Prepare for 1.1.0-pre3 release

Reviewed-by: Stephen Henson <steve@openssl.org>
Correct deprecation of OPENSSL_config
2016-02-15 19:37:20 +01:00 · 2016-02-15 16:25:10 +01:00 · 2016-02-15 10:17:12 -05:00 · 2016-02-15 14:16:07 +01:00 · 2016-02-15 12:15:45 +00:00 · 2016-02-15 12:09:58 +00:00
1592 changed files with 67758 additions and 62676 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -10,8 +10,7 @@
 /.dir-locals.el

 # Top level excludes
-/Makefile.bak
-/Makefile
+/Makefile.orig
 /MINFO
 /TABLE
 /*.a
@@ -21,6 +20,10 @@
 /makefile.*
 /out.*
 /tmp.*
+/configdata.pm
+
+# *all* Makefiles
+Makefile

 /test/*.ss
 /test/*.srl
@@ -39,7 +42,9 @@

 # Auto generated headers
 /crypto/buildinf.h
-/crypto/opensslconf.h
+/openssl/include/opensslconf.h
+/crypto/include/internal/*_conf.h
+util/domd

 # Auto generated assembly language source files
 *.s
@@ -73,15 +78,19 @@
 !/crypto/des/times/486-50.sol

 # Misc auto generated files
-include/openssl/opensslconf.h
+/include/openssl/opensslconf.h
 /tools/c_rehash
-lib
+/crypto/**/lib
+/engines/**/lib
+/ssl/**/lib
 Makefile.save
 *.bak
-tags
-TAGS
+/tags
+/TAGS
 cscope.out
 *.d
+/crypto.map
+/ssl.map

 # Windows
 /tmp32
@@ -94,35 +103,35 @@ cscope.out
 /out32dll.dbg
 /inc32
 /MINFO
-ms/bcb.mak
-ms/libeay32.def
-ms/nt.mak
-ms/ntdll.mak
-ms/ssleay32.def
-ms/version32.rc
+/ms/bcb.mak
+/ms/libeay32.def
+/ms/nt.mak
+/ms/ntdll.mak
+/ms/ssleay32.def
+/ms/version32.rc

 # Files created on other branches that are not held in git, and are not
 # needed on this branch
-include/openssl/asn1_mac.h
-include/openssl/des_old.h
-include/openssl/fips.h
-include/openssl/fips_rand.h
-include/openssl/krb5_asn.h
-include/openssl/kssl.h
-include/openssl/pq_compat.h
-include/openssl/ssl23.h
-include/openssl/tmdiff.h
-include/openssl/ui_compat.h
-test/fips_aesavs.c
-test/fips_desmovs.c
-test/fips_dsatest.c
-test/fips_dssvs.c
-test/fips_hmactest.c
-test/fips_randtest.c
-test/fips_rngvs.c
-test/fips_rsagtest.c
-test/fips_rsastest.c
-test/fips_rsavtest.c
-test/fips_shatest.c
-test/fips_test_suite.c
-test/shatest.c
+/include/openssl/asn1_mac.h
+/include/openssl/des_old.h
+/include/openssl/fips.h
+/include/openssl/fips_rand.h
+/include/openssl/krb5_asn.h
+/include/openssl/kssl.h
+/include/openssl/pq_compat.h
+/include/openssl/ssl23.h
+/include/openssl/tmdiff.h
+/include/openssl/ui_compat.h
+/test/fips_aesavs.c
+/test/fips_desmovs.c
+/test/fips_dsatest.c
+/test/fips_dssvs.c
+/test/fips_hmactest.c
+/test/fips_randtest.c
+/test/fips_rngvs.c
+/test/fips_rsagtest.c
+/test/fips_rsastest.c
+/test/fips_rsavtest.c
+/test/fips_shatest.c
+/test/fips_test_suite.c
+/test/shatest.c
--- a/.travis-create-release.sh
+++ b/.travis-create-release.sh
@@ -2,9 +2,11 @@

 # $1 is expected to be $TRAVIS_OS_NAME

+./Configure dist
 if [ "$1" == osx ]; then
-    make -f Makefile.org \
-	 DISTTARVARS="NAME=_srcdist TAR_COMMAND='\$\$(TAR) \$\$(TARFLAGS) -s \"|^|\$\$(NAME)/|\" -T \$\$(TARFILE).list -cvf -' TARFLAGS='-n' TARFILE=_srcdist.tar" SHELL='sh -vx' dist
+    make NAME='_srcdist' TARFLAGS='-n' TARFILE='_srcdist.tar' \
+	 TAR_COMMAND='$(TAR) $(TARFLAGS) -s "|^|$(NAME)/|" -T $(TARFILE).list -cvf -' \
+	 SHELL='sh -vx' tar
 else
-    make -f Makefile.org DISTTARVARS='TARFILE=_srcdist.tar NAME=_srcdist' SHELL='sh -v' dist
+    make TARFILE='_srcdist.tar' NAME='_srcdist' SHELL='sh -v' dist
 fi
--- a/.travis.yml
+++ b/.travis.yml
@@ -28,7 +28,11 @@ env:
    - CONFIG_OPTS=""
    - CONFIG_OPTS="shared"
    - CONFIG_OPTS="no-asm"
-    - CONFIG_OPTS="--debug --strict-warnings"
+    - CONFIG_OPTS="--debug --strict-warnings enable-crypto-mdebug enable-rc5 enable-md2"
+    - CONFIG_OPTS="--unified"
+    - CONFIG_OPTS="--unified shared"
+    - CONFIG_OPTS="--unified no-asm"
+    - CONFIG_OPTS="--unified --debug --strict-warnings enable-crypto-mdebug enable-rc5 enable-md2"

 matrix:
    include:
@@ -37,16 +41,18 @@ matrix:
          env: CONFIG_OPTS="-fsanitize=address"
        - os: linux
          compiler: clang-3.6
-          env: CONFIG_OPTS="no-asm --debug --strict-warnings -fno-sanitize-recover -fsanitize=address -fsanitize=undefined"
+          env: CONFIG_OPTS="no-asm --debug --strict-warnings -fno-sanitize-recover -fsanitize=address -fsanitize=undefined enable-crypto-mdebug enable-rc5 enable-md2"
        - os: linux
          compiler: gcc-5
          env: CONFIG_OPTS="-fsanitize=address"
        - os: linux
          compiler: gcc-5
-          env: CONFIG_OPTS="no-asm --debug --strict-warnings -fno-sanitize-recover -fsanitize=address -fsanitize=undefined"
+          env: CONFIG_OPTS="no-asm --debug --strict-warnings -fno-sanitize-recover -fsanitize=address -fsanitize=undefined enable-crypto-mdebug enable-rc5 enable-md2"
    exclude:
        - os: osx
          compiler: clang-3.6
+        - os: osx
+          compiler: gcc
        - os: osx
          compiler: gcc-5
        - os: osx
@@ -61,11 +67,23 @@ matrix:
          env: CONFIG_OPTS="no-asm"
        - compiler: x86_64-w64-mingw32-gcc
          env: CONFIG_OPTS="no-asm"
+        - compiler: i686-w64-mingw32-gcc
+          env: CONFIG_OPTS="--unified shared"
+        - compiler: x86_64-w64-mingw32-gcc
+          env: CONFIG_OPTS="--unified shared"
+        - compiler: i686-w64-mingw32-gcc
+          env: CONFIG_OPTS="--unified no-asm"
+        - compiler: x86_64-w64-mingw32-gcc
+          env: CONFIG_OPTS="--unified no-asm"
    allow_failures:
        - compiler: i686-w64-mingw32-gcc
-          env: CONFIG_OPTS="--debug --strict-warnings"
+          env: CONFIG_OPTS="--debug --strict-warnings enable-crypto-mdebug enable-rc5 enable-md2"
        - compiler: x86_64-w64-mingw32-gcc
-          env: CONFIG_OPTS="--debug --strict-warnings"
+          env: CONFIG_OPTS="--debug --strict-warnings enable-crypto-mdebug enable-rc5 enable-md2"
+        - compiler: i686-w64-mingw32-gcc
+          env: CONFIG_OPTS="--unified --debug --strict-warnings enable-crypto-mdebug enable-rc5 enable-md2"
+        - compiler: x86_64-w64-mingw32-gcc
+          env: CONFIG_OPTS="--unified --debug --strict-warnings enable-crypto-mdebug enable-rc5 enable-md2"

 before_script:
    - sh .travis-create-release.sh $TRAVIS_OS_NAME
@@ -88,7 +106,7 @@ script:
    - if [ -n "$CROSS_COMPILE" ]; then
          export EXE_SHELL="wine" WINEPREFIX=`pwd`;
      fi
-    - make test
+    - HARNESS_VERBOSE=yes make test
    - cd ..

 notifications:
--- a/288
+++ b/288
@@ -2,7 +2,197 @@
 OpenSSL CHANGES
 _______________

- Changes between 1.0.2e and 1.1.0  [xx XXX xxxx]
+ Changes between 1.0.2f and 1.1.0  [xx XXX xxxx]
+
+  *) The INSTALL_PREFIX Makefile variable has been renamed to
+     DESTDIR.  That makes for less confusion on what this variable
+     is for.  Also, the configuration option --install_prefix is
+     removed.
+     [Richard Levitte]
+
+  *) Heartbeat for TLS has been removed and is disabled by default
+     for DTLS; configure with enable-heartbeats.  Code that uses the
+     old #define's might need to be updated.
+     [Emilia Käsper, Rich Salz]
+
+  *) Rename REF_CHECK to REF_DEBUG.
+     [Rich Salz]
+
+  *) New "unified" build system
+
+     The "unified" build system is aimed to be a common system for all
+     platforms we support.  With it comes new support for VMS.
+
+     This system builds supports building in a differnt directory tree
+     than the source tree.  It produces one Makefile (for unix family
+     or lookalikes), or one descrip.mms (for VMS).
+
+     The source of information to make the Makefile / descrip.mms is
+     small files called 'build.info', holding the necessary
+     information for each directory with source to compile, and a
+     template in Configurations, like unix-Makefile.tmpl or
+     descrip.mms.tmpl.
+
+     We rely heavily on the perl module Text::Template.
+     [Richard Levitte]
+
+  *) Added support for auto-initialisation and de-initialisation of the library.
+     OpenSSL no longer requires explicit init or deinit routines to be called,
+     except in certain circumstances. See the OPENSSL_init_crypto() and
+     OPENSSL_init_ssl() man pages for further information.
+     [Matt Caswell]
+
+  *) The arguments to the DTLSv1_listen function have changed. Specifically the
+     "peer" argument is now expected to be a BIO_ADDR object.
+
+  *) Rewrite of BIO networking library. The BIO library lacked consistent
+     support of IPv6, and adding it required some more extensive
+     modifications.  This introduces the BIO_ADDR and BIO_ADDRINFO types,
+     which hold all types of addresses and chains of address information.
+     It also introduces a new API, with functions like BIO_socket,
+     BIO_connect, BIO_listen, BIO_lookup and a rewrite of BIO_accept.
+     The source/sink BIOs BIO_s_connect, BIO_s_accept and BIO_s_datagram
+     have been adapted accordingly.
+     [Richard Levitte]
+
+  *) RSA_padding_check_PKCS1_type_1 now accepts inputs with and without
+     the leading 0-byte.
+     [Emilia Käsper]
+
+  *) CRIME protection: disable compression by default, even if OpenSSL is
+     compiled with zlib enabled. Applications can still enable compression
+     by calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by
+     using the SSL_CONF library to configure compression.
+     [Emilia Käsper]
+
+  *) The signature of the session callback configured with
+     SSL_CTX_sess_set_get_cb was changed. The read-only input buffer
+     was explicitly marked as 'const unsigned char*' instead of
+     'unsigned char*'.
+     [Emilia Käsper]
+
+  *) Always DPURIFY. Remove the use of uninitialized memory in the
+     RNG, and other conditional uses of DPURIFY. This makes -DPURIFY a no-op.
+     [Emilia Käsper]
+
+  *) Removed many obsolete configuration items, including
+        DES_PTR, DES_RISC1, DES_RISC2, DES_INT
+        MD2_CHAR, MD2_INT, MD2_LONG
+        BF_PTR, BF_PTR2
+        IDEA_SHORT, IDEA_LONG
+        RC2_SHORT, RC2_LONG, RC4_LONG, RC4_CHUNK, RC4_INDEX
+     [Rich Salz, with advice from Andy Polyakov]
+
+  *) Many BN internals have been moved to an internal header file.
+     [Rich Salz with help from Andy Polyakov]
+
+  *) Configuration and writing out the results from it has changed.
+     Files such as Makefile include/openssl/opensslconf.h and are now
+     produced through general templates, such as Makefile.in and
+     crypto/opensslconf.h.in and some help from the perl module
+     Text::Template.
+
+     Also, the center of configuration information is no longer
+     Makefile.  Instead, Configure produces a perl module in
+     configdata.pm which holds most of the config data (in the hash
+     table %config), the target data that comes from the target
+     configuration in one of the Configurations/*.conf files (in
+     %target).
+     [Richard Levitte]
+
+  *) To clarify their intended purposes, the Configure options
+     --prefix and --openssldir change their semantics, and become more
+     straightforward and less interdependent.
+
+     --prefix shall be used exclusively to give the location INSTALLTOP
+     where programs, scripts, libraries, include files and manuals are
+     going to be installed.  The default is now /usr/local.
+
+     --openssldir shall be used exclusively to give the default
+     location OPENSSLDIR where certificates, private keys, CRLs are
+     managed.  This is also where the default openssl.cnf gets
+     installed.
+     If the directory given with this option is a relative path, the
+     values of both the --prefix value and the --openssldir value will
+     be combined to become OPENSSLDIR.
+     The default for --openssldir is INSTALLTOP/ssl.
+
+     Anyone who uses --openssldir to specify where OpenSSL is to be
+     installed MUST change to use --prefix instead.
+     [Richard Levitte]
+
+  *) The GOST engine was out of date and therefore it has been removed. An up
+     to date GOST engine is now being maintained in an external repository.
+     See: https://wiki.openssl.org/index.php/Binaries. Libssl still retains
+     support for GOST ciphersuites (these are only activated if a GOST engine
+     is present).
+     [Matt Caswell]
+
+  *) EGD is no longer supported by default; use enable-egd when
+     configuring.
+     [Ben Kaduk and Rich Salz]
+
+  *) The distribution now has Makefile.in files, which are used to
+     create Makefile's when Configure is run.  *Configure must be run
+     before trying to build now.*
+     [Rich Salz]
+
+  *) The return value for SSL_CIPHER_description() for error conditions
+     has changed.
+     [Rich Salz]
+
+  *) Support for RFC6698/RFC7671 DANE TLSA peer authentication.
+
+     Obtaining and performing DNSSEC validation of TLSA records is
+     the application's responsibility.  The application provides
+     the TLSA records of its choice to OpenSSL, and these are then
+     used to authenticate the peer.
+
+     The TLSA records need not even come from DNS.  They can, for
+     example, be used to implement local end-entity certificate or
+     trust-anchor "pinning", where the "pin" data takes the form
+     of TLSA records, which can augment or replace verification
+     based on the usual WebPKI public certification authorities.
+     [Viktor Dukhovni]
+
+  *) Revert default OPENSSL_NO_DEPRECATED setting.  Instead OpenSSL
+     continues to support deprecated interfaces in default builds.
+     However, applications are strongly advised to compile their
+     source files with -DOPENSSL_API_COMPAT=0x10100000L, which hides
+     the declarations of all interfaces deprecated in 0.9.8, 1.0.0
+     or the 1.1.0 releases.
+
+     In environments in which all applications have been ported to
+     not use any deprecated interfaces OpenSSL's Configure script
+     should be used with the --api=1.1.0 option to entirely remove
+     support for the deprecated features from the library and
+     unconditionally disable them in the installed headers.
+     Essentially the same effect can be achieved with the "no-deprecated"
+     argument to Configure, except that this will always restrict
+     the build to just the latest API, rather than a fixed API
+     version.
+
+     As applications are ported to future revisions of the API,
+     they should update their compile-time OPENSSL_API_COMPAT define
+     accordingly, but in most cases should be able to continue to
+     compile with later releases.
+
+     The OPENSSL_API_COMPAT versions for 1.0.0, and 0.9.8 are
+     0x10000000L and 0x00908000L, respectively.  However those
+     versions did not support the OPENSSL_API_COMPAT feature, and
+     so applications are not typically tested for explicit support
+     of just the undeprecated features of either release.
+     [Viktor Dukhovni]
+
+  *) Add support for setting the minimum and maximum supported protocol.
+     It can bet set via the SSL_set_min_proto_version() and
+     SSL_set_max_proto_version(), or via the SSL_CONF's MinProtocol and
+     MaxProtcol.  It's recommended to use the new APIs to disable
+     protocols instead of disabling individual protocols using
+     SSL_set_options() or SSL_CONF's Protocol.  This change also
+     removes support for disabling TLS 1.2 in the OpenSSL TLS
+     client at compile time by defining OPENSSL_NO_TLS1_2_CLIENT.
+     [Kurt Roeckx]

  *) Support for ChaCha20 and Poly1305 added to libcrypto and libssl.
     [Andy Polyakov]
@@ -21,22 +211,22 @@
     exchange. The LOW ciphers currently doesn't have any ciphers in it.
     [Kurt Roeckx]

-  *) Make EVP_MD_CTX, EVP_MD and HMAC_CTX opaque.  For HMAC_CTX, the
-     following constructors and destructors were added:
+  *) Made EVP_MD_CTX, EVP_MD, EVP_CIPHER_CTX, EVP_CIPHER and HMAC_CTX
+     opaque.  For HMAC_CTX, the following constructors and destructors
+     were added:

        HMAC_CTX *HMAC_CTX_new(void);
        void HMAC_CTX_free(HMAC_CTX *ctx);

-     For EVP_MD, a complete API to create, fill and destroy such
-     methods has been added.  See EVP_MD_meth_new(3) for
-     documentation.
+     For EVP_MD and EVP_CIPHER, complete APIs to create, fill and
+     destroy such methods has been added.  See EVP_MD_meth_new(3) and
+     EVP_CIPHER_meth_new(3) for documentation.

     Additional changes:
-     1) HMAC_CTX_cleanup() and EVP_MD_CTX_cleanup() were removed,
-        HMAC_CTX_init() and EVP_MD_CTX_init() should be called instead
-        to reinitialise and already created structure.  Also,
-        HMAC_CTX_init() and EVP_MD_CTX_init() now return 0 for failure
-        and 1 for success (they previously had the return type void).
+     1) EVP_MD_CTX_cleanup(), EVP_CIPHER_CTX_cleanup() and
+        HMAC_CTX_cleanup() were removed.  HMAC_CTX_reset() and
+        EVP_MD_CTX_reset() should be called instead to reinitialise
+        an already created structure.
     2) For consistency with the majority of our object creators and
        destructors, EVP_MD_CTX_(create|destroy) were renamed to
        EVP_MD_CTX_(new|free).  The old names are retained as macros
@@ -54,7 +244,8 @@

  *) SSL_{CTX_}set_ecdh_auto() has been removed and ECDH is support is
     always enabled now.  If you want to disable the support you should
-     exclude it using the list of supported ciphers.
+     exclude it using the list of supported ciphers. This also means that the
+     "-no_ecdhe" option has been removed from s_server.
     [Kurt Roeckx]

  *) SSL_{CTX}_set_tmp_ecdh() which can set 1 EC curve now internally calls
@@ -83,8 +274,9 @@
  *) The demo files in crypto/threads were moved to demo/threads.
     [Rich Salz]

-  *) Removed obsolete engines: 4758cca, aep, atalla, cswift, nuron and sureware.
-     [Matt Caswell]
+  *) Removed obsolete engines: 4758cca, aep, atalla, cswift, nuron, gmp,
+     and sureware.
+     [Matt Caswell, Rich Salz]

  *) New ASN.1 embed macro.

@@ -140,6 +332,12 @@

     [Richard Levitte]

+  *) Revamped memory debug; only -DCRYPTO_MDEBUG and -DCRYPTO_MDEBUG_ABORT
+     are used; the latter aborts on memory leaks (usually checked on exit).
+     Some undocumented "set malloc, etc., hooks" functions were removed
+     and others were changed.  All are now documented.
+     [Rich Salz]
+
  *) In DSA_generate_parameters_ex, if the provided seed is too short,
     return an error
     [Rich Salz and Ismo Puustinen <ismo.puustinen@intel.com>]
@@ -210,6 +408,10 @@
  *) Added HTTP GET support to the ocsp command.
     [Rich Salz]

+  *) Changed default digest for the dgst and enc commands from MD5 to
+     sha256
+     [Rich Salz]
+
  *) RAND_pseudo_bytes has been deprecated. Users should use RAND_bytes instead.
     [Matt Caswell]

@@ -234,7 +436,7 @@

  *) Added support for OCB mode. OpenSSL has been granted a patent license
     compatible with the OpenSSL license for use of OCB. Details are available
-     at https://www.openssl.org/docs/misc/OCB-patent-grant-OpenSSL.pdf. Support
+     at https://www.openssl.org/source/OCB-patent-grant-OpenSSL.pdf. Support
     for OCB can be removed by calling config with no-ocb.
     [Matt Caswell]

@@ -592,6 +794,50 @@
     whose return value is often ignored. 
     [Steve Henson]

+ Changes between 1.0.2e and 1.0.2f [28 Jan 2016]
+  *) DH small subgroups
+
+     Historically OpenSSL only ever generated DH parameters based on "safe"
+     primes. More recently (in version 1.0.2) support was provided for
+     generating X9.42 style parameter files such as those required for RFC 5114
+     support. The primes used in such files may not be "safe". Where an
+     application is using DH configured with parameters based on primes that are
+     not "safe" then an attacker could use this fact to find a peer's private
+     DH exponent. This attack requires that the attacker complete multiple
+     handshakes in which the peer uses the same private DH exponent. For example
+     this could be used to discover a TLS server's private DH exponent if it's
+     reusing the private DH exponent or it's using a static DH ciphersuite.
+
+     OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in
+     TLS. It is not on by default. If the option is not set then the server
+     reuses the same private DH exponent for the life of the server process and
+     would be vulnerable to this attack. It is believed that many popular
+     applications do set this option and would therefore not be at risk.
+
+     The fix for this issue adds an additional check where a "q" parameter is
+     available (as is the case in X9.42 based parameters). This detects the
+     only known attack, and is the only possible defense for static DH
+     ciphersuites. This could have some performance impact.
+
+     Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by
+     default and cannot be disabled. This could have some performance impact.
+
+     This issue was reported to OpenSSL by Antonio Sanso (Adobe).
+     (CVE-2016-0701)
+     [Matt Caswell]
+
+  *) SSLv2 doesn't block disabled ciphers
+
+     A malicious client can negotiate SSLv2 ciphers that have been disabled on
+     the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
+     been disabled, provided that the SSLv2 protocol was not also disabled via
+     SSL_OP_NO_SSLv2.
+
+     This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
+     and Sebastian Schinzel.
+     (CVE-2015-3197)
+     [Viktor Dukhovni]
+
 Changes between 1.0.2d and 1.0.2e [3 Dec 2015]

  *) BN_mod_exp may produce incorrect results on x86_64
@@ -2542,7 +2788,7 @@

  *) New option -sigopt to dgst utility. Update dgst to use
     EVP_Digest{Sign,Verify}*. These two changes make it possible to use
-     alternative signing paramaters such as X9.31 or PSS in the dgst 
+     alternative signing parameters such as X9.31 or PSS in the dgst 
     utility.
     [Steve Henson]

@@ -3749,7 +3995,7 @@
     unofficial, and the ID has long expired.
     [Bodo Moeller]

-  *) Fix RSA blinding Heisenbug (problems sometimes occured on
+  *) Fix RSA blinding Heisenbug (problems sometimes occurred on
     dual-core machines) and other potential thread-safety issues.
     [Bodo Moeller]

@@ -4764,7 +5010,7 @@
     unofficial, and the ID has long expired.
     [Bodo Moeller]

-  *) Fix RSA blinding Heisenbug (problems sometimes occured on
+  *) Fix RSA blinding Heisenbug (problems sometimes occurred on
     dual-core machines) and other potential thread-safety issues.
     [Bodo Moeller]

@@ -4869,7 +5115,7 @@

  *) Added support for proxy certificates according to RFC 3820.
     Because they may be a security thread to unaware applications,
-     they must be explicitely allowed in run-time.  See
+     they must be explicitly allowed in run-time.  See
     docs/HOWTO/proxy_certificates.txt for further information.
     [Richard Levitte]

@@ -7446,7 +7692,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k

  *) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
     reveal whether illegal block cipher padding was found or a MAC
-     verification error occured.  (Neither SSLerr() codes nor alerts
+     verification error occurred.  (Neither SSLerr() codes nor alerts
     are directly visible to potential attackers, but the information
     may leak via logfiles.)

@@ -9853,7 +10099,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
  *) Bugfix: ssl23_get_client_hello did not work properly when called in
     state SSL23_ST_SR_CLNT_HELLO_B, i.e. when the first 7 bytes of
     a SSLv2-compatible client hello for SSLv3 or TLSv1 could be read,
-     but a retry condition occured while trying to read the rest.
+     but a retry condition occurred while trying to read the rest.
     [Bodo Moeller]

  *) The PKCS7_ENC_CONTENT_new() function was setting the content type as
--- a/4
+++ b/4
@@ -22,6 +22,10 @@ current Git or the last snapshot. They should follow our coding style
 warnings using the --strict-warnings flag.  OpenSSL compiles on many varied
 platforms: try to ensure you only use portable features.

+When at all possible, patches should include tests. These can either be
+added to an existing test, or completely new.  Please see test/README for
+information on the test framework.
+
 Our preferred format for patch files is "git format-patch" output. For example
 to provide a patch file containing the last commit in your local git repository
 use the following command:
--- a/Configurations/00-base-templates.conf
+++ b/Configurations/00-base-templates.conf
@@ -0,0 +1,200 @@
+# -*- Mode: perl -*-
+%targets=(
+    BASE => {
+	template	=> 1,
+
+	cflags		=> "",
+	defines		=> [],
+	debug_cflags	=> "",
+	debug_defines	=> [],
+	release_cflags	=> "",
+	release_defines => [],
+	thread_cflags	=> "",
+	thread_defines	=> [],
+
+	apps_extra_src	=> "",
+	cpuid_asm_src	=> "mem_clr.c",
+	bn_asm_src	=> "bn_asm.c",
+	ec_asm_src	=> "",
+	des_asm_src	=> "des_enc.c fcrypt_b.c",
+	aes_asm_src	=> "aes_core.c aes_cbc.c",
+	bf_asm_src	=> "bf_enc.c",
+	md5_asm_src	=> "",
+	cast_asm_src	=> "c_enc.c",
+	rc4_asm_src	=> "rc4_enc.c rc4_skey.c",
+	rmd160_asm_src	=> "",
+	rc5_asm_src	=> "rc5_enc.c",
+	wp_asm_src	=> "wp_block.c",
+	cmll_asm_src	=> "camellia.c cmll_misc.c cmll_cbc.c",
+	modes_asm_src	=> "",
+	padlock_asm_src	=> "",
+	chacha_asm_src	=> "chacha_enc.c",
+	poly1305_asm_src	=> "",
+
+	unistd		=> "<unistd.h>",
+	shared_target	=> "",
+	shared_cflag	=> "",
+	shared_ldflag	=> "",
+	shared_rcflag	=> "",
+	shared_extension	=> "",
+	build_scheme	=> "unixmake",
+	build_file      => "Makefile",
+    },
+
+    x86_asm => {
+	template	=> 1,
+	cpuid_asm_src	=> "x86cpuid.s",
+	bn_asm_src	=> "bn-586.s co-586.s x86-mont.s x86-gf2m.s",
+	ec_asm_src	=> "ecp_nistz256.c ecp_nistz256-x86.s",
+	des_asm_src	=> "des-586.s crypt586.s",
+	aes_asm_src	=> "aes-586.s vpaes-x86.s aesni-x86.s",
+	bf_asm_src	=> "bf-586.s",
+	md5_asm_src	=> "md5-586.s",
+	cast_asm_src	=> "cast-586.s",
+	sha1_asm_src	=> "sha1-586.s sha256-586.s sha512-586.s",
+	rc4_asm_src	=> "rc4-586.s",
+	rmd160_asm_src	=> "rmd-586.s",
+	rc5_asm_src	=> "rc5-586.s",
+	wp_asm_src	=> "wp_block.c wp-mmx.s",
+	cmll_asm_src	=> "cmll-x86.s",
+	modes_asm_src	=> "ghash-x86.s",
+	padlock_asm_src	=> "e_padlock-x86.s",
+	chacha_asm_src	=> "chacha-x86.s",
+	poly1305_asm_src=> "poly1305-x86.s",
+    },
+    x86_elf_asm => {
+	template	=> 1,
+	inherit_from	=> [ "x86_asm" ],
+	perlasm_scheme	=> "elf"
+    },
+    x86_64_asm => {
+	template	=> 1,
+	cpuid_asm_src   => "x86_64cpuid.s",
+	bn_asm_src      => "asm/x86_64-gcc.c x86_64-mont.s x86_64-mont5.s x86_64-gf2m.s rsaz_exp.c rsaz-x86_64.s rsaz-avx2.s",
+	ec_asm_src      => "ecp_nistz256.c ecp_nistz256-x86_64.s",
+	aes_asm_src     => "aes-x86_64.s vpaes-x86_64.s bsaes-x86_64.s aesni-x86_64.s aesni-sha1-x86_64.s aesni-sha256-x86_64.s aesni-mb-x86_64.s",
+	md5_asm_src     => "md5-x86_64.s",
+	sha1_asm_src    => "sha1-x86_64.s sha256-x86_64.s sha512-x86_64.s sha1-mb-x86_64.s sha256-mb-x86_64.s",
+	rc4_asm_src     => "rc4-x86_64.s rc4-md5-x86_64.s",
+	wp_asm_src      => "wp-x86_64.s",
+	cmll_asm_src    => "cmll-x86_64.s cmll_misc.c",
+	modes_asm_src   => "ghash-x86_64.s aesni-gcm-x86_64.s",
+	padlock_asm_src => "e_padlock-x86_64.s",
+	chacha_asm_src	=> "chacha-x86_64.s",
+	poly1305_asm_src=> "poly1305-x86_64.s",
+    },
+    ia64_asm => {
+	template	=> 1,
+	cpuid_asm_src   => "ia64cpuid.s",
+	bn_asm_src      => "bn-ia64.s ia64-mont.s",
+	aes_asm_src     => "aes_core.c aes_cbc.c aes-ia64.s",
+	md5_asm_src     => "md5-ia64.s",
+	sha1_asm_src    => "sha1-ia64.s sha256-ia64.s sha512-ia64.s",
+	rc4_asm_src     => "rc4-ia64.s rc4_skey.c",
+	modes_asm_src   => "ghash-ia64.s",
+	perlasm_scheme	=> "void"
+    },
+    sparcv9_asm => {
+	template	=> 1,
+	cpuid_asm_src   => "sparcv9cap.c sparccpuid.S",
+	bn_asm_src      => "asm/sparcv8plus.S sparcv9-mont.s sparcv9a-mont.s vis3-mont.s sparct4-mont.S sparcv9-gf2m.S",
+	ec_asm_src      => "ecp_nistz256.c ecp_nistz256-sparcv9.S",
+	des_asm_src     => "des_enc-sparc.S fcrypt_b.c dest4-sparcv9.s",
+	aes_asm_src     => "aes_core.c aes_cbc.c aes-sparcv9.s aest4-sparcv9.s",
+	md5_asm_src     => "md5-sparcv9.S",
+	sha1_asm_src    => "sha1-sparcv9.S sha256-sparcv9.S sha512-sparcv9.S",
+	cmll_asm_src    => "camellia.c cmll_misc.c cmll_cbc.c cmllt4-sparcv9.s",
+	modes_asm_src   => "ghash-sparcv9.s",
+	poly1305_asm_src=> "poly1305-sparcv9.S",
+	perlasm_scheme	=> "void"
+    },
+    sparcv8_asm => {
+	template	=> 1,
+	cpuid_asm_src   => "",
+	bn_asm_src      => "asm/sparcv8.S",
+	des_asm_src     => "des_enc-sparc.S fcrypt_b.c",
+	perlasm_scheme	=> "void"
+    },
+    alpha_asm => {
+	template	=> 1,
+	cpuid_asm_src   => "alphacpuid.s",
+	bn_asm_src      => "bn_asm.c alpha-mont.s",
+	sha1_asm_src    => "sha1-alpha.s",
+	modes_asm_src   => "ghash-alpha.s",
+	perlasm_scheme	=> "void"
+    },
+    mips32_asm => {
+	template	=> 1,
+	bn_asm_src      => "bn-mips.s mips-mont.s",
+	aes_asm_src     => "aes_cbc.c aes-mips.S",
+	sha1_asm_src    => "sha1-mips.S sha256-mips.S",
+    },
+    mips64_asm => {
+	inherit_from	=> [ "mips32_asm" ],
+	template	=> 1,
+	sha1_asm_src    => add("sha512-mips.S")
+    },
+    s390x_asm => {
+	template	=> 1,
+	cpuid_asm_src   => "s390xcap.c s390xcpuid.s",
+	bn_asm_src      => "asm/s390x.S s390x-mont.S s390x-gf2m.s",
+	aes_asm_src     => "aes-s390x.S aes-ctr.fake aes-xts.fake",
+	sha1_asm_src    => "sha1-s390x.S sha256-s390x.S sha512-s390x.S",
+	rc4_asm_src     => "rc4-s390x.s",
+	modes_asm_src   => "ghash-s390x.S",
+	chacha_asm_src  => "chacha-s390x.S",
+	poly1305_asm_src=> "poly1305-s390x.S",
+    },
+    armv4_asm => {
+	template	=> 1,
+	cpuid_asm_src   => "armcap.c armv4cpuid.S",
+	bn_asm_src      => "bn_asm.c armv4-mont.S armv4-gf2m.S",
+	ec_asm_src      => "ecp_nistz256.c ecp_nistz256-armv4.S",
+	aes_asm_src     => "aes_cbc.c aes-armv4.S bsaes-armv7.S aesv8-armx.S",
+	sha1_asm_src    => "sha1-armv4-large.S sha256-armv4.S sha512-armv4.S",
+	modes_asm_src   => "ghash-armv4.S ghashv8-armx.S",
+	chacha_asm_src  => "chacha-armv4.S",
+	poly1305_asm_src=> "poly1305-armv4.S", 
+	perlasm_scheme	=> "void"
+    },
+    aarch64_asm => {
+	template	=> 1,
+	cpuid_asm_src   => "armcap.c arm64cpuid.S mem_clr.c",
+	ec_asm_src      => "ecp_nistz256.c ecp_nistz256-armv8.S",
+	bn_asm_src      => "bn_asm.c armv8-mont.S",
+	aes_asm_src     => "aes_core.c aes_cbc.c aesv8-armx.S vpaes-armv8.S",
+	sha1_asm_src    => "sha1-armv8.S sha256-armv8.S sha512-armv8.S",
+	modes_asm_src   => "ghashv8-armx.S",
+	chacha_asm_src  => "chacha-armv8.S",
+	poly1305_asm_src=> "poly1305-armv8.S",
+    },
+    parisc11_asm => {
+	template	=> 1,
+	cpuid_asm_src   => "pariscid.s",
+	bn_asm_src      => "bn_asm.c parisc-mont.s",
+	aes_asm_src     => "aes_core.c aes_cbc.c aes-parisc.s",
+	sha1_asm_src    => "sha1-parisc.s sha256-parisc.s sha512-parisc.s",
+	rc4_asm_src     => "rc4-parisc.s",
+	modes_asm_src   => "ghash-parisc.s",
+	perlasm_scheme	=> "32"
+    },
+    parisc20_64_asm => {
+	template	=> 1,
+	inherit_from	=> [ "parisc11_asm" ],
+	perlasm_scheme	=> "64",
+    },
+    ppc64_asm => {
+	template	=> 1,
+	cpuid_asm_src   => "ppccpuid.s ppccap.c",
+	bn_asm_src      => "bn-ppc.s ppc-mont.s ppc64-mont.s",
+	aes_asm_src     => "aes_core.c aes_cbc.c aes-ppc.s vpaes-ppc.s aesp8-ppc.s",
+	sha1_asm_src    => "sha1-ppc.s sha256-ppc.s sha512-ppc.s sha256p8-ppc.s sha512p8-ppc.s",
+	modes_asm_src   => "ghashp8-ppc.s",
+	chacha_asm_src	=> "chacha-ppc.s",
+	poly1305_asm_src=> "poly1305-ppc.s poly1305-ppcfp.s",
+    },
+    ppc32_asm => {
+	inherit_from	=> [ "ppc64_asm" ],
+	template	=> 1
+    },
+);
--- a/Configurations/10-main.conf
+++ b/Configurations/10-main.conf
--- a/Configurations/90-team.conf
+++ b/Configurations/90-team.conf
@@ -2,29 +2,29 @@
 ## Build configuration targets for openssl-team members
 ##
 ## If you edit this file, run this command before committing
-##	make -f Makefile.org TABLE
+##	make -f Makefile.in TABLE
 ## This file is interpolated by the Configure script.

 %targets = (
    "purify" => {
        cc               => "purify gcc",
-        cflags           => "-g -DPURIFY -Wall",
+        cflags           => "-g -Wall",
        thread_cflag     => "(unknown)",
-        lflags           => "-lsocket -lnsl",
+        ex_libs          => "-lsocket -lnsl",
    },
    "debug" => {
        cc               => "gcc",
-        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror",
+        cflags           => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DOPENSSL_NO_ASM -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror",
        thread_cflag     => "(unknown)",
-        lflags           => "-lefence",
+        ex_libs          => "-lefence",
    },
    "debug-erbridge" => {
        inherit_from     => [ "x86_64_asm" ],
        cc               => "gcc",
-        cflags           => "$gcc_devteam_warn -DBN_DEBUG -DCONF_DEBUG -DCRYPTO_MDEBUG -m64 -DL_ENDIAN -DTERMIO -g",
+        cflags           => "$gcc_devteam_warn -DBN_DEBUG -DCONF_DEBUG -m64 -DL_ENDIAN -DTERMIO -g",
        thread_cflag     => "-D_REENTRANT",
-        lflags           => "-ldl",
-        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
+        ex_libs          => "-ldl",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
@@ -36,28 +36,28 @@
    "debug-linux-pentium" => {
        inherit_from     => [ "x86_elf_asm" ],
        cc               => "gcc",
-        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -g -mcpu=pentium -Wall",
+        cflags           => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -mcpu=pentium -Wall",
        thread_cflag     => "-D_REENTRANT",
-        lflags           => "-ldl",
-        bn_ops           => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}",
+        ex_libs          => "-ldl",
+        bn_ops           => "BN_LLONG",
        dso_scheme       => "dlfcn",
    },
    "debug-linux-ppro" => {
        inherit_from     => [ "x86_elf_asm" ],
        cc               => "gcc",
-        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -g -mcpu=pentiumpro -Wall",
+        cflags           => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -mcpu=pentiumpro -Wall",
        thread_cflag     => "-D_REENTRANT",
-        lflags           => "-ldl",
-        bn_ops           => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}",
+        ex_libs          => "-ldl",
+        bn_ops           => "BN_LLONG",
        dso_scheme       => "dlfcn",
    },
    "debug-linux-elf-noefence" => {
        inherit_from     => [ "x86_elf_asm" ],
        cc               => "gcc",
-        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -g -march=i486 -Wall",
+        cflags           => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -march=i486 -Wall",
        thread_cflag     => "-D_REENTRANT",
-        lflags           => "-ldl",
-        bn_ops           => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}",
+        ex_libs          => "-ldl",
+        bn_ops           => "BN_LLONG",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
@@ -67,22 +67,22 @@
        cc               => "gcc",
        cflags           => "-DAES_EXPERIMENTAL -DL_ENDIAN -O3 -fomit-frame-pointer -Wall",
        thread_cflag     => "-D_REENTRANT",
-        lflags           => "-ldl",
-        bn_ops           => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}",
-        cpuid_obj        => "x86cpuid.o",
-        bn_obj           => "bn-586.o co-586.o x86-mont.o",
-        des_obj          => "des-586.o crypt586.o",
-        aes_obj          => "aes_x86core.o aes_cbc.o aesni-x86.o",
-        bf_obj           => "bf-586.o",
-        md5_obj          => "md5-586.o",
-        sha1_obj         => "sha1-586.o sha256-586.o sha512-586.o",
-        cast_obj         => "cast-586.o",
-        rc4_obj          => "rc4-586.o",
-        rmd160_obj       => "rmd-586.o",
-        rc5_obj          => "rc5-586.o",
-        wp_obj           => "wp_block.o wp-mmx.o",
-        modes_obj        => "ghash-x86.o",
-        engines_obj      => "e_padlock-x86.o",
+        ex_libs          => "-ldl",
+        bn_ops           => "BN_LLONG",
+        cpuid_asm_src    => "x86cpuid.s",
+        bn_asm_src       => "bn-586.s co-586.s x86-mont.s",
+        des_asm_src      => "des-586.s crypt586.s",
+        aes_asm_src      => "aes_x86core.s aes_cbc.s aesni-x86.s",
+        bf_asm_src       => "bf-586.s",
+        md5_asm_src      => "md5-586.s",
+        sha1_asm_src     => "sha1-586.s sha256-586.s sha512-586.s",
+        cast_asm_src     => "cast-586.s",
+        rc4_asm_src      => "rc4-586.s",
+        rmd160_asm_src   => "rmd-586.s",
+        rc5_asm_src      => "rc5-586.s",
+        wp_asm_src       => "wp_block.s wp-mmx.s",
+        modes_asm_src    => "ghash-x86.s",
+        padlock_asm_src  => "e_padlock-x86.s",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
@@ -99,7 +99,7 @@
        cc               => "clang",
        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
        thread_cflag     => "${BSDthreads}",
-        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "bsd-gcc-shared",
@@ -112,12 +112,12 @@
        cflags           => "-arch x86_64 -DL_ENDIAN $gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
        thread_cflag     => "${BSDthreads}",
        sys_id           => "MACOSX",
-        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG",
        perlasm_scheme   => "macosx",
        dso_scheme       => "dlfcn",
        shared_target    => "darwin-shared",
        shared_cflag     => "-fPIC -fno-common",
        shared_ldflag    => "-arch x86_64 -dynamiclib",
-        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+        shared_extension => ".\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
    },
 );
--- a/Configurations/99-personal-ben.conf
+++ b/Configurations/99-personal-ben.conf
@@ -2,23 +2,23 @@
 ## Personal configuration targets
 ##
 ## If you edit this file, run this command before committing
-##	make -f Makefile.org TABLE
+##	make -f Makefile.in TABLE
 ## This file is interpolated by the Configure script.

