3");
@@ -697,6 +697,24 @@ bad:
 				i2a_ASN1_INTEGER(STDout,x->cert_info->serialNumber);
 				BIO_printf(STDout,"\n");
 				}
+			else if (next_serial == i)
+				{
+				BIGNUM *bnser;
+				ASN1_INTEGER *ser;
+				ser = X509_get_serialNumber(x);
+				bnser = ASN1_INTEGER_to_BN(ser, NULL);
+				if (!bnser)
+					goto end;
+				if (!BN_add_word(bnser, 1))
+					goto end;
+				ser = BN_to_ASN1_INTEGER(bnser, NULL);
+				if (!ser)
+					goto end;
+				BN_free(bnser);
+				i2a_ASN1_INTEGER(out, ser);
+				ASN1_INTEGER_free(ser);
+				BIO_puts(out, "\n");
+				}
 			else if (email == i) 
 				{
 				int j;
@@ -1028,105 +1046,44 @@ end:
 	OPENSSL_EXIT(ret);
 	}

-static ASN1_INTEGER *load_serial(char *CAfile, char *serialfile, int create)
+static ASN1_INTEGER *x509_load_serial(char *CAfile, char *serialfile, int create)
 	{
 	char *buf = NULL, *p;
-	MS_STATIC char buf2[1024];
-	ASN1_INTEGER *bs = NULL, *bs2 = NULL;
-	BIO *io = NULL;
+	ASN1_INTEGER *bs = NULL;
 	BIGNUM *serial = NULL;
+	size_t len;

-	buf=OPENSSL_malloc( ((serialfile == NULL)
-			?(strlen(CAfile)+strlen(POSTFIX)+1)
-			:(strlen(serialfile)))+1);
+	len = ((serialfile == NULL)
+		?(strlen(CAfile)+strlen(POSTFIX)+1)
+		:(strlen(serialfile)))+1;
+	buf=OPENSSL_malloc(len);
 	if (buf == NULL) { BIO_printf(bio_err,"out of mem\n"); goto end; }
 	if (serialfile == NULL)
 		{
-		strcpy(buf,CAfile);
+		BUF_strlcpy(buf,CAfile,len);
 		for (p=buf; *p; p++)
 			if (*p == '.')
 				{
 				*p='\0';
 				break;
 				}
-		strcat(buf,POSTFIX);
+		BUF_strlcat(buf,POSTFIX,len);
 		}
 	else
-		strcpy(buf,serialfile);
-	serial=BN_new();
-	bs=ASN1_INTEGER_new();
-	if ((serial == NULL) || (bs == NULL))
-		{
-		ERR_print_errors(bio_err);
-		goto end;
-		}
+		BUF_strlcpy(buf,serialfile,len);

-	io=BIO_new(BIO_s_file());
-	if (io == NULL)
-		{
-		ERR_print_errors(bio_err);
-		goto end;
-		}
-	
-	if (BIO_read_filename(io,buf) <= 0)
-		{
-		if (!create)
-			{
-			perror(buf);
-			goto end;
-			}
-		else
-			{
-			ASN1_INTEGER_set(bs,1);
-			BN_one(serial);
-			}
-		}
-	else 
-		{
-		if (!a2i_ASN1_INTEGER(io,bs,buf2,sizeof buf2))
-			{
-			BIO_printf(bio_err,"unable to load serial number from %s\n",buf);
-			ERR_print_errors(bio_err);
-			goto end;
-			}
-		else
-			{
-			serial=BN_bin2bn(bs->data,bs->length,serial);
-			if (serial == NULL)
-				{
-				BIO_printf(bio_err,"error converting bin 2 bn");
-				goto end;
-				}
-			}
-		}
+	serial = load_serial(buf, create, NULL);
+	if (serial == NULL) goto end;

 	if (!BN_add_word(serial,1))
 		{ BIO_printf(bio_err,"add_word failure\n"); goto end; }
-	if (!(bs2 = BN_to_ASN1_INTEGER(serial, NULL)))
-		{ BIO_printf(bio_err,"error converting bn 2 asn1_integer\n"); goto end; }
-	if (BIO_write_filename(io,buf) <= 0)
-		{
-		BIO_printf(bio_err,"error attempting to write serial number file\n");
-		perror(buf);
-		goto end;
-		}
-	i2a_ASN1_INTEGER(io,bs2);
-	BIO_puts(io,"\n");

-	BIO_free(io);
+	if (!save_serial(buf, NULL, serial, &bs)) goto end;
+
+ end:
 	if (buf) OPENSSL_free(buf);
-	ASN1_INTEGER_free(bs2);
 	BN_free(serial);
-	io=NULL;
 	return bs;
-
-	end:
-	if (buf) OPENSSL_free(buf);
-	BIO_free(io);
-	ASN1_INTEGER_free(bs);
-	BN_free(serial);
-	return NULL;
-
 	}

 static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
@@ -1148,10 +1105,10 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
 		goto end;
 		}
 	if (sno) bs = sno;
-	else if (!(bs = load_serial(CAfile, serialfile, create)))
+	else if (!(bs = x509_load_serial(CAfile, serialfile, create)))
 		goto end;

-	if (!X509_STORE_add_cert(ctx,x)) goto end;
+/*	if (!X509_STORE_add_cert(ctx,x)) goto end;*/

 	/* NOTE: this certificate can/should be self signed, unless it was
 	 * a certificate request in which case it is not. */
--- a/bugs/SSLv3
+++ b/bugs/SSLv3
@@ -29,7 +29,7 @@ RC4-MD5, but a re-connect tries to use DES-CBC-SHA.  So netscape, when
 doing a re-connect, always takes the first cipher in the cipher list.

 If we accept a netscape connection, demand a client cert, have a
-non-self-sighed CA which does not have it's CA in netscape, and the
+non-self-signed CA which does not have it's CA in netscape, and the
 browser has a cert, it will crash/hang.  Works for 3.x and 4.xbeta