 %targets = (
    "debug-ben" => {
        cc               => "gcc",
-        cflags           => "$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DDEBUG_SAFESTACK -O2 -pipe",
+        cflags           => "$gcc_devteam_warn -DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -O2 -pipe",
        thread_cflag     => "(unknown)",
    },
    "debug-ben-openbsd" => {
        cc               => "gcc",
-        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe",
+        cflags           => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe",
        thread_cflag     => "(unknown)",
    },
    "debug-ben-openbsd-debug" => {
        cc               => "gcc",
-        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe",
+        cflags           => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe",
        thread_cflag     => "(unknown)",
    },
    "debug-ben-debug" => {
@@ -31,7 +31,7 @@
        cc               => "gcc",
        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
        thread_cflag     => "${BSDthreads}",
-        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "bsd-gcc-shared",
@@ -43,7 +43,7 @@
        cc               => "clang",
        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
        thread_cflag     => "${BSDthreads}",
-        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "bsd-gcc-shared",
@@ -55,7 +55,7 @@
        cc               => "gcc",
        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -pipe",
        thread_cflag     => "${BSDthreads}",
-        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "bsd-gcc-shared",
@@ -69,12 +69,12 @@
    },
    "debug-ben-no-opt" => {
        cc               => "gcc",
-        cflags           => " -Wall -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG -Werror -DL_ENDIAN -Wall -g3",
+        cflags           => " -Wall -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -DDEBUG_SAFESTACK -Werror -DL_ENDIAN -Wall -g3",
        thread_cflag     => "(unknown)",
    },
    "debug-ben-strict" => {
        cc               => "gcc",
-        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe",
+        cflags           => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe",
        thread_cflag     => "(unknown)",
    },
    "debug-ben-darwin64" => {
@@ -83,8 +83,8 @@
        cflags           => "$gcc_devteam_warn -Wno-language-extension-token -Wno-extended-offsetof -arch x86_64 -O3 -DL_ENDIAN -DMD32_REG_T=int -Wall",
        thread_cflag     => "-D_REENTRANT",
        sys_id           => "MACOSX",
-        lflags           => "-Wl,-search_paths_first%",
-        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
+        plib_lflags      => "-Wl,-search_paths_first",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG",
        perlasm_scheme   => "macosx",
        dso_scheme       => "dlfcn",
        shared_target    => "darwin-shared",
--- a/Configurations/99-personal-bodo.conf
+++ b/Configurations/99-personal-bodo.conf
@@ -2,17 +2,17 @@
 ## Personal configuration targets
 ##
 ## If you edit this file, run this command before committing
-##	make -f Makefile.org TABLE
+##	make -f Makefile.in TABLE
 ## This file is interpolated by the Configure script.

 %targets = (
    "debug-bodo" => {
        inherit_from     => [ "x86_64_asm" ],
        cc               => "gcc",
-        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -DBIO_PAIR_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int",
+        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int",
        thread_cflag     => "-D_REENTRANT",
-        lflags           => "-ldl",
-        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
+        ex_libs          => "-ldl",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
--- a/Configurations/99-personal-geoff.conf
+++ b/Configurations/99-personal-geoff.conf
@@ -2,16 +2,15 @@
 ## Personal configuration targets
 ##
 ## If you edit this file, run this command before committing
-##	make -f Makefile.org TABLE
+##	make -f Makefile.in TABLE
 ## This file is interpolated by the Configure script.

 %targets = (
    "debug-geoff32" => {
-        inherit_from     => [ "no_asm_filler" ],
        cc               => "gcc",
-        cflags           => "-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DPURIFY -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long",
+        cflags           => "-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long",
        thread_cflag     => "-D_REENTRANT",
-        lflags           => "-ldl",
+        ex_libs          => "-ldl",
        bn_ops           => "BN_LLONG",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
@@ -19,12 +18,11 @@
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
    "debug-geoff64" => {
-        inherit_from     => [ "no_asm_filler" ],
        cc               => "gcc",
-        cflags           => "-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DPURIFY -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long",
+        cflags           => "-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long",
        thread_cflag     => "-D_REENTRANT",
-        lflags           => "-ldl",
-        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR",
+        ex_libs          => "-ldl",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHAR",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
--- a/Configurations/99-personal-levitte.conf
+++ b/Configurations/99-personal-levitte.conf
@@ -2,59 +2,22 @@
 ## Personal configuration targets
 ##
 ## If you edit this file, run this command before committing
-##	make -f Makefile.org TABLE
+##	make -f Makefile.in TABLE
 ## This file is interpolated by the Configure script.

 %targets = (
    "levitte-linux-elf" => {
-        inherit_from     => [ "x86_elf_asm" ],
-        cc               => "gcc",
-        cflags           => "-DL_ENDIAN -Wall",
-        debug_cflags     => "-DLEVITTE_DEBUG -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG-ggdb -g3",
-        thread_cflag     => "-D_REENTRANT",
-        lflags           => "-ldl",
-        bn_ops           => "BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT",
-        dso_scheme       => "dlfcn",
-        shared_target    => "linux-shared",
-        shared_cflag     => "-fPIC",
-        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+        inherit_from     => [ "linux-elf" ],
+        debug_cflags     => add("-ggdb -g3"),
+        debug_defines    => add(undef, "LEVITTE_DEBUG"),
+        build_scheme     => [ "unified", "unix" ],
+        build_file       => "Makefile",
    },
-    "debug-levitte-linux-noasm" => {
-        inherit_from     => [ "no_asm_filler" ],
-        cc               => "gcc",
-        cflags           => "-DLEVITTE_DEBUG -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -ggdb -g3 -Wall",
-        thread_cflag     => "-D_REENTRANT",
-        lflags           => "-ldl",
-        bn_ops           => "BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT",
-        dso_scheme       => "dlfcn",
-        shared_target    => "linux-shared",
-        shared_cflag     => "-fPIC",
-        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-    },
-    "debug-levitte-linux-elf-extreme" => {
-        inherit_from     => [ "x86_elf_asm" ],
-        cc               => "gcc",
-        cflags           => "-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DL_ENDIAN -DPEDANTIC -ggdb -g3 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe",
-        thread_cflag     => "-D_REENTRANT",
-        lflags           => "-ldl",
-        bn_ops           => "BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT",
-        perlasm_scheme   => "elf",
-        dso_scheme       => "dlfcn",
-        shared_target    => "linux-shared",
-        shared_cflag     => "-fPIC",
-        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-    },
-    "debug-levitte-linux-noasm-extreme" => {
-        inherit_from     => [ "no_asm_filler" ],
-        cc               => "gcc",
-        cflags           => "-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DCRYPTO_MDEBUG -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DPEDANTIC -ggdb -g3 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe",
-        thread_cflag     => "-D_REENTRANT",
-        lflags           => "-ldl",
-        bn_ops           => "BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT",
-        perlasm_scheme   => "void",
-        dso_scheme       => "dlfcn",
-        shared_target    => "linux-shared",
-        shared_cflag     => "-fPIC",
-        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+    "levitte-linux-x86_64" => {
+        inherit_from     => [ "linux-x86_64" ],
+        debug_cflags     => add("-ggdb -g3"),
+        debug_defines    => add(undef, "LEVITTE_DEBUG"),
+        build_scheme     => [ "unified", "unix" ],
+        build_file       => "Makefile",
    },
 );
--- a/Configurations/99-personal-rse.conf
+++ b/Configurations/99-personal-rse.conf
@@ -2,7 +2,7 @@
 ## Personal configuration targets
 ##
 ## If you edit this file, run this command before committing
-##	make -f Makefile.org TABLE
+##	make -f Makefile.in TABLE
 ## This file is interpolated by the Configure script.

 %targets = (
@@ -11,6 +11,6 @@
        cc               => "cc",
        cflags           => "-DL_ENDIAN -pipe -O -g -ggdb3 -Wall",
        thread_cflag     => "(unknown)",
-        bn_ops           => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}",
+        bn_ops           => "BN_LLONG",
    },
 );
--- a/Configurations/99-personal-steve.conf
+++ b/Configurations/99-personal-steve.conf
@@ -2,7 +2,7 @@
 ## Personal configuration targets
 ##
 ## If you edit this file, run this command before committing
-##	make -f Makefile.org TABLE
+##	make -f Makefile.in TABLE
 ## This file is interpolated by the Configure script.