 Netscape browsers do not really notice the server sending a
--- a/certs/eng1.pem
+++ b/certs/eng1.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID3TCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBqDELMAkGA1UEBhMCQ0Ex
+CzAJBgNVBAgTAk9OMRAwDgYDVQQHEwdUb3JvbnRvMRgwFgYDVQQKEw9CYW5rRW5n
+aW5lIEluYy4xKTAnBgNVBAsTIENlcnRpZmljYXRpb24gQXV0aG9yaXR5IERpdmlz
+aW9uMRMwEQYDVQQDEwpiYW5rZW5naW5lMSAwHgYJKoZIhvcNAQkBFhFjYUBiYW5r
+ZW5naW5lLmNvbTAeFw05ODAxMDEwMDAwMDBaFw0zODAxMTcwMDAwMDBaMIGoMQsw
+CQYDVQQGEwJDQTELMAkGA1UECBMCT04xEDAOBgNVBAcTB1Rvcm9udG8xGDAWBgNV
+BAoTD0JhbmtFbmdpbmUgSW5jLjEpMCcGA1UECxMgQ2VydGlmaWNhdGlvbiBBdXRo
+b3JpdHkgRGl2aXNpb24xEzARBgNVBAMTCmJhbmtlbmdpbmUxIDAeBgkqhkiG9w0B
+CQEWEWNhQGJhbmtlbmdpbmUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEA14LoTUAl1/hEy+Kh1kLHiBdW2zD3V4IhM7xxTVKsYsIH56nr69ATTIxU
+P36eRzeZ137qt1AxHFjDCidk3m1Ul6l59ProPexdslLLM2npM3f2cteg+toyiYiS
+EJKjyzIu1xF1j9qzGkymSY/4DsXLZNk9FaczxMk/Ooc6Os1M3AverL4VG4rYIb6f
+eR32cIKJ9Q1fGuyKk7ipq1XQfPW8a8TgZdbHbe7U9Gk3iasGMHHvpR9Ep3mGbgdT
+uQ98SBEuIwe1BUCGg/MXpVy48MNXfAMotBgGw4pl9yqSjMni2FB+E9Q9DHFs2RgX
+MqzKuo8zcPxKx2kZ6Arj8+27dw2clQIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0G
+CSqGSIb3DQEBBQUAA4IBAQBauupHX9EhpC/r57d6b5kkeWvognxIP9//TO4iw3qb
+zIXEkPXmJmwVzlzoKJWqiya+aw19SP0+G6CzsFOBo/9ehmz+hZ8bhYX4MjlWzX5u
+Tnkhz172j9fOBUmrTVPkcRIs6zjCD5PQAGoBPP1/Zdy2N36lZ0U7lg07Opirj/yJ
+PSJeM2j0fwIFAroiVckvdT0BVwB6S/cPaAQGPghbbr1YGSmYrMriSv825ILJUfxz
+rJYunGR9FiY9Ob7+jwJwiZMS4CxSPktutxr/3hOvr1+ALS7IcVakhhA3PuZAJbdH
+FRclR9qMM8aBnBZmf+Uv3K3uhT+UBzzY654U9Yi1JYnA
+-----END CERTIFICATE-----
--- a/certs/eng2.pem
+++ b/certs/eng2.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID3TCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBqDELMAkGA1UEBhMCQ0Ex
+CzAJBgNVBAgTAk9OMRAwDgYDVQQHEwdUb3JvbnRvMRgwFgYDVQQKEw9DZXJ0RW5n
+aW5lIEluYy4xKTAnBgNVBAsTIENlcnRpZmljYXRpb24gQXV0aG9yaXR5IERpdmlz
+aW9uMRMwEQYDVQQDEwpjZXJ0ZW5naW5lMSAwHgYJKoZIhvcNAQkBFhFjYUBjZXJ0
+ZW5naW5lLmNvbTAeFw05ODAxMDEwMDAwMDBaFw0zODAxMTcwMDAwMDBaMIGoMQsw
+CQYDVQQGEwJDQTELMAkGA1UECBMCT04xEDAOBgNVBAcTB1Rvcm9udG8xGDAWBgNV
+BAoTD0NlcnRFbmdpbmUgSW5jLjEpMCcGA1UECxMgQ2VydGlmaWNhdGlvbiBBdXRo
+b3JpdHkgRGl2aXNpb24xEzARBgNVBAMTCmNlcnRlbmdpbmUxIDAeBgkqhkiG9w0B
+CQEWEWNhQGNlcnRlbmdpbmUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEA7aTXURShaeVt9u/dP3Q2dVib3jTCZvEyc6yfpGgaYWewXWuP4HOSfI4h
+GZblbpl+dzJc6RjhR+pguIRtbT5FJB8SJGjRqoujBEOQOxtVtc2fjM9Dqh0iOvMW
+WS6buxHG55GVrHAQaO5HXEScKQBa9ZyNmpSXPTEBrDMej1OAGOkc524/TZrgFPF4
+AiJLLkxCcP8NuzUKlW3WzNMSSoCtjkUKy4wjSLlAWCFM0T9Df6/+Z8ZUQTzHoKCD
+ncH5Qnynd7DlOwKQ2JwwxRhYGiGVTUN0GUq7qA11kW3+vnbFesKQXoF6o2PVx9s2
+YXviI2NXXUjZ0pVnsnFCc45Pm8XojwIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0G
+CSqGSIb3DQEBBQUAA4IBAQBP/aHOKJ00Akzc9HWM1X30hlWZFBaQi4pqD4Uhk8+p
+KzzwFP5DRLBOz8TYBbtdXrS6hxVMr2sqWmhVkuyepWhHZazKGyHY/y0FbOXsewAV
+1QxxSyx7ve89pCKv4/w0rQcP916iHc8Y/TCpmz7eITa3GId+8H/XTaBi8GBp9X9O
+w8m25FmEB1NT+eJwefvfdKowjy4tSorKdW/eJspxNuTSRGmUy8G71W5dYvgpAlx6
+mdnHyzxEGvRYNNI2bS0ifXgbEFNWqSas9q34ea5KOpkJu8T/KyXfSb6rPOsBSb0t
+wMowwGtCVH2C4Lw/8zo0EjhMpTOsPaub408PrZ+NQ2bl
+-----END CERTIFICATE-----
--- a/certs/eng3.pem
+++ b/certs/eng3.pem
@@ -0,0 +1,34 @@
+-----BEGIN CERTIFICATE-----
+MIIF3TCCA8WgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBqDELMAkGA1UEBhMCQ0Ex
+CzAJBgNVBAgTAk9OMRAwDgYDVQQHEwdUb3JvbnRvMRgwFgYDVQQKEw9Gb3J0RW5n
+aW5lIEluYy4xKTAnBgNVBAsTIENlcnRpZmljYXRpb24gQXV0aG9yaXR5IERpdmlz
+aW9uMRMwEQYDVQQDEwpmb3J0ZW5naW5lMSAwHgYJKoZIhvcNAQkBFhFjYUBmb3J0
+ZW5naW5lLmNvbTAeFw05ODAxMDEwMDAwMDBaFw0zODAxMTcwMDAwMDBaMIGoMQsw
+CQYDVQQGEwJDQTELMAkGA1UECBMCT04xEDAOBgNVBAcTB1Rvcm9udG8xGDAWBgNV
+BAoTD0ZvcnRFbmdpbmUgSW5jLjEpMCcGA1UECxMgQ2VydGlmaWNhdGlvbiBBdXRo
+b3JpdHkgRGl2aXNpb24xEzARBgNVBAMTCmZvcnRlbmdpbmUxIDAeBgkqhkiG9w0B
+CQEWEWNhQGZvcnRlbmdpbmUuY29tMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIIC
+CgKCAgEAyr7GbpwDxx1v3EYbo0gcO+ligEhlDqG2e7u/AbWGoVAqc8+q6auUJUtz
+4i7oh0yNadu1o9kpXW+znkgO0zlrgjGskqqMO1ooppzTJdFy/P8gR6x1Iuv3kWtX
+OuzwPPEjv09LWlhyJsN+oU4ztTVf07I0Q9zYupcoDQ58XKRheI9KdDB2DYSmxywA
+WSLQwIeG0Qa7gvokeQlpkgkEC7viEecJ3752KXBJHnh7As51mxnlpmG6sDy67Eli
+HDw5tHETRqbtnscGBjskGQBqR5xt7+QnnthZrN8HJHDoa9zgGephwizhkL44lXLF
+YK9W5XhFbblw2c+mAcHkokRiwD7CPeIoyD2a/Jcw3n5hegKTlNhd4BFGVF6JR7gF
+OFk2QfHXit5uthsij9Xhl7WAgQUqLgggD9MphqPf4nY66OZUJV9ZsmB+Qfp8UizB
+0WAOegactKVyRqHtRa+KIEXQXNtZgjcmMk9CYkP0nIbKtgKXaH6+9VMHNOryCnFE
+7pSsuPUkypncFWCHGSeiFO3w4w4J4csltxBADQzxfRu5KZnlToQN7bVpI/Q31tVX
+E5bjrJcq6Oj/OTqZ3ID+OqbkUdAg0ggjRKcTgxnLHd/AbMzJ6PsclDDf7cLs0WSl
+xMxQR/z5bNST1rNtT9rsiv2TOhfvCBxO9AOjBioO8PLO032HTNECAwEAAaMQMA4w
+DAYDVR0TBAUwAwEB/zANBgkqhkiG9w0BAQUFAAOCAgEAVyBpPWfT2VOyvVpslGKx
+8h0+CWP8cilygGRtZJ5dAJzc//1REAHdvK+TgZ4Foz3dqHhXI+RNN0FpzuWaYMjW
+ZTS0kAmcOQuGY1Oo4PGlPHI21pNz29oFDTJr0ZmLBJ4JKVsE2soJg55jdk9MZHA7
+K//7HH9RsmrWZOE5DZDlrxp6+naixhMwnlPKKisIy9GNZUPqGdUWABMdB/BUVVNl
+NU5TtWpIXUClMd8a+eoKcItBeYXowkHOBpinPkDX3clFDIUfWiw0Ro08s8SrrFqR
+8Szwbrj52Xv1RM56oGqCjnkvJctxihODV7NcpxoAFjIZokDom0q6zPrrTUsLFQov
+Plovc3w5hmALiDMshaTvE1nm3Psn4yQ+FlRE8epTZrQiIGypZkZC6lcz0mYawueW
+cThYWGFhVG4ktQzOjjNRsNxopW+W7cF1zQTxiWUDnxIKSj7gtdQ2jiubxEEhfVag
+r8DMtAccNVTZVURpGi56TptOOuotrTqqC+2GviW4hlxvdvmuQN0OlXlUwzz2Trxc
+FamNnuA54lZw/8arLtxsFmHrcnPw53+1spumLD0S5UkxHNu40h6LIVpZz3H+0rLz
+uFofTfiyMjcfK2AyHQTgUCbsrvgNuLDQUbyFGVchdFUkhztX3DhEVnxnnrpY4BVj
+QdTqWIvw7lGlSuDCjxEQAOc=
+-----END CERTIFICATE-----
--- a/certs/eng4.pem
+++ b/certs/eng4.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID3TCCAsWgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBqDELMAkGA1UEBhMCQ0Ex
+CzAJBgNVBAgTAk9OMRAwDgYDVQQHEwdUb3JvbnRvMRgwFgYDVQQKEw9NYWlsRW5n
+aW5lIEluYy4xKTAnBgNVBAsTIENlcnRpZmljYXRpb24gQXV0aG9yaXR5IERpdmlz
+aW9uMRMwEQYDVQQDEwptYWlsZW5naW5lMSAwHgYJKoZIhvcNAQkBFhFjYUBtYWls
+ZW5naW5lLmNvbTAeFw05ODAxMDEwMDAwMDBaFw0zODAxMTcwMDAwMDBaMIGoMQsw
+CQYDVQQGEwJDQTELMAkGA1UECBMCT04xEDAOBgNVBAcTB1Rvcm9udG8xGDAWBgNV
+BAoTD01haWxFbmdpbmUgSW5jLjEpMCcGA1UECxMgQ2VydGlmaWNhdGlvbiBBdXRo
+b3JpdHkgRGl2aXNpb24xEzARBgNVBAMTCm1haWxlbmdpbmUxIDAeBgkqhkiG9w0B
+CQEWEWNhQG1haWxlbmdpbmUuY29tMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIB
+CgKCAQEAqXmfsU+lx+NFmn6tN17RTOyaddHqLnr/3rzEDIyT9TN+tF9TG7jmK7lJ
+Jrj5arQ3nTFaLF8JuND2U1z/cLPw6/TX+1tE3v3CNUDSjaisyUDiUyp3TE8hMMMz
+zfZQn0JsGgNhhWxqyzjhRQGtKL4+xtn8VsF/8zGgZYke7nlmVKz/FslDFTnNoodL
+BAEGiu9JQS9qqpbSs20NdZ6LXPL2A4iTjnsNFBW3jIMVIn/JVVyaycU7ue2oFviD
+vLNpkVZcR7A+jjIdIumOc5VSF0y7y74cQC5YwkR2mLK7UBYDK6NCY3ta/C4M8NsM
+0FpmvRl0+A1ivZtVwqI98dxDtp7HeQIDAQABoxAwDjAMBgNVHRMEBTADAQH/MA0G
+CSqGSIb3DQEBBQUAA4IBAQAjfNn5BCzxylBDakFQGWKE/P43PRibMOEzfd7+DzbY
+WIekoz3i00DwoH3b6j4gwlDJRAOq4dF6/Pt/uBOHDo/op+ef+9ErmKPd+ehXN9h3
+7QbccTgz7DtVwA4iRlDRLru+JuXzT+OsCHuFZMOLJ+KD2JAGh3W68JjdcLkrlcpt
+AU0wc5aOHPPfEBdIah8y8QtNzXRVzoBt8zzvgCARkXxTS2u/9QaXR1hML0JtDgQS
+SdZ6Kd8SN6yzqxD+buYD5sOfJmjBF/n3lqFHNMHnnGXy2TAXZtIAWzffU3A0cGPB
+N6FZ026a86HbF1X4k+xszhbJu/ikczyuWnCJIg3fTYSD
+-----END CERTIFICATE-----
--- a/certs/eng5.pem
+++ b/certs/eng5.pem
@@ -0,0 +1,23 @@
+-----BEGIN CERTIFICATE-----
+MIID6TCCAtGgAwIBAgIBADANBgkqhkiG9w0BAQUFADCBrjELMAkGA1UEBhMCQ0Ex
+CzAJBgNVBAgTAk9OMRAwDgYDVQQHEwdUb3JvbnRvMRowGAYDVQQKExFUcmFkZXJF
+bmdpbmUgSW5jLjEpMCcGA1UECxMgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkgRGl2
+aXNpb24xFTATBgNVBAMTDHRyYWRlcmVuZ2luZTEiMCAGCSqGSIb3DQEJARYTY2FA
+dHJhZGVyZW5naW5lLmNvbTAeFw05ODAxMDEwMDAwMDBaFw0zODAxMTcwMDAwMDBa
+MIGuMQswCQYDVQQGEwJDQTELMAkGA1UECBMCT04xEDAOBgNVBAcTB1Rvcm9udG8x
+GjAYBgNVBAoTEVRyYWRlckVuZ2luZSBJbmMuMSkwJwYDVQQLEyBDZXJ0aWZpY2F0
+aW9uIEF1dGhvcml0eSBEaXZpc2lvbjEVMBMGA1UEAxMMdHJhZGVyZW5naW5lMSIw
+IAYJKoZIhvcNAQkBFhNjYUB0cmFkZXJlbmdpbmUuY29tMIIBIjANBgkqhkiG9w0B
+AQEFAAOCAQ8AMIIBCgKCAQEAzyX5QE+5SN+zgNn1v3zp9HmP4hQOWW8WuEVItZVP
+9bt/xj5NeJd1kyPL/SqnF2qHcL3o/74r0Ga55aKHniwKYgQTlp5ELGfQ568QQeN9
+xNIHtUXeStI9zCNZyZC+4YqObdMR/ivKA/WsLfUVMl2lV5JzJJz1BOE0gKEYiEyz
+gIq5oLzkP/mOXoHRvWSZD2D0eHYIO7ovV2epVFK7g7p+dC4QoeIUEli+GF/Myg88
+dV/qmi+Sybck2RLPXa8Nh27/ETVQ7kE1Eafmx7EyCqIhG+5lwJAy3HwHUBwAYuzj
+iuZz5lD8aQmr8SKuvy3eOH9SVN5wh3YBlrNGwTStkESVLwIDAQABoxAwDjAMBgNV
+HRMEBTADAQH/MA0GCSqGSIb3DQEBBQUAA4IBAQAWOPAUhZd3x9EQiFJcuxFTMd9q
+axgcriCzJsM6D96sYGko9xTeLhX/lr1bliVYI5AlupoLXAdMzGHJkOgaTirKjQXr
+F9nymDdUWKe3TmwGob5016nQlH7qRKvGO3hka0rOGRK2U/2JT/4Qp8iH/DFi6cyM
+uP0q8n64SAkxZXLzUuFQXqf7U/SNjzb9XJQEIAdjp7eYd3Qb4jDsDcX0FrKMF1aV
+r0dCDnS7am7WTXPYCDGdSkPgEHEtLYIYH3lZp5sKdVZ9wl4F0WNFkRWRUr7AXPjw
+50uLmUNmKCd8JZLMGA1TRNSTi7U9EcrWt0OkMWm74T2WVnAgNsDv2WrWsGfj
+-----END CERTIFICATE-----
--- a/certs/expired/vsign3.pem
+++ b/certs/expired/vsign3.pem
@@ -0,0 +1,18 @@
+subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
+notBefore=Jan 29 00:00:00 1996 GMT
+notAfter=Jan  7 23:59:59 2004 GMT
+-----BEGIN CERTIFICATE-----
+MIICPTCCAaYCEQDknv3zOugOz6URPhmkJAIyMA0GCSqGSIb3DQEBAgUAMF8xCzAJ
+BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xh
+c3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05
+NjAxMjkwMDAwMDBaFw0wNDAxMDcyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYD
+VQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMgUHJp
+bWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOB
+jQAwgYkCgYEAyVxZnvIbigEUtBDfBEDb41evakVAj4QMC9Ez2dkRz+4CWB8l9yqo
+RAWq7AMfeH+ek7maAKojfdashaJjRcdyJ8z0TMZ1cdI5709C8HXfCpDGjiBvmA/4
+rCNfcCk2pMmG57GaIMtTpYXnPb59mv4kRTPcdhXtD6JxZExlLoFoRacCAwEAATAN
+BgkqhkiG9w0BAQIFAAOBgQBhcOwvP579K+ZoVCGwZ3kIDCCWMYoNer62Jt95LCJp
+STbjl3diYaIy13pUITa6Ask05yXaRDWw0lyAXbOU+Pms7qRgdSoflUkjsUp89LNH
+ciFbfperVKxi513srpvSybIk+4Kt6WcVS7qqpvCXoPawl1cAyAw8CaCCBLpB2veZ
+pA==
+-----END CERTIFICATE-----
--- a/certs/vsign3.pem
+++ b/certs/vsign3.pem
@@ -1,18 +1,17 @@
 subject=/C=US/O=VeriSign, Inc./OU=Class 3 Public Primary Certification Authority
 notBefore=Jan 29 00:00:00 1996 GMT
-notAfter=Jan  7 23:59:59 2004 GMT
+notAfter=Aug  1 23:59:59 2028 GMT
 -----BEGIN CERTIFICATE-----
-MIICPTCCAaYCEQDknv3zOugOz6URPhmkJAIyMA0GCSqGSIb3DQEBAgUAMF8xCzAJ
-BgNVBAYTAlVTMRcwFQYDVQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xh
-c3MgMyBQdWJsaWMgUHJpbWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTAeFw05
-NjAxMjkwMDAwMDBaFw0wNDAxMDcyMzU5NTlaMF8xCzAJBgNVBAYTAlVTMRcwFQYD
-VQQKEw5WZXJpU2lnbiwgSW5jLjE3MDUGA1UECxMuQ2xhc3MgMyBQdWJsaWMgUHJp
-bWFyeSBDZXJ0aWZpY2F0aW9uIEF1dGhvcml0eTCBnzANBgkqhkiG9w0BAQEFAAOB
-jQAwgYkCgYEAyVxZnvIbigEUtBDfBEDb41evakVAj4QMC9Ez2dkRz+4CWB8l9yqo
-RAWq7AMfeH+ek7maAKojfdashaJjRcdyJ8z0TMZ1cdI5709C8HXfCpDGjiBvmA/4
-rCNfcCk2pMmG57GaIMtTpYXnPb59mv4kRTPcdhXtD6JxZExlLoFoRacCAwEAATAN
-BgkqhkiG9w0BAQIFAAOBgQBhcOwvP579K+ZoVCGwZ3kIDCCWMYoNer62Jt95LCJp
-STbjl3diYaIy13pUITa6Ask05yXaRDWw0lyAXbOU+Pms7qRgdSoflUkjsUp89LNH
-ciFbfperVKxi513srpvSybIk+4Kt6WcVS7qqpvCXoPawl1cAyAw8CaCCBLpB2veZ
-pA==
+MIICPDCCAaUCEHC65B0Q2Sk0tjjKewPMur8wDQYJKoZIhvcNAQECBQAwXzELMAkG
+A1UEBhMCVVMxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFz
+cyAzIFB1YmxpYyBQcmltYXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MB4XDTk2
+MDEyOTAwMDAwMFoXDTI4MDgwMTIzNTk1OVowXzELMAkGA1UEBhMCVVMxFzAVBgNV
+BAoTDlZlcmlTaWduLCBJbmMuMTcwNQYDVQQLEy5DbGFzcyAzIFB1YmxpYyBQcmlt
+YXJ5IENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIGfMA0GCSqGSIb3DQEBAQUAA4GN
+ADCBiQKBgQDJXFme8huKARS0EN8EQNvjV69qRUCPhAwL0TPZ2RHP7gJYHyX3KqhE
+BarsAx94f56TuZoAqiN91qyFomNFx3InzPRMxnVx0jnvT0Lwdd8KkMaOIG+YD/is
+I19wKTakyYbnsZogy1Olhec9vn2a/iRFM9x2Fe0PonFkTGUugWhFpwIDAQABMA0G
+CSqGSIb3DQEBAgUAA4GBALtMEivPLCYATxQT3ab7/AoRhIzzKBxnki98tsX63/Do
+lbwdj2wsqFHMc9ikwFPwTtYmwHYBV4GSXiHx0bH/59AhWM1pF+NEHJwZRDmJXNyc
+AA9WjQKZ7aKQRUzkuxCkPfAyAw7xzvjoyVGM5mKf5p/AfbdynMk2OmufTqj/ZA1k
 -----END CERTIFICATE-----
--- a/44
+++ b/44
@@ -23,6 +23,7 @@
 PREFIX=""
 SUFFIX=""
 TEST="false"
+EXE=""

 # pick up any command line args to config
 for i
@@ -134,7 +135,7 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
 	HPUXVER=`echo ${RELEASE}|sed -e 's/[^.]*.[0B]*//'`
 	case "$HPUXVER" in
 	    1[0-9].*)	# HPUX 10 and 11 targets are unified
-		echo "${MACHINE}-hp-hpux10"; exit 0
+		echo "${MACHINE}-hp-hpux1x"; exit 0
 		;;
 	    *)
 		echo "${MACHINE}-hp-hpux"; exit 0
@@ -288,6 +289,14 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
 	echo "${MACHINE}-whatever-sysv4"; exit 0
 	;;

+    VOS:*:*:i786)
+     echo "i386-stratus-vos"; exit 0
+     ;;
+
+    VOS:*:*:*)
+     echo "hppa1.1-stratus-vos"; exit 0
+     ;;
+
    *:4*:R4*:m88k)
 	echo "${MACHINE}-whatever-sysv4"; exit 0
 	;;
@@ -410,9 +419,10 @@ if [ "$SYSTEM" = "HP-UX" ];then
  GCC_BITS="32"
  if [ $GCCVER -ge 30 ]; then
    # PA64 support only came in with gcc 3.0.x.
-    # We look for the preprocessor symbol __LP64__ indicating
-    # 64bit bit long and pointer.  sizeof(int) == 32 on HPUX64.
-    if gcc -v -E -x c /dev/null 2>&1 | grep __LP64__ > /dev/null; then
+    # We check if the preprocessor symbol __LP64__ is defined...
+    if echo "__LP64__" | gcc -v -E -x c - 2>/dev/null | grep "^__LP64__" 2>&1 > /dev/null; then
+      : # __LP64__ has slipped through, it therefore is not defined
+    else
      GCC_BITS="64"
    fi
  fi
@@ -458,7 +468,7 @@ if [ "${SYSTEM}-${MACHINE}" = "Linux-alpha" ]; then
 fi

 if [ "${SYSTEM}" = "AIX" ]; then	# favor vendor cc over gcc
-    (cc) 2>&1 | grep -iv "command not found" > /dev/null && CC=cc
+    (cc) 2>&1 | grep -iv "not found" > /dev/null && CC=cc
 fi

 CCVER=${CCVER:-0}
@@ -473,7 +483,7 @@ echo Operating system: $GUESSOS
 # more time that I want to waste at the moment
 case "$GUESSOS" in
  mips2-sgi-irix)
-	CPU=`(hinv -t cpu) 2>/dev/null | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
+	CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
 	CPU=${CPU:-0}
 	if [ $CPU -ge 4000 ]; then
 		options="$options -mips2"
@@ -481,7 +491,7 @@ case "$GUESSOS" in
 	OUT="irix-$CC"
 	;;
  mips3-sgi-irix)
-	CPU=`(hinv -t cpu) 2>/dev/null | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
+	CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
 	CPU=${CPU:-0}
 	if [ $CPU -ge 5000 ]; then
 		options="$options -mips4"
@@ -497,7 +507,7 @@ case "$GUESSOS" in
 	  echo "         You have about 5 seconds to press Ctrl-C to abort."
 	  (stty -icanon min 0 time 50; read waste) < /dev/tty
 	fi
-        CPU=`(hinv -t cpu) 2>/dev/null | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
+        CPU=`(hinv -t cpu) 2>/dev/null | head -1 | sed 's/^CPU:[^R]*R\([0-9]*\).*/\1/'`
        CPU=${CPU:-0}
        if [ $CPU -ge 5000 ]; then
                options="$options -mips4"
@@ -678,6 +688,10 @@ EOF
  *-*-UnixWare21*) OUT="unixware-2.1" ;;
  *-*-Unixware20*) OUT="unixware-2.0" ;;
  *-*-Unixware21*) OUT="unixware-2.1" ;;
+  *-*-vos)
+	options="$options no-threads no-shared no-asm no-dso"
+	EXE=".pm"
+	OUT="vos-$CC" ;;
  BS2000-siemens-sysv4) OUT="BS2000-OSD" ;;
  RM*-siemens-sysv4) OUT="ReliantUNIX" ;;
  *-siemens-sysv4) OUT="SINIX" ;;
@@ -685,7 +699,7 @@ EOF
 	if [ $CC = "gcc" ];
 	then
 	  if [ $GCC_BITS = "64" ]; then
-	    OUT="hpux64-parisc-gcc"
+	    OUT="hpux64-parisc2-gcc"
 	  else
 	    OUT="hpux-parisc-gcc"
 	  fi
@@ -700,7 +714,7 @@ EOF
 	if   [ $CPU_VERSION -ge 768 ]; then	# IA-64 CPU
 	     echo "WARNING! 64-bit ABI is the default configured ABI on HP-UXi."
 	     echo "         If you wish to build 32-bit library, the you have to"
-	     echo "         invoke './Configure hpux-ia32-cc' *manually*."
+	     echo "         invoke './Configure hpux-ia64-cc' *manually*."
 	     if [ "$TEST" = "false" ]; then
 		echo "         You have about 5 seconds to press Ctrl-C to abort."
 		(stty -icanon min 0 time 50; read waste) < /dev/tty
@@ -805,8 +819,8 @@ fi

 if [ ".$PERL" = . ] ; then
 	for i in . `echo $PATH | sed 's/:/ /g'`; do
-		if [ -f "$i/perl5" ] ; then
-			PERL="$i/perl5"
+		if [ -f "$i/perl5$EXE" ] ; then
+			PERL="$i/perl5$EXE"
 			break;
 		fi;
 	done
@@ -814,9 +828,9 @@ fi

 if [ ".$PERL" = . ] ; then
 	for i in . `echo $PATH | sed 's/:/ /g'`; do
-		if [ -f "$i/perl" ] ; then
-			if "$i/perl" -e 'exit($]<5.0)'; then
-				PERL="$i/perl"
+		if [ -f "$i/perl$EXE" ] ; then
+			if "$i/perl$EXE" -e 'exit($]<5.0)'; then
+				PERL="$i/perl$EXE"
 				break;
 			fi;
 		fi;
--- a/crypto/Makefile.ssl
+++ b/crypto/Makefile.ssl
@@ -11,10 +11,9 @@ CFLAG=		-g
 INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=	/usr/local/ssl
-MAKE=           make -f Makefile.ssl
 MAKEDEPPROG=	makedepend
 MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
-MAKEFILE=       Makefile.ssl
+MAKEFILE=       Makefile
 RM=             rm -f
 AR=		ar r

@@ -36,25 +35,25 @@ GENERAL=Makefile README crypto-lib.com install.com

 LIB= $(TOP)/libcrypto.a
 SHARED_LIB= libcrypto$(SHLIB_EXT)
-LIBSRC=	cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c o_time.c
-LIBOBJ= cryptlib.o mem.o mem_clr.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o o_time.o
+LIBSRC=	cryptlib.c mem.c mem_clr.c mem_dbg.c cversion.c ex_data.c tmdiff.c cpt_err.c ebcdic.c uid.c o_time.c o_str.c
+LIBOBJ= cryptlib.o mem.o mem_clr.o mem_dbg.o cversion.o ex_data.o tmdiff.o cpt_err.o ebcdic.o uid.o o_time.o o_str.o

 SRC= $(LIBSRC)

 EXHEADER= crypto.h tmdiff.h opensslv.h opensslconf.h ebcdic.h symhacks.h \
 	ossl_typ.h
-HEADER=	cryptlib.h buildinf.h md32_common.h o_time.h $(EXHEADER)
+HEADER=	cryptlib.h buildinf.h md32_common.h o_time.h o_str.h $(EXHEADER)

 ALL=    $(GENERAL) $(SRC) $(HEADER)

 top:
 	@(cd ..; $(MAKE) DIRS=$(DIR) all)

-all: buildinf.h lib subdirs shared
+all: shared

-buildinf.h: ../Makefile.ssl
+buildinf.h: ../Makefile
 	( echo "#ifndef MK1MF_BUILD"; \
-	echo '  /* auto-generated by crypto/Makefile.ssl for crypto/cversion.c */'; \
+	echo '  /* auto-generated by crypto/Makefile for crypto/cversion.c */'; \
 	echo '  #define CFLAGS "$(CC) $(CFLAG)"'; \
 	echo '  #define PLATFORM "$(PLATFORM)"'; \
 	echo "  #define DATE \"`LC_ALL=C LC_TIME=C date`\""; \
@@ -73,7 +72,7 @@ subdirs:
 	done;

 files:
-	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
 	@for i in $(SDIRS) ;\
 	do \
 	(cd $$i && echo "making 'files' in crypto/$$i..." && \
@@ -81,11 +80,9 @@ files:
 	done;

 links:
-	@$(TOP)/util/point.sh Makefile.ssl Makefile
 	@$(PERL) $(TOP)/util/mklink.pl ../include/openssl $(EXHEADER)
 	@$(PERL) $(TOP)/util/mklink.pl ../test $(TEST)
 	@$(PERL) $(TOP)/util/mklink.pl ../apps $(APPS)
-	@$(TOP)/util/point.sh Makefile.ssl Makefile
 	@for i in $(SDIRS); do \
 	(cd $$i && echo "making links in crypto/$$i..." && \
 	$(MAKE) CC='$(CC)' INCLUDES='${INCLUDES}' CFLAG='${CFLAG}' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' AR='${AR}' PERL='${PERL}' links ); \
@@ -96,7 +93,7 @@ lib:	$(LIBOBJ)
 	$(RANLIB) $(LIB) || echo Never mind.
 	@touch lib

-shared:
+shared: buildinf.h lib subdirs
 	if [ -n "$(SHARED_LIBS)" ]; then \
 		(cd ..; $(MAKE) $(SHARED_LIB)); \
 	fi
@@ -203,6 +200,8 @@ mem_dbg.o: ../include/openssl/err.h ../include/openssl/lhash.h
 mem_dbg.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
 mem_dbg.o: ../include/openssl/safestack.h ../include/openssl/stack.h
 mem_dbg.o: ../include/openssl/symhacks.h cryptlib.h mem_dbg.c
+o_str.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h o_str.c
+o_str.o: o_str.h
 o_time.o: ../include/openssl/e_os2.h ../include/openssl/opensslconf.h o_time.c
 o_time.o: o_time.h
 tmdiff.o: ../e_os.h ../include/openssl/bio.h ../include/openssl/buffer.h
--- a/crypto/aes/Makefile.ssl
+++ b/crypto/aes/Makefile.ssl
@@ -11,10 +11,9 @@ CFLAG=-g
 INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=	/usr/local/ssl
-MAKE=		make -f Makefile.ssl
 MAKEDEPPROG=	makedepend
 MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
-MAKEFILE=	Makefile.ssl
+MAKEFILE=	Makefile
 AR=		ar r

 # CFLAGS= -mpentiumpro $(INCLUDES) $(CFLAG) -O3 -fexpensive-optimizations -funroll-loops -fforce-addr
@@ -49,10 +48,9 @@ lib:	$(LIBOBJ)
 $(LIBOBJ): $(LIBSRC)

 files:
-	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO

 links:
-	@$(TOP)/util/point.sh Makefile.ssl Makefile
 	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
 	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
@@ -91,7 +89,8 @@ aes_cbc.o: ../../include/openssl/opensslconf.h aes_cbc.c aes_locl.h
 aes_cfb.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
 aes_cfb.o: ../../include/openssl/opensslconf.h aes_cfb.c aes_locl.h
 aes_core.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
-aes_core.o: ../../include/openssl/opensslconf.h aes_core.c aes_locl.h
+aes_core.o: ../../include/openssl/fips.h ../../include/openssl/opensslconf.h
+aes_core.o: aes_core.c aes_locl.h
 aes_ctr.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
 aes_ctr.o: ../../include/openssl/opensslconf.h aes_ctr.c aes_locl.h
 aes_ecb.o: ../../include/openssl/aes.h ../../include/openssl/e_os2.h
--- a/crypto/aes/aes.h
+++ b/crypto/aes/aes.h
@@ -52,6 +52,8 @@
 #ifndef HEADER_AES_H
 #define HEADER_AES_H

+#include <openssl/e_os2.h>
+
 #ifdef OPENSSL_NO_AES
 #error AES is disabled.
 #endif
@@ -64,6 +66,10 @@
 #define AES_MAXNR 14
 #define AES_BLOCK_SIZE 16

+#if defined(OPENSSL_FIPS)
+#define FIPS_AES_SIZE_T	int
+#endif
+
 #ifdef  __cplusplus
 extern "C" {
 #endif
@@ -95,12 +101,21 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
 void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out,
 	const unsigned long length, const AES_KEY *key,
 	unsigned char *ivec, int *num, const int enc);
+void AES_cfb1_encrypt(const unsigned char *in, unsigned char *out,
+	const unsigned long length, const AES_KEY *key,
+	unsigned char *ivec, int *num, const int enc);
+void AES_cfb8_encrypt(const unsigned char *in, unsigned char *out,
+	const unsigned long length, const AES_KEY *key,
+	unsigned char *ivec, int *num, const int enc);
+void AES_cfbr_encrypt_block(const unsigned char *in,unsigned char *out,
+			    const int nbits,const AES_KEY *key,
+			    unsigned char *ivec,const int enc);
 void AES_ofb128_encrypt(const unsigned char *in, unsigned char *out,
 	const unsigned long length, const AES_KEY *key,
 	unsigned char *ivec, int *num);
 void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
 	const unsigned long length, const AES_KEY *key,
-	unsigned char counter[AES_BLOCK_SIZE],
+	unsigned char ivec[AES_BLOCK_SIZE],
 	unsigned char ecount_buf[AES_BLOCK_SIZE],
 	unsigned int *num);

--- a/crypto/aes/aes_cbc.c
+++ b/crypto/aes/aes_cbc.c
@@ -72,7 +72,7 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,

 	if (AES_ENCRYPT == enc) {
 		while (len >= AES_BLOCK_SIZE) {
-			for(n=0; n < sizeof tmp; ++n)
+			for(n=0; n < AES_BLOCK_SIZE; ++n)
 				tmp[n] = in[n] ^ ivec[n];
 			AES_encrypt(tmp, out, key);
 			memcpy(ivec, out, AES_BLOCK_SIZE);
@@ -86,12 +86,12 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
 			for(n=len; n < AES_BLOCK_SIZE; ++n)
 				tmp[n] = ivec[n];
 			AES_encrypt(tmp, tmp, key);
-			memcpy(out, tmp, len);
-			memcpy(ivec, tmp, sizeof tmp);
+			memcpy(out, tmp, AES_BLOCK_SIZE);
+			memcpy(ivec, tmp, AES_BLOCK_SIZE);
 		}			
 	} else {
 		while (len >= AES_BLOCK_SIZE) {
-			memcpy(tmp, in, sizeof tmp);
+			memcpy(tmp, in, AES_BLOCK_SIZE);
 			AES_decrypt(in, out, key);
 			for(n=0; n < AES_BLOCK_SIZE; ++n)
 				out[n] ^= ivec[n];
@@ -101,11 +101,11 @@ void AES_cbc_encrypt(const unsigned char *in, unsigned char *out,
 			out += AES_BLOCK_SIZE;
 		}
 		if (len) {
-			memcpy(tmp, in, sizeof tmp);
+			memcpy(tmp, in, AES_BLOCK_SIZE);
 			AES_decrypt(tmp, tmp, key);
 			for(n=0; n < len; ++n)
-				out[n] ^= ivec[n];
-			memcpy(ivec, tmp, sizeof tmp);
+				out[n] = tmp[n] ^ ivec[n];
+			memcpy(ivec, tmp, AES_BLOCK_SIZE);
 		}			
 	}
 }
--- a/crypto/aes/aes_cfb.c
+++ b/crypto/aes/aes_cfb.c
@@ -155,3 +155,96 @@ void AES_cfb128_encrypt(const unsigned char *in, unsigned char *out,
 	*num=n;
 }

+/* This expects a single block of size nbits for both in and out. Note that
+   it corrupts any extra bits in the last byte of out */
+/* Untested, once it is working, it will be optimised */
+void AES_cfbr_encrypt_block(const unsigned char *in,unsigned char *out,
+			    const int nbits,const AES_KEY *key,
+			    unsigned char *ivec,const int enc)
+    {
+    int n;
+    unsigned char ovec[AES_BLOCK_SIZE*2];
+
+    assert(in && out && key && ivec);
+    if(enc)
+	{
+	/* construct the new IV */
+	AES_encrypt(ivec,ovec,key);
+	/* encrypt the input */
+	for(n=0 ; n < (nbits+7)/8 ; ++n)
+	    out[n]=in[n]^ovec[n];
+	/* fill in the first half of the new IV with the current IV */
+	memcpy(ovec,ivec,AES_BLOCK_SIZE);
+	/* and put the ciphertext in the second half */
+	memcpy(ovec+AES_BLOCK_SIZE,out,(nbits+7)/8);
+	/* shift ovec left most of the bits... */
+	memmove(ovec,ovec+nbits/8,AES_BLOCK_SIZE+(nbits%8 ? 1 : 0));
+	/* now the remaining bits */
+	if(nbits%8 != 0)
+	    for(n=0 ; n < AES_BLOCK_SIZE ; ++n)
+		{
+		ovec[n]<<=nbits%8;
+		ovec[n]|=ovec[n+1]>>(8-nbits%8);
+		}
+	/* finally, move it back into place */
+	memcpy(ivec,ovec,AES_BLOCK_SIZE);
+	}
+    else
+	{
+	/* construct the new IV in the first half of ovec */
+	AES_encrypt(ivec,ovec,key);
+	/* decrypt the input */
+	for(n=0 ; n < (nbits+7)/8 ; ++n)
+	    out[n]=in[n]^ovec[n];
+	/* fill in the first half of the new IV with the current IV */
+	memcpy(ovec,ivec,AES_BLOCK_SIZE);
+	/* append the ciphertext */
+	memcpy(ovec+AES_BLOCK_SIZE,in,(nbits+7)/8);
+	/* shift ovec left most of the bits... */
+	memmove(ovec,ovec+nbits/8,AES_BLOCK_SIZE+(nbits%8 ? 1 : 0));
+	/* now the remaining bits */
+	if(nbits%8 != 0)
+	    for(n=0 ; n < AES_BLOCK_SIZE ; ++n)
+		{
+		ovec[n]<<=nbits%8;
+		ovec[n]|=ovec[n+1]>>(8-nbits%8);
+		}
+	/* finally, move it back into place */
+	memcpy(ivec,ovec,AES_BLOCK_SIZE);
+	}
+    /* it is not necessary to cleanse ovec, since the IV is not secret */
+    }
+
+/* N.B. This expects the input to be packed, MS bit first */
+void AES_cfb1_encrypt(const unsigned char *in, unsigned char *out,
+		      const unsigned long length, const AES_KEY *key,
+		      unsigned char *ivec, int *num, const int enc)
+    {
+    unsigned int n;
+    unsigned char c[1],d[1];
+
+    assert(in && out && key && ivec && num);
+    assert(*num == 0);
+
+    memset(out,0,(length+7)/8);
+    for(n=0 ; n < length ; ++n)
+	{
+	c[0]=(in[n/8]&(1 << (7-n%8))) ? 0x80 : 0;
+	AES_cfbr_encrypt_block(c,d,1,key,ivec,enc);
+	out[n/8]=(out[n/8]&~(1 << (7-n%8)))|((d[0]&0x80) >> (n%8));
+	}
+    }
+
+void AES_cfb8_encrypt(const unsigned char *in, unsigned char *out,
+		      const unsigned long length, const AES_KEY *key,
+		      unsigned char *ivec, int *num, const int enc)
+    {
+    unsigned int n;
+
+    assert(in && out && key && ivec && num);
+    assert(*num == 0);
+
+    for(n=0 ; n < length ; ++n)
+	AES_cfbr_encrypt_block(&in[n],&out[n],8,key,ivec,enc);
+    }
+
--- a/crypto/aes/aes_core.c
+++ b/crypto/aes/aes_core.c
@@ -37,8 +37,11 @@