 %targets = (
@@ -11,8 +11,8 @@
        cc               => "gcc",
        cflags           => "$gcc_devteam_warn -pthread -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -g",
        thread_cflag     => "-D_REENTRANT",
-        lflags           => "-ldl",
-        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
+        ex_libs          => "-ldl",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
@@ -25,8 +25,9 @@
        cc               => "gcc",
        cflags           => "$gcc_devteam_warn -pthread -m32 -DL_ENDIAN -DCONF_DEBUG -g",
        thread_cflag     => "-D_REENTRANT",
-        lflags           => "-rdynamic -ldl",
-        bn_ops           => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}",
+        lflags           => "-rdynamic",
+        ex_libs          => "-ldl",
+        bn_ops           => "BN_LLONG",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
@@ -38,8 +39,8 @@
        cc               => "gcc",
        cflags           => "$gcc_devteam_warn -pthread -m64 -O3 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -g",
        thread_cflag     => "-D_REENTRANT",
-        lflags           => "-ldl",
-        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
+        ex_libs          => "-ldl",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
--- a/Configurations/README
+++ b/Configurations/README
@@ -0,0 +1,621 @@
+Configurations of OpenSSL target platforms
+==========================================
+
+Target configurations are a collection of facts that we know about
+different platforms and their capabilities.  We organise them in a
+hash table, where each entry represent a specific target.
+
+In each table entry, the following keys are significant:
+
+        inherit_from    => Other targets to inherit values from.
+                           Explained further below. [1]
+        template        => Set to 1 if this isn't really a platform
+                           target.  Instead, this target is a template
+                           upon which other targets can be built.
+                           Explained further below.  [1]
+
+        sys_id          => System identity for systems where that
+                           is difficult to determine automatically.
+
+        cc              => The compiler command, usually one of "cc",
+                           "gcc" or "clang".  This command is normally
+                           also used to link object files and
+                           libraries into the final program.
+        cflags          => Flags that are used at all times when
+                           compiling.
+        defines         => As an alternative, macro definitions may be
+                           present here instead of in `cflags'.  If
+                           given here, they MUST be as an array of the
+                           string such as "MACRO=value", or just
+                           "MACRO" for definitions without value.
+        debug_cflags    => Extra compilation flags used when making a
+                           debug build (when Configure receives the
+                           --debug option).  Typically something like
+                           "-g -O0".
+        debug_defines   => Similarly to `debug_cflags', this gets
+                           combined with `defines' during a debug
+                           build.  The value here MUST also be an
+                           array of the same form as for `defines'.
+        release_cflags  => Extra compilation flags used when making a
+                           release build (when Configure receives the
+                           --release option, or doesn't receive the
+                           --debug option).  Typically something like
+                           "-O" or "-O3".
+        release_defines => Similarly to `release_cflags', this gets
+                           combined with `defines' during a release
+                           build.  The value here MUST also be an
+                           array of the same form as for `defines'.
+        thread_cflags   => Extra compilation flags used when
+                           compiling with threading enabled.
+                           Explained further below.  [2]
+        thread_defines  => Similarly to `thread_cflags', this gets
+                           combined with `defines' when threading is
+                           enabled.  The value here MUST also be an
+                           array of the same form as for `defines'.
+        shared_cflag    => Extra compilation flags used when
+                           compiling for shared libraries, typically
+                           something like "-fPIC".
+
+        (linking is a complex thing, see [3] below)
+        ld              => Linker command, usually not defined
+                           (meaning the compiler command is used
+                           instead).
+                           (NOTE: this is here for future use, it's
+                           not implemented yet)
+        lflags          => Flags that are used when linking apps.
+        shared_ldflag   => Flags that are used when linking shared
+                           or dynamic libraries.
+        plib_lflags     => Extra linking flags to appear just before
+                           the libraries on the command line.
+        ex_libs         => Extra libraries that are needed when
+                           linking.
+
+        debug_lflags    => Like debug_cflags, but used when linking.
+        release_lflags  => Like release_cflags, but used when linking.
+
+        ar              => The library archive command, the default is
+                           "ar".
+                           (NOTE: this is here for future use, it's
+                           not implemented yet)
+        arflags         => Flags to be used with the library archive
+                           command.
+
+        ranlib          => The library archive indexing command, the
+                           default is 'ranlib' it it exists.
+
+        unistd          => An alternative header to the typical
+                           '<unistd.h>'.  This is very rarely needed.
+
+        shared_extension => File name extension used for shared
+                            libraries. 
+        obj_extension   => File name extension used for object files.
+                           On unix, this defaults to ".o" (NOTE: this
+                           is here for future use, it's not
+                           implemented yet)
+        exe_extension   => File name extension used for executable
+                           files.  On unix, this defaults to "" (NOTE:
+                           this is here for future use, it's not
+                           implemented yet)
+
+        dso_scheme      => The type of dynamic shared objects to build
+                           for.  This mostly comes into play with
+                           engines, but can be used for other purposes
+                           as well.  Valid values are "DLFCN"
+                           (dlopen() et al), "DLFCN_NO_H" (for systems
+                           that use dlopen() et al but do not have
+                           fcntl.h), "DL" (shl_load() et al), "WIN32"
+                           and "VMS".
+        perlasm_scheme  => The perlasm method used to created the
+                           assembler files used when compiling with
+                           assembler implementations.
+        shared_target   => The shared library building method used.
+                           This is a target found in Makefile.shared.
+        build_scheme    => The scheme used to build up a Makefile.
+                           In its simplest form, the value is a string
+                           with the name of the build scheme.
+                           The value may also take the form of a list
+                           of strings, if the build_scheme is to have
+                           some options.  In this case, the first
+                           string in the list is the name of the build
+                           scheme.
+                           Currently recognised build schemes are
+                           "mk1mf" and "unixmake" and "unified".
+                           For the "unified" build scheme, this item
+                           *must* be an array with the first being the
+                           word "unified" and the second being a word
+                           to identify the platform family.
+
+        multilib        => On systems that support having multiple
+                           implementations of a library (typically a
+                           32-bit and a 64-bit variant), this is used
+                           to have the different variants in different
+                           directories.
+
+        bn_ops          => Building options (was just bignum options
+                           in the earlier history of this option,
+                           hence the name).  This a string of words
+                           that describe properties on the designated
+                           target platform, such as the type of
+                           integers used to build up the bitnum,
+                           different ways to implement certain ciphers
+                           and so on.  To fully comprehend the
+                           meaning, the best is to read the affected
+                           source.
+                           The valid words are:
+
+                           BN_LLONG     use 'unsigned long long' in
+                                        some bignum calculations.
+                                        This has no value when
+                                        SIXTY_FOUR_BIT or
+                                        SIXTY_FOUR_BIT_LONG is given.
+                           RC4_CHAR     makes the basic RC4 unit of
+                                        calculation an unsigned char.
+                           SIXTY_FOUR_BIT       processor registers
+                                                are 64 bits, long is
+                                                32 bits, long long is
+                                                64 bits.
+                           SIXTY_FOUR_BIT_LONG  processor registers
+                                                are 64 bits, long is
+                                                64 bits.
+                           THIRTY_TWO_BIT       processor registers
+                                                are 32 bits.
+                           EXPORT_VAR_AS_FN     for shared libraries,
+                                                export vars as
+                                                accessor functions.
+
+        apps_extra_src  => Extra source to build apps/openssl, as
+                           needed by the target.
+        cpuid_asm_src   => assembler implementation of cpuid code as
+                           well as OPENSSL_cleanse().
+                           Default to mem_clr.c
+        bn_asm_src      => Assembler implementation of core bignum
+                           functions.
+                           Defaults to bn_asm.c
+        ec_asm_src      => Assembler implementation of core EC
+                           functions.
+        des_asm_src     => Assembler implementation of core DES
+                           encryption functions.
+                           Defaults to 'des_enc.c fcrypt_b.c'
+        aes_asm_src     => Assembler implementation of core AES
+                           functions.
+                           Defaults to 'aes_core.c aes_cbc.c'
+        bf_asm_src      => Assembler implementation of core BlowFish
+                           functions.
+                           Defaults to 'bf_enc.c'
+        md5_asm_src     => Assembler implementation of core MD5
+                           functions.
+        sha1_asm_src    => Assembler implementation of core SHA1,
+                           functions, and also possibly SHA256 and
+                           SHA512 ones.
+        cast_asm_src    => Assembler implementation of core CAST
+                           functions.
+                           Defaults to 'c_enc.c'
+        rc4_asm_src     => Assembler implementation of core RC4
+                           functions.
+                           Defaults to 'rc4_enc.c rc4_skey.c'
+        rmd160_asm_src  => Assembler implementation of core RMD160
+                           functions.
+        rc5_asm_src     => Assembler implementation of core RC5
+                           functions.
+                           Defaults to 'rc5_enc.c'
+        wp_asm_src      => Assembler implementation of core WHIRLPOOL
+                           functions.
+        cmll_asm_src    => Assembler implementation of core CAMELLIA
+                           functions.
+                           Defaults to 'camellia.c cmll_misc.c cmll_cbc.c'
+        modes_asm_src   => Assembler implementation of cipher modes,
+                           currently the functions gcm_gmult_4bit and
+                           gcm_ghash_4bit.
+        padlock_asm_src => Assembler implementation of core parts of
+                           the padlock engine.  This is mandatory on
+                           any platform where the padlock engine might
+                           actually be built.
+
+
+[1] as part of the target configuration, one can have a key called
+    'inherit_from' that indicate what other configurations to inherit
+    data from.  These are resolved recursively.
+
+    Inheritance works as a set of default values that can be overriden
+    by corresponding key values in the inheriting configuration.
+
+    Note 1: any configuration table can be used as a template.
+    Note 2: pure templates have the attribute 'template => 1' and
+            cannot be used as build targets.
+
+    If several configurations are given in the 'inherit_from' array,
+    the values of same attribute are concatenated with space
+    separation.  With this, it's possible to have several smaller
+    templates for different configuration aspects that can be combined
+    into a complete configuration.
+
+    instead of a scalar value or an array, a value can be a code block
+    of the form 'sub { /* your code here */ }'.  This code block will
+    be called with the list of inherited values for that key as
+    arguments.  In fact, the concatenation of strings is really done
+    by using 'sub { join(" ",@_) }' on the list of inherited values.
+
+    An example:
+
+        "foo" => {
+                template => 1,
+                haha => "ha ha",
+                hoho => "ho",
+                ignored => "This should not appear in the end result",
+        },
+        "bar" => {
+                template => 1,
+                haha => "ah",
+                hoho => "haho",
+                hehe => "hehe"
+        },
+        "laughter" => {
+                inherit_from => [ "foo", "bar" ],
+                hehe => sub { join(" ",(@_,"!!!")) },
+                ignored => "",
+        }
+
+        The entry for "laughter" will become as follows after processing:
+
+        "laughter" => {
+                haha => "ha ha ah",
+                hoho => "ho haho",
+                hehe => "hehe !!!",
+                ignored => ""
+        }
+
+[2] OpenSSL is built with threading capabilities unless the user
+    specifies 'no-threads'.  The value of the key 'thread_cflags' may
+    be "(unknown)", in which case the user MUST give some compilation
+    flags to Configure.
+
+[3] OpenSSL has three types of things to link from object files or
+    static libraries:
+
+    - shared libraries; that would be libcrypto and libssl.
+    - shared objects (sometimes called dynamic libraries);  that would
+      be the engines.
+    - applications; those are apps/openssl and all the test apps.
+
+    Very roughly speaking, linking is done like this (words in braces
+    represent the configuration settings documented at the beginning
+    of this file):
+
+    shared libraries:
+        {ld} $(CFLAGS) {shared_ldflag} -shared -o libfoo.so \
+            -Wl,--whole-archive libfoo.a -Wl,--no-whole-archive \
+            {plib_lflags} -lcrypto {ex_libs}
+
+    shared objects:
+        {ld} $(CFLAGS) {shared_ldflag} -shared -o libeng.so \
+            blah1.o blah2.o {plib_lflags} -lcrypto {ex_libs}
+
+    applications:
+        {ld} $(CFLAGS) {lflags} -o app \
+            app1.o utils.o {plib_lflags} -lssl -lcrypto {ex_libs}
+
+
+Historically, the target configurations came in form of a string with
+values separated by colons.  This use is deprecated.  The string form
+looked like this:
+
+   "target" => "{cc}:{cflags}:{unistd}:{thread_cflag}:{sys_id}:{lflags}:{bn_ops}:{cpuid_obj}:{bn_obj}:{ec_obj}:{des_obj}:{aes_obj}:{bf_obj}:{md5_obj}:{sha1_obj}:{cast_obj}:{rc4_obj}:{rmd160_obj}:{rc5_obj}:{wp_obj}:{cmll_obj}:{modes_obj}:{padlock_obj}:{perlasm_scheme}:{dso_scheme}:{shared_target}:{shared_cflag}:{shared_ldflag}:{shared_extension}:{ranlib}:{arflags}:{multilib}"
+
+
+Build info files
+================
+
+The build.info files that are spread over the source tree contain the
+minimum information needed to build and distribute OpenSSL.  It uses a
+simple and yet fairly powerful language to determine what needs to be
+built, from what sources, and other relationships between files.
+
+For every build.info file, all file references are relative to the
+directory of the build.info file for source files, and the
+corresponding build directory for built files if the build tree
+differs from the source tree.
+
+When processed, every line is processed with the perl module
+Text::Template, using the delimiters "{-" and "-}".  The hashes
+%config and %target are passed to the perl fragments, along with
+$sourcedir and $builddir, which are the locations of the source
+directory for the current build.info file and the corresponding build
+directory, all relative to the top of the build tree.
+
+To begin with, things to be built are declared by setting specific
+variables:
+
+    PROGRAMS=foo bar
+    LIBS=libsomething
+    ENGINES=libeng
+    SCRIPTS=myhack
+    EXTRA=file1 file2
+
+Note that the files mentioned for PROGRAMS, LIBS and ENGINES *must* be
+without extensions.  The build file templates will figure them out.
+
+For each thing to be built, it is then possible to say what sources
+they are built from:
+
+    PROGRAMS=foo bar
+    SOURCE[foo]=foo.c common.c
+    SOURCE[bar]=bar.c extra.c common.c
+
+It's also possible to tell some other dependencies:
+
+    DEPEND[foo]=libsomething
+    DEPEND[libbar]=libsomethingelse
+
+(it could be argued that 'libsomething' and 'libsomethingelse' are
+source as well.  However, the files given through SOURCE are expected
+to be located in the source tree while files given through DEPEND are
+expected to be located in the build tree)
+
+For some libraries, we maintain files with public symbols and their
+slot in a transfer vector (important on some platforms).  It can be
+declared like this:
+
+    ORDINALS[libcrypto]=crypto
+
+The value is not the name of the file in question, but rather the
+argument to util/mkdef.pl that indicates which file to use.
+
+One some platforms, shared libraries come with a name that's different
+from their static counterpart.  That's declared as follows:
+
+    SHARED_NAME[libfoo]=cygfoo-{- $config{shlibver} -}
+
+The example is from Cygwin, which has a required naming convention.
+
+Sometimes, it makes sense to rename an output file, for example a
+library:
+
+    RENAME[libfoo]=libbar
+
+That lines has "libfoo" get renamed to "libbar".  While it makes no
+sense at all to just have a rename like that (why not just use
+"libbar" everywhere?), it does make sense when it can be used
+conditionally.  See a little further below for an example.
+
+For any file to be built, it's also possible to tell what extra
+include paths the build of their source files should use:
+
+    INCLUDE[foo]=include
+
+It's possible to have raw build file lines, between BEGINRAW and
+ENDRAW lines as follows:
+
+    BEGINRAW[Makefile(unix)]
+    haha.h: {- $builddir -}/Makefile
+        echo "/* haha */" > haha.h
+    ENDRAW[Makefile(unix)]
+
+The word withing square brackets is the build_file configuration item
+or the build_file configuration item followed by the second word in the
+build_scheme configuration item for the configured target within
+parenthesis as shown above.  For example, with the following relevant
+configuration items:
+
+   build_file   => "build.ninja"
+   build_scheme => [ "unified", "unix" ]
+
+... these lines will be considered:
+
+   BEGINRAW[build.ninja]
+   build haha.h: echo "/* haha */" > haha.h
+   ENDRAW[build.ninja]
+
+   BEGINRAW[build.ninja(unix)]
+   build hoho.h: echo "/* hoho */" > hoho.h
+   ENDRAW[build.ninja(unix)]
+
+See the documentation further up for more information on configuration
+items.
+
+Finally, you can have some simple conditional use of the build.info
+information, looking like this:
+
+    IF[1]
+     something
+    ELSIF[2]
+     something other
+    ELSE
+     something else
+    ENDIF
+
+The expression in square brackets is interpreted as a string in perl,
+and will be seen as true if perl thinks it is, otherwise false.  For
+example, the above would have "something" used, since 1 is true.
+
+Together with the use of Text::Template, this can be used as
+conditions based on something in the passed variables, for example:
+
+    IF[{- $config{no_shared} -}]
+      LIBS=libcrypto
+      SOURCE[libcrypto]=...
+    ELSE
+      LIBS=libfoo
+      SOURCE[libfoo]=...
+    ENDIF
+
+or:
+
+    # VMS has a cultural standard where all libraries are prefixed.
+    # For OpenSSL, the choice is 'ossl_'
+    IF[{- $config{target} =~ /^vms/ -}]
+     RENAME[libcrypto]=ossl_libcrypto
+     RENAME[libssl]=ossl_libssl
+    ENDIF
+
+
+Build-file programming with the "unified" build system
+======================================================
+
+"Build files" are called "Makefile" on Unix-like operating systems,
+"descrip.mms" for MMS on VMS, "makefile" for nmake on Windows, etc.
+
+To use the "unified" build system, the target configuration needs to
+set the three items 'build_scheme', 'build_file' and 'build_command'.
+In the rest of this section, we will assume that 'build_scheme' is set
+to "unified" (see the configurations documentation above for the
+details).
+
+For any name given by 'build_file', the "unified" system expects a
+template file in Configurations/ named like the build file, with
+".tmpl" appended, or in case of possible ambiguity, a combination of
+the second 'build_scheme' list item and the 'build_file' name.  For
+example, if 'build_file' is set to "Makefile", the template could be
+Configurations/Makefile.tmpl or Configurations/unix-Makefile.tmpl.
+In case both Configurations/unix-Makefile.tmpl and
+Configurations/Makefile.tmpl are present, the former takes
+precedence.
+
+The build-file template is processed with the perl module
+Text::Template, using "{-" and "-}" as delimiters that enclose the
+perl code fragments that generate configuration-dependent content.
+Those perl fragments have access to all the hash variables from
+configdata.pem.
+
+The build-file template is expected to define at least the following
+perl functions in a perl code fragment enclosed with "{-" and "-}".
+They are all expected to return a string with the lines they produce.
+
+    src2dep     - function that produces build file lines to get the
+                  dependencies for an object file into a dependency
+                  file.
+
+                  It's called like this:
+
+                        src2dep(obj => "PATH/TO/objectfile",
+                                srcs => [ "PATH/TO/sourcefile", ... ],
+                                deps => [ "dep1", ... ],
+                                incs => [ "INCL/PATH", ... ]);
+
+                  'obj' has the dependent object file as well as
+                  object file the dependencies are for; it's *without*
+                  extension, src2dep() is expected to add that.
+                  'srcs' has the list of source files to build the
+                  object file, with the first item being the source
+                  file that directly corresponds to the object file.
+                  'deps' is a list of explicit dependencies.  'incs'
+                  is a list of include file directories.
+
+    src2obj     - function that produces build file lines to build an
+                  object file from source files and associated data.
+
+                  It's called like this:
+
+                        src2obj(obj => "PATH/TO/objectfile",
+                                srcs => [ "PATH/TO/sourcefile", ... ],
+                                deps => [ "dep1", ... ],
+                                incs => [ "INCL/PATH", ... ]);
+
+                  'obj' has the intended object file *without*
+                  extension, src2obj() is expected to add that.
+                  'srcs' has the list of source files to build the
+                  object file, with the first item being the source
+                  file that directly corresponds to the object file.
+                  'deps' is a list of explicit dependencies.  'incs'
+                  is a list of include file directories.
+
+    obj2lib     - function that produces build file lines to build a
+                  static library file ("libfoo.a" in Unix terms) from
+                  object files.
+
+                  called like this:
+
+                        obj2lib(lib => "PATH/TO/libfile",
+                                objs => [ "PATH/TO/objectfile", ... ]);
+
+                  'lib' has the intended library file name *without*
+                  extension, obj2lib is expected to add that.  'objs'
+                  has the list of object files (also *without*
+                  extension) to build this library.
+
+    libobj2shlib - function that produces build file lines to build a
+                  shareable object library file ("libfoo.so" in Unix
+                  terms) from the corresponding static library file
+                  or object files.
+
+                  called like this:
+
+                        libobj2shlib(shlib => "PATH/TO/shlibfile",
+                                     lib => "PATH/TO/libfile",
+                                     objs => [ "PATH/TO/objectfile", ... ],
+                                     deps => [ "PATH/TO/otherlibfile", ... ],
+                                     ordinals => [ "word", "/PATH/TO/ordfile" ]);
+
+                  'lib' has the intended library file name *without*
+                  extension, libobj2shlib is expected to add that.
+                  'shlib' has the correcponding shared library name
+                  *without* extension.  'deps' has the list of other
+                  libraries (also *without* extension) this library
+                  needs to be linked with.  'objs' has the list of
+                  object files (also *without* extension) to build
+                  this library.  'ordinals' MAY be present, and when
+                  it is, its value is an array where the word is
+                  "crypto" or "ssl" and the file is one of the ordinal
+                  files util/libeay.num or util/ssleay.num in the
+                  source directory.
+
+                  This function has a choice; it can use the
+                  corresponding static library as input to make the
+                  shared library, or the list of object files.
+
+    obj2dynlib  - function that produces build file lines to build a
+                  dynamically loadable library file ("libfoo.so" on
+                  Unix) from object files.
+
+                  called like this:
+
+                        obj2dynlib(lib => "PATH/TO/libfile",
+                                   objs => [ "PATH/TO/objectfile", ... ],
+                                   deps => [ "PATH/TO/otherlibfile",
+                                   ... ]);
+
+                  This is almost the same as libobj2shlib, but the
+                  intent is to build a shareable library that can be
+                  loaded in runtime (a "plugin"...).  The differences
+                  are subtle, one of the most visible ones is that the
+                  resulting shareable library is produced from object
+                  files only.
+
+    obj2bin     - function that produces build file lines to build an
+                  executable file from object files.
+
+                  called like this:
+
+                        obj2bin(bin => "PATH/TO/binfile",
+                                objs => [ "PATH/TO/objectfile", ... ],
+                                deps => [ "PATH/TO/libfile", ... ]);
+
+                  'bin' has the intended executable file name
+                  *without* extension, obj2bin is expected to add
+                  that.  'objs' has the list of object files (also
+                  *without* extension) to build this library.  'deps'
+                  has the list of library files (also *without*
+                  extension) that the programs needs to be linked
+                  with.
+
+    in2script   - function that produces build file lines to build a
+                  script file from some input.
+
+                  called like this:
+
+                        in2script(script => "PATH/TO/scriptfile",
+                                  sources => [ "PATH/TO/infile", ... ]);
+
+                  'script' has the intended script file name.
+                  'sources' has the list of source files to build the
+                  resulting script from.
+
+In all cases, file file paths are relative to the build tree top, and
+the build file actions run with the build tree top as current working
+directory.
+
+Make sure to end the section with these functions with a string that
+you thing is apropriate for the resulting build file.  If nothing
+else, end it like this:
+
+      "";       # Make sure no lingering values end up in the Makefile
+    -}
--- a/Configurations/README.design
+++ b/Configurations/README.design
@@ -0,0 +1,550 @@
+Design document for the unified scheme data
+===========================================
+
+How are things connected?
+-------------------------
+
+The unified scheme takes all its data from the build.info files seen
+throughout the source tree.  These files hold the minimum information
+needed to build end product files from diverse sources.  See the
+section on build.info files below.
+
+From the information in build.info files, Configure builds up an
+information database as a hash table called %unified_info, which is
+stored in configdata.pm, found at the top of the build tree (which may
+or may not be the same as the source tree).
+
+Configurations/common.tmpl uses the data from %unified_info to
+generate the rules for building end product files as well as
+intermediary files with the help of a few functions found in the
+build-file templates.  See the section on build-file templates further
+down for more information.
+
+build.info files
+----------------
+
+As mentioned earlier, build.info files are meant to hold the minimum
+information needed to build output files, and therefore only (with a
+few possible exceptions [1]) have information about end products (such
+as scripts, library files and programs) and source files (such as C
+files, C header files, assembler files, etc).  Intermediate files such
+as object files are rarely directly refered to in build.info files (and
+when they are, it's always with the file name extension .o), they are
+infered by Configure.  By the same rule of minimalism, end product
+file name extensions (such as .so, .a, .exe, etc) are never mentioned
+in build.info.  Their file name extensions will be infered by the
+build-file templates, adapted for the platform they are meant for (see
+sections on %unified_info and build-file templates further down).
+
+The variables PROGRAMS, LIBS, ENGINES and SCRIPTS are used to declare
+end products.
+
+The variables SOURCE, DEPEND, INCLUDE and ORDINALS are indexed by a
+produced file, and their values are the source used to produce that
+particular produced file, extra dependencies, include directories
+needed, and ordinal files (explained further below.
+
+All their values in all the build.info throughout the source tree are
+collected together and form a set of programs, libraries, engines and
+scripts to be produced, source files, dependencies, etc etc etc.
+
+Let's have a pretend example, a very limited contraption of OpenSSL,
+composed of the program 'apps/openssl', the libraries 'libssl' and
+'libcrypto', an engine 'engines/ossltest' and their sources and
+dependencies.
+
+    # build.info
+    LIBS=libcrypto libssl
+    ORDINALS[libcrypto]=crypto
+    ORDINALS[libssl]=ssl
+    INCLUDE[libcrypto]=include
+    INCLUDE[libssl]=include
+    DEPEND[libssl]=libcrypto
+
+This is the top directory build.info file, and it tells us that two
+libraries are to be built, there are some ordinals to be used to
+declare what symbols in those libraries are seen as public, the
+include directory 'include/' shall be used throughout when building
+anything that will end up in each library, and that the library
+'libssl' depend on the library 'libcrypto' to function properly.
+
+    # apps/build.info
+    PROGRAMS=openssl
+    SOURCE[openssl]=openssl.c
+    INCLUDE[openssl]=.. ../include
+    DEPEND[openssl]=../libssl
+
+This is the build.info file in 'apps/', one may notice that all file
+paths mentioned are relative to the directory the build.info file is
+located in.  This one tells us that there's a program to be built
+called 'apps/openssl' (the file name extension will depend on the
+platform and is therefore not mentioned in the build.info file).  It's
+built from one source file, 'apps/openssl.c', and building it requires
+the use of '.' and 'include' include directories (both are declared
+from the point of view of the 'apps/' directory), and that the program
+depends on the library 'libssl' to function properly.
+
+    # crypto/build.info
+    LIBS=../libcrypto
+    SOURCE[../libcrypto]=aes.c evp.c cversion.c
+    DEPEND[cversion.o]=buildinf.h
+    
+    BEGINRAW[Makefile(unix)]
+    crypto/buildinf.h : Makefile
+    	perl util/mkbuildinf.h "$(CC) $(CFLAGS)" "$(PLATFORM)" \
+    	    > crypto/buildinf.h
+    ENDRAW[Makefile(unix)]
+
+This is the build.info file in 'crypto', and it tells us a little more
+about what's needed to produce 'libcrypto'.  LIBS is used again to
+declare that 'libcrypto' is to be produced.  This declaration is
+really unnecessary as it's already mentioned in the top build.info
+file, but can make the info file easier to understand.  This is to
+show that duplicate information isn't an issue.
+
+This build.info file informs us that 'libcrypto' is built from a few
+source files, 'crypto/aes.c', 'crypto/evp.c' and 'crypto/cversion.c'.
+It also shows us that building the object file inferred from
+'crypto/cversion.c' depends on 'crypto/buildinf.h'.  Finally, it 
+also shows the possibility to include raw build-file statements in a
+build.info file, in this case showing how 'buildinf.h' is built on
+Unix-like operating systems.
+
+Two things are worth an extra note:
+
+'DEPEND[cversion.o]' mentiones an object file.  DEPEND indexes is the
+only location where it's valid to mention them
+
+Lines in 'BEGINRAW'..'ENDRAW' sections must always mention files as
+seen from the top directory, no exception.
+
+    # ssl/build.info
+    LIBS=../libssl
+    SOURCE[../libssl]=tls.c
+
+This is the build.info file in 'ssl/', and it tells us that the
+library 'libssl' is built from the source file 'ssl/tls.c'.
+
+    # engines/build.info
+    ENGINES=libossltest
+    SOURCE[libossltest]=e_ossltest.c
+    DEPEND[libossltest]=../libcrypto
+    INCLUDE[libossltest]=../include
+
+This is the build.info file in 'engines/', telling us that an engine
+called 'engines/libossltest' shall be built, that it's source is
+'engines/e_ossltest.c' and that the include directory 'include/' may
+be used when building anything that will be part of this engine.
+Finally, the engine 'engines/libossltest' depends on the library
+'libcrypto' to function properly.
+
+When Configure digests these build.info files, the accumulated
+information comes down to this:
+
+    LIBS=libcrypto libssl
+    ORDINALS[libcrypto]=crypto
+    SOURCE[libcrypto]=crypto/aes.c crypto/evp.c crypto/cversion.c
+    DEPEND[crypto/cversion.o]=crypto/buildinf.h
+    INCLUDE[libcrypto]=include
+    ORDINALS[libssl]=ssl
+    SOURCE[libssl]=ssl/tls.c
+    INCLUDE[libssl]=include
+    DEPEND[libssl]=libcrypto
+    
+    PROGRAMS=apps/openssl
+    SOURCE[apps/openssl]=apps/openssl.c
+    INCLUDE[apps/openssl]=. include
+    DEPEND[apps/openssl]=libssl
+
+    ENGINES=engines/libossltest
+    SOURCE[engines/libossltest]=engines/e_ossltest.c
+    DEPEND[engines/libossltest]=libcrypto
+    INCLUDE[engines/libossltest]=include
+    
+    BEGINRAW[Makefile(unix)]
+    crypto/buildinf.h : Makefile
+    	perl util/mkbuildinf.h "$(CC) $(CFLAGS)" "$(PLATFORM)" \
+    	    > crypto/buildinf.h
+    ENDRAW[Makefile(unix)]
+
+
+A few notes worth mentioning:
+
+LIBS may be used to declare routine libraries only.
+
+PROGRAMS may be used to declare programs only.
+
+ENGINES may be used to declare engines only.
+
+The indexes for SOURCE, INCLUDE and ORDINALS must only be end product
+files, such as libraries, programs or engines.  The values of SOURCE
+variables must only be source files (possibly generated)
+
+DEPEND shows a relationship between different end product files, such
+as a program depending on a library, or between an object file and
+some extra source file.
+
+When Configure processes the build.info files, it will take it as
+truth without question, and will therefore perform very few checks.
+If the build tree is separate from the source tree, it will assume
+that all built files and up in the build directory and that all source
+files are to be found in the source tree, if they can be found there.
+Configure will assume that source files that can't be found in the
+source tree (such as 'crypto/bildinf.h' in the example above) are
+generated and will be found in the build tree.
+
+
+The %unified_info database
+--------------------------
+
+The information in all the build.info get digested by Configure and
+collected into the %unified_info database, divided into the following
+indexes:
+
+  depends   => a hash table containing 'file' => [ 'dependency' ... ]
+               pairs.  These are directly inferred from the DEPEND
+               variables in build.info files.
+
+  engines   => a list of engines.  These are directly inferred from
+               the ENGINES variable in build.info files.
+
+  includes  => a hash table containing 'file' => [ 'include' ... ]
+               pairs.  These are directly inferred from the INCLUDE
+               variables in build.info files.
+
+  libraries => a list of libraries.  These are directly inferred from
+               the LIBS variable in build.info files.
+
+  ordinals  => a hash table containing 'file' => [ 'word', 'ordfile' ]
+               pairs.  'file' and 'word' are directly inferred from
+               the ORDINALS variables in build.info files, while the
+               file 'ofile' comes from internal knowledge in
+               Configure.
+
+  programs  => a list of programs.  These are directly inferred from
+               the PROGRAMS variable in build.info files.
+
+  rawlines  => a list of build-file lines.  These are a direct copy of
+               the BEGINRAW..ENDRAW lines in build.info files.  Note:
+               only the BEGINRAW..ENDRAW section for the current
+               platform are copied, the rest are ignored.
+
+  scripts   => a list of scripts.  There are directly inferred from
+               the SCRIPTS variable in build.info files.
+
+  sources   => a hash table containing 'file' => [ 'sourcefile' ... ]
+               pairs.  These are indirectly inferred from the SOURCE
+               variables in build.info files.  Object files are
+               mentioned in this hash table, with source files from
+               SOURCE variables, and AS source files for programs and
+               libraries.
+
+As an example, here is how the build.info files example from the
+section above would be digested into a %unified_info table:
+
+    our %unified_info = (
+        "depends" =>
+            {
+                "apps/openssl" =>
+                    [
+                        "libssl",
+                    ],
+                "crypto/cversion.o" =>
+                    [
+                        "crypto/buildinf.h",
+                    ],
+                "engines/libossltest" =>
+                    [
+                        "libcrypto",
+                    ],
+                "libssl" =>
+                    [
+                        "libcrypto",
+                    ],
+            },
+        "engines" =>
+            [
+                "engines/libossltest",
+            ],
+        "includes" =>
+            {
+                "apps/openssl" =>
+                    [
+                        ".",
+                        "include",
+                    ],
+                "engines/libossltest" =>
+                    [
+                        "include"
+                    ],
+                "libcrypto" =>
+                    [
+                        "include",
+                    ],
+                "libssl" =>
+                    [
+                        "include",
+                    ],
+            }
+        "libraries" =>
+            [
+                "libcrypto",
+                "libssl",
+            ],
+        "ordinals" =>
+            {
+                "libcrypto" =>
+                    [
+                        "crypto",
+                        "util/libeay.num",
+                    ],
+                "libssl" =>
+                    [
+                        "ssl",
+                        "util/ssleay.num",
+                    ],
+            },
+        "programs" =>
+            [
+                "apps/openssl",
+            ],
+        "rawlines" =>
+            [
+                "crypto/buildinf.h : Makefile",
+                "	perl util/mkbuildinf.h \"\$(CC) \$(CFLAGS)\" \"\$(PLATFORM)\" \\"
+                "	    > crypto/buildinf.h"
+            ],
+        "sources" =>
+            {
+                "apps/openssl" =>
+                    [
+                        "apps/openssl.o",
+                    ],
+                "apps/openssl.o" =>
+                    [
+                        "apps/openssl.c",
+                    ],
+                "crypto/aes.o" =>
+                    [
+                        "crypto/aes.c",
+                    ],
+                "crypto/cversion.o" =>
+                    [
+                        "crypto/cversion.c",
+                    ],
+                "crypto/evp.o" =>
+                    [
+                        "crypto/evp.c",
+                    ],
+                "engines/e_ossltest.o" =>
+                    [
+                        "engines/e_ossltest.c",
+                    ],
+                "engines/libossltest" =>
+                    [
+                        "engines/e_ossltest.o",
+                    ],
+                "libcrypto" =>
+                    [
+                        "crypto/aes.c",
+                        "crypto/cversion.c",
+                        "crypto/evp.c",
+                    ],
+                "libssl" =>
+                    [
+                        "ssl/tls.c",
+                    ],
+                "ssl/tls.o" =>
+                    [
+                        "ssl/tls.c",
+                    ],
+            },
+    );
+
+As can be seen, everything in %unified_info is fairly simple nuggest
+of information.  Still, it tells us that to build all programs, we
+must build 'apps/openssl', and to build the latter, we will need to
+build all its sources ('apps/openssl.o' in this case) and all the
+other things it depends on (such as 'libssl').  All those dependencies
+need to be built as well, using the same logic, so to build 'libssl',
+we need to build 'ssl/tls.o' as well as 'libcrypto', and to build the
+latter...
+
+
+Build-file templates
+--------------------
+
+Build-file templates are essentially build-files (such as Makefile on
+Unix) with perl code fragments mixed in.  Those perl code fragment
+will generate all the configuration dependent data, including all the
+rules needed to build end product files and intermediary files alike.
+At a minimum, there must be a perl code fragment that defines a set of
+functions that are used to generates specific build-file rules, to
+build static libraries from object files, to build shared libraries
+from static libraries, to programs from object files and libraries,
+etc.
+
+    src2dep     - function that produces build file lines to get the
+                  dependencies for an object file into a dependency
+                  file.
+
+                  It's called like this:
+
+                        src2dep(obj => "PATH/TO/objectfile",
+                                srcs => [ "PATH/TO/sourcefile", ... ],
+                                incs => [ "INCL/PATH", ... ]);
+
+                  'obj' has the dependent object file as well as
+                  object file the dependencies are for; it's *without*
+                  extension, src2dep() is expected to add that.
+                  'srcs' has the list of source files to build the
+                  object file, with the first item being the source
+                  file that directly corresponds to the object file.
+                  'incs' is a list of include file directories.
+
+    src2obj     - function that produces build file lines to build an
+                  object file from source files and associated data.
+
+                  It's called like this:
+
+                        src2obj(obj => "PATH/TO/objectfile",
+                                srcs => [ "PATH/TO/sourcefile", ... ],
+                                deps => [ "dep1", ... ],
+                                incs => [ "INCL/PATH", ... ]);
+
+                  'obj' has the intended object file *without*
+                  extension, src2obj() is expected to add that.
+                  'srcs' has the list of source files to build the
+                  object file, with the first item being the source
+                  file that directly corresponds to the object file.
+                  'deps' is a list of dependencies.  'incs' is a list
+                  of include file directories.
+
+    obj2lib     - function that produces build file lines to build a
+                  static library file ("libfoo.a" in Unix terms) from
+                  object files.
+
+                  called like this:
+
+                        obj2lib(lib => "PATH/TO/libfile",
+                                objs => [ "PATH/TO/objectfile", ... ]);
+
+                  'lib' has the intended library file name *without*
+                  extension, obj2lib is expected to add that.  'objs'
+                  has the list of object files (also *without*
+                  extension) to build this library.
+
+    libobj2shlib - function that produces build file lines to build a
+                  shareable object library file ("libfoo.so" in Unix
+                  terms) from the corresponding static library file
+                  or object files.
+
+                  called like this:
+
+                        libobj2shlib(shlib => "PATH/TO/shlibfile",
+                                     lib => "PATH/TO/libfile",
+                                     objs => [ "PATH/TO/objectfile", ... ],
+                                     deps => [ "PATH/TO/otherlibfile", ... ],
+                                     ordinals => [ "word", "/PATH/TO/ordfile" ]);
+
+                  'lib' has the intended library file name *without*
+                  extension, libobj2shlib is expected to add that.
+                  'shlib' has the correcponding shared library name
+                  *without* extension.  'deps' has the list of other
+                  libraries (also *without* extension) this library
+                  needs to be linked with.  'objs' has the list of
+                  object files (also *without* extension) to build
+                  this library.  'ordinals' MAY be present, and when
+                  it is, its value is an array where the word is
+                  "crypto" or "ssl" and the file is one of the ordinal
+                  files util/libeay.num or util/ssleay.num in the
+                  source directory.
+
+                  This function has a choice; it can use the
+                  corresponding static library as input to make the
+                  shared library, or the list of object files.
+
+    obj2dynlib  - function that produces build file lines to build a
+                  dynamically loadable library file ("libfoo.so" on
+                  Unix) from object files.
+
+                  called like this:
+
+                        obj2dynlib(lib => "PATH/TO/libfile",
+                                   objs => [ "PATH/TO/objectfile", ... ],
+                                   deps => [ "PATH/TO/otherlibfile",
+                                   ... ]);
+
+                  This is almost the same as libobj2shlib, but the
+                  intent is to build a shareable library that can be
+                  loaded in runtime (a "plugin"...).  The differences
+                  are subtle, one of the most visible ones is that the
+                  resulting shareable library is produced from object
+                  files only.
+
+    obj2bin     - function that produces build file lines to build an
+                  executable file from object files.
+
+                  called like this:
+
+                        obj2bin(bin => "PATH/TO/binfile",
+                                objs => [ "PATH/TO/objectfile", ... ],
+                                deps => [ "PATH/TO/libfile", ... ]);
+
+                  'bin' has the intended executable file name
+                  *without* extension, obj2bin is expected to add
+                  that.  'objs' has the list of object files (also
+                  *without* extension) to build this library.  'deps'
+                  has the list of library files (also *without*
+                  extension) that the programs needs to be linked
+                  with.
+
+    in2script   - function that produces build file lines to build a
+                  script file from some input.
+
+                  called like this:
+
+                        in2script(script => "PATH/TO/scriptfile",
+                                  sources => [ "PATH/TO/infile", ... ]);
+
+                  'script' has the intended script file name.
+                  'sources' has the list of source files to build the
+                  resulting script from.
+
+Along with the build-file templates is the driving engine
+Configurations/common.tmpl, which looks through all the information in
+%unified_info and generates all the rulesets to build libraries,
+programs and all intermediate files, using the rule generating
+functions defined in the build-file template.
+
+As an example with the smaller build.info set we've seen as an
+example, producing the rules to build 'libssl' would result in the
+following calls:
+
+    # Note: libobj2shlib will only be called if shared libraries are
+    # to be produced.
+    # Note 2: libobj2shlib gets both the name of the static library
+    # and the names of all the object files that go into it.  It's up
+    # to the implementation to decide which to use as input.
+    libobj2shlib(shlib => "libssl",
+                 lib => "libssl",
+                 objs => [ "ssl/tls.o" ],
+                 deps => [ "libcrypto" ]
+                 ordinals => [ "ssl", "util/ssleay.num" ]);
+
+    obj2lib(lib => "libssl"
+            objs => [ "ssl/tls.o" ]);
+
+    # Note 3: common.tmpl peals off the ".o" extension, as the
+    # platform at hand may have a different one.
+    src2obj(obj => "ssl/tls"
+            srcs => [ "ssl/tls.c" ],
+            deps => [ ],
+            incs => [ "include" ]);
+
+    src2dep(obj => "ssl/tls"
+            srcs => [ "ssl/tls.c" ],
+            incs => [ "include" ]);
+
+The returned strings from all those calls are then concatenated
+together and written to the resulting build-file.
--- a/Configurations/common.tmpl
+++ b/Configurations/common.tmpl
@@ -0,0 +1,119 @@
+{- # -*- Mode: perl -*-
+
+     my $a;
+
+ # resolvedepends and reducedepends work in tandem to make sure
+ # there are no duplicate dependencies and that they are in the
+ # right order.  This is especially used to sort the list of
+ # libraries that a build depends on.
+ sub resolvedepends {
+     my $thing = shift;
+     my @listsofar = @_;    # to check if we're looping
+     my @list = @{$unified_info{depends}->{$thing}};
+     my @newlist = ();
+     if (scalar @list) {
+         foreach my $item (@list) {
+             # It's time to break off when the dependency list starts looping
+             next if grep { $_ eq $item } @listsofar;
+             push @newlist, $item, resolvedepends($item, @listsofar, $item);
+         }
+     }
+     @newlist;
+ }
+ sub reducedepends {
+     my @list = @_;
+     my @newlist = ();
+     while (@list) {
+         my $item = shift @list;
+         push @newlist, $item
+             unless grep { $item eq $_ } @list;
+     }
+     @newlist;
+ }
+
+ # doobj is responsible for producing all the recipes that build
+ # object files as well as dependency files.
+ sub doobj {
+     my $obj = shift;
+     (my $obj_no_o = $obj) =~ s|\.o$||;
+     my $bin = shift;
+     if (@{$unified_info{sources}->{$obj}}) {
+         $OUT .= src2obj(obj => $obj_no_o,
+                         srcs => $unified_info{sources}->{$obj},
+                         deps => [ reducedepends(resolvedepends($obj)) ],
+                         incs => [ @{$unified_info{includes}->{$bin}},
+                                   @{$unified_info{includes}->{$obj}} ]);
+         $OUT .= src2dep(obj => $obj_no_o,
+                         srcs => $unified_info{sources}->{$obj},
+                         deps => [ reducedepends(resolvedepends($obj)) ],
+                         incs => [ @{$unified_info{includes}->{$bin}},
+                                   @{$unified_info{includes}->{$obj}} ]);
+     }
+ }
+
+ # dolib is responsible for building libraries.  It will call
+ # libobj2shlib is shared libraries are produced, and obj2lib in all
+ # cases.  It also makes sure all object files for the library are
+ # built.
+ sub dolib {
+     my $lib = shift;
+     if (!$config{no_shared}) {
+         my %ordinals =
+             $unified_info{ordinals}->{$lib}
+             ? (ordinals => $unified_info{ordinals}->{$lib}) : ();
+         $OUT .= libobj2shlib(shlib => $unified_info{sharednames}->{$lib},
+                              lib => $lib,
+                              objs => [ map { (my $x = $_) =~ s|\.o$||; $x }
+                                        @{$unified_info{sources}->{$lib}} ],
+                              deps => [ reducedepends(resolvedepends($lib)) ],
+                              %ordinals);
+     }
+     $OUT .= obj2lib(lib => $lib,
+                     objs => [ map { (my $x = $_) =~ s|\.o$||; $x }
+                               @{$unified_info{sources}->{$lib}} ]);
+     map { doobj($_, $lib, intent => "lib") } @{$unified_info{sources}->{$lib}};
+ }
+
+ # doengine is responsible for building engines.  It will call
+ # obj2dynlib, and also makes sure all object files for the library
+ # are built.
+ sub doengine {
+     my $lib = shift;
+     $OUT .= obj2dynlib(lib => $lib,
+                        objs => [ map { (my $x = $_) =~ s|\.o$||; $x }
+                                  @{$unified_info{sources}->{$lib}} ],
+                        deps => [ resolvedepends($lib) ]);
+     map { doobj($_, $lib, intent => "lib") } @{$unified_info{sources}->{$lib}};
+ }
+
+ # dobin is responsible for building programs.  It will call obj2bin,
+ # and also makes sure all object files for the library are built.
+ sub dobin {
+     my $bin = shift;
+     my $deps = [ reducedepends(resolvedepends($bin)) ];
+     $OUT .= obj2bin(bin => $bin,
+                     objs => [ map { (my $x = $_) =~ s|\.o$||; $x }
+                               @{$unified_info{sources}->{$bin}} ],
+                     deps => $deps);
+     map { doobj($_, $bin, intent => "bin") } @{$unified_info{sources}->{$bin}};
+ }
+
+ # dobin is responsible for building scripts from templates.  It will
+ # call in2script.
+ sub doscript {
+     my $script = shift;
+     $OUT .= in2script(script => $script,
+                       sources => $unified_info{sources}->{$script});
+ }
+
+ # Build all known libraries, engines, programs and scripts.
+ # Everything else will be handled as a consequence.
+ map { dolib($_) } @{$unified_info{libraries}};
+ map { doengine($_) } @{$unified_info{engines}};
+ map { dobin($_) } @{$unified_info{programs}};
+ map { doscript($_) } @{$unified_info{scripts}};
+
+ # Finally, should there be any applicable BEGINRAW/ENDRAW sections,
+ # they are added here.
+ $OUT .= $_."\n" foreach(@{$unified_info{rawlines}});
+-}
--- a/Configurations/descrip.mms.tmpl
+++ b/Configurations/descrip.mms.tmpl
@@ -0,0 +1,639 @@
+## descrip.mms to build OpenSSL on OpenVMS
+##
+## {- join("\n## ", @autowarntext) -}
+{-
+  use File::Spec::Functions qw/:DEFAULT abs2rel rel2abs/;
+
+  # Our prefix, claimed when speaking with the VSI folks Tuesday
+  # January 26th 2016
+  our $osslprefix = 'OSSL$';
+  (our $osslprefix_q = $osslprefix) =~ s/\$/\\\$/;
+
+  our $sourcedir = $config{sourcedir};
+  our $builddir = $config{builddir};
+  sub sourcefile {
+      catfile($sourcedir, @_);
+  }
+  sub buildfile {
+      catfile($builddir, @_);
+  }
+  sub sourcedir {
+      catdir($sourcedir, @_);
+  }
+  sub builddir {
+      catdir($builddir, @_);
+  }
+  sub tree {
+      (my $x = shift) =~ s|\]$|...]|;
+      $x
+  }
+  sub move {
+      my $f = catdir(@_);
+      my $b = abs2rel(rel2abs("."),rel2abs($f));
+      $sourcedir = catdir($b,$sourcedir)
+          if !file_name_is_absolute($sourcedir);
+      $builddir = catdir($b,$builddir)
+          if !file_name_is_absolute($builddir);
+      "";
+  }
+
+  # This is a horrible hack, but is needed because recursive inclusion of files
+  # in different directories does not work well with HP C.
+  my $sd = sourcedir("crypto", "async", "arch");
+  foreach (grep /\[\.crypto\.async\.arch\].*\.o$/, keys %{$unified_info{sources}}) {
+      (my $x = $_) =~ s|\.o$|.OBJ|;
+      $unified_info{before}->{$x}
+          = qq(arch = F\$PARSE("$sd","A.;",,,"SYNTAX_ONLY") - "A.;"
+        define arch 'arch');
+      $unified_info{after}->{$x}
+          = qq(deassign arch);
+  }
+  my $sd1 = sourcedir("ssl","record");
+  my $sd2 = sourcedir("ssl","statem");
+  $unified_info{before}->{"[.crypto.ct]ct_lib.OBJ"}
+      = $unified_info{before}->{"[.test]heartbeat_test.OBJ"}
+      = $unified_info{before}->{"[.test]ssltest.OBJ"}
+      = qq(record = F\$PARSE("$sd1","A.;",,,"SYNTAX_ONLY") - "A.;"
+        define record 'record'
+        statem = F\$PARSE("$sd2","A.;",,,"SYNTAX_ONLY") - "A.;"
+        define statem 'statem');
+  $unified_info{after}->{"[.crypto.ct]ct_lib.OBJ"}
+      = $unified_info{after}->{"[.test]heartbeat_test.OBJ"}
+      = $unified_info{after}->{"[.test]ssltest.OBJ"}
+      = qq(deassign statem
+        deassign record);
+  foreach (grep /^\[\.ssl\.(?:record|statem)\].*\.o$/, keys %{$unified_info{sources}}) {
+      (my $x = $_) =~ s|\.o$|.OBJ|;
+      $unified_info{before}->{$x}
+          = qq(record = F\$PARSE("$sd1","A.;",,,"SYNTAX_ONLY") - "A.;"
+        define record 'record'
+        statem = F\$PARSE("$sd2","A.;",,,"SYNTAX_ONLY") - "A.;"
+        define statem 'statem');
+      $unified_info{after}->{$x}
+          = qq(deassign statem
+        deassign record);
+  }
+  #use Data::Dumper;
+  #print STDERR "DEBUG: before:\n", Dumper($unified_info{before});
+  #print STDERR "DEBUG: after:\n", Dumper($unified_info{after});
+  "";
+-}
+PLATFORM={- $config{target} -}
+OPTIONS={- $config{options} -}
+CONFIGURE_ARGS=({- join(", ",quotify_l(@{$config{perlargv}})) -})
+SRCDIR={- $config{sourcedir} -}
+BUILDDIR={- $config{builddir} -}
+
+VERSION={- $config{version} -}
+MAJOR={- $config{major} -}
+MINOR={- $config{minor} -}
+SHLIB_VERSION_NUMBER={- $config{shlib_version_number} -}
+SHLIB_VERSION_HISTORY={- $config{shlib_version_history} -}
+SHLIB_MAJOR={- $config{shlib_major} -}
+SHLIB_MINOR={- $config{shlib_minor} -}
+SHLIB_TARGET={- $target{shared_target} -}
+