 #include <stdlib.h>
 #include <openssl/aes.h>
+#include <openssl/fips.h>
 #include "aes_locl.h"

+#ifndef OPENSSL_FIPS
+
 /*
 Te0[x] = S [x].[02, 01, 01, 03];
 Te1[x] = S [x].[03, 02, 01, 01];
@@ -1255,3 +1258,4 @@ void AES_decrypt(const unsigned char *in, unsigned char *out,
 	PUTU32(out + 12, s3);
 }

+#endif /* ndef OPENSSL_FIPS */
--- a/crypto/aes/aes_ctr.c
+++ b/crypto/aes/aes_ctr.c
@@ -59,39 +59,44 @@
 #include <openssl/aes.h>
 #include "aes_locl.h"

-/* NOTE: CTR mode is big-endian.  The rest of the AES code
+/* NOTE: the IV/counter CTR mode is big-endian.  The rest of the AES code
 * is endian-neutral. */

-/* increment counter (128-bit int) by 2^64 */
+/* increment counter (128-bit int) by 1 */
 static void AES_ctr128_inc(unsigned char *counter) {
 	unsigned long c;

-	/* Grab 3rd dword of counter and increment */
-#ifdef L_ENDIAN
-	c = GETU32(counter + 8);
-	c++;
-	PUTU32(counter + 8, c);
-#else
-	c = GETU32(counter + 4);
-	c++;
-	PUTU32(counter + 4, c);
-#endif
+	/* Grab bottom dword of counter and increment */
+	c = GETU32(counter + 12);
+	c++;	c &= 0xFFFFFFFF;
+	PUTU32(counter + 12, c);
+
+	/* if no overflow, we're done */
+	if (c)
+		return;
+
+	/* Grab 1st dword of counter and increment */
+	c = GETU32(counter +  8);
+	c++;	c &= 0xFFFFFFFF;
+	PUTU32(counter +  8, c);
+
+	/* if no overflow, we're done */
+	if (c)
+		return;
+
+	/* Grab 2nd dword of counter and increment */
+	c = GETU32(counter +  4);
+	c++;	c &= 0xFFFFFFFF;
+	PUTU32(counter +  4, c);

 	/* if no overflow, we're done */
 	if (c)
 		return;

 	/* Grab top dword of counter and increment */
-#ifdef L_ENDIAN
-	c = GETU32(counter + 12);
-	c++;
-	PUTU32(counter + 12, c);
-#else
 	c = GETU32(counter +  0);
-	c++;
+	c++;	c &= 0xFFFFFFFF;
 	PUTU32(counter +  0, c);
-#endif
-
 }

 /* The input encrypted as though 128bit counter mode is being
@@ -100,10 +105,16 @@ static void AES_ctr128_inc(unsigned char *counter) {
 * encrypted counter is kept in ecount_buf.  Both *num and
 * ecount_buf must be initialised with zeros before the first
 * call to AES_ctr128_encrypt().
+ *
+ * This algorithm assumes that the counter is in the x lower bits
+ * of the IV (ivec), and that the application has full control over
+ * overflow and the rest of the IV.  This implementation takes NO
+ * responsability for checking that the counter doesn't overflow
+ * into the rest of the IV when incremented.
 */
 void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,
 	const unsigned long length, const AES_KEY *key,
-	unsigned char counter[AES_BLOCK_SIZE],
+	unsigned char ivec[AES_BLOCK_SIZE],
 	unsigned char ecount_buf[AES_BLOCK_SIZE],
 	unsigned int *num) {

@@ -117,8 +128,8 @@ void AES_ctr128_encrypt(const unsigned char *in, unsigned char *out,

 	while (l--) {
 		if (n == 0) {
-			AES_encrypt(counter, ecount_buf, key);
-			AES_ctr128_inc(counter);
+			AES_encrypt(ivec, ecount_buf, key);
+ 			AES_ctr128_inc(ivec);
 		}
 		*(out++) = *(in++) ^ ecount_buf[n];
 		n = (n+1) % AES_BLOCK_SIZE;
--- a/crypto/aes/aes_locl.h
+++ b/crypto/aes/aes_locl.h
@@ -62,7 +62,7 @@
 #include <stdlib.h>
 #include <string.h>

-#if defined(_MSC_VER) && !defined(OPENSSL_SYS_WINCE)
+#if defined(_MSC_VER) && !defined(_M_IA64) && !defined(OPENSSL_SYS_WINCE)
 # define SWAP(x) (_lrotl(x, 8) & 0x00ff00ff | _lrotr(x, 8) & 0xff00ff00)
 # define GETU32(p) SWAP(*((u32 *)(p)))
 # define PUTU32(ct, st) { *((u32 *)(ct)) = SWAP((st)); }
--- a/crypto/asn1/Makefile.ssl
+++ b/crypto/asn1/Makefile.ssl
@@ -10,10 +10,9 @@ CFLAG=-g
 INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
-MAKE=		make -f Makefile.ssl
 MAKEDEPPROG=	makedepend
 MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
-MAKEFILE=	Makefile.ssl
+MAKEFILE=	Makefile
 AR=		ar r

 CFLAGS= $(INCLUDES) $(CFLAG)
@@ -74,10 +73,9 @@ lib:	$(LIBOBJ)
 	@touch lib

 files:
-	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO

 links:
-	@$(TOP)/util/point.sh Makefile.ssl Makefile
 	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
 	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
--- a/crypto/asn1/a_gentm.c
+++ b/crypto/asn1/a_gentm.c
@@ -208,6 +208,7 @@ ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s,
 	char *p;
 	struct tm *ts;
 	struct tm data;
+	size_t len = 20; 

 	if (s == NULL)
 		s=M_ASN1_GENERALIZEDTIME_new();
@@ -219,17 +220,17 @@ ASN1_GENERALIZEDTIME *ASN1_GENERALIZEDTIME_set(ASN1_GENERALIZEDTIME *s,
 		return(NULL);

 	p=(char *)s->data;
-	if ((p == NULL) || (s->length < 16))
+	if ((p == NULL) || ((size_t)s->length < len))
 		{
-		p=OPENSSL_malloc(20);
+		p=OPENSSL_malloc(len);
 		if (p == NULL) return(NULL);
 		if (s->data != NULL)
 			OPENSSL_free(s->data);
 		s->data=(unsigned char *)p;
 		}

-	sprintf(p,"%04d%02d%02d%02d%02d%02dZ",ts->tm_year + 1900,
-		ts->tm_mon+1,ts->tm_mday,ts->tm_hour,ts->tm_min,ts->tm_sec);
+	BIO_snprintf(p,len,"%04d%02d%02d%02d%02d%02dZ",ts->tm_year + 1900,
+		     ts->tm_mon+1,ts->tm_mday,ts->tm_hour,ts->tm_min,ts->tm_sec);
 	s->length=strlen(p);
 	s->type=V_ASN1_GENERALIZEDTIME;
 #ifdef CHARSET_EBCDIC_not
--- a/crypto/asn1/a_int.c
+++ b/crypto/asn1/a_int.c
@@ -64,7 +64,26 @@ ASN1_INTEGER *ASN1_INTEGER_dup(ASN1_INTEGER *x)
 { return M_ASN1_INTEGER_dup(x);}

 int ASN1_INTEGER_cmp(ASN1_INTEGER *x, ASN1_INTEGER *y)
-{ return M_ASN1_INTEGER_cmp(x,y);}
+	{ 
+	int neg, ret;
+	/* Compare signs */
+	neg = x->type & V_ASN1_NEG;
+	if (neg != (y->type & V_ASN1_NEG))
+		{
+		if (neg)
+			return -1;
+		else
+			return 1;
+		}
+
+	ret = ASN1_STRING_cmp(x, y);
+
+	if (neg)
+		return -ret;
+	else
+		return ret;
+	}
+	

 /* 
 * This converts an ASN1 INTEGER into its content encoding.
--- a/crypto/asn1/a_mbstr.c
+++ b/crypto/asn1/a_mbstr.c
@@ -145,14 +145,14 @@ int ASN1_mbstring_ncopy(ASN1_STRING **out, const unsigned char *in, int len,

 	if((minsize > 0) && (nchar < minsize)) {
 		ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_STRING_TOO_SHORT);
-		sprintf(strbuf, "%ld", minsize);
+		BIO_snprintf(strbuf, sizeof strbuf, "%ld", minsize);
 		ERR_add_error_data(2, "minsize=", strbuf);
 		return -1;
 	}

 	if((maxsize > 0) && (nchar > maxsize)) {
 		ASN1err(ASN1_F_ASN1_MBSTRING_COPY, ASN1_R_STRING_TOO_LONG);
-		sprintf(strbuf, "%ld", maxsize);
+		BIO_snprintf(strbuf, sizeof strbuf, "%ld", maxsize);
 		ERR_add_error_data(2, "maxsize=", strbuf);
 		return -1;
 	}
@@ -296,7 +296,7 @@ static int in_utf8(unsigned long value, void *arg)

 static int out_utf8(unsigned long value, void *arg)
 {
-	long *outlen;
+	int *outlen;
 	outlen = arg;
 	*outlen += UTF8_putc(NULL, -1, value);
 	return 1;
--- a/crypto/asn1/a_strex.c
+++ b/crypto/asn1/a_strex.c
@@ -3,7 +3,7 @@
 * project 2000.
 */
 /* ====================================================================
- * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 2000-2004 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
@@ -279,13 +279,13 @@ static int do_dump(unsigned long lflags, char_io *io_ch, void *arg, ASN1_STRING
 * otherwise it is the number of bytes per character
 */

-const static char tag2nbyte[] = {
+const static signed char tag2nbyte[] = {
 	-1, -1, -1, -1, -1,	/* 0-4 */
 	-1, -1, -1, -1, -1,	/* 5-9 */
 	-1, -1, 0, -1,		/* 10-13 */
 	-1, -1, -1, -1,		/* 15-17 */
 	-1, 1, 1,		/* 18-20 */
-	-1, 1, -1,-1,		/* 21-24 */
+	-1, 1, 1, 1,		/* 21-24 */
 	-1, 1, -1,		/* 25-27 */
 	4, -1, 2		/* 28-30 */
 };
@@ -553,7 +553,12 @@ int ASN1_STRING_to_UTF8(unsigned char **out, ASN1_STRING *in)
 	if((type < 0) || (type > 30)) return -1;
 	mbflag = tag2nbyte[type];
 	if(mbflag == -1) return -1;
-	mbflag |= MBSTRING_FLAG;
+	if (mbflag == 0)
+		mbflag = MBSTRING_UTF8;
+	else if (mbflag == 4)
+		mbflag = MBSTRING_UNIV;
+	else		
+		mbflag |= MBSTRING_FLAG;
 	stmp.data = NULL;
 	ret = ASN1_mbstring_copy(&str, in->data, in->length, mbflag, B_ASN1_UTF8STRING);
 	if(ret < 0) return ret;
--- a/crypto/asn1/a_strnid.c
+++ b/crypto/asn1/a_strnid.c
@@ -143,7 +143,7 @@ ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in,
 /* Now the tables and helper functions for the string table:
 */

-/* size limits: this stuff is taken straight from RFC2459 */
+/* size limits: this stuff is taken straight from RFC3280 */

 #define ub_name				32768
 #define ub_common_name			64
@@ -153,6 +153,8 @@ ASN1_STRING *ASN1_STRING_set_by_NID(ASN1_STRING **out, const unsigned char *in,
 #define ub_organization_unit_name	64
 #define ub_title			64
 #define ub_email_address		128
+#define ub_serial_number		64
+

 /* This table must be kept in NID order */

@@ -170,9 +172,11 @@ static ASN1_STRING_TABLE tbl_standard[] = {
 {NID_givenName,			1, ub_name, DIRSTRING_TYPE, 0},
 {NID_surname,			1, ub_name, DIRSTRING_TYPE, 0},
 {NID_initials,			1, ub_name, DIRSTRING_TYPE, 0},
+{NID_serialNumber,		1, ub_serial_number, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK},
 {NID_friendlyName,		-1, -1, B_ASN1_BMPSTRING, STABLE_NO_MASK},
 {NID_name,			1, ub_name, DIRSTRING_TYPE, 0},
 {NID_dnQualifier,		-1, -1, B_ASN1_PRINTABLESTRING, STABLE_NO_MASK},
+{NID_domainComponent,		1, -1, B_ASN1_IA5STRING, STABLE_NO_MASK},
 {NID_ms_csp_name,		-1, -1, B_ASN1_BMPSTRING, STABLE_NO_MASK}
 };

@@ -249,4 +253,38 @@ static void st_free(ASN1_STRING_TABLE *tbl)
 	if(tbl->flags & STABLE_FLAGS_MALLOC) OPENSSL_free(tbl);
 }

+
 IMPLEMENT_STACK_OF(ASN1_STRING_TABLE)
+
+#ifdef STRING_TABLE_TEST
+
+main()
+{
+	ASN1_STRING_TABLE *tmp;
+	int i, last_nid = -1;
+
+	for (tmp = tbl_standard, i = 0;
+		i < sizeof(tbl_standard)/sizeof(ASN1_STRING_TABLE); i++, tmp++)
+		{
+			if (tmp->nid < last_nid)
+				{
+				last_nid = 0;
+				break;
+				}
+			last_nid = tmp->nid;
+		}
+
+	if (last_nid != 0)
+		{
+		printf("Table order OK\n");
+		exit(0);
+		}
+
+	for (tmp = tbl_standard, i = 0;
+		i < sizeof(tbl_standard)/sizeof(ASN1_STRING_TABLE); i++, tmp++)
+			printf("Index %d, NID %d, Name=%s\n", i, tmp->nid,
+							OBJ_nid2ln(tmp->nid));
+
+}
+
+#endif
--- a/crypto/asn1/a_time.c
+++ b/crypto/asn1/a_time.c
@@ -128,6 +128,7 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZE
 	{
 	ASN1_GENERALIZEDTIME *ret;
 	char *str;
+	int newlen;

 	if (!ASN1_TIME_check(t)) return NULL;