+EXE_EXT=.EXE
+LIB_EXT=.OLB
+SHLIB_EXT=.EXE
+OBJ_EXT=.OBJ
+DEP_EXT=.MMS
+
+LIBS={- join(", ", map { "-\n\t".$_.".OLB" } @{$unified_info{libraries}}) -}
+SHLIBS={- join(" ", map { $_."\$(SHLIB_EXT)" } map { $unified_info{sharednames}->{$_} || () } @{$unified_info{libraries}}) -}
+ENGINES={- join(", ", map { "-\n\t".$_.".EXE" } @{$unified_info{engines}}) -}
+PROGRAMS={- join(", ", map { "-\n\t".$_.".EXE" } grep { !m|^\[\.test\]| } @{$unified_info{programs}}) -}
+TESTPROGS={- join(", ", map { "-\n\t".$_.".EXE" } grep { m|^\[\.test\]| } @{$unified_info{programs}}) -}
+SCRIPTS={- join(", ", map { "-\n\t".$_ } @{$unified_info{scripts}}) -}
+
+# DESTDIR is for package builders so that they can configure for, say,
+# SYS$COMMON:[OPENSSL] and yet have everything installed in STAGING:[USER].
+# In that case, configure with --prefix=SYS$COMMON:[OPENSSL] and then run
+# MMS with /MACROS=(DESTDIR=STAGING:[USER]).  The result will end up in
+# STAGING:[USER.OPENSSL].
+# Normally it is left empty.
+DESTDIR=
+
+# Do not edit this manually. Use Configure --prefix=DIR to change this!
+INSTALLTOP={- catdir($config{prefix}) || "SYS\$COMMON:[OPENSSL-\$(MAJOR).\$(MINOR)]" -}
+# This is the standard central area to store certificates, private keys...
+OPENSSLDIR={- catdir($config{openssldir}) ||
+              $config{prefix} ? catdir($config{prefix},"SSL")
+                              : "SYS\$COMMON:[SSL]" -}
+# Where installed engines reside
+ENGINESDIR={- $osslprefix -}ENGINES:
+
+CC= {- $target{cc} -}
+CFLAGS= /DEFINE=({- join(",", @{$config{defines}},"OPENSSLDIR=\"\"\"\$(OPENSSLDIR)\"\"\"","ENGINESDIR=\"\"\"\$(ENGINESDIR)\"\"\"") -}) {- $config{cflags} -}
+DEPFLAG= /DEFINE=({- join(",", @{$config{depdefines}}) -})
+LDFLAGS= {- $config{lflags} -}
+EX_LIBS= {- $config{ex_libs} ? ",".$config{ex_libs} : "" -}
+
+PERL={- $config{perl} -}
+
+# We let the C compiler driver to take care of .s files. This is done in
+# order to be excused from maintaining a separate set of architecture
+# dependent assembler flags. E.g. if you throw -mcpu=ultrasparc at SPARC
+# gcc, then the driver will automatically translate it to -xarch=v8plus
+# and pass it down to assembler.
+AS={- $target{as} -}
+ASFLAG={- $target{asflags} -}
+
+# .FIRST and .LAST are special targets with MMS and MMK.
+# The defines in there are for C.  includes that look like
+# this:
+#
+#    #include <openssl/foo.h>
+#    #include "internal/bar.h"
+#
+# will use the logical names to find the files.  Expecting
+# DECompHP C to find files in subdirectories of whatever was
+# given with /INCLUDE is a fantasy, unfortunately.
+NODEBUG=@
+.FIRST :
+        $(NODEBUG) openssl_inc1 = F$PARSE("[.include.openssl]","A.;",,,"syntax_only") - "A.;"
+        $(NODEBUG) openssl_inc2 = F$PARSE("{- catdir($config{sourcedir},"[.include.openssl]") -}","a.;",,,"SYNTAX_ONLY") - "A.;"
+        $(NODEBUG) internal_inc1 = F$PARSE("[.crypto.include.internal]","A.;",,,"SYNTAX_ONLY") - "A.;"
+        $(NODEBUG) internal_inc2 = F$PARSE("{- catdir($config{sourcedir},"[.include.internal]") -}","A.;",,,"SYNTAX_ONLY") - "A.;"
+        $(NODEBUG) internal_inc3 = F$PARSE("{- catdir($config{sourcedir},"[.crypto.include.internal]") -}","A.;",,,"SYNTAX_ONLY") - "A.;"
+        $(NODEBUG) DEFINE openssl 'openssl_inc1','openssl_inc2'
+        $(NODEBUG) DEFINE internal 'internal_inc1','internal_inc2','internal_inc3'
+        $(NODEBUG) staging_dir = "$(DESTDIR)"
+        $(NODEBUG) IF staging_dir .NES. "" THEN -
+                staging_dir = F$PARSE("A.;",staging_dir,"[]",,"SYNTAX_ONLY") - "A.;"
+        $(NODEBUG) !
+        $(NODEBUG) ! Installation logical names
+        $(NODEBUG) !
+        $(NODEBUG) installtop_dev = F$PARSE(staging_dir,"$(INSTALLTOP)",,"DEVICE","SYNTAX_ONLY")
+        $(NODEBUG) ! Because there are no routines to merge directories, we have to
+        $(NODEBUG) ! do it ourselves
+        $(NODEBUG) IF staging_dir .NES. "" THEN -
+                staging_dir = F$PARSE(staging_dir,"[000000]",,"DIRECTORY","SYNTAX_ONLY")
+        $(NODEBUG) installtop_dir = F$PARSE("$(INSTALLTOP)","[000000]",,"DIRECTORY","SYNTAX_ONLY")
+        $(NODEBUG) IF staging_dir .NES. "" .AND. staging_dir .NES. "[000000]" THEN -
+                installtop_dir = staging_dir - "]" + "." + (installtop_dir - "[")
+        $(NODEBUG) installtop_dir = installtop_dir - "]" + ".]"
+        $(NODEBUG) DEFINE ossl_installroot 'installtop_dev''installtop_dir'
+        $(NODEBUG) !
+        $(NODEBUG) datatop = F$PARSE("$(OPENSSLDIR)","[000000]A.;",,,"SYNTAX_ONLY") -
+                - "]A.;" + ".]"
+        $(NODEBUG) IF "$(DESTDIR)" .EQS. "" THEN -
+                DEFINE ossl_dataroot 'datatop'
+        $(NODEBUG) !
+        $(NODEBUG) ! Figure out the architecture
+        $(NODEBUG) !
+        $(NODEBUG) arch == f$edit( f$getsyi( "arch_name"), "upcase")
+        $(NODEBUG) !
+        $(NODEBUG) ! Set up logical names for the libraries, so LINK and
+        $(NODEBUG) ! running programs can use them.
+        $(NODEBUG) !
+        $(NODEBUG) {- join("\n\t\$(NODEBUG) ", map { "DEFINE ".uc($_)." 'F\$ENV(\"DEFAULT\")'".uc($_)."\$(SHLIB_EXT)" } map { $unified_info{sharednames}->{$_} || () } @{$unified_info{libraries}}) || "!" -}
+
+.LAST :
+        $(NODEBUG) {- join("\n\t\$(NODEBUG) ", map { "DEASSIGN ".uc($_) } map { $unified_info{sharednames}->{$_} || () } @{$unified_info{libraries}}) || "!" -}
+        $(NODEBUG) IF "$(DESTDIR)" .EQS. "" THEN DEASSIGN ossl_dataroot
+        $(NODEBUG) DEASSIGN ossl_installroot
+        $(NODEBUG) DEASSIGN internal
+        $(NODEBUG) DEASSIGN openssl
+.DEFAULT :
+        @ ! MMS cannot handle no actions...
+
+# The main targets ###################################################
+
+all : descrip.mms, build_libs, build_engines, build_apps
+
+build_libs : $(LIBS)
+build_engines : $(ENGINES)
+build_apps : $(PROGRAMS), $(SCRIPTS)
+build_tests : $(TESTPROGS)
+
+test tests : build_apps, build_engines, build_tests, rehash
+        SET DEFAULT [.test]{- move("test") -}
+        DEFINE SRCTOP {- sourcedir() -}
+        DEFINE BLDTOP {- builddir() -}
+        $(PERL) {- sourcefile("test", "run_tests.pl") -} $(TESTS)
+        DEASSIGN BLDTOP
+        DEASSIGN SRCTOP
+        SET DEFAULT [-]{- move("..") -}
+
+list-tests :
+        @ TOP=$(SRCDIR) PERL=$(PERL) $(PERL) {- catfile($config{sourcedir},"test", "run_tests.pl") -} list
+
+# Because VMS wants the generation number (or *) to delete files, we can't
+# use $(LIBS), $(PROGRAMS) and $(TESTPROGS) directly.
+libclean :
+        - DELETE []OSSL$LIB*.OLB;*,OSSL$LIB*.LIS;*
+        - DELETE [.crypto...]*.OBJ;*,*.LIS;*
+        - DELETE [.ssl...]*.OBJ;*,*.LIS;*
+        - DELETE [.engines...]*.OBJ;*,*.LIS;*
+        - DELETE []CXX$DEMANGLER_DB.;*
+
+install : install_sw install_docs
+
+uninstall : uninstall_docs uninstall_sw
+
+clean : libclean
+        - DELETE []OSSL$LIB*.EXE;*,OSSL$LIB*.MAP;*,OSSL$LIB*.OPT;*
+        - DELETE [.engines...]LIB*.EXE;*,LIB*.MAP;*,LIB*.OPT;*
+        - DELETE [.apps]*.EXE;*,*.MAP;*,*.OPT;*
+        - DELETE [.apps]*.OBJ;*,*.LIS;*
+        - DELETE [.test]*.EXE;*,*.MAP;*,*.OPT;*
+        - DELETE [.test]*.OBJ;*,*.LIS;*
+        - DELETE [.test]*.LOG;*
+        - DELETE []*.MAP;*
+
+DCLEAN_CMD=$(PERL) -pe "if (/^# DO NOT DELETE.*/) { exit(0); }"
+dclean :
+        $(DCLEAN_CMD) < descrip.mms > descrip.mms.new
+        RENAME descrip.mms.new descrip.mms
+        PURGE descrip.mms
+
+{- our @deps = map { (my $x = $_) =~ s|\.o$|\$(DEP_EXT)|; $x; }
+               grep { $unified_info{sources}->{$_}->[0] =~ /\.c$/ }
+               keys %{$unified_info{sources}};
+   ""; -}
+depend : {- join(",-\n\t", @deps); -}
+        $(DCLEAN_CMD) < descrip.mms > descrip.mms.new
+        OPEN/APPEND DESCRIP descrip.mms.new
+        WRITE DESCRIP "# DO NOT DELETE THIS LINE -- make depend depends on it."
+        {- join("\n\t", map { "TYPE $_ /OUTPUT=DESCRIP:" } @deps); -}
+        CLOSE DESCRIP
+        RENAME descrip.mms.new descrip.mms
+        PURGE descrip.mms
+
+# Install helper targets #############################################
+
+install_sw : all install_dev install_engines install_runtime install_config
+        @ WRITE SYS$OUTPUT ""
+        @ WRITE SYS$OUTPUT "######################################################################"
+        @ WRITE SYS$OUTPUT ""
+        @ WRITE SYS$OUTPUT "Installation complete"
+        @ WRITE SYS$OUTPUT ""
+        @ IF "$(DESTDIR)" .NES. "" THEN EXIT 1
+        @ WRITE SYS$OUTPUT "Run @$(INSTALLTOP)openssl_startup to set up logical names"
+        @ WRITE SYS$OUTPUT "then run @$(INSTALLTOP)openssl_setup to define commands"
+        @ WRITE SYS$OUTPUT ""
+
+uninstall_sw : uninstall_dev uninstall_engines uninstall_runtime uninstall_config
+
+install_docs : install_man_docs install_html_docs
+
+uninstall_docs : uninstall_man_docs uninstall_html_docs
+
+install_dev : check_INSTALLTOP
+        @ WRITE SYS$OUTPUT "*** Installing development files"
+        @ ! Install header files
+        CREATE/DIR ossl_installroot:[include.openssl]
+        COPY/PROT=W:R openssl:*.h ossl_installroot:[include.openssl]
+        @ ! Install libraries
+        CREATE/DIR ossl_installroot:['arch'.LIB]
+        {- join("\n        ",
+                map { "COPY/PROT=W:R $_.OLB ossl_installroot:['arch'.LIB]" }
+                @{$unified_info{libraries}}) -}
+        @ {- output_off() if $config{no_shared}; "" -} !
+        {- join("\n        ",
+                map { "COPY/PROT=W:RE $_.EXE ossl_installroot:['arch'.LIB]" }
+                map { $unified_info{sharednames}->{$_} || () }
+                @{$unified_info{libraries}}) -}
+        @ {- output_on() if $config{no_shared}; "" -} !
+
+install_runtime : check_INSTALLTOP
+        @ WRITE SYS$OUTPUT "*** Installing runtime files"
+        @ ! Install the main program
+        CREATE/DIR ossl_installroot:['arch'.EXE]
+        COPY/PROT=W:RE [.APPS]openssl.EXE ossl_installroot:['arch'.EXE]
+        @ ! Install scripts
+        CREATE/DIR ossl_installroot:[EXE]
+        COPY/PROT=W:RE [.APPS]CA.pl ossl_installroot:[EXE]
+        COPY/PROT=W:RE [.TOOLS]c_rehash. ossl_installroot:[EXE]c_rehash.pl
+        @ ! Install configuration file
+        COPY/PROT=W:RE {- sourcefile("apps", "openssl-vms.cnf") -} -
+                ossl_installroot:[000000]openssl.cnf
+
+install_engines : check_INSTALLTOP
+        @ {- output_off() if $config{no_shared}; "" -} !
+        @ WRITE SYS$OUTPUT "*** Installing engines"
+        CREATE/DIR ossl_installroot:['arch'.ENGINES]
+        COPY/PROT=W:RE [.ENGINES]*.EXE ossl_installroot:['arch'.ENGINES]
+        @ {- output_on() if $config{no_shared}; "" -} !
+
+install_config : [.VMS]openssl_startup.com [.VMS]openssl_shutdown.com -
+                 check_INSTALLTOP
+        IF "$(DESTDIR)" .EQS. "" THEN -
+                IF F$SEARCH("OSSL_DATAROOT:[000000]CERTS.DIR;1") .EQS. "" THEN -
+                CREATE/DIR/PROT=(S:RWED,O:RWE,G:RE,W:RE) OSSL_DATAROOT:[CERTS]
+        IF "$(DESTDIR)" .EQS. "" THEN -
+                IF F$SEARCH("OSSL_DATAROOT:[000000]PRIVATE.DIR;1") .EQS. "" THEN -
+                CREATE/DIR/PROT=(S:RWED,O:RWE,G:,W:) OSSL_DATAROOT:[PRIVATE]
+        CREATE/DIR ossl_installroot:[SYS$STARTUP]
+        COPY/PROT=W:RE -
+                [.VMS]openssl_startup.com,openssl_shutdown.com -
+                ossl_installroot:[SYS$STARTUP]
+        COPY/PROT=W:RE -
+                {- sourcefile("VMS", "openssl_utils.com") -} -
+                ossl_installroot:[SYS$STARTUP]
+
+[.VMS]openssl_startup.com : vmsconfig.pm
+        CREATE/DIR [.VMS]
+        $(PERL) "-I." "-Mvmsconfig" {- sourcefile("util", "dofile.pl") -} -
+                {- sourcefile("VMS", "openssl_startup.com.in") -} -
+                > [.VMS]openssl_startup.com
+
+[.VMS]openssl_shutdown.com : vmsconfig.pm
+        CREATE/DIR [.VMS]
+        $(PERL) "-I." "-Mvmsconfig" {- sourcefile("util", "dofile.pl") -} -
+                {- sourcefile("VMS", "openssl_shutdown.com.in") -} -
+                > [.VMS]openssl_shutdown.com
+
+vmsconfig.pm : descrip.mms
+        OPEN/WRITE/SHARE=READ CONFIG []vmsconfig.pm
+        WRITE CONFIG "package vmsconfig;"
+        WRITE CONFIG "use strict; use warnings;"
+        WRITE CONFIG "use Exporter;"
+        WRITE CONFIG "our @ISA = qw(Exporter);"
+        WRITE CONFIG "our @EXPORT = qw(%config %target %withargs %unified_info);"
+        WRITE CONFIG "our %config = ("
+        WRITE CONFIG "  target => '{- $config{target} -}',"
+        WRITE CONFIG "  version => '$(MAJOR).$(MINOR)',"
+        WRITE CONFIG "  no_shared => '","{- $config{no_shared} -}","',"
+        WRITE CONFIG "  INSTALLTOP => '$(INSTALLTOP)',"
+        WRITE CONFIG "  OPENSSLDIR => '$(OPENSSLDIR)',"
+        WRITE CONFIG "  pointersize => '","{- $target{pointersize} -}","',"
+        WRITE CONFIG "  shared_libs => ["
+        {- join("\n        ", map { "WRITE CONFIG \"    '$_'," } map { $unified_info{sharednames}->{$_} || () } @{$unified_info{libraries}}) || "\@ !" -}
+        WRITE CONFIG "  ],"
+        WRITE CONFIG ");"
+        WRITE CONFIG "our %target = ();"
+        WRITE CONFIG "our %withargs = ();"
+        WRITE CONFIG "our %unified_info = ();"
+        WRITE CONFIG "1;"
+        CLOSE CONFIG
+
+check_INSTALLTOP :
+        @ IF "$(INSTALLTOP)" .EQS. "" THEN -
+                WRITE SYS$ERROR "INSTALLTOP should not be empty"
+        @ IF "$(INSTALLTOP)" .EQS. "" THEN -
+                EXIT %x10000002
+
+# Helper targets #####################################################
+
+rehash : [.apps]openssl.exe, copy-certs
+        !MCR [.apps]openssl.exe rehash {- builddir("certs", "demo") -}
+        $(PERL) [.tools]c_rehash. [.certs.demo]
+
+copy-certs :
+        @ IF F$SEARCH("{- buildfile("certs.dir") -}") .EQS. "" THEN -
+             CREATE/DIR {- builddir("certs") -}
+        -@ IF "{- sourcedir("certs") -}" .NES. "{- builddir("certs") -}" THEN -
+             COPY {- tree(sourcedir("certs")) -}*.* {- tree(builddir("certs")) -}
+
+# Developer targets ##################################################
+
+debug_logicals :
+        SH LOGICAL/PROC openssl,internal,ossl_installroot
+        IF "$(DESTDIR)" .EQS. "" THEN -
+                SH LOGICAL/PROC ossl_dataroot
+
+# Building targets ###################################################
+
+descrip.mms : {- sourcefile("Configurations", "descrip.mms.tmpl") -} $(SRCDIR)Configure ! $(SRCDIR)config.com
+        @ WRITE SYS$OUTPUT "descrip.mms is older than $?."
+        @ WRITE SYS$OUTPUT "Reconfiguring..."
+        perl $(SRCDIR)Configure reconf
+        @ WRITE SYS$OUTPUT "*************************************************"
+        @ WRITE SYS$OUTPUT "***                                           ***"
+        @ WRITE SYS$OUTPUT "***   Please run the same mms command again   ***"
+        @ WRITE SYS$OUTPUT "***                                           ***"
+        @ WRITE SYS$OUTPUT "*************************************************"
+        @ exit %10000000
+
+{-
+  use File::Basename;
+  use File::Spec::Functions qw/abs2rel rel2abs catfile catdir/;
+  sub src2dep {
+      my %args = @_;
+      my $dep = $args{obj};
+      my $deps = join(", -\n\t\t", @{$args{srcs}}, @{$args{deps}});
+
+      # Because VMS C isn't very good at combining a /INCLUDE path with
+      # #includes having a relative directory (like '#include "../foo.h"),
+      # the best choice is to move to the first source file's intended
+      # directory before compiling, and make sure to write the object file
+      # in the correct position (important when the object tree is other
+      # than the source tree).
+      my $forward = dirname($args{srcs}->[0]);
+      my $backward = abs2rel(rel2abs("."), rel2abs($forward));
+      my $depd = abs2rel(rel2abs(dirname($dep)), rel2abs($forward));
+      my $depn = basename($dep);
+      my $srcs =
+          join(", ",
+               map { abs2rel(rel2abs($_), rel2abs($forward)) } @{$args{srcs}});
+      my $incs =
+          "/INCLUDE=(".join(",",
+                            map {
+                               file_name_is_absolute($_)
+                               ? $_ : catdir($backward,$_)
+                            } @{$args{incs}}).")";
+      my $before = $unified_info{before}->{$dep.".OBJ"} || "\@ !";
+      my $after = $unified_info{after}->{$dep.".OBJ"} || "\@ !";
+
+      return <<"EOF";
+$dep.MMS : $deps
+        ${before}
+        SET DEFAULT $forward
+        \$(CC) \$(CFLAGS)${incs} /MMS=(TARGET=.OBJ)/OBJECT=${depd}${depn}.MMS $srcs
+        SET DEFAULT $backward
+        ${after}
+        - PURGE $dep.MMS
+EOF
+  }
+  sub src2obj {
+      my %args = @_;
+      my $obj = $args{obj};
+      my $deps = join(", -\n\t\t", @{$args{srcs}}, @{$args{deps}});
+
+      # Because VMS C isn't very good at combining a /INCLUDE path with
+      # #includes having a relative directory (like '#include "../foo.h"),
+      # the best choice is to move to the first source file's intended
+      # directory before compiling, and make sure to write the object file
+      # in the correct position (important when the object tree is other
+      # than the source tree).
+      my $forward = dirname($args{srcs}->[0]);
+      my $backward = abs2rel(rel2abs("."), rel2abs($forward));
+      my $objd = abs2rel(rel2abs(dirname($obj)), rel2abs($forward));
+      my $objn = basename($obj);
+      my $srcs =
+          join(", ",
+               map { abs2rel(rel2abs($_), rel2abs($forward)) } @{$args{srcs}});
+      my $incs =
+          "/INCLUDE=(".join(",",
+                            map {
+                               file_name_is_absolute($_)
+                               ? $_ : catdir($backward,$_)
+                            } @{$args{incs}}).")";
+      my $before = $unified_info{before}->{$obj.".OBJ"} || "\@ !";
+      my $after = $unified_info{after}->{$obj.".OBJ"} || "\@ !";
+
+      return <<"EOF";
+$obj.OBJ : $deps
+        ${before}
+        SET DEFAULT $forward
+        \$(CC) \$(CFLAGS)${incs} /OBJECT=${objd}${objn}.OBJ /REPOSITORY=$backward $srcs
+        SET DEFAULT $backward
+        ${after}
+        - PURGE $obj.OBJ
+EOF
+  }
+  sub libobj2shlib {
+      my %args = @_;
+      my $lib = $args{lib};
+      my $shlib = $args{shlib};
+      my $libd = dirname($lib);
+      my $libn = basename($lib);
+      (my $mkdef_key = $libn) =~ s/^${osslprefix_q}lib//i;
+      my @deps = map {
+          $config{no_shared} ? $_.".OLB"
+              : $unified_info{sharednames}->{$_}.".EXE"; } @{$args{deps}};
+      my $deps = join(", -\n\t\t", @deps);
+      my $shlib_target = $config{no_shared} ? "" : $target{shared_target};
+      my $ordinalsfile = defined($args{ordinals}) ? $args{ordinals}->[1] : "";
+      my $engine_opt = abs2rel(rel2abs(catfile($config{sourcedir},
+                                               "VMS", "engine.opt")),
+                               rel2abs($config{builddir}));
+      my $mkdef_pl = abs2rel(rel2abs(catfile($config{sourcedir},
+                                             "util", "mkdef.pl")),
+                             rel2abs($config{builddir}));
+      my $translatesyms_pl = abs2rel(rel2abs(catfile($config{sourcedir},
+                                                     "VMS", "translatesyms.pl")),
+                                     rel2abs($config{builddir}));
+      # The "[]" hack is because in .OPT files, each line inherits the
+      # previous line's file spec as default, so if no directory spec
+      # is present in the current line and the previous line has one that
+      # doesn't apply, you're in for a surprise.
+      my $write_opt =
+          join("\n\t", map { my $x = $_ =~ /\[/ ? $_ : "[]".$_;
+                             $x =~ s|(\.EXE)|$1/SHARE|;
+                             $x =~ s|(\.LIB)|$1/LIB|;
+                             "WRITE OPT_FILE \"$x\"" } @deps)
+          || "\@ !";
+      return <<"EOF";
+$shlib.EXE : $lib.OLB $deps $ordinalsfile
+        IF "$mkdef_key" .EQS. "ssl" .OR. "$mkdef_key" .EQS. "crypto" THEN -
+           \$(PERL) $mkdef_pl "$mkdef_key" "VMS" > $shlib.SYMVEC-tmp
+        IF "$mkdef_key" .EQS. "ssl" .OR. "$mkdef_key" .EQS. "crypto" THEN -
+           \$(PERL) $translatesyms_pl \$(BUILDDIR)CXX\$DEMANGLER_DB. < $shlib.SYMVEC-tmp > $shlib.SYMVEC
+        OPEN/WRITE/SHARE=READ OPT_FILE $shlib.OPT
+        WRITE OPT_FILE "IDENTIFICATION=""V$config{version}"""
+        IF "$mkdef_key" .NES. "ssl" .AND. "$mkdef_key" .NES. "crypto" THEN -
+           TYPE $engine_opt /OUTPUT=OPT_FILE:
+        IF "$mkdef_key" .EQS. "ssl" .OR. "$mkdef_key" .EQS. "crypto" THEN -
+           TYPE $shlib.SYMVEC /OUTPUT=OPT_FILE:
+        WRITE OPT_FILE "$lib.OLB/LIBRARY"
+        $write_opt ! Comment to protect from empty line
+        CLOSE OPT_FILE
+        LINK /MAP=$shlib.MAP /FULL/SHARE=$shlib.EXE $shlib.OPT/OPT \$(EX_LIBS)
+        - DELETE $shlib.SYMVEC;*
+        - PURGE $shlib.EXE,$shlib.OPT,$shlib.MAP
+EOF
+  }
+  sub obj2dynlib {
+      my %args = @_;
+      my $lib = $args{lib};
+      my $libd = dirname($lib);
+      my $libn = basename($lib);
+      (my $libn_nolib = $libn) =~ s/^lib//;
+      my @objs = map { "$_.OBJ" } @{$args{objs}};
+      my @deps = map {
+          $config{no_shared} ? $_.".OLB"
+              : $unified_info{sharednames}->{$_}.".EXE"; } @{$args{deps}};
+      my $deps = join(", -\n\t\t", @objs, @deps);
+      my $shlib_target = $config{no_shared} ? "" : $target{shared_target};
+      my $engine_opt = abs2rel(rel2abs(catfile($config{sourcedir},
+                                               "VMS", "engine.opt")),
+                               rel2abs($config{builddir}));
+      # The "[]" hack is because in .OPT files, each line inherits the
+      # previous line's file spec as default, so if no directory spec
+      # is present in the current line and the previous line has one that
+      # doesn't apply, you're in for a surprise.
+      my $write_opt =
+          join(",-\"\n\t", map { my $x = $_ =~ /\[/ ? $_ : "[]".$_;
+                                 "WRITE OPT_FILE \"$x" } @objs).
+          "\"\n\t".
+          join("\n\t", map { my $x = $_ =~ /\[/ ? $_ : "[]".$_;
+                             $x =~ s|(\.EXE)|$1/SHARE|;
+                             $x =~ s|(\.LIB)|$1/LIB|;
+                             "WRITE OPT_FILE \"$x\"" } @deps)
+          || "\@ !";
+      return <<"EOF";
+$lib.EXE : $deps
+        OPEN/WRITE/SHARE=READ OPT_FILE $lib.OPT
+        TYPE $engine_opt /OUTPUT=OPT_FILE:
+        $write_opt
+        CLOSE OPT_FILE
+        LINK /MAP=$lib.MAP /FULL/SHARE=$lib.EXE $lib.OPT/OPT \$(EX_LIBS)
+        - PURGE $lib.EXE,$lib.OPT,$lib.MAP
+EOF
+  }
+  sub obj2lib {
+      my %args = @_;
+      my $lib = $args{lib};
+      my $objs = join(", -\n\t\t", map { $_.".OBJ" } (@{$args{objs}}));
+      my $fill_lib = join("\n\t", (map { "LIBRARY/REPLACE $lib.OLB $_.OBJ" }
+                                    @{$args{objs}}));
+      return <<"EOF";
+$lib.OLB : $objs
+        LIBRARY/CREATE/OBJECT $lib
+        $fill_lib
+        - PURGE $lib.OLB
+EOF
+  }
+  sub obj2bin {
+      my %args = @_;
+      my $bin = $args{bin};
+      my $bind = dirname($bin);
+      my $binn = basename($bin);
+      my @objs = map { "$_.OBJ" } @{$args{objs}};
+      my @deps = map {
+          $config{no_shared} ? $_.".OLB"
+              : $unified_info{sharednames}->{$_}.".EXE"; } @{$args{deps}};
+      my $deps = join(", -\n\t\t", @objs, @deps);
+      # The "[]" hack is because in .OPT files, each line inherits the
+      # previous line's file spec as default, so if no directory spec
+      # is present in the current line and the previous line has one that
+      # doesn't apply, you're in for a surprise.
+      my $write_opt =
+          join(",-\"\n\t", map { my $x = $_ =~ /\[/ ? $_ : "[]".$_;
+                                 "WRITE OPT_FILE \"$x" } @objs).
+          "\"\n\t".
+          join("\n\t", map { my $x = $_ =~ /\[/ ? $_ : "[]".$_;
+                             $x =~ s|(\.EXE)|$1/SHARE|;
+                             $x =~ s|(\.OLB)|$1/LIB|;
+                             "WRITE OPT_FILE \"$x\"" } @deps)
+          || "\@ !";
+      return <<"EOF";
+$bin.EXE : $deps
+        OPEN/WRITE/SHARE=READ OPT_FILE $bin.OPT
+        $write_opt
+        CLOSE OPT_FILE
+        LINK/EXEC=$bin.EXE \$(LDFLAGS) $bin.OPT/OPT \$(EX_LIBS)
+        - PURGE $bin.EXE,$bin.OPT
+EOF
+  }
+  sub in2script {
+      my %args = @_;
+      my $script = $args{script};
+      return "" if grep { $_ eq $script } @{$args{sources}}; # No overwrite!
+      my $sources = join(" ", @{$args{sources}});
+      my $dofile = abs2rel(rel2abs(catfile($config{sourcedir},
+                                           "util", "dofile.pl")),
+                           rel2abs($config{builddir}));
+      return <<"EOF";
+$script : $sources
+        \$(PERL) "-I\$(BUILDDIR)" "-Mconfigdata" $dofile -
+	    "-o$target{build_file}" $sources > $script
+        SET FILE/PROT=(S:RWED,O:RWED,G:RE,W:RE) $script
+        PURGE $script
+EOF
+  }
+  ""    # Important!  This becomes part of the template result.
+-}
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -0,0 +1,894 @@
+##
+## Makefile for OpenSSL
+##
+## {- join("\n## ", @autowarntext) -}
+{-
+     sub windowsdll { $config{target} =~ /^(?:Cygwin|mingw)/ }
+     sub shlib_ext { $target{shared_extension} || ".so" }
+     sub shlib_ext_simple { (my $x = $target{shared_extension})
+                                =~ s/\.\$\(SHLIB_MAJOR\)\.\$\(SHLIB_MINOR\)//;
+                            $x }
+-}
+PLATFORM={- $config{target} -}
+OPTIONS={- $config{options} -}
+CONFIGURE_ARGS=({- join(", ",quotify_l(@{$config{perlargv}})) -})
+SRCDIR={- $config{sourcedir} -}
+BLDDIR={- $config{builddir} -}
+
+VERSION={- $config{version} -}
+MAJOR={- $config{major} -}
+MINOR={- $config{minor} -}
+SHLIB_VERSION_NUMBER={- $config{shlib_version_number} -}
+SHLIB_VERSION_HISTORY={- $config{shlib_version_history} -}
+SHLIB_MAJOR={- $config{shlib_major} -}
+SHLIB_MINOR={- $config{shlib_minor} -}
+SHLIB_TARGET={- $target{shared_target} -}
+
+EXE_EXT={- $target{exe_extension} || "" -}
+LIB_EXT={- $target{lib_extension} || ".a" -}
+SHLIB_EXT={- shlib_ext() -}
+SHLIB_EXT_SIMPLE={- shlib_ext_simple() -}
+OBJ_EXT={- $target{obj_extension} || ".o" -}
+DEP_EXT={- $target{dep_extension} || ".d" -}
+
+LIBS={- join(" ", map { $_."\$(LIB_EXT)" } @{$unified_info{libraries}}) -}
+SHLIBS={- join(" ", map { $_."\$(SHLIB_EXT)" } map { $unified_info{sharednames}->{$_} || () } @{$unified_info{libraries}}) -}
+ENGINES={- join(" ", map { $_."\$(SHLIB_EXT_SIMPLE)" } @{$unified_info{engines}}) -}
+PROGRAMS={- join(" ", map { $_."\$(EXE_EXT)" } grep { !m|^test/| } @{$unified_info{programs}}) -}
+TESTPROGS={- join(" ", map { $_."\$(EXE_EXT)" } grep { m|^test/| } @{$unified_info{programs}}) -}
+SCRIPTS={- join(" ", @{$unified_info{scripts}}) -}
+BIN_SCRIPTS=$(BLDDIR)/tools/c_rehash
+MISC_SCRIPTS=$(SRCDIR)/tools/c_hash $(SRCDIR)/tools/c_info \
+	     $(SRCDIR)/tools/c_issuer $(SRCDIR)/tools/c_name \
+	     $(BLDDIR)/apps/CA.pl $(SRCDIR)/apps/tsget
+
+# DESTDIR is for package builders so that they can configure for, say,
+# /usr/ and yet have everything installed to /tmp/somedir/usr/.
+# Normally it is left empty.
+DESTDIR=
+
+# Do not edit these manually. Use Configure with --prefix or --openssldir
+# to change this!  Short explanation in the top comment in Configure
+INSTALLTOP={- # $prefix is used in the OPENSSLDIR perl snippet
+	      #
+	      our $prefix = $config{prefix} || "/usr/local";
+              $prefix -}
+OPENSSLDIR={- #
+	      # The logic here is that if no --openssldir was given,
+	      # OPENSSLDIR will get the value from $prefix plus "/ssl".
+	      # If --openssldir was given and the value is an absolute
+	      # path, OPENSSLDIR will get its value without change.
+	      # If the value from --openssldir is a relative path,
+	      # OPENSSLDIR will get $prefix with the --openssldir
+	      # value appended as a subdirectory.
+	      #
+              use File::Spec::Functions;
+              our $openssldir =
+                  $config{openssldir} ?
+                      (file_name_is_absolute($config{openssldir}) ?
+                           $config{openssldir}
+                           : catdir($prefix, $config{openssldir}))
+                      : catdir($prefix, "ssl");
+              $openssldir -}
+LIBDIR={- #
+          # if $prefix/lib$target{multilib} is not an existing
+          # directory, then assume that it's not searched by linker
+          # automatically, in which case adding $target{multilib} suffix
+          # causes more grief than we're ready to tolerate, so don't...
+          our $multilib =
+              -d "$prefix/lib$target{multilib}" ? $target{multilib} : "";
+          our $libdir = $config{libdir} || "lib$multilib";
+          $libdir -}
+ENGINESDIR={- use File::Spec::Functions;
+              catdir($prefix,$libdir,"engines") -}
+
+MANDIR=$(INSTALLTOP)/share/man
+HTMLDIR=$(INSTALLTOP)/share/doc/$(BASENAME)/html
+
+# MANSUFFIX is for the benefit of anyone who may want to have a suffix
+# appended after the manpage file section number.  "ssl" is popular,
+# resulting in files such as config.5ssl rather than config.5.
+MANSUFFIX=
+HTMLSUFFIX=html
+
+
+
+CROSS_COMPILE= {- $config{cross_compile_prefix} -}
+CC= $(CROSS_COMPILE){- $target{cc} -}
+CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $config{cflags} -}
+CFLAGS_Q={- $cflags2 =~ s|([\\"])|\\$1|g; $cflags2 -} {- $config{cflags} -}
+DEPFLAGS= {- join(" ",map { "-D".$_} @{$config{depdefines}}) -}
+LDFLAGS= {- $config{lflags} -}
+PLIB_LDFLAGS= {- $config{plib_lflags} -}
+EX_LIBS= {- $config{ex_libs} -}
+SHARED_LDFLAGS={- $target{shared_ldflag}
+                  # Unlike other OSes (like Solaris, Linux, Tru64,
+                  # IRIX) BSD run-time linkers (tested OpenBSD, NetBSD
+                  # and FreeBSD) "demand" RPATH set on .so objects.
+                  # Apparently application RPATH is not global and
+                  # does not apply to .so linked with other .so.
+                  # Problem manifests itself when libssl.so fails to
+                  # load libcrypto.so. One can argue that we should
+                  # engrave this into Makefile.shared rules or into
+                  # BSD-* config lines above. Meanwhile let's try to
+                  # be cautious and pass -rpath to linker only when
+                  # $prefix is not /usr.
+                  . ($config{target} =~ m|^BSD-| && $prefix !~ m|^/usr/.*$|
+                     ? " -Wl,-rpath,\$\$(LIBRPATH)" : "") -}
+SHARED_RCFLAGS={- $target{shared_rcflag} -}
+
+PERL={- $config{perl} -}
+
+ARFLAGS= {- $target{arflags} -}
+AR=$(CROSS_COMPILE){- $target{ar} || "ar" -} $(ARFLAGS) r
+RANLIB= {- $target{ranlib} -}
+NM= $(CROSS_COMPILE){- $target{nm} || "nm" -}
+RM= rm -f
+TAR= {- $target{tar} || "tar" -}
+TARFLAGS= {- $target{tarflags} -}
+
+BASENAME=       openssl
+NAME=           $(BASENAME)-$(VERSION)
+TARFILE=        ../$(NAME).tar
+
+# We let the C compiler driver to take care of .s files. This is done in
+# order to be excused from maintaining a separate set of architecture
+# dependent assembler flags. E.g. if you throw -mcpu=ultrasparc at SPARC
+# gcc, then the driver will automatically translate it to -xarch=v8plus
+# and pass it down to assembler.
+AS=$(CC) -c
+ASFLAG=$(CFLAGS)
+PERLASM_SCHEME= {- $target{perlasm_scheme} -}
+
+# For x86 assembler: Set PROCESSOR to 386 if you want to support
+# the 80386.
+PROCESSOR= {- $config{processor} -}
+
+# The main targets ###################################################
+
+all: build_libs build_engines build_apps link-utils
+
+# The pkg-config files depend on the libraries as well as Makefile
+build_libs: libcrypto.pc libssl.pc openssl.pc
+build_engines: $(ENGINES)
+build_apps: $(PROGRAMS) $(SCRIPTS)
+build_tests: $(TESTPROGS)
+
+test tests: build_tests build_apps build_engines rehash
+	( cd test; \
+	  SRCTOP=../$(SRCDIR) \
+	  BLDTOP=../$(BLDDIR) \
+	    $(PERL) ../$(SRCDIR)/test/run_tests.pl $(TESTS) )
+
+list-tests:
+	@TOP=$(SRCDIR) PERL=$(PERL) $(PERL) $(SRCDIR)/test/run_tests.pl list
+
+libclean:
+	-rm -f `find $(BLDDIR) -name '*$(LIB_EXT)' -o -name '*$(SHLIB_EXT)'`
+
+install: install_sw install_ssldirs install_docs
+
+uninstall: uninstall_docs uninstall_sw
+
+clean: libclean
+	rm -f $(PROGRAMS) $(TESTPROGS)
+	rm -f `find $(BLDDIR) -name '*$(DEP_EXT)'`
+	rm -f `find $(BLDDIR) -name '*$(OBJ_EXT)'`
+	rm -f $(BLDDIR)/core $(BLDDIR)/rehash.time
+	rm -f $(BLDDIR)/tags $(BLDDIR)/TAGS
+	rm -f $(BLDDIR)/openssl.pc $(BLDDIR)/libcrypto.pc $(BLDDIR)/libssl.pc
+	-rm -f `find $(BLDDIR) -type l`
+	rm -f $(TARFILE)
+
+DCLEAN_CMD=sed -e '/^DO NOT DELETE.*/,$$d'
+dclean:
+	$(DCLEAN_CMD) < Makefile >Makefile.new
+	mv -f Makefile.new Makefile
+
+DEPS={- join(" ", map { (my $x = $_) =~ s|\.o$|\$(DEP_EXT)|; $x; }
+                  grep { $unified_info{sources}->{$_}->[0] =~ /\.c$/ }
+                  keys %{$unified_info{sources}}); -}
+depend: $(DEPS)
+	( $(DCLEAN_CMD) < Makefile; \
+	  echo '# DO NOT DELETE THIS LINE -- make depend depends on it.'; \
+	  echo; \
+	  cat `find . -name '*$(DEP_EXT)'` ) > Makefile.new
+	mv -f Makefile.new Makefile
+
+# Install helper targets #############################################
+
+install_sw: all install_dev install_engines install_runtime
+
+uninstall_sw: uninstall_dev uninstall_engines uninstall_runtime
+
+install_docs: install_man_docs install_html_docs
+
+uninstall_docs: uninstall_man_docs uninstall_html_docs
+
+install_ssldirs:
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)/certs
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)/private
+
+install_dev:
+	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+	@echo "*** Installing development files"
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/include/openssl
+	@set -e; for i in $(SRCDIR)/include/openssl/*.h \
+			  $(BLDDIR)/include/openssl/*.h; do \
+		fn=`basename $$i`; \
+		echo "install $$i -> $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn"; \
+		cp $$i $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn; \
+		chmod 644 $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn; \
+	done
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)
+	@set -e; for l in $(LIBS); do \
+		fn=`basename $$l`; \
+		echo "install $$l -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn"; \
+		cp $$l $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.new; \
+		$(RANLIB) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.new; \
+		chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.new; \
+		mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.new \
+		      $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn; \
+	done
+	@ : {- output_off() if $config{no_shared}; "" -}
+	@set -e; for s in $(SHLIBS); do \
+		fn=`basename $$s`; \
+		echo "install $$s -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn"; \
+		cp $$s $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.new; \
+		chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.new; \
+		mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.new \
+		      $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn; \
+		if [ "$(SHLIB_EXT)" != "$(SHLIB_EXT_SIMPLE)" ]; then \
+			echo "link $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2 -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn"; \
+			fn2=`basename $$fn $(SHLIB_EXT)`$(SHLIB_EXT_SIMPLE); \
+			ln -sf $$fn $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2; \
+		fi; \
+		: {- output_off() unless windowsdll(); "" -}; \
+		echo "install $$s.a -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.a"; \
+		cp $$s.a $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.a.new; \
+		chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.a.new; \
+		mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.a.new \
+		      $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.a; \
+		: {- output_on() unless windowsdll(); "" -}; \
+	done
+	@ : {- output_on() if $config{no_shared}; "" -}
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
+	@echo "install libcrypto.pc -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc"
+	@cp libcrypto.pc $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
+	@chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc
+	@echo "install libssl.pc -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc"
+	@cp libssl.pc $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
+	@chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc
+	@echo "install openssl.pc -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc"
+	@cp openssl.pc $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
+	@chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc
+
+uninstall_dev:
+	@echo "*** Uninstalling development files"
+	@set -e; for i in $(SRCDIR)/include/openssl/*.h \
+			  $(BLDDIR)/include/openssl/*.h; do \
+		fn=`basename $$i`; \
+		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn"; \
+		$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn; \
+	done
+	@set -e; for l in $(LIBS); do \
+		fn=`basename $$l`; \
+		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn"; \
+		$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn; \
+	done
+	@set -e; for s in $(SHLIBS); do \
+		fn=`basename $$s`; \
+		if [ "$(SHLIB_EXT)" != "$(SHLIB_EXT_SIMPLE)" ]; then \
+			fn2=`basename $$fn $(SHLIB_EXT)`$(SHLIB_EXT_SIMPLE); \
+			echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2"; \
+			$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2; \
+		fi; \
+		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn"; \
+		$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn; \
+		: {- output_off() unless windowsdll(); "" -}; \
+		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.a"; \
+		$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.a; \
+		: {- output_on() unless windowsdll(); "" -}; \
+	done
+	@echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc"
+	@$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc
+	@echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc"
+	@$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc
+	@echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc"
+	@$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc
+
+install_engines:
+	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/
+	@echo "*** Installing engines"
+	@set -e; for e in $(ENGINES); do \
+		fn=`basename $$e`; \
+		echo "install $$e -> $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
+		cp $$e $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/$$fn.new; \
+		chmod 755 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/$$fn.new; \
+		mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/$$fn.new \
+		      $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/$$fn; \
+	done
+
+uninstall_engines:
+	@echo "*** Uninstalling engines"
+	@set -e; for e in $(ENGINES); do \
+		fn=`basename $$e`; \
+		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
+		$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/$$fn; \
+	done
+
+install_runtime:
+	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/bin
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)/misc
+	@echo "*** Installing runtime files"
+	: {- output_off() unless windowsdll(); "" -};
+	@set -e; for s in $(SHLIBS); do \
+		fn=`basename $$i`; \
+		echo "install $$s -> $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
+		cp $$s $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
+		chmod 644 $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
+		mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new \
+		      $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
+	done
+	: {- output_on() unless windowsdll(); "" -};
+	@set -e; for x in $(PROGRAMS); do \
+		fn=`basename $$x`; \
+		echo "install $$x -> $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
+		cp $$x $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
+		chmod 755 $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
+		mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new \
+		      $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
+	done
+	@set -e; for x in $(BIN_SCRIPTS); do \
+		fn=`basename $$x`; \
+		echo "install $$x -> $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
+		cp $$x $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
+		chmod 755 $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
+		mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new \
+		      $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
+	done
+	@set -e; for x in $(MISC_SCRIPTS); do \
+		fn=`basename $$x`; \
+		echo "install $$x -> $(DESTDIR)$(OPENSSLDIR)/misc/$$fn"; \
+		cp $$x $(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new; \
+		chmod 755 $(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new; \
+		mv -f $(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new \
+		      $(DESTDIR)$(OPENSSLDIR)/misc/$$fn; \
+	done
+	@echo "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf"
+	@cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new
+	@chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new
+	@mv -f  $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new $(DESTDIR)$(OPENSSLDIR)/openssl.cnf
+
+uninstall_runtime:
+	@echo "*** Uninstalling runtime files"
+	@set -e; for x in $(PROGRAMS); \
+	do  \
+		fn=`basename $$x`; \
+		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
+		$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
+	done;
+	@set -e; for x in $(BIN_SCRIPTS); \
+	do  \
+		fn=`basename $$x`; \
+		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
+		$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
+	done
+	@set -e; for x in $(MISC_SCRIPTS); \
+	do  \
+		fn=`basename $$x`; \
+		echo "$(RM) $(DESTDIR)$(OPENSSLDIR)/misc/$$fn"; \
+		$(RM) $(DESTDIR)$(OPENSSLDIR)/misc/$$fn; \
+	done
+	: {- output_off() unless windowsdll(); "" -};
+	@set -e; for s in $(SHLIBS); do \
+		fn=`basename $$i`; \
+		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
+		$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
+	done
+	: {- output_on() unless windowsdll(); "" -};
+	$(RM) $(DESTDIR)$(OPENSSLDIR)/openssl.cnf
+
+# A method to extract all names from a .pod file
+# The first sed extracts everything between "=head1 NAME" and the next =head1
+# The second sed joins all the lines into one
+# The third sed removes the description and turns all commas into spaces
+# Voilà, you have a space separated list of names!
+EXTRACT_NAMES=sed -e '1,/^=head1  *NAME *$$/d;/^=head1/,$$d' | \
+              sed -e ':a;{N;s/\n/ /;ba}' | \
+              sed -e 's/ - .*$$//;s/,/ /g'
+PROCESS_PODS=\
+	set -e; \
+	here=`cd $(SRCDIR); pwd`; \
+	point=$$here/util/point.sh; \
+	for ds in apps:1 crypto:3 ssl:3; do \
+	    defdir=`echo $$ds | cut -f1 -d:`; \
+	    defsec=`echo $$ds | cut -f2 -d:`; \
+	    for p in $(SRCDIR)/doc/$$defdir/*.pod; do \
+		SEC=`sed -ne 's/^=for  *comment  *openssl_manual_section: *\([0-9]\) *$$/\1/p' $$p`; \
+		[ -z "$$SEC" ] && SEC=$$defsec; \
+		fn=`basename $$p .pod`; \
+		NAME=`echo $$fn | tr [a-z] [A-Z]`; \
+		suf=`eval "echo $$OUTSUFFIX"`; \
+		top=`eval "echo $$OUTTOP"`; \
+		$(PERL) $(SRCDIR)/util/mkdir-p.pl $$top/man$$SEC; \
+		echo "install $$p -> $$top/man$$SEC/$$fn$$suf"; \
+		cat $$p | eval "$$GENERATE" \
+			>  $$top/man$$SEC/$$fn$$suf; \
+		names=`cat $$p | $(EXTRACT_NAMES)`; \
+		( cd $$top/man$$SEC; \
+		  for n in $$names; do \
+		      comp_n="$$n"; \
+		      comp_fn="$$fn"; \
+		      case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \
+			  comp_n=`echo "$$n" | tr [A-Z] [a-z]`; \
+			  comp_fn=`echo "$$fn" | tr [A-Z] [a-z]`; \
+			  ;; \
+		      esac; \
+		      if [ "$$comp_n" != "$$comp_fn" ]; then \
+			  echo "link $$top/man$$SEC/$$n$$suf -> $$top/man$$SEC/$$fn$$suf"; \
+			  PLATFORM=$(PLATFORM) $$point $$fn$$suf $$n$$suf; \
+		      fi; \
+		  done ); \
+	    done; \
+	done
+UNINSTALL_DOCS=\
+	set -e; \
+	here=`cd $(SRCDIR); pwd`; \
+	for ds in apps:1 crypto:3 ssl:3; do \
+	    defdir=`echo $$ds | cut -f1 -d:`; \
+	    defsec=`echo $$ds | cut -f2 -d:`; \
+	    for p in $(SRCDIR)/doc/$$defdir/*.pod; do \
+		SEC=`sed -ne 's/^=for  *comment  *openssl_manual_section: *\([0-9]\) *$$/\1/p' $$p`; \
+		[ -z "$$SEC" ] && SEC=$$defsec; \
+		fn=`basename $$p .pod`; \
+		suf=`eval "echo $$OUTSUFFIX"`; \
+		top=`eval "echo $$OUTTOP"`; \
+		echo "$(RM) $$top/man$$SEC/$$fn$$suf"; \
+	        $(RM) $$top/man$$SEC/$$fn$$suf; \
+		names=`cat $$p | $(EXTRACT_NAMES)`; \
+		for n in $$names; do \
+		    comp_n="$$n"; \
+		    comp_fn="$$fn"; \
+		    case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \
+			comp_n=`echo "$$n" | tr [A-Z] [a-z]`; \
+			comp_fn=`echo "$$fn" | tr [A-Z] [a-z]`; \
+			;; \
+		    esac; \
+		    if [ "$$comp_n" != "$$comp_fn" ]; then \
+			echo "$(RM) $$top/man$$SEC/$$n$$suf"; \
+			$(RM) $$top/man$$SEC/$$n$$suf; \
+		    fi; \
+		done; \
+	    done; \
+	done
+
+install_man_docs:
+	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+	@echo "*** Installing manpages"
+	@\
+	OUTSUFFIX='.$${SEC}$(MANSUFFIX)'; \
+	OUTTOP="$(DESTDIR)$(MANDIR)"; \
+	GENERATE='pod2man --name=$$NAME --section=$$SEC --center=OpenSSL --release=$(VERSION)'; \
+	$(PROCESS_PODS)
+
+uninstall_man_docs:
+	@echo "*** Uninstalling manpages"
+	@\
+	OUTSUFFIX='.$${SEC}$(MANSUFFIX)'; \
+	OUTTOP="$(DESTDIR)$(MANDIR)"; \
+	$(UNINSTALL_DOCS)
+
+install_html_docs:
+	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+	@echo "*** Installing HTML manpages"
+	@\
+	OUTSUFFIX='.$(HTMLSUFFIX)'; \
+	OUTTOP="$(DESTDIR)$(HTMLDIR)"; \
+	GENERATE="pod2html --podroot=$(SRCDIR)/doc --htmldir=.. \
+			   --podpath=apps:crypto:ssl \
+		  | sed -e 's|href=\"http://man.he.net/man|href=\"../man|g'"; \
+	$(PROCESS_PODS)
+
+uninstall_html_docs:
+	@echo "*** Uninstalling manpages"
+	@\
+	OUTSUFFIX='.$(HTMLSUFFIX)'; \
+	OUTTOP="$(DESTDIR)$(HTMLDIR)"; \
+	$(UNINSTALL_DOCS)
+
+
+# Developer targets (note: these are only available on Unix) #########
+
+update: generate errors ordinals
+
+generate: generate_apps generate_crypto_bn generate_crypto_objects
+
+# Test coverage is a good idea for the future
+#coverage: $(PROGRAMS) $(TESTPROGRAMS)
+#	...
+
+# Currently disabled, util/selftest.pl needs a rewrite
+#report:
+#	SRCDIR=$(SRCDIR) @$(PERL) util/selftest.pl
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRCS)
+
+generate_apps: $(SRCDIR)/apps/openssl-vms.cnf $(SRCDIR)/apps/progs.h
+
+generate_crypto_bn: $(SRCDIR)/crypto/bn/bn_prime.h
+
+generate_crypto_objects: $(SRCDIR)/crypto/objects/obj_dat.h \
+                         $(SRCDIR)/include/openssl/obj_mac.h \
+                         $(SRCDIR)/crypto/objects/obj_xref.h
+
+errors:
+	( cd $(SRCDIR); $(PERL) util/ck_errf.pl -strict */*.c */*/*.c )
+	( cd $(SRCDIR); $(PERL) util/mkerr.pl -recurse -write )
+	( cd $(SRCDIR)/engines; \
+	  for e in *.ec; do \
+	      $(PERL) ../util/mkerr.pl -conf $$e \
+		      -nostatic -staticloader -write *.c; \
+	  done )
+	( cd $(SRCDIR)/crypto/ct; \
+	  $(PERL) ../../util/mkerr.pl -conf ct.ec -hprefix internal/ -write *.c )
+
+ordinals:
+	( b=`pwd`; cd $(SRCDIR); $(PERL) -I$$b util/mkdef.pl crypto update )
+	( b=`pwd`; cd $(SRCDIR); $(PERL) -I$$b util/mkdef.pl ssl update )
+
+test_ordinals:
+	( cd test; \
+	  SRCTOP=../$(SRCDIR) \
+	  BLDTOP=../$(BLDDIR) \
+	    $(PERL) ../$(SRCDIR)/test/run_tests.pl test_ordinals )
+
+tags TAGS: FORCE
+	rm -f TAGS tags
+	-ctags -R .
+	-etags `find . -name '*.[ch]' -o -name '*.pm'`
+
+# Release targets (note: only available on Unix) #####################
+
+tar:
+	TMPDIR=/var/tmp/openssl-copy.$$$$; \
+	DISTDIR=openssl-$(VERSION); \
+	mkdir -p $$TMPDIR/$$DISTDIR; \
+	(cd $(SRCDIR); \
+	 git ls-tree -r --name-only --full-tree HEAD \
+	 | while read F; do \
+	       mkdir -p $$TMPDIR/$$DISTDIR/`dirname $$F`; \
+	       cp $$F $$TMPDIR/$$DISTDIR/$$F; \
+	   done); \
+	(cd $$TMPDIR; \
+	 [ -n "$(PREPARE_CMD)" ] && $(PREPARE_CMD); \
+	 find $$TMPDIR/$$DISTDIR -type d -print | xargs chmod 755; \
+	 find $$TMPDIR/$$DISTDIR -type f -print | xargs chmod a+r; \
+	 find $$TMPDIR/$$DISTDIR -type f -perm -0100 -print | xargs chmod a+x; \
+	 $(TAR) $(TARFLAGS) --owner 0 --group 0 -cvf - $$DISTDIR) \
+	| (cd $(SRCDIR); gzip --best > $(TARFILE).gz); \
+	rm -rf $$TMPDIR
+	cd $(SRCDIR); ls -l $(TARFILE).gz
+
+dist:
+	@$(MAKE) PREPARE_CMD='./Configure dist' tar
+
+# Helper targets #####################################################
+
+rehash: link-utils copy-certs build_apps
+	@if [ -z "$(CROSS_COMPILE)" ]; then \
+		(OPENSSL="$(BLDDIR)/util/shlib_wrap.sh apps/openssl"; \
+		[ -x "$(BLDDIR)/openssl.exe" ] && OPENSSL="$(BLDDIR)/openssl.exe" || :; \
+		OPENSSL_DEBUG_MEMORY=on; OPENSSL_CONF=/dev/null ; \
+		export OPENSSL OPENSSL_DEBUG_MEMORY OPENSSL_CONF; \
+		$$OPENSSL rehash certs/demo \
+		|| $(PERL) tools/c_rehash certs/demo) && \
+		touch rehash.time; \
+	else :; fi
+
+link-utils: $(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/util/shlib_wrap.sh
+
+$(BLDDIR)/util/opensslwrap.sh: Makefile
+	@if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \
+	    mkdir -p "$(BLDDIR)/util"; \
+	    ln -sf "../$(SRCDIR)/util/opensslwrap.sh" "$(BLDDIR)/util"; \
+	fi
+$(BLDDIR)/util/shlib_wrap.sh: Makefile
+	@if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \
+	    mkdir -p "$(BLDDIR)/util"; \
+	    ln -sf "../$(SRCDIR)/util/shlib_wrap.sh" "$(BLDDIR)/util"; \
+	fi
+
+copy-certs: FORCE
+	@if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \
+	    cp -R "$(SRCDIR)/certs" "$(BLDDIR)/"; \
+	fi
+
+$(SRCDIR)/apps/openssl-vms.cnf: $(SRCDIR)/apps/openssl.cnf
+	$(PERL) $(SRCDIR)/VMS/VMSify-conf.pl \
+                < $(SRCDIR)/apps/openssl.cnf > $(SRCDIR)/apps/openssl-vms.cnf
+
+{- # because the program apps/openssl has object files as sources, and
+   # they then have the corresponding C files as source, we need to chain
+   # the lookups in %unified_info
+   my $apps_openssl = catfile("apps","openssl");
+   our @openssl_source = map { @{$unified_info{sources}->{$_}} }
+                         @{$unified_info{sources}->{$apps_openssl}};
+   ""; -}
+$(SRCDIR)/apps/progs.h:
+	$(RM) $@
+	$(PERL) $(SRCDIR)/apps/progs.pl {- join(" ", @openssl_source) -} > $@
+
+$(SRCDIR)/crypto/bn/bn_prime.h: $(SRCDIR)/crypto/bn/bn_prime.pl
+	$(PERL) $(SRCDIR)/crypto/bn/bn_prime.pl > $(SRCDIR)/crypto/bn/bn_prime.h
+
+$(SRCDIR)/crypto/objects/obj_dat.h: $(SRCDIR)/crypto/objects/obj_dat.pl \
+                                    $(SRCDIR)/include/openssl/obj_mac.h
+	$(PERL) $(SRCDIR)/crypto/objects/obj_dat.pl \
+                $(SRCDIR)/include/openssl/obj_mac.h \
+                $(SRCDIR)/crypto/objects/obj_dat.h
+
+# objects.pl both reads and writes obj_mac.num
+$(SRCDIR)/include/openssl/obj_mac.h: $(SRCDIR)/crypto/objects/objects.pl \
+                                     $(SRCDIR)/crypto/objects/objects.txt \
+                                     $(SRCDIR)/crypto/objects/obj_mac.num
+	$(PERL) $(SRCDIR)/crypto/objects/objects.pl \
+                $(SRCDIR)/crypto/objects/objects.txt \
+                $(SRCDIR)/crypto/objects/obj_mac.num \
+                $(SRCDIR)/include/openssl/obj_mac.h
+	@sleep 1; touch $(SRCDIR)/include/openssl/obj_mac.h; sleep 1
+
+$(SRCDIR)/crypto/objects/obj_xref.h: $(SRCDIR)/crypto/objects/objxref.pl \
+                                     $(SRCDIR)/crypto/objects/obj_xref.txt \
+                                     $(SRCDIR)/crypto/objects/obj_mac.num
+	$(PERL) $(SRCDIR)/crypto/objects/objxref.pl \
+                $(SRCDIR)/crypto/objects/obj_mac.num \
+                $(SRCDIR)/crypto/objects/obj_xref.txt \
+                > $(SRCDIR)/crypto/objects/obj_xref.h
+	@sleep 1; touch $(SRCDIR)/crypto/objects/obj_xref.h; sleep 1
+
+FORCE :
+
+# Building targets ###################################################
+
+libcrypto.pc libssl.pc openssl.pc: Makefile $(LIBS)
+libcrypto.pc:
+	@ ( echo 'prefix=$(INSTALLTOP)'; \
+	    echo 'exec_prefix=$${prefix}'; \
+	    echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
+	    echo 'includedir=$${prefix}/include'; \
+	    echo ''; \
+	    echo 'Name: OpenSSL-libcrypto'; \
+	    echo 'Description: OpenSSL cryptography library'; \
+	    echo 'Version: '$(VERSION); \
+	    echo 'Libs: -L$${libdir} -lcrypto'; \
+	    echo 'Libs.private: $(EX_LIBS)'; \
+	    echo 'Cflags: -I$${includedir}' ) > libcrypto.pc
+
+libssl.pc:
+	@ ( echo 'prefix=$(INSTALLTOP)'; \
+	    echo 'exec_prefix=$${prefix}'; \
+	    echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
+	    echo 'includedir=$${prefix}/include'; \
+	    echo ''; \
+	    echo 'Name: OpenSSL-libssl'; \
+	    echo 'Description: Secure Sockets Layer and cryptography libraries'; \
+	    echo 'Version: '$(VERSION); \
+	    echo 'Requires.private: libcrypto'; \
+	    echo 'Libs: -L$${libdir} -lssl'; \
+	    echo 'Libs.private: $(EX_LIBS)'; \
+	    echo 'Cflags: -I$${includedir}' ) > libssl.pc
+
+openssl.pc:
+	@ ( echo 'prefix=$(INSTALLTOP)'; \
+	    echo 'exec_prefix=$${prefix}'; \
+	    echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
+	    echo 'includedir=$${prefix}/include'; \
+	    echo ''; \
+	    echo 'Name: OpenSSL'; \
+	    echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
+	    echo 'Version: '$(VERSION); \
+	    echo 'Requires: libssl libcrypto' ) > openssl.pc
+
+# Note on the use of $(MFLAGS): this was an older variant of MAKEFLAGS which
+# wasn't passed down automatically.  It's quite safe to use it like we do
+# below; if it doesn't exist, the result will be empty and 'make' will pick
+# up $(MAKEFLAGS) which is passed down as an environment variable.
+Makefile: {- $config{build_file_template} -} $(SRCDIR)/Configure $(SRCDIR)/config
+	@echo "Makefile is older than {- $config{build_file_template} -}, $(SRCDIR)/Configure or $(SRCDIR)/config."
+	@echo "Reconfiguring..."
+	$(SRCDIR)/Configure reconf
+	@echo "**************************************************"
+	@echo "***                                            ***"
+	@echo "***   Please run the same make command again   ***"
+	@echo "***                                            ***"
+	@echo "**************************************************"
+	@false
+
+{-
+  use File::Basename;
+  use File::Spec::Functions qw/:DEFAULT abs2rel rel2abs/;
+
+  # Helper function to figure out dependencies on libraries
+  # It takes a list of library names and outputs a list of dependencies
+  sub compute_lib_depends {
+      if ($config{no_shared}) {
+          return map { $_."\$(LIB_EXT)" } @_;
+      }
+
+      # Depending on shared libraries:
+      # On Windows POSIX layers, we depend on {libname}.dll.a
+      # On Unix platforms, we depend on {shlibname}.so
+      return map { if (windowsdll()) {
+                       "$_\$(SHLIB_EXT_SIMPLE).a"
+		   } else {
+		       my $libname =
+		           $unified_info{sharednames}->{$_} || $_;
+		       "$libname\$(SHLIB_EXT_SIMPLE)"
+		   } } @_;
+  }
+
+  sub src2dep {
+      my %args = @_;
+      my $dep = $args{obj}.'$(DEP_EXT)';
+      my $obj = $args{obj}.'$(OBJ_EXT)';
+      my $srcs = join(" ", @{$args{srcs}});
+      my $deps = join(" ", @{$args{srcs}}, @{$args{deps}});
+      my $incs = join(" ", map { " -I".$_ } @{$args{incs}});
+      my $makedepprog = $config{makedepprog};
+      if ($makedepprog eq "makedepend") {
+          return <<"EOF";
+$dep : $deps
+	rm -f \$\@.tmp; touch \$\@.tmp
+	\$(MAKEDEPEND) -f\$\@.tmp -o"|$obj"\
+	    -- -DOPENSSL_DOING_MAKEDEPEND \$(DEPFLAGS)$incs \
+	    -- $srcs
+	sed -e 's/^.*|//' -e 's/ \\/\\(\\\\.\\|[^ ]\\)*//g' -e '/: *\$/d' -e '/^\\(#.*\\| *\\)\$/d' \$\@.tmp > \$\@
+	rm \$\@.tmp
+EOF
+      }
+      return <<"EOF";
+$dep : $deps Makefile
+	\$(CC) -DOPENSSL_DOING_MAKEDEPEND \$(DEPFLAGS)$incs -MM -MF \$\@ -MQ $obj $srcs
+EOF
+  }
+  sub src2obj {
+      my %args = @_;
+      my $obj = $args{obj}.'$(OBJ_EXT)';
+      my $srcs = join(" ", @{$args{srcs}});
+      my $deps = join(" ", @{$args{srcs}}, @{$args{deps}});
+      my $incs = join(" ", map { " -I".$_ } @{$args{incs}});
+      return <<"EOF";
+$obj : $deps
+	\$(CC) \$(CFLAGS)$incs -c -o \$\@ $srcs
+EOF
+  }
+  # On Unix, we build shlibs from static libs, so we're ignoring the
+  # object file array.  We *know* this routine is only called when we've
+  # configure 'shared'.
+  sub libobj2shlib {
+      my %args = @_;
+      my $lib = $args{lib};
+      my $shlib = $args{shlib};
+      my $libd = dirname($lib);
+      my $libn = basename($lib);
+      (my $libname = $libn) =~ s/^lib//;
+      my $linklibs = join("", map { my $d = dirname($_);
+                                    my $f = basename($_);
+                                    (my $l = $f) =~ s/^lib//;
+                                    " -L$d -l$l" } @{$args{deps}});
+      my $deps = join(" ",compute_lib_depends(@{$args{deps}}));
+      my $shlib_target = $target{shared_target};
+      my $ordinalsfile = defined($args{ordinals}) ? $args{ordinals}->[1] : "";
+      my $shlibtarget = windowsdll() ?
+	  "$lib\$(SHLIB_EXT_SIMPLE).a" : "$shlib\$(SHLIB_EXT_SIMPLE)";
+      return <<"EOF"
+# With a build on a Windows POSIX layer (Cygwin or Mingw), we know for a fact
+# that two files get produced, {shlibname}.dll and {libname}.dll.a.
+# With all other Unix platforms, we often build a shared library with the
+# SO version built into the file name and a symlink without the SO version
+# It's not necessary to have both as targets.  The choice falls on the
+# simplest, {libname}\$(SHLIB_EXT_SIMPLE).a for Windows POSIX layers and
+# {libname}\$(SHLIB_EXT_SIMPLE) for the Unix platforms.
+$shlibtarget : $lib\$(LIB_EXT) $deps $ordinalsfile
+	\$(MAKE) -f \$(SRCDIR)/Makefile.shared -e \\
+		PLATFORM=\$(PLATFORM) \\
+		PERL=\$(PERL) SRCDIR="\$(SRCDIR)" DSTDIR="$libd" \\
+		INSTALLTOP="\$(INSTALLTOP)" LIBDIR="\$(LIBDIR)" \\
+		LIBDEPS="\$(PLIB_LDFLAGS) $linklibs \$(EX_LIBS)" \\
+		LIBNAME=$libname LIBVERSION=\$(SHLIB_MAJOR).\$(SHLIB_MINOR) \\
+		LIBCOMPATVERSIONS=";\$(SHLIB_VERSION_HISTORY)" \\
+		CC="\$(CC)" CFLAGS="\$(CFLAGS)" LDFLAGS="\$(LDFLAGS)" \\
+		CROSS_COMPILE="\$(CROSS_COMPILE)" \\
+		SHARED_LDFLAGS="\$(SHARED_LDFLAGS)" SHLIB_EXT=\$(SHLIB_EXT) \\
+		SHARED_RCFLAGS="\$(SHARED_RCFLAGS)" \\
+		link_a.$shlib_target
+EOF
+	  . (windowsdll() ? <<"EOF" : "");
+	rm -f apps/$shlib\$(SHLIB_EXT)
+	rm -f test/$shlib\$(SHLIB_EXT)
+	cp -p $shlib\$(SHLIB_EXT) apps/
+	cp -p $shlib\$(SHLIB_EXT) test/
+EOF
+  }
+  sub obj2dynlib {
+      my %args = @_;
+      my $lib = $args{lib};
+      my $libd = dirname($lib);
+      my $libn = basename($lib);
+      (my $libname = $libn) =~ s/^lib//;
+      my $shlibdeps = join("", map { my $d = dirname($_);
+                                     my $f = basename($_);
+                                     (my $l = $f) =~ s/^lib//;
+                                     " -L$d -l$l" } @{$args{deps}});
+      my $deps = join(" ",compute_lib_depends(@{$args{deps}}));
+      my $shlib_target = $target{shared_target};
+      my $objs = join(" ", map { $_."\$(OBJ_EXT)" } @{$args{objs}});
+      return <<"EOF";
+$lib\$(SHLIB_EXT_SIMPLE): $objs $deps
+	\$(MAKE) -f \$(SRCDIR)/Makefile.shared -e \\
+		PLATFORM=\$(PLATFORM) \\
+		PERL=\$(PERL) SRCDIR="\$(SRCDIR)" DSTDIR="$libd" \\
+		LIBDEPS="\$(PLIB_LDFLAGS) $shlibdeps \$(EX_LIBS)" \\
+		LIBNAME=$libname LDFLAGS="\$(LDFLAGS)" \\
+		CC="\$(CC)" CFLAGS="\$(CFLAGS)" \\
+		SHARED_LDFLAGS="\$(SHARED_LDFLAGS)" \\
+		SHLIB_EXT=\$(SHLIB_EXT_SIMPLE) \\
+		LIBEXTRAS="$objs" \\
+		link_o.$shlib_target
+EOF
+  }
+  sub obj2lib {
+      my %args = @_;
+      my $lib = $args{lib};
+      my $objs = join(" ", map { $_."\$(OBJ_EXT)" } @{$args{objs}});
+      return <<"EOF";
+$lib\$(LIB_EXT) : $objs
+	\$(AR) \$\@ $objs
+	\$(RANLIB) \$\@ || echo Never mind.
+EOF
+  }
+  sub obj2bin {
+      my %args = @_;
+      my $bin = $args{bin};
+      my $bind = dirname($bin);
+      my $binn = basename($bin);
+      my $objs = join(" ", map { $_."\$(OBJ_EXT)" } @{$args{objs}});
+      my $deps = join(" ",compute_lib_depends(@{$args{deps}}));
+      my $linklibs = join("", map { my $d = dirname($_);
+                                    my $f = basename($_);
+                                    $d = "." if $d eq $f;
+                                    (my $l = $f) =~ s/^lib//;
+                                    " -L$d -l$l" } @{$args{deps}});
+      my $shlib_target = $config{no_shared} ? "" : $target{shared_target};
+      return <<"EOF";
+$bin\$(EXE_EXT) : $objs $deps
+	\$(RM) $bin\$(EXE_EXT)
+	\$(MAKE) -f \$(SRCDIR)/Makefile.shared -e \\
+		PERL=\$(PERL) SRCDIR=\$(SRCDIR) \\
+		APPNAME=$bin OBJECTS="$objs" \\
+		LIBDEPS="\$(PLIB_LDFLAGS) $linklibs \$(EX_LIBS)" \\
+		CC="\$(CC)" CFLAGS="\$(CFLAGS)" LDFLAGS="\$(LDFLAGS)" \\
+		LIBRPATH="\$(INSTALLTOP)/\$(LIBDIR)" \\
+		link_app.$shlib_target
+EOF
+  }
+  sub in2script {
+      my %args = @_;
+      my $script = $args{script};
+      my $sources = join(" ", @{$args{sources}});
+      my $dofile = abs2rel(rel2abs(catfile($config{sourcedir},
+                                           "util", "dofile.pl")),
+                           rel2abs($config{builddir}));
+      return <<"EOF";
+$script : $sources
+	\$(PERL) "-I\$(BLDDIR)" -Mconfigdata "$dofile" \\
+	    "-o$target{build_file}" $sources > "$script"
+	chmod a+x $script
+EOF
+  }
+  ""    # Important!  This becomes part of the template result.
+-}
--- a/3696
+++ b/3696
--- a/65
+++ b/65
@@ -3,7 +3,7 @@
 ---------------------------------

 [Installation on DOS (with djgpp), Windows, OpenVMS, MacOS (before MacOS X)
-  and NetWare is described in INSTALL.DJGPP, INSTALL.W32, INSTALL.VMS,
+  and NetWare is described in INSTALL.DJGPP, INSTALL.WIN, INSTALL.VMS,
  INSTALL.MacOS and INSTALL.NW.
  
  This document describes installation on operating systems in the Unix
@@ -12,7 +12,8 @@
 To install OpenSSL, you will need:

  * make
-  * Perl 5 with core modules (see 'Note on Perl' further down)
+  * Perl 5 with core modules (please read README.PERL)
+  * The perl module Text::Template (please read README.PERL)
  * an ANSI C compiler
  * a development environment in form of development libraries and C
    header files
@@ -50,6 +51,19 @@
  --openssldir=DIR Directory for OpenSSL files. If no prefix is specified,
                the library files and binaries are also installed there.

+  no-autoalginit Don't automatically load all supported ciphers and digests.
+                Typically OpenSSL will make available all of its supported
+                ciphers and digests. For a statically linked application this
+                may be undesirable if small executable size is an objective.
+                This only affects libcrypto. Ciphers and digests will have to be
+                loaded manually using EVP_add_cipher() and EVP_add_digest() if
+                this option is used.
+
+  no-autoerrinit Don't automatically load all libcrypto/libssl error strings.
+                Typically OpenSSL will automatically load human readable error
+                strings. For a statically linked application this may be
+                undesirable if small executable size is an objective.
+
  no-threads    Don't try to build with support for multi-threaded
                applications.

@@ -141,7 +155,7 @@
     generic configurations "cc" or "gcc" should usually work on 32 bit
     systems.

-     Configure creates the file Makefile.ssl from Makefile.org and
+     Configure creates the file Makefile.ssl from Makefile.in and
     defines various macros in crypto/opensslconf.h (generated from
     crypto/opensslconf.h.in).

@@ -158,10 +172,10 @@
     standard headers).  If it is a problem with OpenSSL itself, please
     report the problem to <openssl-bugs@openssl.org> (note that your
     message will be recorded in the request tracker publicly readable
-     via http://www.openssl.org/support/rt.html and will be forwarded to a
-     public mailing list). Include the output of "make report" in your message.
-     Please check out the request tracker. Maybe the bug was already
-     reported or has already been fixed.
+     at https://www.openssl.org/community/index.html#bugs and will be
+     forwarded to a public mailing list). Include the output of "make
+     report" in your message.  Please check out the request tracker. Maybe
+     the bug was already reported or has already been fixed.

     [If you encounter assembler error messages, try the "no-asm"
     configuration option as an immediate fix.]
@@ -180,9 +194,6 @@

       $ HARNESS_VERBOSE=yes make test

-     Also, you will find logs for all commands the tests have executed
-     in logs, test/test_*.log, one for each individual test.
-
     If you want to run just one or a few specific tests, you can use
     the make variable TESTS to specify them, like this:

@@ -196,6 +207,9 @@

       $ make list-tests

+     Have a look at the manual for the perl module Test::Harness to
+     see what other HARNESS_* variables there are.
+
     If you find a problem with OpenSSL itself, try removing any
     compiler optimization flags from the CFLAG line in Makefile and
     run "make clean; make".
@@ -238,10 +252,9 @@
     locations, but have the package installed somewhere else so that
     it can easily be packaged, can use

-       $ make INSTALL_PREFIX=/tmp/package-root install
+       $ make DESTDIR=/tmp/package-root install

-     (or specify "--install_prefix=/tmp/package-root" as a configure
-     option).  The specified prefix will be prepended to all
+     The specified destination directory will be prepended to all
     installation target filenames.


@@ -310,26 +323,6 @@
     with names of the form <foo.h>.


- Note on Perl
- ------------
-
- For our scripts, we rely quite a bit on Perl, and increasingly on
- some core Perl modules.  These Perl modules are part of the Perl
- source, so if you build Perl on your own, you should be set.
-
- However, if you install Perl as binary packages, the outcome might
- differ, and you may have to check that you do get the core modules
- installed properly.  We do not claim to know them all, but experience
- has told us the following:
-
- - on Linux distributions based on Debian, the package 'perl' will
-   install the core Perl modules as well, so you will be fine.
- - on Linux distributions based on RPMs, you will need to install
-   'perl-core' rather than just 'perl'.
-
- It is highly recommended that you have at least Perl version 5.12
- installed.
-
 Note on multi-threading
 -----------------------

@@ -346,6 +339,10 @@
 you can still use "no-threads" to suppress an annoying warning message
 from the Configure script.)

+ OpenSSL provides built-in support for two threading models: pthreads (found on
+ most UNIX/Linux systems), and Windows threads. No other threading models are
+ supported. If your platform does not provide pthreads or Windows threads then
+ you should Configure with the "no-threads" option.

 Note on shared libraries
 ------------------------
@@ -390,7 +387,7 @@
 		rm -f $F; ln -s $OPENSSL_SOURCE/$F $F
 		echo $F '->' $OPENSSL_SOURCE/$F
 	done
-	make -f Makefile.org clean
+	make -f Makefile.in clean

 OPENSSL_SOURCE is an environment variable that contains the absolute (this
 is important!) path to the OpenSSL source tree.
--- a/INSTALL.DJGPP
+++ b/INSTALL.DJGPP
@@ -11,7 +11,8 @@

 You should have a full DJGPP environment installed, including the
 latest versions of DJGPP, GCC, BINUTILS, BASH, etc. This package
- requires that PERL and BC also be installed.
+ requires that PERL and the PERL module Text::Template also be
+ installed.

 All of these can be obtained from the usual DJGPP mirror sites or
 directly at "http://www.delorie.com/pub/djgpp". For help on which
--- a/INSTALL.VMS
+++ b/INSTALL.VMS
@@ -1,302 +1,66 @@
-			VMS Installation instructions
-			written by Richard Levitte
-			<richard@levitte.org>

+ INSTALLATION ON THE VMS PLATFORM
+ --------------------------------

-Intro:
-======
+ Intro
+ -----

-This file is divided in the following parts:
+ This file is divided in the following parts:

-  Requirements			- Mandatory reading.
-  Checking the distribution	- Mandatory reading.
-  Compilation			- Mandatory reading.
-  Logical names			- Mandatory reading.
-  Test				- Mandatory reading.
-  Installation			- Mandatory reading.
-  Backward portability		- Read if it's an issue.
-  Possible bugs or quirks	- A few warnings on things that
-				  may go wrong or may surprise you.
-  TODO				- Things that are to come.
+   Requirements                 - Mandatory reading.
+   Cheking the distribution     - Mandatory reading.
+   Quick start
+   Test                         <TO BE ADDED>
+   Installation                 <TO BE ADDED>
+   Backward portability         <TO BE ADDED>
+   Possible bugs and quirks     <TO BE ADDED>


-Requirements:
-=============
+ Requirements
+ ------------

-To build and install OpenSSL, you will need:
+ To build and install OpenSSL, you will need:

- * Perl 5 with core modules.  If you don't want to build it yourself,
-   we suggest you look here: http://sourceforge.net/projects/vmsperlkit/files/
- * DEC C or some other ANSI C compiler.  VAX C is *not* supported.
-   [Note: OpenSSL has only been tested with DEC C.  Compiling with 
-    a different ANSI C compiler may require some work]
+  * Perl 5 with core modules (please read README.PERL)
+  * The perl module Text::Template (please read README.PERL)
+  * DEC C or some other ANSI C compiler.  VAX C is *not* supported.
+    [Note: OpenSSL has only been tested with DEC C.  Compiling with 
+     a different ANSI C compiler may require some work]

-Checking the distribution:
-==========================
+ Checking the distribution
+ -------------------------

-There have been reports of places where the distribution didn't quite get
-through, for example if you've copied the tree from a NFS-mounted Unix
-mount point.
+ There have been reports of places where the distribution didn't quite
+ get through, for example if you've copied the tree from a NFS-mounted
+ Unix mount point.

-The easiest way to check if everything got through as it should is to check
-for one of the following files:
+ The easiest way to check if everything got through as it should is to
+ check for one of the following files:

-	[.CRYPTO]OPENSSLCONF.H_IN
-	[.CRYPTO]OPENSSLCONF_H.IN
+  [.crypto]opensslconf^.h.in

-They should never exist both at once, but one of them should (preferably
-the first variant).  If you can't find any of those two, something went
-wrong.
+ The best way to get a correct distribution is to download the gzipped
+ tar file from ftp://ftp.openssl.org/source/, use GUNZIP to uncompress
+ it and use VMSTAR to unpack the resulting tar file.

-The best way to get a correct distribution is to download the gzipped tar
-file from ftp://ftp.openssl.org/source/, use GUNZIP to uncompress it and
-use VMSTAR to unpack the resulting tar file.
+ GUNZIP is available {FIXME: where is it available?}

-GUNZIP is available in many places on the net.  One of the distribution
-points is the WKU software archive, ftp://ftp.wku.edu/vms/fileserv/ .
+ VMSTAR is available {FIXME: where is it available?}

-VMSTAR is also available in many places on the net.  The recommended place
-to find information about it is http://www.free.lp.se/vmstar/ .

+ Quick start
+ -----------

-Compilation:
-============
+ If you want to just get on with it, do this:

-I've used the very good command procedures written by Robert Byer
-<byer@mail.all-net.net>, and just slightly modified them, making
-them slightly more general and easier to maintain.
+  $ @config
+  $ mms
+  $ mms test
+  $ mmm install

-You can actually compile in almost any directory separately.  Look
-for a command procedure name xxx-LIB.COM (in the library directories)
-or MAKExxx.COM (in the program directories) and read the comments at
-the top to understand how to use them.  However, if you want to
-compile all you can get, the simplest is to use MAKEVMS.COM in the top
-directory.  The syntax is the following:
+ This will buidl and install OpenSSL in the default location, which is
+ SYS$COMMON:[OPENSSL-'VERSION'].  If you want it to be anywhere else,
+ run config.com like this:

-  @MAKEVMS <option> <bits> <debug-p> [<compiler>]
+  $ @config --prefix=PROGRAM:[OPENSSL]

-<option> must be one of the following:
-
-      ALL       Just build "everything".
-      CONFIG    Just build the "[.CRYPTO]OPENSSLCONF.H" file.
-      BUILDINF  Just build the "[.INCLUDE]BUILDINF.H" file.
-      SOFTLINKS Just copies some files, to simulate Unix soft links.
-      BUILDALL  Same as ALL, except CONFIG, BUILDINF and SOFTLINKS aren't done.
-      RSAREF    Just build the "[.xxx.EXE.RSAREF]LIBRSAGLUE.OLB" library.
-      CRYPTO    Just build the "[.xxx.EXE.CRYPTO]LIBCRYPTO.OLB" library.
-      SSL       Just build the "[.xxx.EXE.SSL]LIBSSL.OLB" library.
-      TEST      Just build the "[.xxx.EXE.TEST]" test programs for OpenSSL.
-      APPS      Just build the "[.xxx.EXE.APPS]" application programs for OpenSSL.
-
-<bits> must be one of the following:
-
-      ""        compile using default pointer size
-      32        compile using 32 bit pointer size
-      64        compile using 64 bit pointer size
-
-<debug-p> must be one of the following:
-
-      DEBUG     compile with debugging info (will not optimize)
-      NODEBUG   compile without debugging info (will optimize)
-
-<compiler> must be one of the following:
-
-      DECC      For DEC C.
-      GNUC      For GNU C.
-
-
-You will find the crypto library in [.xxx.EXE.CRYPTO] (where xxx is VAX,
-ALPHA or IA64), called SSL_LIBCRYPTO32.OLB or SSL_LIBCRYPTO.OLB depending
-on how it was built.  You will find the SSL library in [.xxx.EXE.SSL],
-named SSL_LIBSSL32.OLB or SSL_LIBSSL.OLB, and you will find a bunch of
-useful programs in [.xxx.EXE.APPS].  However, these shouldn't be used
-right off unless it's just to test them.  For production use, make sure
-you install first, see Installation below.
-
-Note 1: Some programs in this package require a TCP/IP library.
-
-Note 2: if you want to compile the crypto library only, please make sure
-        you have at least done a @MAKEVMS CONFIG, a @MAKEVMS BUILDINF and
-        a @MAKEVMS SOFTLINKS.  A lot of things will break if you don't.
-
-
-Logical names:
-==============
-
-There are a few things that can't currently be given through the command
-line.  Instead, logical names are used.
-
-Currently, the logical names supported are:
-
-      OPENSSL_NO_ASM    with value YES, the assembler parts of OpenSSL will
-                        not be used.  Instead, plain C implementations are
-                        used.  This is good to try if something doesn't work.
-      OPENSSL_NO_'alg'  with value YES, the corresponding crypto algorithm,
-                        protocol or other routine will not be implemented if
-                        disabling it is supported.  Supported algorithms to
-                        do this with are: AES, BF, CAMELLIA, CAST, CMS, COMP,
-                        DES, DGRAM, DH, DSA, EC, EC2M, ECDH, ECDSA, ENGINE,
-                        ERR, GOST, HEARTBEATS, HMAC, IDEA, MD2, MD4,
-                        MD5, OCB, OCSP, PSK, RC2, RC4, RC5, RMD160, RSA, SCTP,
-                        SEED, SOCK, SRP, SRTP, WHIRLPOOL.  So, for
-                        example, having the logical name OPENSSL_NO_RSA with
-                        the value YES means that the LIBCRYPTO.OLB library
-                        will not contain an RSA implementation.
-      OPENSSL_EXPERIMENTAL_'alg'
-                        with value YES, the corresponding experimental
-                        algorithm is enabled.  Note that is also requires
-                        the application using this to define the C macro
-                        OPENSSL_EXPERIMENTAL_'alg'.  Supported algorithms
-                        to do this with are: JPAKE, STORE.
-
-Test:
-=====
-
-Testing is very simple, just do the following:
-
-  @[.TEST]TESTS
-
-If a test fails, try with defining the logical name OPENSSL_NO_ASM (yes,
-it's an ugly hack!) and rebuild. Please send a bug report to
-<openssl-bugs@openssl.org>, including the output of "openssl version -a"
-and of the failed test.
-
-
-Installation:
-=============
-
-Installation is easy, just do the following:
-
-  @INSTALL <root> <bits>
-
-<root> is the directory in which everything will be installed,
-subdirectories, libraries, header files, programs and startup command
-procedures.
-
-<bits> works the same way as for MAKEVMS.COM
-
-N.B.: INSTALL.COM builds a new directory structure, different from
-the directory tree where you have now build OpenSSL.
-
-In the [.VMS] subdirectory of the installation, you will find the
-following command procedures:
-
-  OPENSSL_STARTUP.COM
-
-        defines all needed logical names.  Takes one argument that
-        tells it in what logical name table to insert the logical
-        names.  If you insert if it SYS$MANAGER:SYSTARTUP_VMS.COM, the
-        call should look like this: 
-
-          @openssldev:[openssldir.VMS]OPENSSL_STARTUP "/SYSTEM"
-
-  OPENSSL_UTILS.COM
-
-        sets up the symbols to the applications.  Should be called
-        from for example SYS$MANAGER:SYLOGIN.COM 
-
-  OPENSSL_UNDO.COM
-
-	deassigns the logical names created with OPENSSL_STARTUP.COM.
-
-The logical names that are set up are the following:
-
-  SSLROOT       a dotted concealed logical name pointing at the
-                root directory.
-
-  SSLCERTS      Initially an empty directory, this is the default
-		location for certificate files.
-  SSLPRIVATE	Initially an empty directory, this is the default
-		location for private key files.
-
-  SSLEXE        Contains the openssl binary and a few other utility
-		programs.
-  SSLINCLUDE    Contains the header files needed if you want to
-		compile programs with libcrypto or libssl.
-  SSLLIB        Contains the OpenSSL library files themselves:
-  		- SSL_LIBCRYPTO32.OLB and SSL_LIBSSL32.OLB or
-		- SSL_LIBCRYPTO.OLB and SSL_LIBSSL.OLB
-
-  OPENSSL	Same as SSLINCLUDE.  This is because the standard
-		way to include OpenSSL header files from version
-		0.9.3 and on is:
-
-			#include <openssl/header.h>
-
-		For more info on this issue, see the INSTALL. file
-		(the NOTE in section 4 of "Installation in Detail").
-		You don't need to "deleting old header files"!!!
-
-
-Backward portability:
-=====================
-
-One great problem when you build a library is making sure it will work
-on as many versions of VMS as possible.  Especially, code compiled on
-OpenVMS version 7.x and above tend to be unusable in version 6.x or
-lower, because some C library routines have changed names internally
-(the C programmer won't usually see it, because the old name is
-maintained through C macros).  One obvious solution is to make sure
-you have a development machine with an old enough version of OpenVMS.
-However, if you are stuck with a bunch of Alphas running OpenVMS version
-7.1, you seem to be out of luck.  Fortunately, the DEC C header files
-are cluttered with conditionals that make some declarations and definitions
-dependent on the OpenVMS version or the C library version, *and* you
-can use those macros to simulate older OpenVMS or C library versions,
-by defining the macros _VMS_V6_SOURCE, __VMS_VER and __CTRL_VER with
-correct values.  In the compilation scripts, I've provided the possibility
-for the user to influence the creation of such macros, through a bunch of
-symbols, all having names starting with USER_.  Here's the list of them:
-
-  USER_CCFLAGS		 - Used to give additional qualifiers to the
-			   compiler.  It can't be used to define macros
-			   since the scripts will do such things as well.
-			   To do such things, use USER_CCDEFS.
-  USER_CCDEFS		 - Used to define macros on the command line.  The
-			   value of this symbol will be inserted inside a
-			   /DEFINE=(...).
-  USER_CCDISABLEWARNINGS - Used to disable some warnings.  The value is
-			   inserted inside a /DISABLE=WARNING=(...).
-
-So, to maintain backward compatibility with older VMS versions, do the
-following before you start compiling:
-
-  $ USER_CCDEFS := _VMS_V6_SOURCE=1,__VMS_VER=60000000,__CRTL_VER=60000000
-  $ USER_CCDISABLEWARNINGS := PREOPTW
-
-The USER_CCDISABLEWARNINGS is there because otherwise, DEC C will complain
-that those macros have been changed.
-
-Note: Currently, this is only useful for library compilation.  The
-      programs will still be linked with the current version of the
-      C library shareable image, and will thus complain if they are
-      faced with an older version of the same C library shareable image.
-      This will probably be fixed in a future revision of OpenSSL.
-
-
-Possible bugs or quirks:
-========================
-
-I'm not perfectly sure all the programs will use the SSLCERTS:
-directory by default, it may very well be that you have to give them
-extra arguments.  Please experiment.
-
-
-TODO:
-=====
-
-There are a few things that need to be worked out in the VMS version of
-OpenSSL, still:
-
- Description files. ("Makefile's" :-))
- Script code to link an already compiled build tree.
- A VMSINSTALlable version (way in the future, unless someone else hacks).
- shareable images (DLL for you Windows folks).
-
-There may be other things that I have missed and that may be desirable.
-Please send mail to <openssl-users@openssl.org> or to me directly if you
-have any ideas.
-
--
-Richard Levitte <richard@levitte.org>
-2000-02-27, 2011-03-18
--- a/INSTALL.W32
+++ b/INSTALL.W32
@@ -1,325 +0,0 @@
- 
- INSTALLATION ON THE WIN32 PLATFORM
- ----------------------------------
-
- [Instructions for building for Windows CE can be found in INSTALL.WCE]
- [Instructions for building for Win64 can be found in INSTALL.W64]
-
- Here are a few comments about building OpenSSL for Win32 environments,
- such as Windows NT and Windows 9x. It should be noted though that
- Windows 9x are not ordinarily tested. Its mention merely means that we
- attempt to maintain certain programming discipline and pay attention
- to backward compatibility issues, in other words it's kind of expected
- to work on Windows 9x, but no regression tests are actually performed.
-
- On additional note newer OpenSSL versions are compiled and linked with
- Winsock 2. This means that minimum OS requirement was elevated to NT 4
- and Windows 98 [there is Winsock 2 update for Windows 95 though].
-
- - you need Perl for Win32.  Unless you will build on Cygwin, you will need
-   ActiveState Perl, available from http://www.activestate.com/ActivePerl.
-
- - one of the following C compilers:
-
-  * Visual C++
-  * Borland C
-  * GNU C (Cygwin or MinGW)
-
- Netwide Assembler, a.k.a. NASM, available from http://nasm.sourceforge.net/
-  is required if you intend to utilize assembler modules. Note that NASM
-  is now the only supported assembler.
-
- If you are compiling from a tarball or a Git snapshot then the Win32 files
- may well be not up to date. This may mean that some "tweaking" is required to
- get it all to work. See the trouble shooting section later on for if (when?)
- it goes wrong.
-
- Visual C++
- ----------
-
- If you want to compile in the assembly language routines with Visual
- C++, then you will need already mentioned Netwide Assembler binary,
- nasmw.exe or nasm.exe, to be available on your %PATH%.
-
- Firstly you should run Configure with platform VC-WIN32:
-
- > perl Configure VC-WIN32 --prefix=c:\some\openssl\dir
-
- Where the prefix argument specifies where OpenSSL will be installed to.
-
- Next you need to build the Makefiles and optionally the assembly
- language files:
-
- - If you are using NASM then run:
-
-   > ms\do_nasm
-
- - If you don't want to use the assembly language files at all then run:
-
-   > perl Configure VC-WIN32 no-asm --prefix=c:/some/openssl/dir
-   > ms\do_ms
-
- If you get errors about things not having numbers assigned then check the
- troubleshooting section: you probably won't be able to compile it as it
- stands.
-
- Then from the VC++ environment at a prompt do:
-
- > nmake -f ms\ntdll.mak
-
- If all is well it should compile and you will have some DLLs and
- executables in out32dll. If you want to try the tests then do:
- 
- > nmake -f ms\ntdll.mak test
-
-
- To install OpenSSL to the specified location do:
-
- > nmake -f ms\ntdll.mak install
-
- Tweaks:
-
- There are various changes you can make to the Win32 compile
- environment. By default the library is not compiled with debugging
- symbols. If you use the platform debug-VC-WIN32 instead of VC-WIN32
- then debugging symbols will be compiled in.
-
- By default in 1.0.0 OpenSSL will compile builtin ENGINES into the
- separate shared librariesy. If you specify the "enable-static-engine"
- option on the command line to Configure the shared library build
- (ms\ntdll.mak) will compile the engines into libeay32.dll instead.
-
- The default Win32 environment is to leave out any Windows NT specific
- features.
-
- If you want to enable the NT specific features of OpenSSL (currently
- only the logging BIO) follow the instructions above but call the batch
- file do_nt.bat instead of do_ms.bat.
-
- You can also build a static version of the library using the Makefile
- ms\nt.mak
-
-
- Borland C++ builder 5
- ---------------------
-
- * Configure for building with Borland Builder:
-   > perl Configure BC-32
-
- * Create the appropriate makefile
-   > ms\do_nasm
-
- * Build
-   > make -f ms\bcb.mak
-
- Borland C++ builder 3 and 4
- ---------------------------
-
- * Setup PATH. First must be GNU make then bcb4/bin 
-
- * Run ms\bcb4.bat
-
- * Run make:
-   > make -f bcb.mak
-
- GNU C (Cygwin)
- --------------
-
- Cygwin implements a Posix/Unix runtime system (cygwin1.dll) on top of
- Win32 subsystem and provides a bash shell and GNU tools environment.
- Consequently, a make of OpenSSL with Cygwin is virtually identical to
- Unix procedure. It is also possible to create Win32 binaries that only
- use the Microsoft C runtime system (msvcrt.dll or crtdll.dll) using
- MinGW. MinGW can be used in the Cygwin development environment or in a
- standalone setup as described in the following section.
-
- To build OpenSSL using Cygwin:
-
- * Install Cygwin (see http://cygwin.com/)
-
- * Install Perl and ensure it is in the path. Both Cygwin perl
-   (5.6.1-2 or newer) and ActivePerl work.
-
- * Run the Cygwin bash shell
-
- * $ tar zxvf openssl-x.x.x.tar.gz
-   $ cd openssl-x.x.x
-
-   To build the Cygwin version of OpenSSL:
-
-   $ ./config
-   [...]
-   $ make
-   [...]
-   $ make test
-   $ make install
-
-   This will create a default install in /usr/local/ssl.
-
-   To build the MinGW version (native Windows) in Cygwin:
-
-   $ ./Configure mingw
-   [...]
-   $ make
-   [...]
-   $ make test
-   $ make install
-
- Cygwin Notes:
-
- "make test" and normal file operations may fail in directories
- mounted as text (i.e. mount -t c:\somewhere /home) due to Cygwin
- stripping of carriage returns. To avoid this ensure that a binary
- mount is used, e.g. mount -b c:\somewhere /home.
-
- "bc" is not provided in older Cygwin distribution.  This causes a
- non-fatal error in "make test" but is otherwise harmless.  If
- desired and needed, GNU bc can be built with Cygwin without change.
-
- GNU C (MinGW/MSYS)
- -------------
-
- * Compiler and shell environment installation:
-
-   MinGW and MSYS are available from http://www.mingw.org/, both are
-   required. Run the installers and do whatever magic they say it takes
-   to start MSYS bash shell with GNU tools on its PATH.
-
-   N.B. Since source tar-ball can contain symbolic links, it's essential
-   that you use accompanying MSYS tar to unpack the source. It will
-   either handle them in one way or another or fail to extract them,
-   which does the trick too. Latter means that you may safely ignore all
-   "cannot create symlink" messages, as they will be "re-created" at
-   configure stage by copying corresponding files. Alternative programs
-   were observed to create empty files instead, which results in build
-   failure.
-
- * Compile OpenSSL:
-
-   $ ./config
-   [...]
-   $ make
-   [...]
-   $ make test
-
-   This will create the library and binaries in root source directory
-   and openssl.exe application in apps directory.
-
-   It is also possible to cross-compile it on Linux by configuring
-   with './Configure --cross-compile-prefix=i386-mingw32- mingw ...'.
-   'make test' is naturally not applicable then.
-
-   libcrypto.a and libssl.a are the static libraries. To use the DLLs,
-   link with libeay32.a and libssl32.a instead.
-
-   See troubleshooting if you get error messages about functions not
-   having a number assigned.
-
- Installation
- ------------
-
- If you used the Cygwin procedure above, you have already installed and
- can skip this section.  For all other procedures, there's currently no real
- installation procedure for Win32.  There are, however, some suggestions:
-
-    - do nothing.  The include files are found in the inc32/ subdirectory,
-      all binaries are found in out32dll/ or out32/ depending if you built
-      dynamic or static libraries.
-
-    - do as is written in INSTALL.Win32 that comes with modssl:
-
-	$ md c:\openssl 
-	$ md c:\openssl\bin
-	$ md c:\openssl\lib
-	$ md c:\openssl\include
-	$ md c:\openssl\include\openssl
-	$ copy /b inc32\openssl\*       c:\openssl\include\openssl
-	$ copy /b out32dll\ssleay32.lib c:\openssl\lib
-	$ copy /b out32dll\libeay32.lib c:\openssl\lib
-	$ copy /b out32dll\ssleay32.dll c:\openssl\bin
-	$ copy /b out32dll\libeay32.dll c:\openssl\bin
-	$ copy /b out32dll\openssl.exe  c:\openssl\bin
-
-      Of course, you can choose another device than c:.  C: is used here
-      because that's usually the first (and often only) harddisk device.
-      Note: in the modssl INSTALL.Win32, p: is used rather than c:.
-
-
- Troubleshooting
- ---------------
-
- Since the Win32 build is only occasionally tested it may not always compile
- cleanly.  If you get an error about functions not having numbers assigned
- when you run ms\do_ms then this means the Win32 ordinal files are not up to
- date. You can do:
-
- > perl util\mkdef.pl crypto ssl update
-
- then ms\do_XXX should not give a warning any more. However the numbers that
- get assigned by this technique may not match those that eventually get
- assigned in the Git tree: so anything linked against this version of the
- library may need to be recompiled.
-
- If you get errors about unresolved symbols there are several possible
- causes.
-
- If this happens when the DLL is being linked and you have disabled some
- ciphers then it is possible the DEF file generator hasn't removed all
- the disabled symbols: the easiest solution is to edit the DEF files manually
- to delete them. The DEF files are ms\libeay32.def ms\ssleay32.def.
-
- Another cause is if you missed or ignored the errors about missing numbers
- mentioned above.
-
- If you get warnings in the code then the compilation will halt.
-
- The default Makefile for Win32 halts whenever any warnings occur. Since VC++
- has its own ideas about warnings which don't always match up to other
- environments this can happen. The best fix is to edit the file with the
- warning in and fix it. Alternatively you can turn off the halt on warnings by
- editing the CFLAG line in the Makefile and deleting the /WX option.
-
- You might get compilation errors. Again you will have to fix these or report
- them.
-
- One final comment about compiling applications linked to the OpenSSL library.
- If you don't use the multithreaded DLL runtime library (/MD option) your
- program will almost certainly crash because malloc gets confused -- the
- OpenSSL DLLs are statically linked to one version, the application must
- not use a different one.  You might be able to work around such problems
- by adding CRYPTO_malloc_init() to your program before any calls to the
- OpenSSL libraries: This tells the OpenSSL libraries to use the same
- malloc(), free() and realloc() as the application.  However there are many
- standard library functions used by OpenSSL that call malloc() internally
- (e.g. fopen()), and OpenSSL cannot change these; so in general you cannot
- rely on CRYPTO_malloc_init() solving your problem, and you should
- consistently use the multithreaded library.
-
- Linking your application
- ------------------------
-
- If you link with static OpenSSL libraries [those built with ms/nt.mak],
- then you're expected to additionally link your application with
- WS2_32.LIB, ADVAPI32.LIB, GDI32.LIB and USER32.LIB. Those developing
- non-interactive service applications might feel concerned about linking
- with the latter two, as they are justly associated with interactive
- desktop, which is not available to service processes. The toolkit is
- designed to detect in which context it's currently executed, GUI,
- console app or service, and act accordingly, namely whether or not to
- actually make GUI calls. Additionally those who wish to
- /DELAYLOAD:GDI32.DLL and /DELAYLOAD:USER32.DLL and actually keep them
- off service process should consider implementing and exporting from
- .exe image in question own _OPENSSL_isservice not relying on USER32.DLL.
- E.g., on Windows Vista and later you could:
-
-	__declspec(dllexport) __cdecl BOOL _OPENSSL_isservice(void)
-	{   DWORD sess;
-	    if (ProcessIdToSessionId(GetCurrentProcessId(),&sess))
-	        return sess==0;
-	    return FALSE;
-	}
-
- If you link with OpenSSL .DLLs, then you're expected to include into
- your application code small "shim" snippet, which provides glue between
- OpenSSL BIO layer and your compiler run-time. Look up OPENSSL_Applink
- reference page for further details.
--- a/INSTALL.W64
+++ b/INSTALL.W64
@@ -1,66 +0,0 @@
-
- INSTALLATION ON THE WIN64 PLATFORM
- ----------------------------------
-
- Caveat lector
- -------------
-
- As of moment of this writing Win64 support is classified "initial"
- for the following reasons.
-
- - No assembler modules are engaged upon initial 0.9.8 release.
- - API might change within 0.9.8 life-span, *but* in a manner which
-   doesn't break backward binary compatibility. Or in other words,
-   application programs compiled with initial 0.9.8 headers will
-   be expected to work with future minor release .DLL without need
-   to re-compile, even if future minor release features modified API.
- - Above mentioned API modifications have everything to do with
-   elimination of a number of limitations, which are normally
-   considered inherent to 32-bit platforms. Which in turn is why they
-   are treated as limitations on 64-bit platform such as Win64:-)
-   The current list comprises [but not necessarily limited to]:
-
-   - null-terminated strings may not be longer than 2G-1 bytes,
-     longer strings are treated as zero-length;
-   - dynamically and *internally* allocated chunks can't be larger
-     than 2G-1 bytes;
-   - inability to encrypt/decrypt chunks of data larger than 4GB
-     [it's possibly to *hash* chunks of arbitrary size through];
-
-   Neither of these is actually big deal and hardly encountered
-   in real-life applications.
-
- Compiling procedure
- -------------------
-
- You will need Perl. You can run under Cygwin or you can download
- ActiveState Perl from http://www.activestate.com/ActivePerl.
-
- You will need Microsoft Platform SDK, available for download at
- http://www.microsoft.com/msdownload/platformsdk/sdkupdate/. As per
- April 2005 Platform SDK is equipped with Win64 compilers, as well
- as assemblers, but it might change in the future.
-
- To build for Win64/x64:
-
- > perl Configure VC-WIN64A
- > ms\do_win64a
- > nmake -f ms\ntdll.mak
- > cd out32dll
- > ..\ms\test
-
- To build for Win64/IA64:
-
- > perl Configure VC-WIN64I
- > ms\do_win64i
- > nmake -f ms\ntdll.mak
- > cd out32dll
- > ..\ms\test
-
- Naturally test-suite itself has to be executed on the target platform.
-
- Installation
- ------------
-
- TBD, for now see INSTALL.W32.
-
--- a/INSTALL.WCE
+++ b/INSTALL.WCE
@@ -8,6 +8,8 @@
  * Appropriate SDK might be required
  * Perl for Win32 [commonly recommended ActiveState Perl is available
    from http://www.activestate.com/Products/ActivePerl/]
+    You also need the perl module Text::Template.
+    Please read README.PERL for more information.