@@ -150,12 +151,14 @@ ASN1_GENERALIZEDTIME *ASN1_TIME_to_generalizedtime(ASN1_TIME *t, ASN1_GENERALIZE
 	/* grow the string */
 	if (!ASN1_STRING_set(ret, NULL, t->length + 2))
 		return NULL;
+	/* ASN1_STRING_set() allocated 'len + 1' bytes. */
+	newlen = t->length + 2 + 1;
 	str = (char *)ret->data;
 	/* Work out the century and prepend */
-	if (t->data[0] >= '5') strcpy(str, "19");
-	else strcpy(str, "20");
+	if (t->data[0] >= '5') BUF_strlcpy(str, "19", newlen);
+	else BUF_strlcpy(str, "20", newlen);

-	BUF_strlcat(str, (char *)t->data, t->length+3);	/* Include space for a '\0' */
+	BUF_strlcat(str, (char *)t->data, newlen);

 	return ret;
 	}
--- a/crypto/asn1/a_utctm.c
+++ b/crypto/asn1/a_utctm.c
@@ -188,6 +188,7 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t)
 	char *p;
 	struct tm *ts;
 	struct tm data;
+	size_t len = 20;

 	if (s == NULL)
 		s=M_ASN1_UTCTIME_new();
@@ -199,17 +200,17 @@ ASN1_UTCTIME *ASN1_UTCTIME_set(ASN1_UTCTIME *s, time_t t)
 		return(NULL);

 	p=(char *)s->data;
-	if ((p == NULL) || (s->length < 14))
+	if ((p == NULL) || ((size_t)s->length < len))
 		{
-		p=OPENSSL_malloc(20);
+		p=OPENSSL_malloc(len);
 		if (p == NULL) return(NULL);
 		if (s->data != NULL)
 			OPENSSL_free(s->data);
 		s->data=(unsigned char *)p;
 		}

-	sprintf(p,"%02d%02d%02d%02d%02d%02dZ",ts->tm_year%100,
-		ts->tm_mon+1,ts->tm_mday,ts->tm_hour,ts->tm_min,ts->tm_sec);
+	BIO_snprintf(p,len,"%02d%02d%02d%02d%02d%02dZ",ts->tm_year%100,
+		     ts->tm_mon+1,ts->tm_mday,ts->tm_hour,ts->tm_min,ts->tm_sec);
 	s->length=strlen(p);
 	s->type=V_ASN1_UTCTIME;
 #ifdef CHARSET_EBCDIC_not
--- a/crypto/asn1/asn1.h
+++ b/crypto/asn1/asn1.h
@@ -132,7 +132,7 @@ extern "C" {
 #define B_ASN1_NUMERICSTRING	0x0001
 #define B_ASN1_PRINTABLESTRING	0x0002
 #define B_ASN1_T61STRING	0x0004
-#define B_ASN1_TELETEXSTRING	0x0008
+#define B_ASN1_TELETEXSTRING	0x0004
 #define B_ASN1_VIDEOTEXSTRING	0x0008
 #define B_ASN1_IA5STRING	0x0010
 #define B_ASN1_GRAPHICSTRING	0x0020
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@@ -104,10 +104,12 @@ int ASN1_get_object(unsigned char **pp, long *plength, int *ptag, int *pclass,
 			l<<=7L;
 			l|= *(p++)&0x7f;
 			if (--max == 0) goto err;
+			if (l > (INT_MAX >> 7L)) goto err;
 			}
 		l<<=7L;
 		l|= *(p++)&0x7f;
 		tag=(int)l;
+		if (--max == 0) goto err;
 		}
 	else
 		{ 
@@ -412,8 +414,8 @@ void asn1_add_error(unsigned char *address, int offset)
 	{
 	char buf1[DECIMAL_SIZE(address)+1],buf2[DECIMAL_SIZE(offset)+1];

-	sprintf(buf1,"%lu",(unsigned long)address);
-	sprintf(buf2,"%d",offset);
+	BIO_snprintf(buf1,sizeof buf1,"%lu",(unsigned long)address);
+	BIO_snprintf(buf2,sizeof buf2,"%d",offset);
 	ERR_add_error_data(4,"address=",buf1," offset=",buf2);
 	}

--- a/crypto/asn1/asn1_par.c
+++ b/crypto/asn1/asn1_par.c
@@ -83,11 +83,11 @@ static int asn1_print_info(BIO *bp, int tag, int xclass, int constructed,

 	p=str;
 	if ((xclass & V_ASN1_PRIVATE) == V_ASN1_PRIVATE)
-		sprintf(str,"priv [ %d ] ",tag);
+		BIO_snprintf(str,sizeof str,"priv [ %d ] ",tag);
 	else if ((xclass & V_ASN1_CONTEXT_SPECIFIC) == V_ASN1_CONTEXT_SPECIFIC)
-		sprintf(str,"cont [ %d ]",tag);
+		BIO_snprintf(str,sizeof str,"cont [ %d ]",tag);
 	else if ((xclass & V_ASN1_APPLICATION) == V_ASN1_APPLICATION)
-		sprintf(str,"appl [ %d ]",tag);
+		BIO_snprintf(str,sizeof str,"appl [ %d ]",tag);
 	else p = ASN1_tag2str(tag);

 	if (p2 != NULL)
--- a/crypto/asn1/asn_moid.c
+++ b/crypto/asn1/asn_moid.c
@@ -87,9 +87,14 @@ static int oid_module_init(CONF_IMODULE *md, const CONF *cnf)
 			}
 		}
 	return 1;
-}
+	}
+
+static void oid_module_finish(CONF_IMODULE *md)
+	{
+	OBJ_cleanup();
+	}

 void ASN1_add_oid_module(void)
 	{
-	CONF_module_add("oid_section", oid_module_init, 0);
+	CONF_module_add("oid_section", oid_module_init, oid_module_finish);
 	}
--- a/crypto/asn1/p5_pbev2.c
+++ b/crypto/asn1/p5_pbev2.c
@@ -1,6 +1,6 @@
 /* p5_pbev2.c */
 /* Written by Dr Stephen N Henson (shenson@bigfoot.com) for the OpenSSL
- * project 1999.
+ * project 1999-2004.
 */
 /* ====================================================================
 * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
@@ -113,7 +113,8 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
 	if(!(scheme->parameter = ASN1_TYPE_new())) goto merr;

 	/* Create random IV */
-	if (RAND_pseudo_bytes(iv, EVP_CIPHER_iv_length(cipher)) < 0)
+	if (EVP_CIPHER_iv_length(cipher) &&
+		RAND_pseudo_bytes(iv, EVP_CIPHER_iv_length(cipher)) < 0)
 		goto err;

 	EVP_CIPHER_CTX_init(&ctx);
@@ -123,6 +124,7 @@ X509_ALGOR *PKCS5_pbe2_set(const EVP_CIPHER *cipher, int iter,
 	if(EVP_CIPHER_param_to_asn1(&ctx, scheme->parameter) < 0) {
 		ASN1err(ASN1_F_PKCS5_PBE2_SET,
 					ASN1_R_ERROR_SETTING_CIPHER_PARAMS);
+		EVP_CIPHER_CTX_cleanup(&ctx);
 		goto err;
 	}
 	EVP_CIPHER_CTX_cleanup(&ctx);
--- a/crypto/asn1/t_pkey.c
+++ b/crypto/asn1/t_pkey.c
@@ -139,9 +139,9 @@ int RSA_print(BIO *bp, const RSA *x, int off)
 		}

 	if (x->d == NULL)
-		sprintf(str,"Modulus (%d bit):",BN_num_bits(x->n));
+		BIO_snprintf(str,sizeof str,"Modulus (%d bit):",BN_num_bits(x->n));
 	else
-		strcpy(str,"modulus:");
+		BUF_strlcpy(str,"modulus:",sizeof str);
 	if (!print(bp,str,x->n,m,off)) goto err;
 	s=(x->d == NULL)?"Exponent:":"publicExponent:";
 	if (!print(bp,s,x->e,m,off)) goto err;
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@@ -691,6 +691,7 @@ static int asn1_d2i_ex_primitive(ASN1_VALUE **pval, unsigned char **in, long inl

 int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char *free_cont, const ASN1_ITEM *it)
 {
+	ASN1_VALUE **opval = NULL;
 	ASN1_STRING *stmp;
 	ASN1_TYPE *typ = NULL;
 	int ret = 0;
@@ -705,6 +706,7 @@ int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char
 			*pval = (ASN1_VALUE *)typ;
 		} else typ = (ASN1_TYPE *)*pval;
 		if(utype != typ->type) ASN1_TYPE_set(typ, utype, NULL);
+		opval = pval;
 		pval = (ASN1_VALUE **)&typ->value.ptr;
 	}
 	switch(utype) {
@@ -796,7 +798,12 @@ int asn1_ex_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype, char

 	ret = 1;
 	err:
-	if(!ret) ASN1_TYPE_free(typ);
+	if(!ret)
+		{
+		ASN1_TYPE_free(typ);
+		if (opval)
+			*opval = NULL;
+		}
 	return ret;
 }

--- a/crypto/asn1/x_cinf.c
+++ b/crypto/asn1/x_cinf.c
@@ -1,201 +0,0 @@
-/* crypto/asn1/x_cinf.c */
-/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
- * All rights reserved.
- *
- * This package is an SSL implementation written
- * by Eric Young (eay@cryptsoft.com).
- * The implementation was written so as to conform with Netscapes SSL.
- * 
- * This library is free for commercial and non-commercial use as long as
- * the following conditions are aheared to.  The following conditions
- * apply to all code found in this distribution, be it the RC4, RSA,
- * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
- * included with this distribution is covered by the same copyright terms
- * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- * 
- * Copyright remains Eric Young's, and as such any Copyright notices in
- * the code are not to be removed.
- * If this package is used in a product, Eric Young should be given attribution
- * as the author of the parts of the library used.
- * This can be in the form of a textual message at program startup or
- * in documentation (online or textual) provided with the package.
- * 
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- * 3. All advertising materials mentioning features or use of this software
- *    must display the following acknowledgement:
- *    "This product includes cryptographic software written by
- *     Eric Young (eay@cryptsoft.com)"
- *    The word 'cryptographic' can be left out if the rouines from the library
- *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from 
- *    the apps directory (application code) you must include an acknowledgement:
- *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- * 
- * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
- * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
- * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
- * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
- * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
- * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
- * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
- * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
- * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
- * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
- * SUCH DAMAGE.
- * 
- * The licence and distribution terms for any publically available version or
- * derivative of this code cannot be changed.  i.e. this code cannot simply be
- * copied and put under another distribution licence
- * [including the GNU Public Licence.]
- */
-
-#include <stdio.h>
-#include "cryptlib.h"
-#include <openssl/asn1_mac.h>
-#include <openssl/x509.h>
-
-int i2d_X509_CINF(X509_CINF *a, unsigned char **pp)
-	{
-	int v1=0,v2=0;
-	M_ASN1_I2D_vars(a);
-
-	M_ASN1_I2D_len_EXP_opt(a->version,i2d_ASN1_INTEGER,0,v1);
-	M_ASN1_I2D_len(a->serialNumber,		i2d_ASN1_INTEGER);
-	M_ASN1_I2D_len(a->signature,		i2d_X509_ALGOR);
-	M_ASN1_I2D_len(a->issuer,		i2d_X509_NAME);
-	M_ASN1_I2D_len(a->validity,		i2d_X509_VAL);
-	M_ASN1_I2D_len(a->subject,		i2d_X509_NAME);
-	M_ASN1_I2D_len(a->key,			i2d_X509_PUBKEY);
-	M_ASN1_I2D_len_IMP_opt(a->issuerUID,	i2d_ASN1_BIT_STRING);
-	M_ASN1_I2D_len_IMP_opt(a->subjectUID,	i2d_ASN1_BIT_STRING);
-	M_ASN1_I2D_len_EXP_SEQUENCE_opt_type(X509_EXTENSION,a->extensions,
-					     i2d_X509_EXTENSION,3,
-					     V_ASN1_SEQUENCE,v2);
-
-	M_ASN1_I2D_seq_total();
-
-	M_ASN1_I2D_put_EXP_opt(a->version,i2d_ASN1_INTEGER,0,v1);
-	M_ASN1_I2D_put(a->serialNumber,		i2d_ASN1_INTEGER);
-	M_ASN1_I2D_put(a->signature,		i2d_X509_ALGOR);
-	M_ASN1_I2D_put(a->issuer,		i2d_X509_NAME);
-	M_ASN1_I2D_put(a->validity,		i2d_X509_VAL);
-	M_ASN1_I2D_put(a->subject,		i2d_X509_NAME);
-	M_ASN1_I2D_put(a->key,			i2d_X509_PUBKEY);
-	M_ASN1_I2D_put_IMP_opt(a->issuerUID,	i2d_ASN1_BIT_STRING,1);
-	M_ASN1_I2D_put_IMP_opt(a->subjectUID,	i2d_ASN1_BIT_STRING,2);
-	M_ASN1_I2D_put_EXP_SEQUENCE_opt_type(X509_EXTENSION,a->extensions,
-					     i2d_X509_EXTENSION,3,
-					     V_ASN1_SEQUENCE,v2);
-
-	M_ASN1_I2D_finish();
-	}
-
-X509_CINF *d2i_X509_CINF(X509_CINF **a, unsigned char **pp, long length)
-	{
-	int ver=0;
-	M_ASN1_D2I_vars(a,X509_CINF *,X509_CINF_new);
-
-	M_ASN1_D2I_Init();
-	M_ASN1_D2I_start_sequence();
-	/* we have the optional version field */
-	if (M_ASN1_next == (V_ASN1_CONTEXT_SPECIFIC | V_ASN1_CONSTRUCTED | 0))
-		{
-		M_ASN1_D2I_get_EXP_opt(ret->version,d2i_ASN1_INTEGER,0);
-		if (ret->version->data != NULL)
-			ver=ret->version->data[0];
-		}
-	else
-		{
-		if (ret->version != NULL)
-			{
-			M_ASN1_INTEGER_free(ret->version);
-			ret->version=NULL;
-			}
-		}
-	M_ASN1_D2I_get(ret->serialNumber,d2i_ASN1_INTEGER);
-	M_ASN1_D2I_get(ret->signature,d2i_X509_ALGOR);
-	M_ASN1_D2I_get(ret->issuer,d2i_X509_NAME);
-	M_ASN1_D2I_get(ret->validity,d2i_X509_VAL);
-	M_ASN1_D2I_get(ret->subject,d2i_X509_NAME);
-	M_ASN1_D2I_get(ret->key,d2i_X509_PUBKEY);
-	if (ver >= 1) /* version 2 extensions */
-		{
-		if (ret->issuerUID != NULL)
-			{
-			M_ASN1_BIT_STRING_free(ret->issuerUID);
-			ret->issuerUID=NULL;
-			}
-		if (ret->subjectUID != NULL)
-			{
-			M_ASN1_BIT_STRING_free(ret->subjectUID);
-			ret->subjectUID=NULL;
-			}
-		M_ASN1_D2I_get_IMP_opt(ret->issuerUID,d2i_ASN1_BIT_STRING,  1,
-			V_ASN1_BIT_STRING);
-		M_ASN1_D2I_get_IMP_opt(ret->subjectUID,d2i_ASN1_BIT_STRING, 2,
-			V_ASN1_BIT_STRING);
-		}
-/* Note: some broken certificates include extensions but don't set
- * the version number properly. By bypassing this check they can
- * be parsed.
- */
-
-#ifdef VERSION_EXT_CHECK
-	if (ver >= 2) /* version 3 extensions */
-#endif
-		{
-		if (ret->extensions != NULL)
-			while (sk_X509_EXTENSION_num(ret->extensions))
-				X509_EXTENSION_free(
-				      sk_X509_EXTENSION_pop(ret->extensions));
-		M_ASN1_D2I_get_EXP_set_opt_type(X509_EXTENSION,ret->extensions,
-						d2i_X509_EXTENSION,
-						X509_EXTENSION_free,3,
-						V_ASN1_SEQUENCE);
-		}
-	M_ASN1_D2I_Finish(a,X509_CINF_free,ASN1_F_D2I_X509_CINF);
-	}
-
-X509_CINF *X509_CINF_new(void)
-	{
-	X509_CINF *ret=NULL;
-	ASN1_CTX c;
-
-	M_ASN1_New_Malloc(ret,X509_CINF);
-	ret->version=NULL;
-	M_ASN1_New(ret->serialNumber,M_ASN1_INTEGER_new);
-	M_ASN1_New(ret->signature,X509_ALGOR_new);
-	M_ASN1_New(ret->issuer,X509_NAME_new);
-	M_ASN1_New(ret->validity,X509_VAL_new);
-	M_ASN1_New(ret->subject,X509_NAME_new);
-	M_ASN1_New(ret->key,X509_PUBKEY_new);
-	ret->issuerUID=NULL;
-	ret->subjectUID=NULL;
-	ret->extensions=NULL;
-	return(ret);
-	M_ASN1_New_Error(ASN1_F_X509_CINF_NEW);
-	}
-
-void X509_CINF_free(X509_CINF *a)
-	{
-	if (a == NULL) return;
-	M_ASN1_INTEGER_free(a->version);
-	M_ASN1_INTEGER_free(a->serialNumber);
-	X509_ALGOR_free(a->signature);
-	X509_NAME_free(a->issuer);
-	X509_VAL_free(a->validity);
-	X509_NAME_free(a->subject);
-	X509_PUBKEY_free(a->key);
-	M_ASN1_BIT_STRING_free(a->issuerUID);
-	M_ASN1_BIT_STRING_free(a->subjectUID);
-	sk_X509_EXTENSION_pop_free(a->extensions,X509_EXTENSION_free);
-	OPENSSL_free(a);
-	}
-
--- a/crypto/asn1/x_crl.c
+++ b/crypto/asn1/x_crl.c
@@ -63,8 +63,6 @@

 static int X509_REVOKED_cmp(const X509_REVOKED * const *a,
 				const X509_REVOKED * const *b);
-static int X509_REVOKED_seq_cmp(const X509_REVOKED * const *a,
-				const X509_REVOKED * const *b);

 ASN1_SEQUENCE(X509_REVOKED) = {
 	ASN1_SIMPLE(X509_REVOKED,serialNumber, ASN1_INTEGER),
@@ -72,43 +70,28 @@ ASN1_SEQUENCE(X509_REVOKED) = {
 	ASN1_SEQUENCE_OF_OPT(X509_REVOKED,extensions, X509_EXTENSION)
 } ASN1_SEQUENCE_END(X509_REVOKED)

-/* The X509_CRL_INFO structure needs a bit of customisation. This is actually
- * mirroring the old behaviour: its purpose is to allow the use of
- * sk_X509_REVOKED_find to lookup revoked certificates. Unfortunately
- * this will zap the original order and the signature so we keep a copy
- * of the original positions and reorder appropriately before encoding.
- *
- * Might want to see if there's a better way of doing this later...
+/* The X509_CRL_INFO structure needs a bit of customisation.
+ * Since we cache the original encoding the signature wont be affected by
+ * reordering of the revoked field.
 */
 static int crl_inf_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it)
 {
 	X509_CRL_INFO *a = (X509_CRL_INFO *)*pval;
-	int i;
-	int (*old_cmp)(const X509_REVOKED * const *,
-			const X509_REVOKED * const *);

 	if(!a || !a->revoked) return 1;
 	switch(operation) {
-
-		/* Save original order */
+		/* Just set cmp function here. We don't sort because that
+		 * would affect the output of X509_CRL_print().
+		 */
 		case ASN1_OP_D2I_POST:
-		for (i=0; i<sk_X509_REVOKED_num(a->revoked); i++)
-			sk_X509_REVOKED_value(a->revoked,i)->sequence=i;
 		sk_X509_REVOKED_set_cmp_func(a->revoked,X509_REVOKED_cmp);
 		break;
-
-		/* Restore original order */
-		case ASN1_OP_I2D_PRE:
-		old_cmp=sk_X509_REVOKED_set_cmp_func(a->revoked,X509_REVOKED_seq_cmp);
-		sk_X509_REVOKED_sort(a->revoked);
-		sk_X509_REVOKED_set_cmp_func(a->revoked,old_cmp);
-		break;
 	}
 	return 1;
 }


-ASN1_SEQUENCE_cb(X509_CRL_INFO, crl_inf_cb) = {
+ASN1_SEQUENCE_enc(X509_CRL_INFO, enc, crl_inf_cb) = {
 	ASN1_OPT(X509_CRL_INFO, version, ASN1_INTEGER),
 	ASN1_SIMPLE(X509_CRL_INFO, sig_alg, X509_ALGOR),
 	ASN1_SIMPLE(X509_CRL_INFO, issuer, X509_NAME),
@@ -116,7 +99,7 @@ ASN1_SEQUENCE_cb(X509_CRL_INFO, crl_inf_cb) = {
 	ASN1_OPT(X509_CRL_INFO, nextUpdate, ASN1_TIME),
 	ASN1_SEQUENCE_OF_OPT(X509_CRL_INFO, revoked, X509_REVOKED),
 	ASN1_EXP_SEQUENCE_OF_OPT(X509_CRL_INFO, extensions, X509_EXTENSION, 0)
-} ASN1_SEQUENCE_END_cb(X509_CRL_INFO, X509_CRL_INFO)
+} ASN1_SEQUENCE_END_enc(X509_CRL_INFO, X509_CRL_INFO)

 ASN1_SEQUENCE_ref(X509_CRL, 0, CRYPTO_LOCK_X509_CRL) = {
 	ASN1_SIMPLE(X509_CRL, crl, X509_CRL_INFO),
@@ -137,12 +120,6 @@ static int X509_REVOKED_cmp(const X509_REVOKED * const *a,
 		(ASN1_STRING *)(*b)->serialNumber));
 	}

-static int X509_REVOKED_seq_cmp(const X509_REVOKED * const *a,
-				const X509_REVOKED * const *b)
-	{
-	return((*a)->sequence-(*b)->sequence);
-	}
-
 int X509_CRL_add0_revoked(X509_CRL *crl, X509_REVOKED *rev)
 {
 	X509_CRL_INFO *inf;
--- a/crypto/asn1/x_long.c
+++ b/crypto/asn1/x_long.c
@@ -104,7 +104,12 @@ static int long_i2c(ASN1_VALUE **pval, unsigned char *cont, int *putype, const A
 	long ltmp;
 	unsigned long utmp;
 	int clen, pad, i;
-	ltmp = *(long *)pval;
+	/* this exists to bypass broken gcc optimization */
+	char *cp = (char *)pval;
+
+	/* use memcpy, because we may not be long aligned */
+	memcpy(&ltmp, cp, sizeof(long));
+
 	if(ltmp == it->size) return -1;
 	/* Convert the long to positive: we subtract one if negative so
 	 * we can cleanly handle the padding if only the MSB of the leading
@@ -136,6 +141,7 @@ static int long_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype,
 	int neg, i;
 	long ltmp;
 	unsigned long utmp = 0;
+	char *cp = (char *)pval;
 	if(len > sizeof(long)) {
 		ASN1err(ASN1_F_LONG_C2I, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
 		return 0;
@@ -158,6 +164,6 @@ static int long_c2i(ASN1_VALUE **pval, unsigned char *cont, int len, int utype,
 		ASN1err(ASN1_F_LONG_C2I, ASN1_R_INTEGER_TOO_LARGE_FOR_LONG);
 		return 0;
 	}
-	*(long *)pval = ltmp;
+	memcpy(cp, &ltmp, sizeof(long));
 	return 1;
 }
--- a/crypto/bf/Makefile.ssl
+++ b/crypto/bf/Makefile.ssl
@@ -11,10 +11,9 @@ CFLAG=-g
 INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
-MAKE=		make -f Makefile.ssl
 MAKEDEPPROG=	makedepend
 MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
-MAKEFILE=	Makefile.ssl
+MAKEFILE=	Makefile
 AR=		ar r

 BF_ENC=		bf_enc.o
@@ -22,6 +21,7 @@ BF_ENC=		bf_enc.o
 #DES_ENC=	bx86-elf.o

 CFLAGS= $(INCLUDES) $(CFLAG)
+ASFLAGS= $(INCLUDES) $(ASFLAG)

 GENERAL=Makefile
 TEST=bftest.c
@@ -64,10 +64,9 @@ asm/bx86unix.cpp: asm/bf-586.pl ../perlasm/x86asm.pl ../perlasm/cbc.pl
 	(cd asm; $(PERL) bf-586.pl cpp $(PROCESSOR) >bx86unix.cpp)

 files:
-	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO

 links:
-	@$(TOP)/util/point.sh Makefile.ssl Makefile
 	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
 	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
--- a/crypto/bio/Makefile.ssl
+++ b/crypto/bio/Makefile.ssl
@@ -10,10 +10,9 @@ CFLAG=-g
 INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
-MAKE=		make -f Makefile.ssl
 MAKEDEPPROG=	makedepend
 MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
-MAKEFILE=	Makefile.ssl
+MAKEFILE=	Makefile
 AR=		ar r

 CFLAGS= $(INCLUDES) $(CFLAG)
@@ -54,10 +53,9 @@ lib:	$(LIBOBJ)
 	@touch lib

 files:
-	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO

 links:
-	@$(TOP)/util/point.sh Makefile.ssl Makefile
 	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
 	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
--- a/crypto/bio/b_dump.c
+++ b/crypto/bio/b_dump.c
@@ -104,38 +104,41 @@ int BIO_dump_indent(BIO *bio, const char *s, int len, int indent)
 	for(i=0;i<rows;i++)
 		{
 		buf[0]='\0';	/* start with empty string */
-		strcpy(buf,str);
-		sprintf(tmp,"%04x - ",i*dump_width);
-		strcat(buf,tmp);
+		BUF_strlcpy(buf,str,sizeof buf);
+		BIO_snprintf(tmp,sizeof tmp,"%04x - ",i*dump_width);
+		BUF_strlcat(buf,tmp,sizeof buf);
 		for(j=0;j<dump_width;j++)
 			{
 			if (((i*dump_width)+j)>=len)
 				{
-				strcat(buf,"   ");
+				BUF_strlcat(buf,"   ",sizeof buf);
 				}
 			else
 				{
 				ch=((unsigned char)*(s+i*dump_width+j)) & 0xff;
-				sprintf(tmp,"%02x%c",ch,j==7?'-':' ');
-				strcat(buf,tmp);
+				BIO_snprintf(tmp,sizeof tmp,"%02x%c",ch,
+					 j==7?'-':' ');
+				BUF_strlcat(buf,tmp,sizeof buf);
 				}
 			}
-		strcat(buf,"  ");
+		BUF_strlcat(buf,"  ",sizeof buf);
 		for(j=0;j<dump_width;j++)
 			{
 			if (((i*dump_width)+j)>=len)
 				break;
 			ch=((unsigned char)*(s+i*dump_width+j)) & 0xff;
 #ifndef CHARSET_EBCDIC
-			sprintf(tmp,"%c",((ch>=' ')&&(ch<='~'))?ch:'.');
+			BIO_snprintf(tmp,sizeof tmp,"%c",
+				 ((ch>=' ')&&(ch<='~'))?ch:'.');
 #else
-			sprintf(tmp,"%c",((ch>=os_toascii[' '])&&(ch<=os_toascii['~']))
-				? os_toebcdic[ch]
-				: '.');
+			BIO_snprintf(tmp,sizeof tmp,"%c",
+				 ((ch>=os_toascii[' '])&&(ch<=os_toascii['~']))
+				 ? os_toebcdic[ch]
+				 : '.');
 #endif
-			strcat(buf,tmp);
+			BUF_strlcat(buf,tmp,sizeof buf);
 			}
-		strcat(buf,"\n");
+		BUF_strlcat(buf,"\n",sizeof buf);
 		/* if this is the last call then update the ddt_dump thing so that
 		 * we will move the selection point in the debug window 
 		 */
@@ -144,7 +147,8 @@ int BIO_dump_indent(BIO *bio, const char *s, int len, int indent)
 #ifdef TRUNCATE
 	if (trunc > 0)
 		{
-		sprintf(buf,"%s%04x - <SPACES/NULS>\n",str,len+trunc);
+		BIO_snprintf(buf,sizeof buf,"%s%04x - <SPACES/NULS>\n",str,
+			 len+trunc);
 		ret+=BIO_write(bio,(char *)buf,strlen(buf));
 		}
 #endif
--- a/crypto/bio/b_print.c
+++ b/crypto/bio/b_print.c
@@ -378,7 +378,7 @@ _dopr(
            case 'p':
                value = (long)va_arg(args, void *);
                fmtint(sbuffer, buffer, &currlen, maxlen,
-                    value, 16, min, max, flags);
+                    value, 16, min, max, flags|DP_F_NUM);
                break;
            case 'n': /* XXX */
                if (cflags == DP_C_SHORT) {
@@ -482,8 +482,9 @@ fmtint(
    int flags)
 {
    int signvalue = 0;
+    char *prefix = "";
    unsigned LLONG uvalue;
-    char convert[DECIMAL_SIZE(value)+1];
+    char convert[DECIMAL_SIZE(value)+3];
    int place = 0;
    int spadlen = 0;
    int zpadlen = 0;
@@ -501,6 +502,10 @@ fmtint(
        else if (flags & DP_F_SPACE)
            signvalue = ' ';
    }
+    if (flags & DP_F_NUM) {
+	if (base == 8) prefix = "0";
+	if (base == 16) prefix = "0x";
+    }
    if (flags & DP_F_UP)
        caps = 1;
    do {
@@ -514,7 +519,7 @@ fmtint(
    convert[place] = 0;

    zpadlen = max - place;
-    spadlen = min - OSSL_MAX(max, place) - (signvalue ? 1 : 0);
+    spadlen = min - OSSL_MAX(max, place) - (signvalue ? 1 : 0) - strlen(prefix);
    if (zpadlen < 0)
        zpadlen = 0;
    if (spadlen < 0)
@@ -536,6 +541,12 @@ fmtint(
    if (signvalue)
        doapr_outch(sbuffer, buffer, currlen, maxlen, signvalue);

+    /* prefix */
+    while (*prefix) {
+	doapr_outch(sbuffer, buffer, currlen, maxlen, *prefix);
+	prefix++;
+    }
+
    /* zeros */
    if (zpadlen > 0) {
        while (zpadlen > 0) {
@@ -565,12 +576,12 @@ abs_val(LDOUBLE value)
 }

 static LDOUBLE
-pow10(int exp)
+pow10(int in_exp)
 {
    LDOUBLE result = 1;
-    while (exp) {
+    while (in_exp) {
        result *= 10;
-        exp--;
+        in_exp--;
    }
    return result;
 }
@@ -630,7 +641,7 @@ fmtfp(
       multiplying by a factor of 10 */
    fracpart = roundv((pow10(max)) * (ufvalue - intpart));