  * wcecompat compatibility library available at
    http://www.essemer.com.au/windowsce/
@@ -67,10 +69,6 @@

 > ms\do_ms

- If you get errors about things not having numbers assigned then check the
- troubleshooting section in INSTALL.W32: you probably won't be able to compile
- it as it stands.
-
 Then from the VC++ environment at a prompt do:

   > nmake -f ms\cedll.mak
--- a/INSTALL.WIN
+++ b/INSTALL.WIN
@@ -0,0 +1,192 @@
+
+ INSTALLATION ON WINDOWS PLATFORMS
+ ---------------------------------
+
+ [Instructions for building for Windows CE can be found in INSTALL.WCE]
+
+ Here are a few comments about building OpenSSL for Windows environments.
+
+ - you need Perl.  Unless you will build on Cygwin, you will need
+   ActiveState Perl, available from http://www.activestate.com/ActivePerl.  
+   You also need the perl module Text::Template, available on CPAN.
+   Please read README.PERL for more information.
+
+ - one of the following C compilers:
+
+  * Visual C++
+  * GNU C (Cygwin or MinGW)
+
+- Netwide Assembler, a.k.a. NASM, available from http://www.nasm.us,
+  is required if you intend to utilize assembler modules. Note that NASM
+  is now the only supported assembler. Without this the "Configure" step below
+  must be done with the "no-asm" option. The Microsoft provided assembler is NOT
+  supported.
+
+ Visual C++
+ ----------
+
+ If you want to compile in the assembly language routines with Visual
+ C++, then you will need the Netwide Assembler binary, nasmw.exe or nasm.exe, to
+ be available on your %PATH%.
+
+ Firstly you should run Configure and generate the Makefiles. If you don't want
+ the assembly language files then add the "no-asm" option (without quotes) to
+ the Configure lines below.
+
+ For Win32:
+
+ > perl Configure VC-WIN32 --prefix=c:\some\openssl\dir
+ > ms\do_nasm
+
+ Note: replace the last line above with the following if not using the assembly
+ language files:
+
+ > ms\do_ms
+
+ For Win64/x64:
+
+ > perl Configure VC-WIN64A --prefix=c:\some\openssl\dir
+ > ms\do_win64a
+
+ For Win64/IA64:
+
+ > perl Configure VC-WIN64I --prefix=c:\some\openssl\dir
+ > ms\do_win64i
+
+ Where the prefix argument specifies where OpenSSL will be installed to.
+
+ Then from the VC++ environment at a prompt do the following. Note, your %PATH%
+ and other environment variables should be set up for 32-bit or 64-bit
+ development as appropriate.
+
+ > nmake -f ms\ntdll.mak
+
+ If all is well it should compile and you will have some DLLs and
+ executables in out32dll. If you want to try the tests then do:
+
+ > nmake -f ms\ntdll.mak test
+
+ To install OpenSSL to the specified location do:
+
+ > nmake -f ms\ntdll.mak install
+
+ Tweaks:
+
+ There are various changes you can make to the Windows compile
+ environment. By default the library is not compiled with debugging
+ symbols. If you add --debug to the Configure lines above then debugging symbols
+ will be compiled in.
+
+ By default in 1.1.0 OpenSSL will compile builtin ENGINES into separate shared
+ libraries. If you specify the "enable-static-engine" option on the command line
+ to Configure the shared library build (ms\ntdll.mak) will compile the engines
+ into libeay32.dll instead.
+
+ You can also build a static version of the library using the Makefile
+ ms\nt.mak
+
+ GNU C (Cygwin)
+ --------------
+
+ Cygwin implements a Posix/Unix runtime system (cygwin1.dll) on top of the
+ Windows subsystem and provides a bash shell and GNU tools environment.
+ Consequently, a make of OpenSSL with Cygwin is virtually identical to the
+ Unix procedure. It is also possible to create Windows binaries that only
+ use the Microsoft C runtime system (msvcrt.dll or crtdll.dll) using
+ MinGW. MinGW can be used in the Cygwin development environment or in a
+ standalone setup as described in the following section.
+
+ To build OpenSSL using Cygwin:
+
+ * Install Cygwin (see http://cygwin.com/)
+
+ * Install Perl and ensure it is in the path. Both Cygwin perl
+   (5.6.1-2 or newer) and ActivePerl work.
+
+ * Run the Cygwin bash shell
+
+ * $ tar zxvf openssl-x.x.x.tar.gz
+   $ cd openssl-x.x.x
+
+   To build the Cygwin version of OpenSSL:
+
+   $ ./config
+   [...]
+   $ make
+   [...]
+   $ make test
+   $ make install
+
+   This will create a default install in /usr/local/ssl.
+
+   To build the MinGW version (native Windows) in Cygwin:
+
+   $ ./Configure mingw
+   [...]
+   $ make
+   [...]
+   $ make test
+   $ make install
+
+ Cygwin Notes:
+
+ "make test" and normal file operations may fail in directories
+ mounted as text (i.e. mount -t c:\somewhere /home) due to Cygwin
+ stripping of carriage returns. To avoid this ensure that a binary
+ mount is used, e.g. mount -b c:\somewhere /home.
+
+ GNU C (MinGW/MSYS)
+ -------------
+
+ * Compiler and shell environment installation:
+
+   MinGW and MSYS are available from http://www.mingw.org/, both are
+   required. Run the installers and do whatever magic they say it takes
+   to start MSYS bash shell with GNU tools on its PATH.
+
+ * Compile OpenSSL:
+
+   $ ./config
+   [...]
+   $ make
+   [...]
+   $ make test
+
+   This will create the library and binaries in root source directory
+   and openssl.exe application in apps directory.
+
+   It is also possible to cross-compile it on Linux by configuring
+   with './Configure --cross-compile-prefix=i386-mingw32- mingw ...'. Other
+   possible targets include x86_64-w64-mingw32- and i686-w64-mingw32-.
+
+   libcrypto.a and libssl.a are the static libraries. To use the DLLs,
+   link with libeay32.a and libssl32.a instead.
+
+ Linking your application
+ ------------------------
+
+ If you link with static OpenSSL libraries [those built with ms/nt.mak],
+ then you're expected to additionally link your application with
+ WS2_32.LIB, ADVAPI32.LIB, GDI32.LIB and USER32.LIB. Those developing
+ non-interactive service applications might feel concerned about linking
+ with the latter two, as they are justly associated with interactive
+ desktop, which is not available to service processes. The toolkit is
+ designed to detect in which context it's currently executed, GUI,
+ console app or service, and act accordingly, namely whether or not to
+ actually make GUI calls. Additionally those who wish to
+ /DELAYLOAD:GDI32.DLL and /DELAYLOAD:USER32.DLL and actually keep them
+ off service process should consider implementing and exporting from
+ .exe image in question own _OPENSSL_isservice not relying on USER32.DLL.
+ E.g., on Windows Vista and later you could:
+
+	__declspec(dllexport) __cdecl BOOL _OPENSSL_isservice(void)
+	{   DWORD sess;
+	    if (ProcessIdToSessionId(GetCurrentProcessId(),&sess))
+	        return sess==0;
+	    return FALSE;
+	}
+
+ If you link with OpenSSL .DLLs, then you're expected to include into
+ your application code small "shim" snippet, which provides glue between
+ OpenSSL BIO layer and your compiler run-time. See the OPENSSL_Applink
+ manual page for further details.
--- a/2
+++ b/2
@@ -12,7 +12,7 @@
  ---------------

 /* ====================================================================
- * Copyright (c) 1998-2011 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2016 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
--- a/Makefile.org
+++ b/Makefile.org
@@ -1,33 +1,65 @@
 ##
 ## Makefile for OpenSSL
 ##
+## {- join("\n## ", @autowarntext) -}

-VERSION=
-MAJOR=
-MINOR=
-SHLIB_VERSION_NUMBER=
-SHLIB_VERSION_HISTORY=
-SHLIB_MAJOR=
-SHLIB_MINOR=
-SHLIB_EXT=
-PLATFORM=dist
-OPTIONS=
-CONFIGURE_ARGS=
-SHLIB_TARGET=
+VERSION={- $config{version} -}
+MAJOR={- $config{major} -}
+MINOR={- $config{minor} -}
+SHLIB_VERSION_NUMBER={- $config{shlib_version_number} -}
+SHLIB_VERSION_HISTORY={- $config{shlib_version_history} -}
+SHLIB_MAJOR={- $config{shlib_major} -}
+SHLIB_MINOR={- $config{shlib_minor} -}
+SHLIB_EXT={- $target{shared_extension} -}
+PLATFORM={- $config{target} -}
+OPTIONS={- $config{options} -}
+CONFIGURE_ARGS=({- join(", ",quotify_l(@{$config{perlargv}})) -})
+SHLIB_TARGET={- $target{shared_target} -}

 # HERE indicates where this Makefile lives.  This can be used to indicate
 # where sub-Makefiles are expected to be.  Currently has very limited usage,
 # and should probably not be bothered with at all.
 HERE=.

-# INSTALL_PREFIX is for package builders so that they can configure
+# DESTDIR is for package builders so that they can configure
 # for, say, /usr/ and yet have everything installed to /tmp/somedir/usr/.
 # Normally it is left empty.
-INSTALL_PREFIX=
-INSTALLTOP=/usr/local/ssl
+DESTDIR=

-# Do not edit this manually. Use Configure --openssldir=DIR to change this!
-OPENSSLDIR=/usr/local/ssl
+# Do not edit these manually. Use Configure with --prefix or --openssldir
+# to change this!  Short explanation in the top comment in Configure
+INSTALLTOP={- # $prefix is used in the OPENSSLDIR perl snippet
+	      #
+	      our $prefix = $config{prefix} || "/usr/local";
+              $prefix -}
+OPENSSLDIR={- #
+	      # The logic here is that if no --openssldir was given,
+	      # OPENSSLDIR will get the value from $prefix plus "/ssl".
+	      # If --openssldir was given and the value is an absolute
+	      # path, OPENSSLDIR will get its value without change.
+	      # If the value from --openssldir is a relative path,
+	      # OPENSSLDIR will get $prefix with the --openssldir
+	      # value appended as a subdirectory.
+	      #
+              use File::Spec::Functions;
+              our $openssldir =
+                  $config{openssldir} ?
+                      (file_name_is_absolute($config{openssldir}) ?
+                           $config{openssldir}
+                           : catdir($prefix, $config{openssldir}))
+                      : catdir($prefix, "ssl");
+              $openssldir -}
+LIBDIR={- #
+          # if $prefix/lib$target{multilib} is not an existing
+          # directory, then assume that it's not searched by linker
+          # automatically, in which case adding $target{multilib} suffix
+          # causes more grief than we're ready to tolerate, so don't...
+          our $multilib =
+              -d "$prefix/lib$target{multilib}" ? $target{multilib} : "";
+          our $libdir = $config{libdir} || "lib$multilib";
+          $libdir -}
+ENGINESDIR={- use File::Spec::Functions;
+              catdir($prefix,$libdir,"engines") -}

 # NO_IDEA - Define to build without the IDEA algorithm
 # NO_RC4  - Define to build without the RC4 algorithm
@@ -44,9 +76,8 @@ OPENSSLDIR=/usr/local/ssl
 #           NULL encryption ciphers.
 #
 # LOCK_DEBUG - turns on lots of lock debug output :-)
-# REF_CHECK - turn on some xyz_free() assertions.
+# REF_DEBUG - turn on some xyz_free() assertions.
 # REF_PRINT - prints some stuff on structure free.
-# CRYPTO_MDEBUG - turns on my 'memory leak' detecting stuff
 # MFUNC - Make all Malloc/Free/Realloc calls call
 #       CRYPTO_malloc/CRYPTO_free/CRYPTO_realloc which can be setup to
 #       call application defined callbacks via CRYPTO_set_mem_functions()
@@ -57,23 +88,25 @@ OPENSSLDIR=/usr/local/ssl
 # equal 4.
 # PKCS1_CHECK - pkcs1 tests.

-CC= cc
-CFLAG= -O
-DEPFLAG= 
-PEX_LIBS= 
-EX_LIBS= 
-EXE_EXT= 
-ARFLAGS=
-AR=ar $(ARFLAGS) r
-RANLIB= ranlib
-NM= nm
-PERL= perl
+CROSS_COMPILE= {- $config{cross_compile_prefix} -}
+CC= $(CROSS_COMPILE){- $target{cc} -}
+CFLAG={- our $cflags2 = join(" ",(map { "-D".$_} @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $config{cflags} -}
+CFLAG_Q={- $cflags2 =~ s|([\\"])|\\$1|g; $cflags2 -} {- $config{cflags} -}
+DEPFLAG= {- join(" ",map { "-D".$_} @{$config{depdefines}}) -}
+LDFLAG= {- $config{lflags} -}
+PLIB_LDFLAG= {- $config{plib_lflags} -}
+EX_LIBS= {- $config{ex_libs} -}
+EXE_EXT= {- $target{exe_extension} -}
+ARFLAGS= {- $target{arflags} -}
+AR=$(CROSS_COMPILE){- $target{ar} -} $(ARFLAGS) r
+RANLIB= {- $target{ranlib} -}
+NM= $(CROSS_COMPILE){- $target{nm} -}
+PERL= {- $config{perl} -}
 #RM= echo --
 RM= rm -f
 TAR= tar
 TARFLAGS= --no-recursion
-MAKEDEPPROG=makedepend
-LIBDIR=lib
+MAKEDEPPROG=$(CROSS_COMPILE){- $config{makedepprog} -}

 # We let the C compiler driver to take care of .s files. This is done in
 # order to be excused from maintaining a separate set of architecture
@@ -85,30 +118,32 @@ ASFLAG=$(CFLAG)

 # For x86 assembler: Set PROCESSOR to 386 if you want to support
 # the 80386.
-PROCESSOR=
+PROCESSOR= {- $config{processor} -}

 # CPUID module collects small commonly used assembler snippets
-CPUID_OBJ= 
-BN_ASM= bn_asm.o
-EC_ASM=
-DES_ENC= des_enc.o fcrypt_b.o
-AES_ENC= aes_core.o aes_cbc.o
-BF_ENC= bf_enc.o
-CAST_ENC= c_enc.o
-RC4_ENC= rc4_enc.o
-RC5_ENC= rc5_enc.o
-MD5_ASM_OBJ= 
-SHA1_ASM_OBJ= 
-RMD160_ASM_OBJ= 
-WP_ASM_OBJ=
-CMLL_ENC=
-MODES_ASM_OBJ=
-ENGINES_ASM_OBJ=
-PERLASM_SCHEME=
+CPUID_OBJ= {- $target{cpuid_obj} -}
+BN_ASM= {- $target{bn_obj} -}
+EC_ASM= {- $target{ec_obj} -}
+DES_ENC= {- $target{des_obj} -}
+AES_ENC= {- $target{aes_obj} -}
+BF_ENC= {- $target{bf_obj} -}
+CAST_ENC= {- $target{cast_obj} -}
+RC4_ENC= {- $target{rc4_obj} -}
+RC5_ENC= {- $target{rc5_obj} -}
+MD5_ASM_OBJ= {- $target{md5_obj} -}
+SHA1_ASM_OBJ= {- $target{sha1_obj} -}
+RMD160_ASM_OBJ= {- $target{rmd160_obj} -}
+WP_ASM_OBJ= {- $target{wp_obj} -}
+CMLL_ENC= {- $target{cmll_obj} -}
+MODES_ASM_OBJ= {- $target{modes_obj} -}
+PADLOCK_ASM_OBJ= {- $target{padlock_obj} -}
+CHACHA_ENC= {- $target{chacha_obj} -}
+POLY1305_ASM_OBJ= {- $target{poly1305_obj} -}
+PERLASM_SCHEME= {- $target{perlasm_scheme} -}

 # Zlib stuff
-ZLIB_INCLUDE=
-LIBZLIB=
+ZLIB_INCLUDE={- $withargs{zlib_include} -}
+LIBZLIB={- $withargs{zlib_lib} -}

 # This is the location of fipscanister.o and friends.
 # The FIPS module build will place it $(INSTALLTOP)/lib
@@ -117,35 +152,25 @@ LIBZLIB=
 # $(INSTALLTOP) for this build may be different so hard
 # code the path.

-FIPSLIBDIR=/usr/local/ssl/$(LIBDIR)/
+FIPSLIBDIR={- $config{fipslibdir} -}

 # The location of the library which contains fipscanister.o
 # normally it will be libcrypto. If not compiling in FIPS mode
 # at all this is empty making it a useful test for a FIPS compile.

-FIPSCANLIB=
+FIPSCANLIB={- $config{fips} ? "libcrypto" : "" -}

 # Shared library base address. Currently only used on Windows.
 #

-BASEADDR=
+BASEADDR={- $config{baseaddr} -}

-DIRS=   crypto ssl engines apps test tools
-ENGDIRS= ccgost
+DIRS=   {- join(" ", @{$config{dirs}}) -}
 SHLIBDIRS= crypto ssl
 INSTALL_SUBS= engines apps tools

 # dirs in crypto to build
-SDIRS=  \
-	objects \
-	md2 md4 md5 sha mdc2 hmac ripemd whrlpool poly1305 \
-	des aes rc2 rc4 rc5 idea bf cast camellia seed chacha modes \
-	bn ec rsa dsa dh dso engine \
-	buffer bio stack lhash rand err \
-	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui \
-	cms pqueue ts jpake srp store cmac ct async
-# keep in mind that the above list is adjusted by ./Configure
-# according to no-xxx arguments...
+SDIRS=  {- join(" ", @{$config{sdirs}}) -}

 # tests to perform.  "alltests" is a special word indicating that all tests
 # should be performed.
@@ -153,21 +178,34 @@ TESTS = alltests

 MAKEFILE= Makefile

-MANDIR=$(OPENSSLDIR)/man
+MANDIR=$(INSTALLTOP)/share/man
 MAN1=1
 MAN3=3
 MANSUFFIX=
 HTMLSUFFIX=html
-HTMLDIR=$(OPENSSLDIR)/html
+HTMLDIR=$(INSTALLTOP)/share/doc/$(BASENAME)/html
 SHELL=/bin/sh

 TOP=    .
 LIBS=   libcrypto.a libssl.a
 SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
 SHARED_SSL=libssl$(SHLIB_EXT)
-SHARED_LIBS=
-SHARED_LIBS_LINK_EXTS=
-SHARED_LDFLAGS=
+SHARED_LIBS={- '$(SHARED_CRYPTO) $(SHARED_SSL)' if (!$config{no_shared}) -}
+SHARED_LDFLAG={- $target{shared_ldflag}
+                 # Unlike other OSes (like Solaris, Linux, Tru64,
+                 # IRIX) BSD run-time linkers (tested OpenBSD, NetBSD
+                 # and FreeBSD) "demand" RPATH set on .so objects.
+                 # Apparently application RPATH is not global and
+                 # does not apply to .so linked with other .so.
+                 # Problem manifests itself when libssl.so fails to
+                 # load libcrypto.so. One can argue that we should
+                 # engrave this into Makefile.shared rules or into
+                 # BSD-* config lines above. Meanwhile let's try to
+                 # be cautious and pass -rpath to linker only when
+                 # $prefix is not /usr.
+                 . ($config{target} =~ m|^BSD-| && $prefix !~ m|^/usr/.*$|
+                    ? " -Wl,-rpath,\$\$(LIBRPATH)" : "") -}
+SHARED_RCFLAG={- $target{shared_rcflag} -}

 GENERAL=        Makefile
 BASENAME=       openssl
@@ -177,16 +215,16 @@ HEADER=         e_os.h

 # Directories created on install if they don't exist.
 INSTALLDIRS=	\
-		$(INSTALL_PREFIX)$(INSTALLTOP)/bin \
-		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
-		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
-		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig \
-		$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
-		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
-		$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
-		$(INSTALL_PREFIX)$(OPENSSLDIR)/private
+		$(DESTDIR)$(INSTALLTOP)/bin \
+		$(DESTDIR)$(INSTALLTOP)/$(LIBDIR) \
+		$(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines \
+		$(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig \
+		$(DESTDIR)$(INSTALLTOP)/include/openssl \
+		$(DESTDIR)$(OPENSSLDIR)/misc \
+		$(DESTDIR)$(OPENSSLDIR)/certs \
+		$(DESTDIR)$(OPENSSLDIR)/private

-all: Makefile build_all
+all: Makefile build_all_but_tests

 # as we stick to -e, CLEARENV ensures that local variables in lower
 # Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn
@@ -207,23 +245,23 @@ CLEARENV=	TOP= && unset TOP $${LIB+LIB} $${LIBS+LIBS}	\
 # LC_ALL=C ensures that error [and other] messages are delivered in
 # same language for uniform treatment.
 BUILDENV=	LC_ALL=C PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)'\
-		CC='$(CC)' CFLAG='$(CFLAG)' 			\
+		CC='$(CC)' CFLAG='$(CFLAG)' CFLAG_Q='$(CFLAG_Q)'	\
 		AS='$(CC)' ASFLAG='$(CFLAG) -c'			\
 		AR='$(AR)' NM='$(NM)' RANLIB='$(RANLIB)'	\
 		CROSS_COMPILE='$(CROSS_COMPILE)'	\
-		PERL='$(PERL)' ENGDIRS='$(ENGDIRS)'		\
+		PERL='$(PERL)'	\
 		SDIRS='$(SDIRS)' LIBRPATH='$(INSTALLTOP)/$(LIBDIR)'	\
-		INSTALL_PREFIX='$(INSTALL_PREFIX)'		\
+		DESTDIR='$(DESTDIR)'		\
 		INSTALLTOP='$(INSTALLTOP)' OPENSSLDIR='$(OPENSSLDIR)'	\
 		LIBDIR='$(LIBDIR)'				\
-		MAKEDEPEND='$$$${TOP}/util/domd $$$${TOP} -MD $(MAKEDEPPROG)' \
 		DEPFLAG='$(DEPFLAG)'                    	\
-		MAKEDEPPROG='$(MAKEDEPPROG)'			\
-		SHARED_LDFLAGS='$(SHARED_LDFLAGS)'		\
+		SHARED_LDFLAG='$(SHARED_LDFLAG)'		\
+		SHARED_RCFLAG='$(SHARED_RCFLAG)'		\
 		ZLIB_INCLUDE='$(ZLIB_INCLUDE)' LIBZLIB='$(LIBZLIB)'	\
 		EXE_EXT='$(EXE_EXT)' SHARED_LIBS='$(SHARED_LIBS)'	\
 		SHLIB_EXT='$(SHLIB_EXT)' SHLIB_TARGET='$(SHLIB_TARGET)'	\
-		PEX_LIBS='$(PEX_LIBS)' EX_LIBS='$(EX_LIBS)'	\
+		LDFLAG='$(LDFLAG)'				\
+		PLIB_LDFLAG='$(PLIB_LDFLAG)' EX_LIBS='$(EX_LIBS)'	\
 		CPUID_OBJ='$(CPUID_OBJ)' BN_ASM='$(BN_ASM)'	\
 		EC_ASM='$(EC_ASM)' DES_ENC='$(DES_ENC)'		\
 		AES_ENC='$(AES_ENC)' CMLL_ENC='$(CMLL_ENC)'	\
@@ -234,7 +272,9 @@ BUILDENV=	LC_ALL=C PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)'\
 		RMD160_ASM_OBJ='$(RMD160_ASM_OBJ)'		\
 		WP_ASM_OBJ='$(WP_ASM_OBJ)'			\
 		MODES_ASM_OBJ='$(MODES_ASM_OBJ)'		\
-		ENGINES_ASM_OBJ='$(ENGINES_ASM_OBJ)'		\
+		PADLOCK_ASM_OBJ='$(PADLOCK_ASM_OBJ)'		\
+		CHACHA_ENC='$(CHACHA_ENC)'			\
+		POLY1305_ASM_OBJ='$(POLY1305_ASM_OBJ)'		\
 		PERLASM_SCHEME='$(PERLASM_SCHEME)'		\
 		FIPSLIBDIR='${FIPSLIBDIR}'			\
 		FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}"	\
@@ -271,7 +311,8 @@ reflect:

 sub_all: build_all

-build_all: build_libs build_apps build_tests build_tools
+build_all_but_tests: build_libs build_apps build_tools
+build_all: build_all_but_tests build_tests

 build_libs: build_libcrypto build_libssl openssl.pc

@@ -316,20 +357,6 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a
 		exit 1; \
 	fi

-clean-shared:
-	@set -e; for i in $(SHLIBDIRS); do \
-		if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \
-			tmp="$(SHARED_LIBS_LINK_EXTS)"; \
-			for j in $${tmp:-x}; do \
-				( set -x; rm -f lib$$i$$j ); \
-			done; \
-		fi; \
-		( set -x; rm -f lib$$i$(SHLIB_EXT) ); \
-		if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
-			( set -x; rm -f cyg$$i$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \
-		fi; \
-	done
-
 link-shared:
 	@ set -e; for i in $(SHLIBDIRS); do \
 		$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
@@ -349,6 +376,23 @@ do_$(SHLIB_TARGET):
 			LIBDEPS="$$libs $(EX_LIBS)" \
 			link_a.$(SHLIB_TARGET); \
 		libs="-l$$i $$libs"; \
+		case "$(PLATFORM)" in \
+		Cygwin*) \
+			rm -f apps/cyg$$i-$(SHLIB_MAJOR).$(SHLIB_MINOR).dll; \
+			rm -f test/cyg$$i-$(SHLIB_MAJOR).$(SHLIB_MINOR).dll; \
+			cp cyg$$i-$(SHLIB_MAJOR).$(SHLIB_MINOR).dll apps/; \
+			cp cyg$$i-$(SHLIB_MAJOR).$(SHLIB_MINOR).dll test/; \
+			;; \
+		mingw*) \
+			case $$i in \
+				crypto) i=libeay32;; \
+				ssl) i=ssleay32;; \
+			esac; \
+			rm -f apps/$$i.dll; \
+			rm -f test/$$i.dll; \
+			cp $$i.dll apps/; \
+			cp $$i.dll test/; \
+		esac; \
 	done

 libcrypto.pc: Makefile
@@ -390,8 +434,8 @@ openssl.pc: Makefile
 	    echo 'Version: '$(VERSION); \
 	    echo 'Requires: libssl libcrypto' ) > openssl.pc

-Makefile: Makefile.org Configure config
-	@echo "Makefile is older than Makefile.org, Configure or config."
+Makefile: Makefile.in Configure config
+	@echo "Makefile is older than Makefile.in, Configure or config."
 	@echo "Reconfigure the source tree (via './config' or 'perl Configure'), please."
 	@false

@@ -419,26 +463,22 @@ gentests:
 	@(cd test && echo "generating dummy tests (if needed)..." && \
 	$(CLEARENV) && $(MAKE) -e $(BUILDENV) TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on generate );

-dclean:
-	@set -e; target=dclean; $(RECURSIVE_BUILD_CMD)
-
 rehash: rehash.time
-rehash.time: certs apps
+rehash.time: certs build_apps build_tools
 	@if [ -z "$(CROSS_COMPILE)" ]; then \
 		(OPENSSL="`pwd`/util/opensslwrap.sh"; \
 		[ -x "apps/openssl.exe" ] && OPENSSL="apps/openssl.exe" || :; \
 		OPENSSL_DEBUG_MEMORY=on; OPENSSL_CONF=/dev/null ; \
 		export OPENSSL OPENSSL_DEBUG_MEMORY OPENSSL_CONF; \
-		$$OPENSSL rehash certs/demo) && \
+		$$OPENSSL rehash certs/demo \
+		|| $(PERL) tools/c_rehash certs/demo) && \
 		touch rehash.time; \
 	else :; fi

-test:   tests
+test:   files tests

-test_ordinals:
-	TOP=$(TOP) PERL=$(PERL) $(PERL) test/run_tests.pl test_ordinals

-tests: rehash
+tests:  build_tests rehash
 	@(cd test && echo "testing..." && \
 	$(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on OPENSSL_CONF=../apps/openssl.cnf tests );
 	@if [ -z "$(CROSS_COMPILE)" ]; then \
@@ -452,21 +492,22 @@ list-tests:
 report:
 	@$(PERL) util/selftest.pl

-update: errors stacks util/libeay.num util/ssleay.num TABLE test_ordinals
-	@set -e; target=update; $(RECURSIVE_BUILD_CMD)
+tags TAGS: FORCE
+	rm -f TAGS tags
+	-ctags -R .
+	-etags `find . -name '*.[ch]' -o -name '*.pm'`
+
+FORCE:

 depend:
 	@set -e; target=depend; $(RECURSIVE_BUILD_CMD)

-lint:
-	@set -e; target=lint; $(RECURSIVE_BUILD_CMD)
+update: generate errors ordinals depend

-tags TAGS: FORCE
-	rm -f TAGS tags
-	-ctags -R .
-	-etags -R .
-
-FORCE:
+generate:
+	(cd apps && PERL='${PERL}' $(MAKE) generate)
+	(cd crypto/bn && PERL='${PERL}' $(MAKE) generate)
+	(cd crypto/objects && PERL='${PERL}' $(MAKE) generate)

 errors:
 	$(PERL) util/ck_errf.pl -strict */*.c */*/*.c
@@ -474,14 +515,13 @@ errors:
 	(cd engines; $(MAKE) PERL=$(PERL) errors)
 	(cd crypto/ct; $(MAKE) PERL=$(PERL) errors)

-stacks:
-	$(PERL) util/mkstack.pl -write
-
+ordinals: util/libeay.num util/ssleay.num test_ordinals TABLE
 util/libeay.num::
 	$(PERL) util/mkdef.pl crypto update
-
 util/ssleay.num::
 	$(PERL) util/mkdef.pl ssl update
+test_ordinals:
+	TOP=$(TOP) PERL=$(PERL) $(PERL) test/run_tests.pl test_ordinals

 TABLE: Configure Configurations/*.conf
 	(echo 'Output of `Configure TABLE'"':"; \
@@ -493,15 +533,13 @@ TABLE: Configure Configurations/*.conf
 # and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal
 # tar does not support the --files-from option.
 TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from $(TARFILE).list \
-	                       --owner 0 --group 0 \
+			       --owner 0 --group 0 \
 			       --transform 's|^|$(NAME)/|' \
 			       -cvf -

 $(TARFILE).list:
-	find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \
-	       \! -name '*.so' \! -name '*.so.*'  \! -name 'openssl' \
-	       \! -name '*test' \! -name '.#*' \! -name '*~' \!	-type l \
-	    | sort > $(TARFILE).list
+	git diff --quiet HEAD
+	git ls-files | sort > $(TARFILE).list

 tar: $(TARFILE).list
 	find . -type d -print | xargs chmod 755
@@ -516,7 +554,7 @@ tar-snap: $(TARFILE).list
 	rm -f $(TARFILE).list
 	ls -l $(TARFILE)

-dist:   
+dist:
 	$(PERL) Configure dist
 	@$(MAKE) SDIRS='$(SDIRS)' clean
 	@$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
@@ -528,18 +566,18 @@ uninstall: uninstall_sw uninstall_docs
 install_sw:
 	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALLDIRS)
 	@set -e; for i in include/openssl/*.h; do \
-	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$$i; \
-	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$$i ); \
+	(cp $$i $(DESTDIR)$(INSTALLTOP)/$$i; \
+	chmod 644 $(DESTDIR)$(INSTALLTOP)/$$i ); \
 	done;
 	@set -e; target=install; for dir in $(INSTALL_SUBS); do $(BUILD_CMD); done
 	@set -e; liblist="$(LIBS)"; for i in $$liblist ;\
 	do \
 		if [ -f "$$i" ]; then \
 		(       echo installing $$i; \
-			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
-			$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
-			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
-			mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i ); \
+			cp $$i $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
+			$(RANLIB) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
+			chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
+			mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i ); \
 		fi; \
 	done;
 	@set -e; if [ -n "$(SHARED_LIBS)" ]; then \
@@ -550,16 +588,16 @@ install_sw:
 			(       echo installing $$i; \
 				if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
 					c=`echo $$i | sed 's/^lib\(.*\)\.dll\.a/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
-					cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
-					chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
-					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
-					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
-					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
-					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
+					cp $$c $(DESTDIR)$(INSTALLTOP)/bin/$$c.new; \
+					chmod 755 $(DESTDIR)$(INSTALLTOP)/bin/$$c.new; \
+					mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$c.new $(DESTDIR)$(INSTALLTOP)/bin/$$c; \
+					cp $$i $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
+					chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
+					mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 				else \
-					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
-					chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
-					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
+					cp $$i $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
+					chmod 555 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
+					mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 				fi ); \
 				if expr $(PLATFORM) : 'mingw' > /dev/null; then \
 				(	case $$i in \
@@ -567,34 +605,34 @@ install_sw:
 						*ssl*)    i=ssleay32.dll;; \
 					esac; \
 					echo installing $$i; \
-					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
-					chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
-					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
+					cp $$i $(DESTDIR)$(INSTALLTOP)/bin/$$i.new; \
+					chmod 755 $(DESTDIR)$(INSTALLTOP)/bin/$$i.new; \
+					mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$i.new $(DESTDIR)$(INSTALLTOP)/bin/$$i ); \
 				fi; \
 			fi; \
 		done; \
 		(	here="`pwd`"; \
-			cd $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR); \
+			cd $(DESTDIR)$(INSTALLTOP)/$(LIBDIR); \
 			$(MAKE) -f $$here/Makefile HERE="$$here" link-shared ); \
 		if [ "$(INSTALLTOP)" != "/usr" ]; then \
 			echo 'OpenSSL shared libraries have been installed in:'; \
 			echo '  $(INSTALLTOP)'; \
 		fi; \
 	fi
-	cp libcrypto.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
-	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc
-	cp libssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
-	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc
-	cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
-	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc
+	cp libcrypto.pc $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
+	chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc
+	cp libssl.pc $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
+	chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc
+	cp openssl.pc $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
+	chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc

 uninstall_sw:
-	cd include/openssl && files=* && cd $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl && $(RM) $$files
+	cd include/openssl && files=* && cd $(DESTDIR)$(INSTALLTOP)/include/openssl && $(RM) $$files
 	@for i in $(LIBS) ;\
 	do \
 		test -f "$$i" && \
-		echo $(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i && \
-		$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
+		echo $(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i && \
+		$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 	done;
 	@if [ -n "$(SHARED_LIBS)" ]; then \
 		tmp="$(SHARED_LIBS)"; \
@@ -603,28 +641,28 @@ uninstall_sw:
 			if [ -f "$$i" -o -f "$$i.a" ]; then \
 				if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
 					c=`echo $$i | sed 's/^lib\(.*\)\.dll\.a/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
-					echo $(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
-					$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
-					echo $(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
-					$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
+					echo $(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$c; \
+					$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$c; \
+					echo $(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i; \
+					$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 				else \
-					echo $(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
-					$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
+					echo $(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i; \
+					$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 				fi; \
 				if expr $(PLATFORM) : 'mingw' > /dev/null; then \
 					case $$i in \
 						*crypto*) i=libeay32.dll;; \
 						*ssl*)    i=ssleay32.dll;; \
 					esac; \
-					echo $(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
-					$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
+					echo $(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$i; \
+					$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$i; \
 				fi; \
 			fi; \
 		done; \
 	fi
-	$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc
-	$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc
-	$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc
+	$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc
+	$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc
+	$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc
 	@target=uninstall; $(RECURSIVE_BUILD_CMD)

 install_html_docs:
@@ -634,7 +672,7 @@ install_html_docs:
 		filecase=-i; \
 	esac; \
 	for subdir in apps crypto ssl; do \
-		$(PERL) $(TOP)/util/mkdir-p $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir; \
+		$(PERL) $(TOP)/util/mkdir-p $(DESTDIR)$(HTMLDIR)/$$subdir; \
 		for i in doc/$$subdir/*.pod; do \
 			fn=`basename $$i .pod`; \
 			echo "installing html/$$fn.$(HTMLSUFFIX)"; \
@@ -642,10 +680,10 @@ install_html_docs:
 			| sed -r 's/L<([^)]*)(\([0-9]\))?\|([^)]*)(\([0-9]\))?>/L<\1|\3>/g' \
 			| pod2html --podroot=doc --htmlroot=.. --podpath=$$subdir:apps:crypto:ssl \
 			| sed -r 's/<!DOCTYPE.*//g' \
-			> $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir/$$fn.$(HTMLSUFFIX); \
+			> $(DESTDIR)$(HTMLDIR)/$$subdir/$$fn.$(HTMLSUFFIX); \
 			$(PERL) util/extract-names.pl < $$i | \
 				grep -v $$filecase "^$$fn\$$" | \
-				(cd $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir; \
+				(cd $(DESTDIR)$(HTMLDIR)/$$subdir; \
 				 while read n; do \
 					PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$(HTMLSUFFIX) "$$n".$(HTMLSUFFIX); \
 				 done); \
@@ -661,21 +699,21 @@ uninstall_html_docs:
 	for subdir in apps crypto ssl; do \
 		for i in doc/$$subdir/*.pod; do \
 			fn=`basename $$i .pod`; \
-			$(RM) $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir/$$fn.$(HTMLSUFFIX); \
+			$(RM) $(DESTDIR)$(HTMLDIR)/$$subdir/$$fn.$(HTMLSUFFIX); \
 			$(PERL) util/extract-names.pl < $$i | \
 				grep -v $$filecase "^$$fn\$$" | \
 				while read n; do \
-					$(RM) $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir/"$$n".$(HTMLSUFFIX); \
+					$(RM) $(DESTDIR)$(HTMLDIR)/$$subdir/"$$n".$(HTMLSUFFIX); \
 				done; \
 		done; \
 	done

 install_docs:
 	@$(PERL) $(TOP)/util/mkdir-p.pl \
-		$(INSTALL_PREFIX)$(MANDIR)/man1 \
-		$(INSTALL_PREFIX)$(MANDIR)/man3 \
-		$(INSTALL_PREFIX)$(MANDIR)/man5 \
-		$(INSTALL_PREFIX)$(MANDIR)/man7
+		$(DESTDIR)$(MANDIR)/man1 \
+		$(DESTDIR)$(MANDIR)/man3 \
+		$(DESTDIR)$(MANDIR)/man5 \
+		$(DESTDIR)$(MANDIR)/man7
 	here="`pwd`"; \
 	filecase=; \
 	case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \
@@ -689,11 +727,11 @@ install_docs:
 		pod2man \
 			--section=$$sec --center=OpenSSL \
 			--release=$(VERSION) `basename $$i`) \
-			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
+			>  $(DESTDIR)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
 			(grep -v $$filecase "^$$fn\$$"; true) | \
 			(grep -v "[	]"; true) | \
-			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
+			(cd $(DESTDIR)$(MANDIR)/man$$sec/; \
 			 while read n; do \
 				PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
 			 done); \
@@ -706,11 +744,11 @@ install_docs:
 		pod2man \
 			--section=$$sec --center=OpenSSL \
 			--release=$(VERSION) `basename $$i`) \
-			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
+			>  $(DESTDIR)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
 			(grep -v $$filecase "^$$fn\$$"; true) | \
 			(grep -v "[	]"; true) | \
-			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
+			(cd $(DESTDIR)$(MANDIR)/man$$sec/; \
 			 while read n; do \
 				PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
 			 done); \
@@ -725,27 +763,27 @@ uninstall_docs:
 	for i in doc/apps/*.pod; do \
 		fn=`basename $$i .pod`; \
 		sec=`$(PERL) util/extract-section.pl 1 < $$i`; \
-		echo $(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
-		$(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
+		echo $(RM) $(DESTDIR)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
+		$(RM) $(DESTDIR)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
 			(grep -v $$filecase "^$$fn\$$"; true) | \
 			(grep -v "[	]"; true) | \
 			while read n; do \
-				echo $(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/"$$n".$${sec}$(MANSUFFIX); \
-				$(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/"$$n".$${sec}$(MANSUFFIX); \
+				echo $(RM) $(DESTDIR)$(MANDIR)/man$$sec/"$$n".$${sec}$(MANSUFFIX); \
+				$(RM) $(DESTDIR)$(MANDIR)/man$$sec/"$$n".$${sec}$(MANSUFFIX); \
 			done; \
 	done; \
 	for i in doc/crypto/*.pod doc/ssl/*.pod; do \
 		fn=`basename $$i .pod`; \
 		sec=`$(PERL) util/extract-section.pl 3 < $$i`; \
-		echo $(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
-		$(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
+		echo $(RM) $(DESTDIR)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
+		$(RM) $(DESTDIR)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
 			(grep -v $$filecase "^$$fn\$$"; true) | \
 			(grep -v "[	]"; true) | \
 			while read n; do \
-				echo $(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/"$$n".$${sec}$(MANSUFFIX); \
-				$(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/"$$n".$${sec}$(MANSUFFIX); \
+				echo $(RM) $(DESTDIR)$(MANDIR)/man$$sec/"$$n".$${sec}$(MANSUFFIX); \
+				$(RM) $(DESTDIR)$(MANDIR)/man$$sec/"$$n".$${sec}$(MANSUFFIX); \
 			done; \
 	done

--- a/Makefile.shared
+++ b/Makefile.shared
@@ -11,8 +11,12 @@ CFLAGS=$(CFLAG)
 # LDFLAGS contains flags to be used when temporary object files (when building
 # shared libraries) are created, or when an application is linked.
 # SHARED_LDFLAGS contains flags to be used when the shared library is created.
-LDFLAGS=
-SHARED_LDFLAGS=
+LDFLAGS=$(LDFLAG)
+SHARED_LDFLAGS=$(SHARED_LDFLAG)
+
+# SHARED_RCFLAGS are flags used with windres, i.e. when build for Cygwin
+# or Mingw.
+SHARED_RCFLAGS=$(SHARED_RCFLAG)

 NM=nm

@@ -31,6 +35,12 @@ LIBNAME=
 #APPNAME=foo
 APPNAME=

+# DSTDIR is the directory where the built file should end up in.
+DSTDIR=.
+
+# SRCDIR is the top directory of the source tree.
+SRCDIR=.
+
 # OBJECTS contains all the object files to link together into the application.
 # This must contain at least one object file.
 #OBJECTS=foo.o
@@ -92,9 +102,11 @@ CALC_VERSIONS=	\
 LINK_APP=	\
  ( $(SET_X);   \
    LIBDEPS="$${LIBDEPS:-$(LIBDEPS)}"; \
-    LDCMD="$${LDCMD:-$(CC)}"; LDFLAGS="$${LDFLAGS:-$(CFLAGS)}"; \
+    LDCMD="$${LDCMD:-$(CC)}"; LDFLAGS="$${LDFLAGS:-$(CFLAGS) $(LDFLAGS)}"; \
    LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
    LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
+    echo LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
+        $${LDCMD} $${LDFLAGS} -o $${APPNAME:=$(APPNAME)} $(OBJECTS) $${LIBDEPS}; \
    LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
    $${LDCMD} $${LDFLAGS} -o $${APPNAME:=$(APPNAME)} $(OBJECTS) $${LIBDEPS} )

@@ -105,9 +117,13 @@ LINK_SO=	\
    SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
    LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
    LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
+    echo LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
+         $${SHAREDCMD} $${SHAREDFLAGS} \
+	     -o $(DSTDIR)/$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
+	     $$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS; \
    LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
    $${SHAREDCMD} $${SHAREDFLAGS} \
-	-o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
+	-o $(DSTDIR)/$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
 	$$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS \
  ) && $(SYMLINK_SO)

@@ -116,30 +132,30 @@ SYMLINK_SO=	\
 		prev=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX; \
 		if [ -n "$$SHLIB_COMPAT" ]; then \
 			for x in $$SHLIB_COMPAT; do \
-				( $(SET_X); rm -f $$SHLIB$$x$$SHLIB_SUFFIX; \
-				  ln -s $$prev $$SHLIB$$x$$SHLIB_SUFFIX ); \
+				( $(SET_X); rm -f $(DSTDIR)/$$SHLIB$$x$$SHLIB_SUFFIX; \
+				  ln -s $$prev $(DSTDIR)/$$SHLIB$$x$$SHLIB_SUFFIX ); \
 				prev=$$SHLIB$$x$$SHLIB_SUFFIX; \
 			done; \
 		fi; \
 		if [ -n "$$SHLIB_SOVER" ]; then \
-			( $(SET_X); rm -f $$SHLIB$$SHLIB_SUFFIX; \
-			  ln -s $$prev $$SHLIB$$SHLIB_SUFFIX ); \
+			( $(SET_X); rm -f $(DSTDIR)/$$SHLIB$$SHLIB_SUFFIX; \
+			  ln -s $$prev $(DSTDIR)/$$SHLIB$$SHLIB_SUFFIX ); \
 		fi; \
 	fi

-LINK_SO_A=	SHOBJECTS="lib$(LIBNAME).a $(LIBEXTRAS)"; $(LINK_SO)
+LINK_SO_A=	SHOBJECTS="$(DSTDIR)/lib$(LIBNAME).a $(LIBEXTRAS)"; $(LINK_SO)
 LINK_SO_O=	SHOBJECTS="$(LIBEXTRAS)"; $(LINK_SO)

 LINK_SO_A_VIA_O=	\
-  SHOBJECTS=lib$(LIBNAME).o; \
+  SHOBJECTS=$(DSTDIR)/lib$(LIBNAME).o; \
  ALL=$$ALLSYMSFLAGS; ALLSYMSFLAGS=; NOALLSYMSFLAGS=; \
-  ( $(SET_X); \
-    ld $(LDFLAGS) -r -o lib$(LIBNAME).o $$ALL lib$(LIBNAME).a $(LIBEXTRAS) ); \
-  $(LINK_SO) && rm -f lib$(LIBNAME).o
+  ( echo ld $(LDFLAGS) -r -o $$SHOBJECTS.o $$ALL lib$(LIBNAME).a $(LIBEXTRAS); \
+    ld $(LDFLAGS) -r -o $$SHOBJECTS.o $$ALL $(DSTDIR)/lib$(LIBNAME).a $(LIBEXTRAS) ); \
+  $(LINK_SO) && ( echo rm -f $$SHOBJECTS; rm -f $$SHOBJECTS )

 LINK_SO_A_UNPACKED=	\
  UNPACKDIR=link_tmp.$$$$; rm -rf $$UNPACKDIR; mkdir $$UNPACKDIR; \
-  (cd $$UNPACKDIR; ar x ../lib$(LIBNAME).a) && \
+  (cd $$UNPACKDIR; ar x ../$(DSTDIR)/lib$(LIBNAME).a) && \
  ([ -z "$(LIBEXTRAS)" ] || cp $(LIBEXTRAS) $$UNPACKDIR) && \
  SHOBJECTS=$$UNPACKDIR/*.o; \
  $(LINK_SO) && rm -rf $$UNPACKDIR
@@ -153,7 +169,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
 	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"

-DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
+DO_GNU_APP=LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,-rpath,$(LIBRPATH)"

 #This is rather special.  It's a special target with which one can link
 #applications without bothering with any features that have anything to
@@ -170,6 +186,17 @@ link_a.gnu:
 link_app.gnu:
 	@ $(DO_GNU_APP); $(LINK_APP)

+link_a.linux-shared:
+	@if [ $(LIBNAME) != "crypto" -a $(LIBNAME) != "ssl" ]; then $(DO_GNU_SO); else \
+	$(PERL) $(SRCDIR)/util/mkdef.pl $(LIBNAME) linux >$(LIBNAME).map; \
+	$(CALC_VERSIONS); \
+	SHLIB=lib$(LIBNAME).so; \
+	SHLIB_SUFFIX=; \
+	ALLSYMSFLAGS='-Wl,--whole-archive,--version-script=$(LIBNAME).map'; \
+	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
+	fi; $(LINK_SO_A)
+
 link_o.bsd:
 	@if $(DETECT_GNU_LD); then $(DO_GNU_SO); else \
 	$(CALC_VERSIONS); \
@@ -192,7 +219,7 @@ link_a.bsd:
 	fi; $(LINK_SO_A)
 link_app.bsd:
 	@if $(DETECT_GNU_LD); then $(DO_GNU_APP); else \
-	LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBPATH)"; \
+	LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,-rpath,$(LIBPATH)"; \
 	fi; $(LINK_APP)

 # For Darwin AKA Mac OS/X (dyld)
@@ -261,7 +288,7 @@ link_o.cygwin:
 	SHLIB_SOVER=${LIBVERSION:+"-$(LIBVERSION)"}; \
 	ALLSYMSFLAGS='-Wl,--whole-archive'; \
 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
-	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared $$base $$deffile -Wl,-s,-Bsymbolic"; \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared $$base $$deffile -Wl,-Bsymbolic"; \
 	$(LINK_SO_O)
 #for mingw target if def-file is in use dll-name should match library-name
 link_a.cygwin:
@@ -277,25 +304,23 @@ link_a.cygwin:
 		esac; \
 		SHLIB_SOVER=32; \
 		extras="$(LIBNAME).def"; \
-		$(PERL) util/mkdef.pl 32 $$SHLIB > $$extras; \
+		$(PERL) $(SRCDIR)/util/mkdef.pl 32 $$SHLIB > $$extras; \
 		base=; [ $(LIBNAME) = "crypto" ] && base=-Wl,--image-base,0x63000000; \
 	fi; \
 	dll_name=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX; \
-	$(PERL) util/mkrc.pl $$dll_name | \
-		$(CROSS_COMPILE)windres -o rc.o; \
+	echo "$(PERL) $(SRCDIR)/util/mkrc.pl $$dll_name |" \
+		     "$(CROSS_COMPILE)windres $(SHARED_RCFLAGS) -o rc.o"; \
+	$(PERL) $(SRCDIR)/util/mkrc.pl $$dll_name | \
+		$(CROSS_COMPILE)windres $(SHARED_RCFLAGS) -o rc.o; \
 	extras="$$extras rc.o"; \
 	ALLSYMSFLAGS='-Wl,--whole-archive'; \
 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
-	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared $$base -Wl,-s,-Bsymbolic -Wl,--out-implib,lib$(LIBNAME).dll.a $$extras"; \
-	[ -f apps/$$dll_name ] && rm apps/$$dll_name; \
-	[ -f test/$$dll_name ] && rm test/$$dll_name; \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared $$base -Wl,-Bsymbolic -Wl,--out-implib,lib$(LIBNAME).dll.a $$extras"; \
 	$(LINK_SO_A) || exit 1; \
-	rm $$extras; \
-	cp -p $$dll_name apps/; \
-	cp -p $$dll_name test/
+	rm $$extras
 link_app.cygwin:
 	@if expr "$(CFLAGS)" : '.*OPENSSL_USE_APPLINK' > /dev/null; then \
-		LIBDEPS="$(TOP)/crypto/applink.o $${LIBDEPS:-$(LIBDEPS)}"; \
+		LIBDEPS="$(SRCDIR)/crypto/applink.o $${LIBDEPS:-$(LIBDEPS)}"; \
 		export LIBDEPS; \
 	fi; \
 	$(LINK_APP)
@@ -346,7 +371,7 @@ link_app.alpha-osf1:
 	@if $(DETECT_GNU_LD); then \
 		$(DO_GNU_APP); \
 	else \
-		LDFLAGS="$(CFLAGS) -rpath $(LIBRPATH)"; \
+		LDFLAGS="$(CFLAGS) $(LDFLAGS) -rpath $(LIBRPATH)"; \
 	fi; \
 	$(LINK_APP)

@@ -373,7 +398,12 @@ link_a.solaris:
 		($(CC) -v 2>&1 | grep gcc) > /dev/null && MINUSZ='-Wl,-z,'; \
 		SHLIB=lib$(LIBNAME).so; \
 		SHLIB_SUFFIX=;\
-		ALLSYMSFLAGS="$${MINUSZ}allextract"; \
+		if [ $(LIBNAME) != "crypto" -a $(LIBNAME) != "ssl" ]; then \
+			ALLSYMSFLAGS="$${MINUSZ}allextract"; \
+		else \
+			$(PERL) $(SRCDIR)/util/mkdef.pl $(LIBNAME) linux >$(LIBNAME).map; \
+			ALLSYMSFLAGS="$${MINUSZ}allextract,-M,$(LIBNAME).map"; \
+		fi; \
 		NOALLSYMSFLAGS="$${MINUSZ}defaultextract"; \
 		SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX -Wl,-Bsymbolic"; \
 	fi; \
@@ -382,7 +412,7 @@ link_app.solaris:
 	@ if $(DETECT_GNU_LD); then \
 		$(DO_GNU_APP); \
 	else \
-		LDFLAGS="$(CFLAGS) -R $(LIBRPATH)"; \
+		LDFLAGS="$(CFLAGS) $(LDFLAGS) -R $(LIBRPATH)"; \
 	fi; \
 	$(LINK_APP)

@@ -477,7 +507,7 @@ link_a.irix:
 	fi; \
 	$(LINK_SO_A)
 link_app.irix:
-	@LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"; \
+	@LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,-rpath,$(LIBRPATH)"; \
 	$(LINK_APP)

 # 32-bit PA-RISC HP-UX embeds the -L pathname of libs we link with, so
@@ -516,7 +546,7 @@ link_a.hpux:
 	$(LINK_SO_A) && chmod a=rx $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX
 link_app.hpux:
 	@if $(DETECT_GNU_LD); then $(DO_GNU_APP); else \
-	LDFLAGS="$(CFLAGS) -Wl,+s,+cdp,../:,+cdp,./:,+b,$(LIBRPATH)"; \
+	LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,+s,+cdp,../:,+cdp,./:,+b,$(LIBRPATH)"; \
 	fi; \
 	$(LINK_APP)

@@ -541,7 +571,7 @@ link_a.aix:
 	SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-bexpall,-bnolibpath,-bM:SRE'; \
 	$(LINK_SO_A_VIA_O)
 link_app.aix:
-	LDFLAGS="$(CFLAGS) -Wl,-brtl,-blibpath:$(LIBRPATH):$${LIBPATH:-/usr/lib:/lib}"; \
+	LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,-brtl,-blibpath:$(LIBRPATH):$${LIBPATH:-/usr/lib:/lib}"; \
 	$(LINK_APP)


@@ -566,7 +596,7 @@ symlink.cygwin symlink.alpha-osf1 symlink.tru64 symlink.tru64-rpath:

 # Compatibility targets
 link_o.bsd-gcc-shared link_o.linux-shared link_o.gnu-shared: link_o.gnu
-link_a.bsd-gcc-shared link_a.linux-shared link_a.gnu-shared: link_a.gnu
+link_a.bsd-gcc-shared link_a.gnu-shared: link_a.gnu
 link_app.bsd-gcc-shared link_app.linux-shared link_app.gnu-shared: link_app.gnu
 symlink.bsd-gcc-shared symlink.bsd-shared symlink.linux-shared symlink.gnu-shared: symlink.gnu
 link_o.bsd-shared: link_o.bsd
--- a/24
+++ b/24
@@ -5,14 +5,14 @@
  This file gives a brief overview of the major changes between each OpenSSL
  release. For more details please read the CHANGES file.

-  Major changes between OpenSSL 1.0.2e and OpenSSL 1.1.0 [in pre-release]
+  Major changes between OpenSSL 1.0.2f and OpenSSL 1.1.0 [in pre-release]

      o Support for ChaCha20 and Poly1305 added to libcrypto and libssl
      o Support for extended master secret
      o CCM ciphersuites
      o Reworked test suite, now based on perl, Test::Harness and Test::More
-      o Varous libcrypto structures made opaque including: BIGNUM, EVP_MD,
-        EVP_MD_CTX and HMAC_CTX.
+      o Various libcrypto structures made opaque including: BIGNUM, EVP_MD,
+        EVP_MD_CTX, HMAC_CTX, EVP_CIPHER and EVP_CIPHER_CTX.
      o libssl internal structures made opaque
      o SSLv2 support removed
      o Kerberos ciphersuite support removed
@@ -23,6 +23,22 @@
      o EC revision: now operations use new EC_KEY_METHOD.
      o Support for OCB mode added to libcrypto
      o Support for asynchronous crypto operations added to libcrypto and libssl
+      o Deprecated interfaces can now be disabled at build time either
+        relative to the latest release via the "no-deprecated" Configure
+        argument, or via the "--api=1.1.0|1.0.0|0.9.8" option.
+      o Application software can be compiled with -DOPENSSL_API_COMPAT=version
+        to ensure that features deprecated in that version are not exposed.
+      o Support for RFC6698/RFC7671 DANE TLSA peer authentication
+      o Change of Configure to use --prefix as the main installation
+        directory location rather than --openssldir.  The latter becomes
+        the directory for certs, private key and openssl.cnf exclusively.
+      o Reworked BIO networking library, with full support for IPv6.
+      o New "unified" build system
+
+  Major changes between OpenSSL 1.0.2e and OpenSSL 1.0.2f [28 Jan 2016]
+
+      o DH small subgroups (CVE-2016-0701)
+      o SSLv2 doesn't block disabled ciphers (CVE-2015-3197)

  Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015]

@@ -293,7 +309,7 @@
  Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f [11 Oct 2007]:

      o Add gcc 4.2 support.
-      o Add support for AES and SSE2 assembly lanugauge optimization
+      o Add support for AES and SSE2 assembly language optimization
        for VC++ build.
      o Support for RFC4507bis and server name extensions if explicitly 
        selected at compile time.
--- a/Netware/set_env.bat
+++ b/Netware/set_env.bat
@@ -1,7 +1,7 @@
@echo off

 rem ========================================================================
-rem   Batch file to assist in setting up the necessary enviroment for
+rem   Batch file to assist in setting up the necessary environment for
 rem   building OpenSSL for NetWare.
 rem
 rem   usage:
@@ -84,10 +84,10 @@ echo using GNU GCC Compiler
 :info
 echo.

-if "%LIBC_BUILD%" == "Y" echo Enviroment configured for LibC build
+if "%LIBC_BUILD%" == "Y" echo Environment configured for LibC build
 if "%LIBC_BUILD%" == "Y" echo use "netware\build.bat netware-libc ..." 

-if "%CLIB_BUILD%" == "Y" echo Enviroment configured for CLib build
+if "%CLIB_BUILD%" == "Y" echo Environment configured for CLib build
 if "%CLIB_BUILD%" == "Y" echo use "netware\build.bat netware-clib ..." 

 goto end
--- a/20
+++ b/20
@@ -1,7 +1,7 @@

- OpenSSL 1.1.0-pre1 (alpha) 10 Dec 2015
+ OpenSSL 1.1.0-pre3 (alpha) 15 Feb 2016

- Copyright (c) 1998-2015 The OpenSSL Project
+ Copyright (c) 1998-2016 The OpenSSL Project
 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
 All rights reserved.

@@ -11,7 +11,7 @@
 The OpenSSL Project is a collaborative effort to develop a robust,
 commercial-grade, fully featured, and Open Source toolkit implementing the
 Secure Sockets Layer (SSLv3) and Transport Layer Security (TLS) protocols as
- well as a full-strength general purpose cryptograpic library. The project is
+ well as a full-strength general purpose cryptographic library. The project is
 managed by a worldwide community of volunteers that use the Internet to
 communicate, plan, and develop the OpenSSL toolkit and its related
 documentation.
@@ -53,8 +53,7 @@
        INSTALL.NW      Netware
        INSTALL.OS2     OS/2
        INSTALL.VMS     VMS
-        INSTALL.W32     Windows (32bit)
-        INSTALL.W64     Windows (64bit)
+        INSTALL.WIN     Windows
        INSTALL.WCE     Windows CE

 SUPPORT
@@ -90,11 +89,12 @@

 In order to avoid spam, this is a moderated mailing list, and it might
 take a day for the ticket to show up.  (We also scan posts to make sure
- that security disclosures aren't publically posted by mistake.) Mail to
- this address is recorded in the public RT (request tracker) database (see
- https://www.openssl.org/support/rt.html for details) and also forwarded
- the public openssl-dev mailing list.  Confidential mail may be sent to
- openssl-security@openssl.org (PGP key available from the key servers).
+ that security disclosures aren't publically posted by mistake.) Mail
+ to this address is recorded in the public RT (request tracker) database
+ (see https://www.openssl.org/community/index.html#bugs for details) and
+ also forwarded the public openssl-dev mailing list.  Confidential mail
+ may be sent to openssl-security@openssl.org (PGP key available from the
+ key servers).