-    if (fracpart >= pow10(max)) {
+    if (fracpart >= (long)pow10(max)) {
        intpart++;
        fracpart -= (long)pow10(max);
    }
@@ -641,8 +652,8 @@ fmtfp(
            (caps ? "0123456789ABCDEF"
              : "0123456789abcdef")[intpart % 10];
        intpart = (intpart / 10);
-    } while (intpart && (iplace < sizeof iplace));
-    if (iplace == sizeof iplace)
+    } while (intpart && (iplace < sizeof iconvert));
+    if (iplace == sizeof iconvert)
        iplace--;
    iconvert[iplace] = 0;

@@ -653,7 +664,7 @@ fmtfp(
              : "0123456789abcdef")[fracpart % 10];
        fracpart = (fracpart / 10);
    } while (fplace < max);
-    if (fplace == sizeof fplace)
+    if (fplace == sizeof fconvert)
        fplace--;
    fconvert[fplace] = 0;

@@ -692,7 +703,7 @@ fmtfp(
     * Decimal point. This should probably use locale to find the correct
     * char to print out.
     */
-    if (max > 0) {
+    if (max > 0 || (flags & DP_F_NUM)) {
        doapr_outch(sbuffer, buffer, currlen, maxlen, '.');

        while (fplace > 0)
@@ -825,5 +836,5 @@ int BIO_vsnprintf(char *buf, size_t n, const char *format, va_list args)
 		 * had the buffer been large enough.) */
 		return -1;
 	else
-		return (retlen <= INT_MAX) ? retlen : -1;
+		return (retlen <= INT_MAX) ? (int)retlen : -1;
 	}
--- a/crypto/bio/b_sock.c
+++ b/crypto/bio/b_sock.c
@@ -709,12 +709,12 @@ int BIO_accept(int sock, char **addr)
 			}
 		*addr=p;
 		}
-	sprintf(*addr,"%d.%d.%d.%d:%d",
-		(unsigned char)(l>>24L)&0xff,
-		(unsigned char)(l>>16L)&0xff,
-		(unsigned char)(l>> 8L)&0xff,
-		(unsigned char)(l     )&0xff,
-		port);
+	BIO_snprintf(*addr,24,"%d.%d.%d.%d:%d",
+		     (unsigned char)(l>>24L)&0xff,
+		     (unsigned char)(l>>16L)&0xff,
+		     (unsigned char)(l>> 8L)&0xff,
+		     (unsigned char)(l     )&0xff,
+		     port);
 end:
 	return(ret);
 	}
--- a/crypto/bio/bf_buff.c
+++ b/crypto/bio/bf_buff.c
@@ -494,6 +494,7 @@ static int buffer_gets(BIO *b, char *buf, int size)
 			if (i <= 0)
 				{
 				BIO_copy_next_retry(b);
+				*buf='\0';
 				if (i < 0) return((num > 0)?num:i);
 				if (i == 0) return(num);
 				}
--- a/crypto/bio/bio.h
+++ b/crypto/bio/bio.h
@@ -347,6 +347,7 @@ typedef struct bio_f_buffer_ctx_struct
 #define BIO_C_NWRITE0				145
 #define BIO_C_NWRITE				146
 #define BIO_C_RESET_READ_REQUEST		147
+#define BIO_C_SET_MD_CTX			148


 #define BIO_set_app_data(s,arg)		BIO_set_ex_data(s,0,arg)
--- a/crypto/bio/bio_cb.c
+++ b/crypto/bio/bio_cb.c
@@ -70,55 +70,61 @@ long MS_CALLBACK BIO_debug_callback(BIO *bio, int cmd, const char *argp,
 	MS_STATIC char buf[256];
 	char *p;
 	long r=1;
+	size_t p_maxlen;

 	if (BIO_CB_RETURN & cmd)
 		r=ret;

-	sprintf(buf,"BIO[%08lX]:",(unsigned long)bio);
+	BIO_snprintf(buf,sizeof buf,"BIO[%08lX]:",(unsigned long)bio);
 	p= &(buf[14]);
+	p_maxlen = sizeof buf - 14;
 	switch (cmd)
 		{
 	case BIO_CB_FREE:
-		sprintf(p,"Free - %s\n",bio->method->name);
+		BIO_snprintf(p,p_maxlen,"Free - %s\n",bio->method->name);
 		break;
 	case BIO_CB_READ:
 		if (bio->method->type & BIO_TYPE_DESCRIPTOR)
-			sprintf(p,"read(%d,%d) - %s fd=%d\n",bio->num,argi,bio->method->name,bio->num);
+			BIO_snprintf(p,p_maxlen,"read(%d,%d) - %s fd=%d\n",
+				 bio->num,argi,bio->method->name,bio->num);
 		else
-			sprintf(p,"read(%d,%d) - %s\n",bio->num,argi,bio->method->name);
+			BIO_snprintf(p,p_maxlen,"read(%d,%d) - %s\n",
+				 bio->num,argi,bio->method->name);
 		break;
 	case BIO_CB_WRITE:
 		if (bio->method->type & BIO_TYPE_DESCRIPTOR)
-			sprintf(p,"write(%d,%d) - %s fd=%d\n",bio->num,argi,bio->method->name,bio->num);
+			BIO_snprintf(p,p_maxlen,"write(%d,%d) - %s fd=%d\n",
+				 bio->num,argi,bio->method->name,bio->num);
 		else
-			sprintf(p,"write(%d,%d) - %s\n",bio->num,argi,bio->method->name);
+			BIO_snprintf(p,p_maxlen,"write(%d,%d) - %s\n",
+				 bio->num,argi,bio->method->name);
 		break;
 	case BIO_CB_PUTS:
-		sprintf(p,"puts() - %s\n",bio->method->name);
+		BIO_snprintf(p,p_maxlen,"puts() - %s\n",bio->method->name);
 		break;
 	case BIO_CB_GETS:
-		sprintf(p,"gets(%d) - %s\n",argi,bio->method->name);
+		BIO_snprintf(p,p_maxlen,"gets(%d) - %s\n",argi,bio->method->name);
 		break;
 	case BIO_CB_CTRL:
-		sprintf(p,"ctrl(%d) - %s\n",argi,bio->method->name);
+		BIO_snprintf(p,p_maxlen,"ctrl(%d) - %s\n",argi,bio->method->name);
 		break;
 	case BIO_CB_RETURN|BIO_CB_READ:
-		sprintf(p,"read return %ld\n",ret);
+		BIO_snprintf(p,p_maxlen,"read return %ld\n",ret);
 		break;
 	case BIO_CB_RETURN|BIO_CB_WRITE:
-		sprintf(p,"write return %ld\n",ret);
+		BIO_snprintf(p,p_maxlen,"write return %ld\n",ret);
 		break;
 	case BIO_CB_RETURN|BIO_CB_GETS:
-		sprintf(p,"gets return %ld\n",ret);
+		BIO_snprintf(p,p_maxlen,"gets return %ld\n",ret);
 		break;
 	case BIO_CB_RETURN|BIO_CB_PUTS:
-		sprintf(p,"puts return %ld\n",ret);
+		BIO_snprintf(p,p_maxlen,"puts return %ld\n",ret);
 		break;
 	case BIO_CB_RETURN|BIO_CB_CTRL:
-		sprintf(p,"ctrl return %ld\n",ret);
+		BIO_snprintf(p,p_maxlen,"ctrl return %ld\n",ret);
 		break;
 	default:
-		sprintf(p,"bio callback - unknown type (%d)\n",cmd);
+		BIO_snprintf(p,p_maxlen,"bio callback - unknown type (%d)\n",cmd);
 		break;
 		}

--- a/crypto/bio/bss_bio.c
+++ b/crypto/bio/bss_bio.c
@@ -1,4 +1,57 @@
 /* crypto/bio/bss_bio.c  -*- Mode: C; c-file-style: "eay" -*- */
+/* ====================================================================
+ * Copyright (c) 1998-2003 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */

 /* Special method for a BIO where the other endpoint is also a BIO
 * of this kind, handled by the same thread (i.e. the "peer" is actually
@@ -502,7 +555,7 @@ static long bio_ctrl(BIO *bio, int cmd, long num, void *ptr)
 		break;
 		
 	case BIO_C_DESTROY_BIO_PAIR:
-		/* Effects both BIOs in the pair -- call just once!
+		/* Affects both BIOs in the pair -- call just once!
 		 * Or let BIO_free(bio1); BIO_free(bio2); do the job. */
 		bio_destroy_pair(bio);
 		ret = 1;
--- a/crypto/bio/bss_conn.c
+++ b/crypto/bio/bss_conn.c
@@ -521,8 +521,8 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
 				char buf[16];
 				unsigned char *p = ptr;

-				sprintf(buf,"%d.%d.%d.%d",
-					p[0],p[1],p[2],p[3]);
+				BIO_snprintf(buf,sizeof buf,"%d.%d.%d.%d",
+					     p[0],p[1],p[2],p[3]);
 				if (data->param_hostname != NULL)
 					OPENSSL_free(data->param_hostname);
 				data->param_hostname=BUF_strdup(buf);
@@ -532,7 +532,7 @@ static long conn_ctrl(BIO *b, int cmd, long num, void *ptr)
 				{
 				char buf[DECIMAL_SIZE(int)+1];

-				sprintf(buf,"%d",*(int *)ptr);
+				BIO_snprintf(buf,sizeof buf,"%d",*(int *)ptr);
 				if (data->param_port != NULL)
 					OPENSSL_free(data->param_port);
 				data->param_port=BUF_strdup(buf);
--- a/crypto/bio/bss_file.c
+++ b/crypto/bio/bss_file.c
@@ -213,18 +213,37 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
 		b->shutdown=(int)num&BIO_CLOSE;
 		b->ptr=(char *)ptr;
 		b->init=1;
-#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WINDOWS)
+		{
+#if defined(OPENSSL_SYS_WINDOWS)
+		int fd = fileno((FILE*)ptr);
+		if (num & BIO_FP_TEXT)
+			_setmode(fd,_O_TEXT);
+		else
+			_setmode(fd,_O_BINARY);
+#elif defined(OPENSSL_SYS_MSDOS)
+		int fd = fileno((FILE*)ptr);
 		/* Set correct text/binary mode */
 		if (num & BIO_FP_TEXT)
-			_setmode(fileno((FILE *)ptr),_O_TEXT);
+			_setmode(fd,_O_TEXT);
+		/* Dangerous to set stdin/stdout to raw (unless redirected) */
 		else
-			_setmode(fileno((FILE *)ptr),_O_BINARY);
+			{
+			if (fd == STDIN_FILENO || fd == STDOUT_FILENO)
+				{
+				if (isatty(fd) <= 0)
+					_setmode(fd,_O_BINARY);
+				}
+			else
+				_setmode(fd,_O_BINARY);
+			}
 #elif defined(OPENSSL_SYS_OS2)
+		int fd = fileno((FILE*)ptr);
 		if (num & BIO_FP_TEXT)
-			setmode(fileno((FILE *)ptr), O_TEXT);
+			setmode(fd, O_TEXT);
 		else
-			setmode(fileno((FILE *)ptr), O_BINARY);
+			setmode(fd, O_BINARY);
 #endif
+		}
 		break;
 	case BIO_C_SET_FILENAME:
 		file_free(b);
@@ -232,15 +251,15 @@ static long MS_CALLBACK file_ctrl(BIO *b, int cmd, long num, void *ptr)
 		if (num & BIO_FP_APPEND)
 			{
 			if (num & BIO_FP_READ)
-				strcpy(p,"a+");
-			else	strcpy(p,"a");
+				BUF_strlcpy(p,"a+",sizeof p);
+			else	BUF_strlcpy(p,"a",sizeof p);
 			}
 		else if ((num & BIO_FP_READ) && (num & BIO_FP_WRITE))
-			strcpy(p,"r+");
+			BUF_strlcpy(p,"r+",sizeof p);
 		else if (num & BIO_FP_WRITE)
-			strcpy(p,"w");
+			BUF_strlcpy(p,"w",sizeof p);
 		else if (num & BIO_FP_READ)
-			strcpy(p,"r");
+			BUF_strlcpy(p,"r",sizeof p);
 		else
 			{
 			BIOerr(BIO_F_FILE_CTRL,BIO_R_BAD_FOPEN_MODE);
--- a/crypto/bn/Makefile.ssl
+++ b/crypto/bn/Makefile.ssl
@@ -11,10 +11,9 @@ CFLAG=-g
 INSTALL_PREFIX=
 OPENSSLDIR=     /usr/local/ssl
 INSTALLTOP=/usr/local/ssl
-MAKE=		make -f Makefile.ssl
 MAKEDEPPROG=	makedepend
 MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
-MAKEFILE=	Makefile.ssl
+MAKEFILE=	Makefile
 AR=		ar r

 BN_ASM=		bn_asm.o
@@ -22,6 +21,7 @@ BN_ASM=		bn_asm.o
 #BN_ASM=	bn86-elf.o

 CFLAGS= $(INCLUDES) $(CFLAG)
+ASFLAGS= $(INCLUDES) $(ASFLAG)

 GENERAL=Makefile
 TEST=bntest.c exptest.c
@@ -119,11 +119,13 @@ asm/ia64-cpp.o:	asm/ia64.S

 asm/x86_64-gcc.o: asm/x86_64-gcc.c

+asm/pa-risc2W.o: asm/pa-risc2W.s
+	/usr/ccs/bin/as -o asm/pa-risc2W.o asm/pa-risc2W.s
+
 files:
-	$(PERL) $(TOP)/util/files.pl Makefile.ssl >> $(TOP)/MINFO
+	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO

 links:
-	@$(TOP)/util/point.sh Makefile.ssl Makefile
 	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
 	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
 	@$(PERL) $(TOP)/util/mklink.pl ../../apps $(APPS)
--- a/crypto/bn/asm/bn-586.pl
+++ b/crypto/bn/asm/bn-586.pl
@@ -11,7 +11,7 @@ require "x86asm.pl";
 &bn_div_words("bn_div_words");
 &bn_add_words("bn_add_words");
 &bn_sub_words("bn_sub_words");
-&bn_sub_part_words("bn_sub_part_words");
+#&bn_sub_part_words("bn_sub_part_words");

 &asm_finish();

--- a/crypto/bn/asm/ia64.S
+++ b/crypto/bn/asm/ia64.S
@@ -1,6 +1,6 @@
 .explicit
 .text
-.ident	"ia64.S, Version 2.0"
+.ident	"ia64.S, Version 2.1"
 .ident	"IA-64 ISA artwork by Andy Polyakov <appro@fy.chalmers.se>"

 //
@@ -35,7 +35,7 @@
 // What does it mean? You might ratiocinate that the original code
 // should run just faster... Because sum of latencies is smaller...
 // Wrong! Note that getf latency increased. This means that if a loop is
-// scheduled for lower latency (and they are), then it will suffer from
+// scheduled for lower latency (as they were), then it will suffer from
 // stall condition and the code will therefore turn anti-scalable, e.g.
 // original bn_mul_words spun at 5*n or 2.5 times slower than expected
 // on Itanium2! What to do? Reschedule loops for Itanium2? But then
@@ -145,6 +145,12 @@
 //	-Drum=nop.m in command line.
 //

+#if defined(_HPUX_SOURCE) && !defined(_LP64)
+#define	ADDP	addp4
+#else
+#define	ADDP	add
+#endif
+
 #if 1
 //
 // bn_[add|sub]_words routines.
@@ -178,27 +184,12 @@ bn_add_words:
 	brp.loop.imp	.L_bn_add_words_ctop,.L_bn_add_words_cend-16
 					}
 	.body
-{ .mib;
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-	addp4		r14=0,r32		// rp
-#else
-	mov		r14=r32			// rp
-#endif
+{ .mib;	ADDP		r14=0,r32		// rp
 	mov		r9=pr		};;
-{ .mii;
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-	addp4		r15=0,r33		// ap
-#else
-	mov		r15=r33			// ap
-#endif
+{ .mii;	ADDP		r15=0,r33		// ap
 	mov		ar.lc=r10
 	mov		ar.ec=6		}
-{ .mib;
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-	addp4		r16=0,r34		// bp
-#else
-	mov		r16=r34			// bp
-#endif
+{ .mib;	ADDP		r16=0,r34		// bp
 	mov		pr.rot=1<<16	};;

 .L_bn_add_words_ctop:
@@ -246,27 +237,12 @@ bn_sub_words:
 	brp.loop.imp	.L_bn_sub_words_ctop,.L_bn_sub_words_cend-16
 					}
 	.body
-{ .mib;
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-	addp4		r14=0,r32		// rp
-#else
-	mov		r14=r32			// rp
-#endif
+{ .mib;	ADDP		r14=0,r32		// rp
 	mov		r9=pr		};;
-{ .mii;
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-	addp4		r15=0,r33		// ap
-#else
-	mov		r15=r33			// ap
-#endif
+{ .mii;	ADDP		r15=0,r33		// ap
 	mov		ar.lc=r10
 	mov		ar.ec=6		}
-{ .mib;
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-	addp4		r16=0,r34		// bp
-#else
-	mov		r16=r34			// bp
-#endif
+{ .mib;	ADDP		r16=0,r34		// bp
 	mov		pr.rot=1<<16	};;

 .L_bn_sub_words_ctop:
@@ -332,16 +308,10 @@ bn_mul_words:

 #ifndef XMA_TEMPTATION

-{ .mii;
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-	addp4		r14=0,r32	// rp
-	addp4		r15=0,r33	// ap
-#else
-	mov		r14=r32		// rp
-	mov		r15=r33		// ap
-#endif
+{ .mmi;	ADDP		r14=0,r32	// rp
+	ADDP		r15=0,r33	// ap
 	mov		ar.lc=r10	}
-{ .mii;	mov		r40=0	// serves as r35 at first (p27)
+{ .mmi;	mov		r40=0		// serves as r35 at first (p27)
 	mov		ar.ec=13	};;

 // This loop spins in 2*(n+12) ticks. It's scheduled for data in Itanium
@@ -424,89 +394,64 @@ bn_mul_words:
 .global	bn_mul_add_words#
 .proc	bn_mul_add_words#
 .align	64
-//.skip	0	// makes the loop split at 64-byte boundary
+.skip	48	// makes the loop body aligned at 64-byte boundary
 bn_mul_add_words:
 	.prologue
 	.fframe	0
 	.save	ar.pfs,r2
-{ .mii;	alloc		r2=ar.pfs,4,12,0,16
-	cmp4.le		p6,p0=r34,r0	};;
-{ .mfb;	mov		r8=r0			// return value
+	.save	ar.lc,r3
+	.save	pr,r9
+{ .mmi;	alloc		r2=ar.pfs,4,4,0,8
+	cmp4.le		p6,p0=r34,r0
+	mov		r3=ar.lc	};;
+{ .mib;	mov		r8=r0		// return value
+	sub		r10=r34,r0,1
 (p6)	br.ret.spnt.many	b0	};;

-	.save	ar.lc,r3
-{ .mii;	sub	r10=r34,r0,1
-	mov	r3=ar.lc
-	mov	r9=pr			};;
-
 	.body
-{ .mib;	setf.sig	f8=r35	// w
-	mov		pr.rot=0x800001<<16
-			// ------^----- serves as (p50) at first (p27)
+{ .mib;	setf.sig	f8=r35		// w
+	mov		r9=pr
 	brp.loop.imp	.L_bn_mul_add_words_ctop,.L_bn_mul_add_words_cend-16
 					}
-{ .mii;
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-	addp4		r14=0,r32	// rp
-	addp4		r15=0,r33	// ap
-#else
-	mov		r14=r32		// rp
-	mov		r15=r33		// ap
-#endif
+{ .mmi;	ADDP		r14=0,r32	// rp
+	ADDP		r15=0,r33	// ap
 	mov		ar.lc=r10	}
-{ .mii;	mov		r40=0	// serves as r35 at first (p27)
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-	addp4		r18=0,r32	// rp copy
-#else
-	mov		r18=r32		// rp copy
-#endif
-	mov		ar.ec=15	};;
+{ .mii;	ADDP		r16=0,r32	// rp copy
+	mov		pr.rot=0x2001<<16
+			// ------^----- serves as (p40) at first (p27)
+	mov		ar.ec=11	};;

-// This loop spins in 3*(n+14) ticks on Itanium and should spin in
-// 2*(n+14) on "wider" IA-64 implementations (to be verified with new
-// <EFBFBD>-architecture manuals as they become available). As usual it's
-// possible to compress the epilogue, down to 10 in this case, at the
-// cost of scalability. Compressed (and therefore non-scalable) loop
-// running at 3*(n+11) would buy you ~10% on Itanium but take ~35%
-// from "wider" IA-64 so let it be scalable! Special attention was
-// paid for having the loop body split at 64-byte boundary. ld8 is
-// scheduled for L1 cache as the data is more than likely there.
-// Indeed, bn_mul_words has put it there a moment ago:-)
+// This loop spins in 3*(n+10) ticks on Itanium and in 2*(n+10) on
+// Itanium 2. Yes, unlike previous versions it scales:-) Previous
+// version was peforming *all* additions in IALU and was starving
+// for those even on Itanium 2. In this version one addition is
+// moved to FPU and is folded with multiplication. This is at cost
+// of propogating the result from previous call to this subroutine
+// to L2 cache... In other words negligible even for shorter keys.
+// *Overall* performance improvement [over previous version] varies
+// from 11 to 22 percent depending on key length.
 .L_bn_mul_add_words_ctop:
-{ .mfi;	(p25)	getf.sig	r36=f52			// low
-	(p21)	xmpy.lu		f48=f37,f8
-	(p28)	cmp.ltu		p54,p50=r41,r39	}
-{ .mfi;	(p16)	ldf8		f32=[r15],8
-	(p21)	xmpy.hu		f40=f37,f8
-	(p28)	add		r45=r45,r41	};;
-{ .mii;	(p25)	getf.sig	r32=f44			// high
-	.pred.rel	"mutex",p50,p54
-	(p50)	add		r40=r38,r35		// (p27)
-	(p54)	add		r40=r38,r35,1	}	// (p27)
-{ .mfb;	(p28)	cmp.ltu.unc	p60,p0=r45,r41
-	(p0)	nop.f		0x0
-	(p0)	nop.b		0x0		}
-{ .mii;	(p27)	ld8		r44=[r18],8
-	(p62)	cmp.eq.or	p61,p0=-1,r46
-	(p62)	add		r46=1,r46	}
-{ .mfb;	(p30)	st8		[r14]=r47,8
-	(p0)	nop.f		0x0
+.pred.rel	"mutex",p40,p42
+{ .mfi;	(p23)	getf.sig	r36=f45			// low
+	(p20)	xma.lu		f42=f36,f8,f50		// low
+	(p40)	add		r39=r39,r35	}	// (p27)
+{ .mfi;	(p16)	ldf8		f32=[r15],8		// *(ap++)
+	(p20)	xma.hu		f36=f36,f8,f50		// high
+	(p42)	add		r39=r39,r35,1	};;	// (p27)
+{ .mmi;	(p24)	getf.sig	r32=f40			// high
+	(p16)	ldf8		f46=[r16],8		// *(rp1++)
+	(p40)	cmp.ltu		p41,p39=r39,r35	}	// (p27)
+{ .mib;	(p26)	st8		[r14]=r39,8		// *(rp2++)
+	(p42)	cmp.leu		p41,p39=r39,r35		// (p27)
 	br.ctop.sptk	.L_bn_mul_add_words_ctop};;
 .L_bn_mul_add_words_cend:

-{ .mii;	nop.m		0x0
-.pred.rel	"mutex",p53,p57
-(p53)	add		r8=r38,r0
-(p57)	add		r8=r38,r0,1	}
-{ .mfb;	nop.m	0x0
-	nop.f	0x0
-	nop.b	0x0			};;
-{ .mii;
-(p63)	add		r8=1,r8
-	mov		pr=r9,0x1ffff
-	mov		ar.lc=r3	}
-{ .mfb;	rum		1<<5		// clear um.mfh
-	nop.f		0x0
+{ .mmi;	.pred.rel	"mutex",p40,p42
+(p40)	add		r8=r35,r0
+(p42)	add		r8=r35,r0,1
+	mov		pr=r9,0x1ffff	}
+{ .mib;	rum		1<<5		// clear um.mfh
+	mov		ar.lc=r3
 	br.ret.sptk.many	b0	};;
 .endp	bn_mul_add_words#
 #endif
@@ -527,7 +472,8 @@ bn_sqr_words:
 	sxt4		r34=r34		};;
 { .mii;	cmp.le		p6,p0=r34,r0
 	mov		r8=r0		}	// return value
-{ .mfb;	nop.f		0x0
+{ .mfb;	ADDP		r32=0,r32
+	nop.f		0x0
 (p6)	br.ret.spnt.many	b0	};;

 	.save	ar.lc,r3
@@ -536,11 +482,7 @@ bn_sqr_words:
 	mov	r9=pr			};;

 	.body
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
-{ .mii; addp4		r32=0,r32
-	addp4		r33=0,r33	};;
-#endif
-{ .mib;
+{ .mib;	ADDP		r33=0,r33
 	mov		pr.rot=1<<16
 	brp.loop.imp	.L_bn_sqr_words_ctop,.L_bn_sqr_words_cend-16
 					}
@@ -605,7 +547,7 @@ bn_sqr_comba8:
 	.prologue
 	.fframe	0
 	.save	ar.pfs,r2
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
+#if defined(_HPUX_SOURCE) && !defined(_LP64)
 { .mii;	alloc	r2=ar.pfs,2,1,0,0
 	addp4	r33=0,r33
 	addp4	r32=0,r32		};;
@@ -631,6 +573,10 @@ bn_sqr_comba8:
 // clause in Itanium <EFBFBD>-architecture manual? Comments are welcomed and
 // highly appreciated.
 //
+// On Itanium 2 it takes ~190 ticks. This is because of stalls on
+// result from getf.sig. I do nothing about it at this point for
+// reasons depicted below.
+//
 // However! It should be noted that even 160 ticks is darn good result
 // as it's over 10 (yes, ten, spelled as t-e-n) times faster than the
 // C version (compiled with gcc with inline assembler). I really
@@ -673,7 +619,7 @@ bn_mul_comba8:
 	.prologue
 	.fframe	0
 	.save	ar.pfs,r2
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
+#if defined(_HPUX_SOURCE) && !defined(_LP64)
 { .mii;	alloc	r2=ar.pfs,3,0,0,0
 	addp4	r33=0,r33
 	addp4	r34=0,r34		};;
@@ -1231,7 +1177,7 @@ bn_sqr_comba4:
 	.prologue
 	.fframe	0
 	.save	ar.pfs,r2
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
+#if defined(_HPUX_SOURCE) && !defined(_LP64)
 { .mii;	alloc   r2=ar.pfs,2,1,0,0
 	addp4	r32=0,r32
 	addp4	r33=0,r33		};;
@@ -1264,7 +1210,7 @@ bn_mul_comba4:
 	.prologue
 	.fframe	0
 	.save	ar.pfs,r2
-#if defined(_HPUX_SOURCE) && defined(_ILP32)
+#if defined(_HPUX_SOURCE) && !defined(_LP64)
 { .mii;	alloc   r2=ar.pfs,3,0,0,0
 	addp4	r33=0,r33
 	addp4	r34=0,r34		};;
@@ -1448,8 +1394,8 @@ bn_mul_comba4:
 #define	I	r21

 #if 0
-// Some preprocessors (most notably HP-UX) apper to be allergic to
-// macros enclosed to parenthesis as these three will be.
+// Some preprocessors (most notably HP-UX) appear to be allergic to
+// macros enclosed to parenthesis [as these three were].
 #define	cont	p16
 #define	break	p0	// p20
 #define	equ	p24
@@ -1581,9 +1527,18 @@ bn_div_words:
 // output:	f8 = (int)(a/b)
 // clobbered:	f8,f9,f10,f11,pred
 pred=p15
-// This procedure is essentially Intel code and therefore is
-// copyrighted to Intel Corporation (I suppose...). It's sligtly
-// modified for specific needs.
+// One can argue that this snippet is copyrighted to Intel
+// Corporation, as it's essentially identical to one of those
+// found in "Divide, Square Root and Remainder" section at
+// http://www.intel.com/software/products/opensource/libraries/num.htm.
+// Yes, I admit that the referred code was used as template,
+// but after I realized that there hardly is any other instruction
+// sequence which would perform this operation. I mean I figure that
+// any independent attempt to implement high-performance division
+// will result in code virtually identical to the Intel code. It
+// should be noted though that below division kernel is 1 cycle
+// faster than Intel one (note commented splits:-), not to mention
+// original prologue (rather lack of one) and epilogue.
 .align	32
 .skip	16
 .L_udiv64_32_b6:
--- a/crypto/bn/asm/x86_64-gcc.c
+++ b/crypto/bn/asm/x86_64-gcc.c
@@ -142,7 +142,7 @@ void bn_sqr_words(BN_ULONG *r, BN_ULONG *a, int n)
 BN_ULONG bn_div_words(BN_ULONG h, BN_ULONG l, BN_ULONG d)
 {	BN_ULONG ret,waste;

-	asm ("divq	%3"
+	asm ("divq	%4"
 		: "=a"(ret),"=d"(waste)
 		: "a"(l),"d"(h),"g"(d)
 		: "cc");
--- a/crypto/bn/bn.h
+++ b/crypto/bn/bn.h
@@ -248,6 +248,8 @@ typedef struct bn_blinding_st
 	BIGNUM *A;
 	BIGNUM *Ai;
 	BIGNUM *mod; /* just a reference */
+	unsigned long thread_id; /* added in OpenSSL 0.9.6j and 0.9.7b;
+				  * used only by crypto/rsa/rsa_eay.c, rsa_lib.c */
 	} BN_BLINDING;

 /* Used for montgomery multiplication */
--- a/crypto/bn/bn_lcl.h
+++ b/crypto/bn/bn_lcl.h
@@ -433,19 +433,18 @@ void bn_sqr_comba4(BN_ULONG *r,const BN_ULONG *a);
 int bn_cmp_words(const BN_ULONG *a,const BN_ULONG *b,int n);
 int bn_cmp_part_words(const BN_ULONG *a, const BN_ULONG *b,
 	int cl, int dl);
-#if 0
-/* bn_mul.c rollback <appro> */
-void bn_mul_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,int n2,
-	int dna,int dnb,BN_ULONG *t);
-void bn_mul_part_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,
-	int n,int tna,int tnb,BN_ULONG *t);
-#endif
-void bn_sqr_recursive(BN_ULONG *r,const BN_ULONG *a, int n2, BN_ULONG *t);
-void bn_mul_low_normal(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b, int n);
+#ifdef BN_RECURSION
+void bn_mul_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int n2,
+	BN_ULONG *t);
+void bn_mul_part_recursive(BN_ULONG *r, BN_ULONG *a, BN_ULONG *b, int tn,
+	int n, BN_ULONG *t);
 void bn_mul_low_recursive(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,int n2,
 	BN_ULONG *t);
 void bn_mul_high(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b,BN_ULONG *l,int n2,
 	BN_ULONG *t);
+void bn_sqr_recursive(BN_ULONG *r,const BN_ULONG *a, int n2, BN_ULONG *t);
+#endif
+void bn_mul_low_normal(BN_ULONG *r,BN_ULONG *a,BN_ULONG *b, int n);

 #ifdef  __cplusplus
 }
--- a/Show More
+++ b/Show More