 Please do NOT use this for general assistance or support queries.
 Just because something doesn't work the way you expect does not mean it
--- a/README.FIPS
+++ b/README.FIPS
@@ -1,130 +1 @@
-Preliminary status and build information for FIPS module v2.0
-
-NB: if you are cross compiling you now need to use the latest "incore" script
-this can be found at util/incore in the tarballs.
-
-If you have any object files from a previous build do:
-
-make clean
-
-To build the module do:
-
-./config fipscanisteronly
-make
-
-Build should complete without errors.
-
-Build test utilities:
-
-make build_tests
-
-Run test suite:
-
-test/fips_test_suite
-
-again should complete without errors.
-
-Run test vectors: 
-
-1. Download an appropriate set of testvectors from www.openssl.org/docs/fips
-   only the fips-2.0 testvector files are usable for complete tests.
-
-2. Extract the files to a suitable directory.
-
-3. Run the test vector perl script, for example:
-
-   cd fips
-   perl fipsalgtest.pl --dir=/wherever/stuff/was/extracted
-
-4. It should say "passed all tests" at the end. Report full details of any
-   failures.
-
-If you wish to use the older 1.2.x testvectors (for example those from 2007)
-you need the command line switch --disable-v2 to fipsalgtest.pl
-
-Examine the external symbols in fips/fipscanister.o they should all begin
-with FIPS or fips. One way to check with GNU nm is:
-
-	nm -g --defined-only fips/fipscanister.o | grep -v -i fips
-
-If you get *any* output at all from this test (i.e. symbols not starting with
-fips or FIPS) please report it.
-
-Restricted tarball tests.
-
-The validated module will have its own tarball containing sufficient code to
-build fipscanister.o and the associated algorithm tests. You can create a
-similar tarball yourself for testing purposes using the commands below.
-
-Standard restricted tarball:
-
-make -f Makefile.fips dist
-
-Prime field field only ECC tarball:
-
-make NOEC2M=1 -f Makefile.fips dist
-
-Once you've created the tarball extract into a fresh directory and do:
-
-./config
-make
-
-You can then run the algorithm tests as above. This build automatically uses
-fipscanisterbuild and no-ec2m as appropriate.
-
-FIPS capable OpenSSL test: WARNING PRELIMINARY INSTRUCTIONS, SUBJECT TO CHANGE.
-
-At least initially the test module and FIPS capable OpenSSL may change and
-by out of sync. You are advised to check for any changes and pull the latest
-source from CVS if you have problems. See anon CVS and rsync instructions at:
-
-http://www.openssl.org/source/repos.html
-
-Make or download a restricted tarball from ftp://ftp.openssl.org/snapshot/
-
-If required set the environment variable FIPSDIR to an appropriate location
-to install the test module. If cross compiling set other environment
-variables too.
-
-In this restricted tarball on a Linux or U*ix like system run:
-
-./config
-make
-make install
-
-On Windows from a VC++ environment do:
-
-ms\do_fips
-
-This will build and install the test module and some associated files.
-
-Now download the latest version of the OpenSSL 1.0.1 branch from either a
-snapshot or preferably CVS. For Linux do:
-
-./config fips [other args]
-make
-
-For Windows:
-
-perl Configure VC-WIN32 fips [other args]
-ms\do_nasm
-nmake -f ms\ntdll.mak
-
-(or ms\nt.mak for a static build).
-
-Where [other args] can be any other arguments you use for an OpenSSL build
-such as "shared" or "zlib".
-
-This will build the fips capable OpenSSL and link it to the test module. You
-can now try linking and testing applications against the FIPS capable OpenSSL.
-
-Please report any problems to either the openssl-dev mailing list or directly
-to me steve@openssl.org . Check the mailing lists regularly to avoid duplicate
-reports.
-
-Known issues:
-
-Code needs extensively reviewing to ensure it builds correctly on 
-supported platforms and is compliant with FIPS 140-2.
-The "FIPS capable OpenSSL" is still largely untested, it builds and runs
-some simple tests OK on some systems but needs far more "real world" testing.
+This release does not support a FIPS 140-2 validated module.
--- a/README.PERL
+++ b/README.PERL
@@ -0,0 +1,118 @@
+ TOC
+ ===
+
+ - Notes on Perl
+ - Notes on Perl on Windows
+ - Notes on Perl modules we use
+ - Notes on installing a perl module
+
+ Notes on Perl
+ -------------
+
+ For our scripts, we rely quite a bit on Perl, and increasingly on
+ some core Perl modules.  These Perl modules are part of the Perl
+ source, so if you build Perl on your own, you should be set.
+
+ However, if you install Perl as binary packages, the outcome might
+ differ, and you may have to check that you do get the core modules
+ installed properly.  We do not claim to know them all, but experience
+ has told us the following:
+
+ - on Linux distributions based on Debian, the package 'perl' will
+   install the core Perl modules as well, so you will be fine.
+ - on Linux distributions based on RPMs, you will need to install
+   'perl-core' rather than just 'perl'.
+
+ You MUST have at least Perl version 5.10.0 installed.  This minimum
+ requirement is due to our use of regexp backslash sequence \R among
+ other features that didn't exist in core Perl before that version.
+
+ Notes on Perl on Windows
+ ------------------------
+
+ If you will build on Cygwin (and possibly some other POSIX layers),
+ Perl is already part of your distribution.  Simply use the Cygwin
+ package manager to make sure Perl gets installed.
+
+ Otherwise, you will need to install Perl separately.  The Perl
+ package that we know of is ActiveState Perl, available from
+ http://www.activestate.com/ActivePerl.
+
+ Notes on Perl on VMS
+ --------------------
+
+ You will need to install Perl separately.  One way to do so is to
+ download the source from http://perl.org/, unpacking it, reading
+ README.vms and follow instructions.  Another way is to download a
+ .PCSI file from http://www.vmsperl.com/ and install it using the
+ POLYCENTER install tool.
+
+ Notes on Perl modules we use
+ ----------------------------
+
+ We make increasing use of Perl modules, and do our best to limit
+ ourselves to core Perl modules to keep the requirements down.  There
+ are just a few exceptions:
+
+ Test::More         We require the minimum version to be 0.96, which
+                    appeared in Perl 5.13.4, because that version was
+                    the first to have all the features we're using.
+                    This module is required for testing only!  If you
+                    don't plan on running the tests, you don't need to
+                    bother with this one.
+
+ Text::Template     This module is not part of the core Perl modules.
+                    As a matter of fact, the core Perl modules do not
+                    include any templating module to date.
+                    This module is absolutely needed, configuration
+                    depends on it.
+
+ To avoid unnecessary initial hurdles, we have bundled a copy of the
+ following modules in our source.  They will work as fallbacks if
+ these modules aren't already installed on the system.
+
+    Text::Template
+
+ Notes on installing a perl module
+ ---------------------------------
+
+ There are a number of ways to install a perl module.  In all
+ descriptions below, Text::Template will server as an example.
+
+ 1. for Linux users, the easiest is to install with the use of your
+    favorite package manager.  Usually, all you need to do is search
+    for the module name and to install the package that comes up.
+
+    On Debian based Linux distributions, it would go like this:
+
+        $ apt-cache search Text::Template
+        ...
+        libtext-template-perl - perl module to process text templates
+        $ sudo apt-get install libtext-template-perl
+
+    Perl modules in Debian based distributions use package names like
+    the name of the module in question, with "lib" prepended and
+    "-perl" appended.
+
+ 2. Install using CPAN.  This is very easy, but usually requires root
+    access:
+
+        $ cpan -i Text::Template
+
+    Note that this runs all the tests that the module to be install
+    comes with.  This is usually a smooth operation, but there are
+    platforms where a failure is indicate even though the actual tests
+    were successful.  Should that happen, you can force an
+    installation regardless (that should be safe since you've already
+    seen the tests succeed!):
+
+        $ cpan -f -i Text::Template
+
+    Note: on VMS, you must quote any argument that contains upper case
+    characters, so the lines above would be:
+
+        $ cpan -i "Text::Template"
+
+    and:
+
+        $ cpan -f -i "Text::Template"
--- a/VMS/TODO
+++ b/VMS/TODO
@@ -1,18 +0,0 @@
-TODO:
-=====
-
-There are a few things that need to be worked out in the VMS version of
-OpenSSL, still:
-
- Description files. ("Makefile's" :-))
- Script code to link an already compiled build tree.
- A VMSINSTALlable version (way in the future, unless someone else hacks).
- shareable images (DLL for you Windows folks).
-
-There may be other things that I have missed and that may be desirable.
-Please send mail to <openssl-users@openssl.org> or to me directly if you
-have any ideas.
-
--
-Richard Levitte <richard@levitte.org>
-1999-05-24
--- a/VMS/VMSify-conf.pl
+++ b/VMS/VMSify-conf.pl
@@ -7,7 +7,7 @@ my @directory_vars = ( "dir", "certs", "crl_dir", "new_certs_dir" );
 my @file_vars = ( "database", "certificate", "serial", "crlnumber",
 		  "crl", "private_key", "RANDFILE" );
 while(<STDIN>) {
-    chomp;
+    s|\R$||;
    foreach my $d (@directory_vars) {
 	if (/^(\s*\#?\s*${d}\s*=\s*)\.\/([^\s\#]*)([\s\#].*)$/) {
 	    $_ = "$1sys\\\$disk:\[.$2$3";
--- a/VMS/WISHLIST.TXT
+++ b/VMS/WISHLIST.TXT
@@ -1,4 +0,0 @@
-* Have the building procedure contain a LINK-only possibility.
-  Wished by Mark Daniel <mark.daniel@dsto.defence.gov.au>
-
-  One way to enable that is also to go over to DESCRIP.MMS files.
--- a/engines/alpha.opt
+++ b/engines/alpha.opt
@@ -1 +1,2 @@
+CASE_SENSITIVE=YES
 SYMBOL_VECTOR=(bind_engine=PROCEDURE,v_check=PROCEDURE)
--- a/VMS/install-vms.com
+++ b/VMS/install-vms.com
@@ -1,67 +0,0 @@
-$! install-vms.com -- Installs the files in a given directory tree
-$!
-$! Author: Richard Levitte <richard@levitte.org>
-$! Time of creation: 23-MAY-1998 19:22
-$!
-$! P1	root of the directory tree
-$!
-$!
-$! Announce/identify.
-$!
-$ proc = f$environment( "procedure")
-$ write sys$output "@@@ "+ -
-   f$parse( proc, , , "name")+ f$parse( proc, , , "type")
-$!
-$ on error then goto tidy
-$ on control_c then goto tidy
-$!
-$ if p1 .eqs. ""
-$ then
-$   write sys$output "First argument missing."
-$   write sys$output -
-     "Should be the directory where you want things installed."
-$   exit
-$ endif
-$
-$ if (f$getsyi( "cpu") .lt. 128)
-$ then
-$   arch = "VAX"
-$ else
-$   arch = f$edit( f$getsyi( "arch_name"), "upcase")
-$   if (arch .eqs. "") then arch = "UNK"
-$ endif
-$
-$ root = f$parse( P1, "[]A.;0", , , "SYNTAX_ONLY, NO_CONCEAL")- "A.;0"
-$ root_dev = f$parse( root, , , "device", "syntax_only")
-$ root_dir = f$parse( root, , , "directory", "syntax_only") - -
-   "[000000." - "][" - "[" - "]"
-$ root = root_dev + "[" + root_dir
-$
-$ define /nolog wrk_sslroot 'root'.] /translation_attributes = concealed
-$ define /nolog wrk_sslinclude wrk_sslroot:[include]
-$
-$ if f$parse( "wrk_sslroot:[000000]") .eqs. "" then -
-   create /directory /log wrk_sslroot:[000000]
-$ if f$parse( "wrk_sslinclude:") .eqs. "" then -
-   create /directory /log wrk_sslinclude:
-$ if f$parse( "wrk_sslroot:[vms]") .eqs. "" then -
-   create /directory /log wrk_sslroot:[vms]
-$!
-$ copy /log /protection = world:re openssl_startup.com wrk_sslroot:[vms]
-$ copy /log /protection = world:re openssl_undo.com wrk_sslroot:[vms]
-$ copy /log /protection = world:re openssl_utils.com wrk_sslroot:[vms]
-$!
-$ tidy:
-$!
-$ call deass wrk_sslroot
-$ call deass wrk_sslinclude
-$!
-$ exit
-$!
-$ deass: subroutine
-$ if (f$trnlnm( p1, "LNM$PROCESS") .nes. "")
-$ then
-$   deassign /process 'p1'
-$ endif
-$ endsubroutine
-$!
--- a/VMS/mkshared.com
+++ b/VMS/mkshared.com
@@ -1,476 +0,0 @@
-$! MKSHARED.COM -- Create shareable images.
-$!
-$! P1: "64" for 64-bit pointers.
-$!
-$! P2: Zlib object library path (optional).
-$!
-$! Input:	[.UTIL]LIBEAY.NUM,[.xxx.EXE.CRYPTO]SSL_LIBCRYPTO[32].OLB
-$!		[.UTIL]SSLEAY.NUM,[.xxx.EXE.SSL]SSL_LIBSSL[32].OLB
-$!		[.CRYPTO.xxx]OPENSSLCONF.H
-$! Output:	[.xxx.EXE.CRYPTO]SSL_LIBCRYPTO_SHR[32].OPT,.MAP,.EXE
-$!		[.xxx.EXE.SSL]SSL_LIBSSL_SRH[32].OPT,.MAP,.EXE
-$!
-$! So far, tests have only been made on VMS for Alpha.  VAX will come in time.
-$! ===========================================================================
-$!
-$! Announce/identify.
-$!
-$ proc = f$environment( "procedure")
-$ write sys$output "@@@ "+ -
-   f$parse( proc, , , "name")+ f$parse( proc, , , "type")
-$!
-$! Save the original default device:[directory].
-$!
-$ def_orig = f$environment( "default")
-$ on error then goto tidy
-$ on control_c then goto tidy
-$!
-$! SET DEFAULT to the main kit directory.
-$!
-$ proc = f$environment("procedure")
-$ proc = f$parse( "A.;", proc)- "A.;"
-$ set default 'proc'
-$ set default [-]
-$!
-$! ----- Prepare info for processing: version number and file info
-$ gosub read_version_info
-$ if libver .eqs. ""
-$ then
-$   write sys$error "ERROR: Couldn't find any library version info..."
-$   go to tidy:
-$ endif
-$
-$ if (f$getsyi("cpu") .lt. 128)
-$ then
-$   arch_vax = 1
-$   arch = "VAX"
-$ else
-$   arch_vax = 0
-$   arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
-$   if (arch .eqs. "") then arch = "UNK"
-$ endif
-$!
-$ archd = arch
-$ lib32 = "32"
-$ shr = "SHR32"
-$!
-$ if (p1 .nes. "")
-$ then
-$   if (p1 .eqs. "64")
-$   then
-$     archd = arch+ "_64"
-$     lib32 = ""
-$     shr = "SHR"
-$   else
-$     if (p1 .nes. "32")
-$     then
-$       write sys$output "Second argument invalid."
-$       write sys$output "It should be "32", "64", or nothing."
-$       exit
-$     endif
-$   endif
-$ endif
-$!
-$! ----- Prepare info for processing: disabled algorithms info
-$ gosub read_disabled_algorithms_info
-$!
-$ ZLIB = p2
-$ zlib_lib = ""
-$ if (ZLIB .nes. "")
-$ then
-$   file2 = f$parse( ZLIB, "libz.olb", , , "syntax_only")
-$   if (f$search( file2) .eqs. "")
-$   then
-$     write sys$output ""
-$     write sys$output "The Option ", ZLIB, " Is Invalid."
-$     write sys$output "    Can't find library: ''file2'"
-$     write sys$output ""
-$     goto tidy
-$   endif
-$   zlib_lib = ", ''file2' /library"
-$ endif
-$!
-$ if (arch_vax)
-$ then
-$   libtit = "CRYPTO_TRANSFER_VECTOR"
-$   libid  = "Crypto"
-$   libnum = "[.UTIL]LIBEAY.NUM"
-$   libdir = "[.''ARCHD'.EXE.CRYPTO]"
-$   libmar = "''libdir'SSL_LIBCRYPTO_''shr'.MAR"
-$   libolb = "''libdir'SSL_LIBCRYPTO''lib32'.OLB"
-$   libopt = "''libdir'SSL_LIBCRYPTO_''shr'.OPT"
-$   libobj = "''libdir'SSL_LIBCRYPTO_''shr'.OBJ"
-$   libmap = "''libdir'SSL_LIBCRYPTO_''shr'.MAP"
-$   libgoal= "''libdir'SSL_LIBCRYPTO_''shr'.EXE"
-$   libref = ""
-$   libvec = "LIBCRYPTO"
-$   if f$search( libolb) .nes. "" then gosub create_vax_shr
-$   libtit = "SSL_TRANSFER_VECTOR"
-$   libid  = "SSL"
-$   libnum = "[.UTIL]SSLEAY.NUM"
-$   libdir = "[.''ARCHD'.EXE.SSL]"
-$   libmar = "''libdir'SSL_LIBSSL_''shr'.MAR"
-$   libolb = "''libdir'SSL_LIBSSL''lib32'.OLB"
-$   libopt = "''libdir'SSL_LIBSSL_''shr'.OPT"
-$   libobj = "''libdir'SSL_LIBSSL_''shr'.OBJ"
-$   libmap = "''libdir'SSL_LIBSSL_''shr'.MAP"
-$   libgoal= "''libdir'SSL_LIBSSL_''shr'.EXE"
-$   libref = "[.''ARCHD'.EXE.CRYPTO]SSL_LIBCRYPTO_''shr'.EXE"
-$   libvec = "LIBSSL"
-$   if f$search( libolb) .nes. "" then gosub create_vax_shr
-$ else
-$   libid  = "Crypto"
-$   libnum = "[.UTIL]LIBEAY.NUM"
-$   libdir = "[.''ARCHD'.EXE.CRYPTO]"
-$   libolb = "''libdir'SSL_LIBCRYPTO''lib32'.OLB"
-$   libopt = "''libdir'SSL_LIBCRYPTO_''shr'.OPT"
-$   libmap = "''libdir'SSL_LIBCRYPTO_''shr'.MAP"
-$   libgoal= "''libdir'SSL_LIBCRYPTO_''shr'.EXE"
-$   libref = ""
-$   if f$search( libolb) .nes. "" then gosub create_nonvax_shr
-$   libid  = "SSL"
-$   libnum = "[.UTIL]SSLEAY.NUM"
-$   libdir = "[.''ARCHD'.EXE.SSL]"
-$   libolb = "''libdir'SSL_LIBSSL''lib32'.OLB"
-$   libopt = "''libdir'SSL_LIBSSL_''shr'.OPT"
-$   libmap = "''libdir'SSL_LIBSSL_''shr'.MAP"
-$   libgoal= "''libdir'SSL_LIBSSL_''shr'.EXE"
-$   libref = "[.''ARCHD'.EXE.CRYPTO]SSL_LIBCRYPTO_''shr'.EXE"
-$   if f$search( libolb) .nes. "" then gosub create_nonvax_shr
-$ endif
-$!
-$ tidy:
-$!
-$! Close any open files.
-$!
-$ if (f$trnlnm( "libnum", "LNM$PROCESS", 0, "SUPERVISOR") .nes. "") then -
-   close libnum
-$!
-$ if (f$trnlnm( "mar", "LNM$PROCESS", 0, "SUPERVISOR") .nes. "") then -
-   close mar
-$!
-$ if (f$trnlnm( "opt", "LNM$PROCESS", 0, "SUPERVISOR") .nes. "") then -
-   close opt
-$!
-$ if (f$trnlnm( "vf", "LNM$PROCESS", 0, "SUPERVISOR") .nes. "") then -
-   close vf
-$!
-$! Restore the original default device:[directory].
-$!
-$ set default 'def_orig'
-$ exit
-$
-$! ----- Subroutines to build the shareable libraries
-$! For each supported architecture, there's a main shareable library
-$! creator, which is called from the main code above.
-$! The creator will define a number of variables to tell the next levels of
-$! subroutines what routines to use to write to the option files, call the
-$! main processor, read_func_num, and when that is done, it will write version
-$! data at the end of the .opt file, close it, and link the library.
-$!
-$! read_func_num reads through a .num file and calls the writer routine for
-$! each line.  It's also responsible for checking that order is properly kept
-$! in the .num file, check that each line applies to VMS and the architecture,
-$! and to fill in "holes" with dummy entries.
-$!
-$! The creator routines depend on the following variables:
-$! libnum	The name of the .num file to use as input
-$! libolb	The name of the object library to build from
-$! libid	The identification string of the shareable library
-$! libopt	The name of the .opt file to write
-$! libtit	The title of the assembler transfer vector file (VAX only)
-$! libmar	The name of the assembler transfer vector file (VAX only)
-$! libmap	The name of the map file to write
-$! libgoal	The name of the shareable library to write
-$! libref	The name of a shareable library to link in
-$!
-$! read_func_num depends on the following variables from the creator:
-$! libwriter	The name of the writer routine to call for each .num file line
-$! -----
-$
-$! ----- Subroutines for non-VAX
-$! -----
-$! The creator routine
-$ create_nonvax_shr:
-$   open /write opt 'libopt'
-$   write opt "identification=""",libid," ",libverstr,""""
-$   write opt libolb, " /library"
-$   if libref .nes. "" then write opt libref,"/SHARE"
-$   write opt "SYMBOL_VECTOR=(-"
-$   libfirstentry := true
-$   libwrch   := opt
-$   libwriter := write_nonvax_transfer_entry
-$   textcount = 0
-$   gosub read_func_num
-$   write opt ")"
-$   write opt "GSMATCH=",libvmatch,",",libver
-$   close opt
-$   link /map = 'libmap' /full /share = 'libgoal' 'libopt' /options -
-     'zlib_lib'
-$   return
-$
-$! The record writer routine
-$ write_nonvax_transfer_entry:
-$   if libentry .eqs. ".dummy" then return
-$   if info_kind .eqs. "VARIABLE"
-$   then
-$     pr:=DATA
-$   else
-$     pr:=PROCEDURE
-$   endif
-$   textcount_this = f$length(pr) + f$length(libentry) + 5
-$   if textcount + textcount_this .gt. 1024
-$   then
-$     write opt ")"
-$     write opt "SYMBOL_VECTOR=(-"
-$     textcount = 16
-$     libfirstentry := true
-$   endif
-$   if libfirstentry
-$   then
-$     write 'libwrch' "    ",libentry,"=",pr," -"
-$   else
-$     write 'libwrch' "    ,",libentry,"=",pr," -"
-$   endif
-$   libfirstentry := false
-$   textcount = textcount + textcount_this
-$   return
-$
-$! ----- Subroutines for VAX
-$! -----
-$! The creator routine
-$ create_vax_shr:
-$   open /write mar 'libmar'
-$   type sys$input:/out=mar:
-;
-; Transfer vector for VAX shareable image
-;
-$   write mar "	.TITLE ",libtit
-$   write mar "	.IDENT /",libid,"/"
-$   type sys$input:/out=mar:
-;
-; Define macro to assist in building transfer vector entries.  Each entry
-; should take no more than 8 bytes.
-;
-	.MACRO FTRANSFER_ENTRY routine
-	.ALIGN QUAD
-	.TRANSFER routine
-	.MASK	routine
-	JMP	routine+2
-	.ENDM FTRANSFER_ENTRY
-;
-; Place entries in own program section.
-;
-$   write mar "	.PSECT $$",libvec,",QUAD,PIC,USR,CON,REL,LCL,SHR,EXE,RD,NOWRT"
-$   write mar libvec,"_xfer:"
-$   libwrch   := mar
-$   libwriter := write_vax_ftransfer_entry
-$   gosub read_func_num
-$   type sys$input:/out=mar:
-;
-; Allocate extra storage at end of vector to allow for expansion.
-;
-$   write mar "	.BLKB 32768-<.-",libvec,"_xfer>	; 64 pages total."
-$!   libwriter := write_vax_vtransfer_entry
-$!   gosub read_func_num
-$   write mar "	.END"
-$   close mar
-$   open /write opt 'libopt'
-$   write opt "identification=""",libid," ",libverstr,""""
-$   write opt libobj
-$   write opt libolb, " /library"
-$   if libref .nes. "" then write opt libref,"/SHARE"
-$   type sys$input:/out=opt:
-!
-! Ensure transfer vector is at beginning of image
-!
-CLUSTER=FIRST
-$   write opt "COLLECT=FIRST,$$",libvec
-$   write opt "GSMATCH=",libvmatch,",",libver
-$   type sys$input:/out=opt:
-!
-! make psects nonshareable so image can be installed.
-!
-PSECT_ATTR=$CHAR_STRING_CONSTANTS,NOWRT
-$   libwrch   := opt
-$   libwriter := write_vax_psect_attr
-$   gosub read_func_num
-$   close opt
-$   macro/obj='libobj' 'libmar'
-$   link /map = 'libmap' /full /share = 'libgoal' 'libopt' /options -
-     'zlib_lib'
-$   return
-$
-$! The record writer routine for VAX functions
-$ write_vax_ftransfer_entry:
-$   if info_kind .nes. "FUNCTION" then return
-$   if libentry .eqs ".dummy"
-$   then
-$     write 'libwrch' "	.BLKB 8" ! Dummy is zeroes...
-$   else
-$     write 'libwrch' "	FTRANSFER_ENTRY ",libentry
-$   endif
-$   return
-$! The record writer routine for VAX variables (should never happen!)
-$ write_vax_psect_attr:
-$   if info_kind .nes. "VARIABLE" then return
-$   if libentry .eqs ".dummy" then return
-$   write 'libwrch' "PSECT_ATTR=",libentry,",NOSHR"
-$   return
-$
-$! ----- Common subroutines
-$! -----
-$! The .num file reader.  This one has great responsibility.
-$ read_func_num:
-$   open /read libnum 'libnum'
-$   goto read_nums
-$
-$ read_nums:
-$   libentrynum=0
-$   liblastentry:=false
-$   entrycount=0
-$   loop:
-$     read /end=loop_end /err=loop_end libnum line
-$     lin = f$edit( line, "COMPRESS,TRIM")
-$!    Skip a "#" comment line.
-$     if (f$extract( 0, 1, lin) .eqs. "#") then goto loop
-$     entrynum = f$int(f$element( 1, " ", lin))
-$     entryinfo = f$element( 2, " ", lin)
-$     curentry = f$element( 0, " ", lin)
-$     info_exist = f$element( 0, ":", entryinfo)
-$     info_platforms = ","+ f$element(1, ":", entryinfo)+ ","
-$     info_kind = f$element( 2, ":", entryinfo)
-$     info_algorithms = ","+ f$element( 3, ":", entryinfo)+ ","
-$     if info_exist .eqs. "NOEXIST" then goto loop
-$     truesum = 0
-$     falsesum = 0
-$     negatives = 1
-$     plat_i = 0
-$     loop1:
-$       plat_entry = f$element( plat_i, ",", info_platforms)
-$       plat_i = plat_i + 1
-$       if plat_entry .eqs. "" then goto loop1
-$       if plat_entry .nes. ","
-$       then
-$         if f$extract(0,1,plat_entry) .nes. "!" then negatives = 0
-$         if (arch_vax)
-$         then
-$           if plat_entry .eqs. "EXPORT_VAR_AS_FUNCTION" then -
-$             truesum = truesum + 1
-$           if plat_entry .eqs. "!EXPORT_VAR_AS_FUNCTION" then -
-$             falsesum = falsesum + 1
-$         endif
-$!
-$         if ((plat_entry .eqs. "VMS") .or. -
-            ((plat_entry .eqs. "ZLIB") .and. (ZLIB .nes. "")) .or. -
-            (arch_vax .and. (plat_entry .eqs. "VMSVAX"))) then -
-            truesum = truesum + 1
-$!
-$         if ((plat_entry .eqs. "!VMS") .or. -
-            (arch_vax .and. (plat_entry .eqs. "!VMSVAX"))) then -
-            falsesum = falsesum + 1
-$!
-$	  goto loop1
-$       endif
-$     endloop1:
-$!DEBUG!$     if info_platforms - "EXPORT_VAR_AS_FUNCTION" .nes. info_platforms
-$!DEBUG!$     then
-$!DEBUG!$       write sys$output line
-$!DEBUG!$       write sys$output "        truesum = ",truesum,-
-$!DEBUG!		", negatives = ",negatives,", falsesum = ",falsesum
-$!DEBUG!$     endif
-$     if falsesum .ne. 0 then goto loop
-$     if truesum+negatives .eq. 0 then goto loop
-$     alg_i = 0
-$     loop2:
-$       alg_entry = f$element(alg_i,",",info_algorithms)
-$	alg_i = alg_i + 1
-$       if alg_entry .eqs. "" then goto loop2
-$       if alg_entry .nes. ","
-$       then
-$	  if disabled_algorithms - ("," + alg_entry + ",") .nes disabled_algorithms then goto loop
-$         if f$trnlnm("OPENSSL_NO_"+alg_entry) .nes. "" then goto loop
-$	  goto loop2
-$       endif
-$     endloop2:
-$     if info_platforms - "EXPORT_VAR_AS_FUNCTION" .nes. info_platforms
-$     then
-$!DEBUG!$     write sys$output curentry," ; ",entrynum," ; ",entryinfo
-$     endif
-$   redo:
-$     next:=loop
-$     tolibentry=curentry
-$     if libentrynum .ne. entrynum
-$     then
-$       entrycount=entrycount+1
-$       if entrycount .lt. entrynum
-$       then
-$!DEBUG!$         write sys$output "Info: entrycount: ''entrycount', entrynum: ''entrynum' => 0"
-$         tolibentry=".dummy"
-$         next:=redo
-$       endif
-$       if entrycount .gt. entrynum
-$       then
-$         write sys$error "Decreasing library entry numbers!  Can't continue"
-$         write sys$error """",line,""""
-$         close libnum
-$         return
-$       endif
-$       libentry=tolibentry
-$!DEBUG!$       write sys$output entrycount," ",libentry," ",entryinfo
-$       if libentry .nes. "" .and. libwriter .nes. "" then gosub 'libwriter'
-$     else
-$       write sys$error "Info: ""''curentry'"" is an alias for ""''libentry'"".  Overriding..."
-$     endif
-$     libentrynum=entrycount
-$     goto 'next'
-$   loop_end:
-$   close libnum
-$   return
-$
-$! The version number reader
-$ read_version_info:
-$   libver = ""
-$   open /read vf [.CRYPTO]OPENSSLV.H
-$   loop_rvi:
-$     read/err=endloop_rvi/end=endloop_rvi vf rvi_line
-$     if rvi_line - "SHLIB_VERSION_NUMBER """ .eqs. rvi_line then -
-	goto loop_rvi
-$     libverstr = f$element(1,"""",rvi_line)
-$     libvmajor = f$element(0,".",libverstr)
-$     libvminor = f$element(1,".",libverstr)
-$     libvedit = f$element(2,".",libverstr)
-$     libvpatch = f$cvui(0,8,f$extract(1,1,libvedit)+"@")-f$cvui(0,8,"@")
-$     libvedit = f$extract(0,1,libvedit)
-$     libver = f$string(f$int(libvmajor)*100)+","+-
-	f$string(f$int(libvminor)*100+f$int(libvedit)*10+f$int(libvpatch))
-$     if libvmajor .eqs. "0"
-$     then
-$       libvmatch = "EQUAL"
-$     else
-$       ! Starting with the 1.0 release, backward compatibility should be
-$       ! kept, so switch over to the following
-$       libvmatch = "LEQUAL"
-$     endif
-$   endloop_rvi:
-$   close vf
-$   return
-$
-$! The disabled algorithms reader
-$ read_disabled_algorithms_info:
-$   disabled_algorithms = ","
-$   open /read cf [.CRYPTO.'ARCH']OPENSSLCONF.H
-$   loop_rci:
-$     read/err=endloop_rci/end=endloop_rci cf rci_line
-$     rci_line = f$edit(rci_line,"TRIM,COMPRESS")
-$     rci_ei = 0
-$     if f$extract(0,9,rci_line) .eqs. "# define " then rci_ei = 2
-$     if f$extract(0,8,rci_line) .eqs. "#define " then rci_ei = 1
-$     if rci_ei .eq. 0 then goto loop_rci
-$     rci_e = f$element(rci_ei," ",rci_line)
-$     if f$extract(0,11,rci_e) .nes. "OPENSSL_NO_" then goto loop_rci
-$     disabled_algorithms = disabled_algorithms + f$extract(11,999,rci_e) + ","
-$     goto loop_rci
-$   endloop_rci:
-$   close cf
-$   return
--- a/VMS/multinet_shr.opt
+++ b/VMS/multinet_shr.opt
@@ -1 +0,0 @@
-multinet:multinet_socket_library.exe/share
--- a/VMS/openssl_shutdown.com.in
+++ b/VMS/openssl_shutdown.com.in
@@ -0,0 +1,59 @@
+$	! OpenSSL shutdown script
+$	!
+$	! This script deassigns the logical names used by the installation
+$	! of OpenSSL.  It can do so at any level, defined by P1.
+$	!
+$	! P1	Qualifier(s) for DEASSIGN.
+$	!	Default: /PROCESS
+$	!
+$	! P2	If the value is "NOALIASES", no alias logical names are
+$	!	deassigned.
+$
+$	status = %x10000001	! Generic success
+$
+$	! In case there's a problem
+$	ON CONTROL_Y THEN GOTO bailout
+$	ON ERROR THEN GOTO bailout
+$
+$	! Find the architecture
+$	IF F$GETSYI("CPU") .LT. 128
+$	THEN
+$	    arch := VAX
+$	ELSE
+$	    arch := F$EDIT(F$GETSYI("ARCH_NAME"),"UPCASE")
+$	    IF arch .EQS. "" THEN GOTO unknown_arch
+$	ENDIF
+$
+$	! Generated information
+$	VERSION := {- $config{version} -}
+$	INSTALLTOP := {- $config{INSTALLTOP} -}
+$	POINTER_SIZE = {- $config{pointersize} -}
+$
+$	! Abbrevs
+$	DEAS := DEASSIGN /NOLOG 'P1'
+$	v    =  VERSION - "." - "."
+$
+$	DEAS OSSL$ROOT'v'
+$	DEAS OSSL$INCLUDE'v'
+$	DEAS OSSL$LIB'v'
+$	DEAS OSSL$SHARE'v'
+$	DEAS OSSL$ENGINES'v'
+$	DEAS OSSL$EXE'v'
+$       {- output_off() if $config{no_shared} -}
+$       {- join("\n\$       ", map { "DEAS $_'v'" } map { $unified_info{sharednames}->{$_} || () } @{$unified_info{libraries}}) -}
+$       {- output_on() -}
+$	IF P2 .NES. "NOALIASES"
+$	THEN
+$	    DEAS OSSL$ROOT
+$	    DEAS OSSL$INCLUDE
+$	    DEAS OSSL$LIB
+$	    DEAS OSSL$SHARE
+$	    DEAS OSSL$ENGINES
+$	    DEAS OSSL$EXE
+$	    DEAS OPENSSL
+$           {- output_off() if $config{no_shared} -}
+$           {- join("\n\$           ", map { "DEAS $_" } map { $unified_info{sharednames}->{$_} || () } @{$unified_info{libraries}}) -}
+$           {- output_on() -}
+$	ENDIF
+$
+$	EXIT 'status'
--- a/VMS/openssl_startup.com
+++ b/VMS/openssl_startup.com
@@ -1,108 +0,0 @@
-$!
-$! Startup file for OpenSSL 1.x.
-$!
-$! 2011-03-05 SMS.
-$!
-$! This procedure must reside in the OpenSSL installation directory.
-$! It will fail if it is copied to a different location.
-$!
-$! P1  qualifier(s) for DEFINE.  For example, "/SYSTEM" to get the
-$!     logical names defined in the system logical name table.
-$!
-$! P2  "64", to use executables which were built with 64-bit pointers.
-$!
-$! Good (default) and bad status values.
-$!
-$ status =    %x00010001 ! RMS$_NORMAL, normal successful completion.
-$ rms_e_fnf = %x00018292 ! RMS$_FNF, file not found.
-$!
-$! Prepare for problems.
-$!
-$ orig_dev_dir = f$environment( "DEFAULT")
-$ on control_y then goto clean_up
-$ on error then goto clean_up
-$!
-$! Determine hardware architecture.
-$!
-$ if (f$getsyi( "cpu") .lt. 128)
-$ then
-$   arch_name = "VAX"
-$ else
-$   arch_name = f$edit( f$getsyi( "arch_name"), "upcase")
-$   if (arch_name .eqs. "") then arch_name = "UNK"
-$ endif
-$!
-$ if (p2 .eqs. "64")
-$ then
-$   arch_name_exe = arch_name+ "_64"
-$ else
-$   arch_name_exe = arch_name
-$ endif
-$!
-$! Derive the OpenSSL installation device:[directory] from the location
-$! of this command procedure.
-$!
-$ proc = f$environment( "procedure")
-$ proc_dev_dir = f$parse( "A.;", proc, , , "no_conceal") - "A.;"
-$ proc_dev = f$parse( proc_dev_dir, , , "device", "syntax_only")
-$ proc_dir = f$parse( proc_dev_dir, , , "directory", "syntax_only") - -
-   ".][000000"- "[000000."- "]["- "["- "]"
-$ proc_dev_dir = proc_dev+ "["+ proc_dir+ "]"
-$ set default 'proc_dev_dir'
-$ set default [-]
-$ ossl_dev_dir = f$environment( "default")
-$!
-$! Check existence of expected directories (to see if this procedure has
-$! been moved away from its proper place).
-$!
-$ if ((f$search( "certs.dir;1") .eqs. "") .or. -
-   (f$search( "include.dir;1") .eqs. "") .or. -
-   (f$search( "private.dir;1") .eqs. "") .or. -
-   (f$search( "vms.dir;1") .eqs. ""))
-$ then
-$    write sys$output -
-      "   Can't find expected common OpenSSL directories in:"
-$    write sys$output "   ''ossl_dev_dir'"
-$    status = rms_e_fnf
-$    goto clean_up
-$ endif
-$!
-$ if ((f$search( "''arch_name_exe'_exe.dir;1") .eqs. "") .or. -
-   (f$search( "''arch_name'_lib.dir;1") .eqs. ""))
-$ then
-$    write sys$output -
-      "   Can't find expected architecture-specific OpenSSL directories in:"
-$    write sys$output "   ''ossl_dev_dir'"
-$    status = rms_e_fnf
-$    goto clean_up
-$ endif
-$!
-$! All seems well (enough).  Define the OpenSSL logical names.
-$!
-$ ossl_root = ossl_dev_dir- "]"+ ".]"
-$ define /translation_attributes = concealed /nolog'p1 SSLROOT 'ossl_root'
-$ define /nolog 'p1' SSLCERTS     sslroot:[certs]
-$ define /nolog 'p1' SSLINCLUDE   sslroot:[include]
-$ define /nolog 'p1' SSLPRIVATE   sslroot:[private]
-$ define /nolog 'p1' SSLEXE       sslroot:['arch_name_exe'_exe]
-$ define /nolog 'p1' SSLLIB       sslroot:['arch_name'_lib]
-$!
-$! Defining OPENSSL lets a C program use "#include <openssl/{foo}.h>":
-$ define /nolog 'p1' OPENSSL      SSLINCLUDE:
-$!
-$! Run a site-specific procedure, if it exists.
-$!
-$ if f$search( "sslroot:[vms]openssl_systartup.com") .nes."" then -
-   @ sslroot:[vms]openssl_systartup.com
-$!
-$! Restore the original default dev:[dir] (if known).
-$!
-$ clean_up:
-$!
-$ if (f$type( orig_dev_dir) .nes. "")
-$ then
-$    set default 'orig_dev_dir'
-$ endif
-$!
-$ EXIT 'status'
-$!
--- a/VMS/openssl_startup.com.in
+++ b/VMS/openssl_startup.com.in
@@ -0,0 +1,115 @@
+$	! OpenSSL startup script
+$	!
+$	! This script defines the logical names used by the installation
+$	! of OpenSSL.  It can provide those logical names at any level,
+$	! defined by P1.
+$	!
+$	! The logical names created are:
+$	!
+$	!	OSSL$ROOTnnn	Installation root
+$	!	OSSL$EXEnnn	Where the executables are located
+$	!	OSSL$LIBnnn	Where the library files are located
+$	!	OSSL$SHAREnnn	Where the sahreable images are located
+$	!	OSSL$INCLUDEnnn	Include directory root
+$	!	OSSL$ENGINESnnn	Where the sahreable images are located
+$	!
+$	! In all these, nnn is the OpenSSL version number.  This allows
+$	! several OpenSSL versions to be installed simultaneously.
+$	!
+$	! In addition, unless P2 is "NOALIASES", these logical names are
+$	! created:
+$	!
+$	!	OSSL$ROOT	Alias for OSSL$ROOTnnn
+$	!	OSSL$EXE	Alias for OSSL$EXEnnn
+$	!	OSSL$LIB	Alias for OSSL$LIBnnn
+$	!	OSSL$SHARE	Alias for OSSL$SHAREnnn
+$	!	OSSL$INCLUDE	Alias for OSSL$INCLUDEnnn
+$	!	OPENSSL		is OSSL$INCLUDE:[OPENSSL]
+$	!	OSSL$ENGINES	Alias for OSSL$ENGINESnnn
+$	!
+$	! P1	Qualifier(s) for DEFINE.  "/SYSTEM" would be typical when
+$	!	calling this script from SYS$STARTUP:SYSTARTUP_VMS.COM,
+$	!	while "/PROCESS" would be typical for a personal install.
+$	!	Default: /PROCESS
+$	!
+$	! P2	If the value is "NOALIASES", no alias logical names are
+$	!	created.
+$
+$	status = %x10000001	! Generic success
+$
+$	! In case there's a problem
+$	ON CONTROL_Y THEN GOTO bailout
+$	ON ERROR THEN GOTO bailout
+$
+$	! Find the architecture
+$	IF F$GETSYI("CPU") .LT. 128
+$	THEN
+$	    arch := VAX
+$	ELSE
+$	    arch := F$EDIT(F$GETSYI("ARCH_NAME"),"UPCASE")
+$	    IF arch .EQS. "" THEN GOTO unknown_arch
+$	ENDIF
+$
+$	! Generated information
+$	VERSION := {- $config{version} -}
+$	INSTALLTOP := {- $config{INSTALLTOP} -}
+$	OPENSSLDIR := {- $config{OPENSSLDIR} -}
+$	POINTER_SIZE = {- $config{pointersize} -}
+$
+$	! Make sure that INSTALLTOP and OPENSSLDIR become something one
+$	! can build concealed logical names on
+$	INSTALLTOP_ = F$PARSE("A.;",INSTALLTOP,,,"NO_CONCEAL") - "A.;" -
+		     - ".][000000" - "[000000." - "][" - "]" + ".]"
+$	OPENSSLDIR_ = F$PARSE("A.;",OPENSSLDIR,,,"NO_CONCEAL") - "A.;" -
+		     - ".][000000" - "[000000." - "][" - "]" + ".]"
+$	DEFINE /TRANSLATION=CONCEALED /NOLOG WRK_INSTALLTOP 'INSTALLTOP_'
+$
+$	! Check that things are in place, and specifically, the stuff
+$	! belonging to this architecture
+$	IF F$SEARCH("WRK_INSTALLTOP:[000000]INCLUDE.DIR;1") .EQS. "" -
+	   .OR. F$SEARCH("WRK_INSTALLTOP:[000000]''arch'.DIR;1") .EQS. "" -
+	   .OR. F$SEARCH("WRK_INSTALLTOP:[''arch']LIB.DIR;1") .EQS. "" -
+	   .OR. F$SEARCH("WRK_INSTALLTOP:[''arch']EXE.DIR;1") .EQS. "" -
+	   .OR. F$SEARCH("WRK_INSTALLTOP:[000000]openssl.cnf;1") .EQS. ""
+$	THEN
+$	    WRITE SYS$ERROR "''INSTALLTOP' doesn't look like an OpenSSL installation for ''arch'"
+$	    status = %x00018292 ! RMS$_FNF, file not found
+$	    GOTO bailout
+$	ENDIF
+$
+$	! Abbrevs
+$	DEFT := DEFINE /TRANSLATION=CONCEALED /NOLOG 'P1'
+$	DEF  := DEFINE /NOLOG 'P1'
+$	v    =  VERSION - "." - "."
+$
+$	DEFT OSSL$INSTROOT'v'	'INSTALLTOP_'
+$	DEFT OSSL$INCLUDE'v'	OSSL$INSTROOT:[INCLUDE.]
+$	DEF  OSSL$LIB'v'	OSSL$INSTROOT:['arch'.LIB]
+$	DEF  OSSL$SHARE'v'	OSSL$INSTROOT:['arch'.LIB]
+$	DEF  OSSL$ENGINES'v'	OSSL$INSTROOT:['arch'.ENGINES]
+$	DEF  OSSL$EXE'v'	OSSL$INSTROOT:['arch'.EXE]
+$       {- output_off() if $config{no_shared} -}
+$       {- join("\n\$       ", map { "DEF  $_'v' OSSL\$SHARE:$_" } map { $unified_info{sharednames}->{$_} || () } @{$unified_info{libraries}}) -}
+$       {- output_on() -}
+$	IF P2 .NES. "NOALIASES"
+$	THEN
+$	    DEF OSSL$INSTROOT	OSSL$INSTROOT'v'
+$	    DEF OSSL$INCLUDE	OSSL$INCLUDE'v'
+$	    DEF OSSL$LIB	OSSL$LIB'v'
+$	    DEF OSSL$SHARE	OSSL$SHARE'v'
+$	    DEF OSSL$ENGINES	OSSL$ENGINES'v'
+$	    DEF OSSL$EXE	OSSL$EXE'v'
+$	    DEF OPENSSL		OSSL$INCLUDE:[OPENSSL]
+$       {- output_off() if $config{no_shared} -}
+$       {- join("\n\$           ", map { "DEF  $_ $_'v'" } map { $unified_info{sharednames}->{$_} || () } @{$unified_info{libraries}}) -}
+$       {- output_on() -}
+$	ENDIF
+$
+$	DEFT OSSL$DATAROOT	'OPENSSLDIR_'
+$	DEF  OSSL$CERTS		OSSL$DATAROOT:[CERTS]
+$	DEF  OSSL$PRIVATE	OSSL$DATAROOT:[PRIVATE]
+$
+$ bailout:
+$	DEASSIGN WRK_INSTALLTOP
+$
+$	EXIT 'status'
--- a/VMS/openssl_undo.com
+++ b/VMS/openssl_undo.com
@@ -1,20 +0,0 @@
-$!
-$! Deassign OpenSSL logical names.
-$!
-$ call deass "OPENSSL" "''p1'"
-$ call deass "SSLCERTS" "''p1'"
-$ call deass "SSLEXE" "''p1'"
-$ call deass "SSLINCLUDE" "''p1'"
-$ call deass "SSLLIB" "''p1'"
-$ call deass "SSLPRIVATE" "''p1'"
-$ call deass "SSLROOT" "''p1'"
-$!
-$ exit
-$!
-$deass: subroutine
-$ if (f$trnlnm( p1) .nes. "")
-$ then
-$    deassign 'p2' 'p1'
-$ endif
-$ endsubroutine
-$!
--- a/VMS/openssl_utils.com
+++ b/VMS/openssl_utils.com
@@ -1,46 +1,12 @@
-$!
-$!  APPS.COM
-$!  Written By:  Robert Byer
-$!               Vice-President
-$!               A-Com Computing, Inc.
-$!               byer@mail.all-net.net
-$!
-$!
-$! Slightly modified by Richard Levitte <richard@levitte.org>
-$!
-$!
-$! Always define OPENSSL.  Others are optional (non-null P1).
-$!
-$ OPENSSL  :== $SSLEXE:OPENSSL
+$	! OpenSSL utilities
+$	!
 $
-$ IF (P1 .NES. "")
-$ THEN
-$     VERIFY   :== $SSLEXE:OPENSSL VERIFY
-$     ASN1PARSE:== $SSLEXE:OPENSSL ASN1PARS
-$! REQ could conflict with REQUEST.
-$     OREQ     :== $SSLEXE:OPENSSL REQ
-$     DGST     :== $SSLEXE:OPENSSL DGST
-$     DH       :== $SSLEXE:OPENSSL DH
-$     ENC      :== $SSLEXE:OPENSSL ENC
-$     GENDH    :== $SSLEXE:OPENSSL GENDH
-$     ERRSTR   :== $SSLEXE:OPENSSL ERRSTR
-$     CA       :== $SSLEXE:OPENSSL CA
-$     CRL      :== $SSLEXE:OPENSSL CRL
-$     RSA      :== $SSLEXE:OPENSSL RSA
-$     DSA      :== $SSLEXE:OPENSSL DSA
-$     DSAPARAM :== $SSLEXE:OPENSSL DSAPARAM
-$     X509     :== $SSLEXE:OPENSSL X509
-$     GENRSA   :== $SSLEXE:OPENSSL GENRSA
-$     GENDSA   :== $SSLEXE:OPENSSL GENDSA
-$     S_SERVER :== $SSLEXE:OPENSSL S_SERVER
-$     S_CLIENT :== $SSLEXE:OPENSSL S_CLIENT
-$     SPEED    :== $SSLEXE:OPENSSL SPEED
-$     S_TIME   :== $SSLEXE:OPENSSL S_TIME
-$     VERSION  :== $SSLEXE:OPENSSL VERSION
-$     PKCS7    :== $SSLEXE:OPENSSL PKCS7
-$     CRL2PKCS7:== $SSLEXE:OPENSSL CRL2P7
-$     SESS_ID  :== $SSLEXE:OPENSSL SESS_ID
-$     CIPHERS  :== $SSLEXE:OPENSSL CIPHERS
-$     NSEQ     :== $SSLEXE:OPENSSL NSEQ
-$     PKCS12   :== $SSLEXE:OPENSSL PKCS12
-$ ENDIF
+$	OPENSSL		:== $OSSL$EXE:OPENSSL
+$
+$	IF F$SYMBOL(PERL) .EQS. "STRING"
+$	THEN
+$	    OSSLCA	:== 'PERL' OSSL$EXE:CA.pl
+$	    OSSLREHASH	:== 'PERL' OSSL$EXE:c_rehash.pl
+$	ELSE
+$	    WRITE SYS$ERROR "NOTE: no perl => no OSSLCA or OSSLREHASH"
+$	ENDIF
--- a/VMS/socketshr_shr.opt
+++ b/VMS/socketshr_shr.opt
@@ -1 +0,0 @@
-socketshr/share
--- a/VMS/tcpip_shr_decc.opt
+++ b/VMS/tcpip_shr_decc.opt
@@ -1 +0,0 @@
-sys$share:tcpip$ipc_shr.exe/share
--- a/VMS/translatesyms.pl
+++ b/VMS/translatesyms.pl
@@ -0,0 +1,55 @@
+#! /usr/bin/perl
+
+# This script will translate any SYMBOL_VECTOR item that has a translation
+# in CXX$DEMANGLER_DB.  The latter is generated by and CC/DECC command that
+# uses the qualifier /REPOSITORY with the build directory as value.  When
+# /NAMES=SHORTENED has been used, this file will hold the translations from
+# the original symbols to the shortened variants.
+#
+# CXX$DEMAGLER_DB. is an ISAM file, but with the magic of RMS, it can be
+# read as a text file, with each record as one line.
+#
+# The lines will have the following syntax for any symbol found that's longer
+# than 31 characters:
+#
+# LONG_symbol_34567890123{cksum}$LONG_symbol_34567890123_more_than_31_chars
+#
+# $ is present at the end of the shortened symbol name, and is preceded by a
+# 7 character checksum.  The $ makes it easy to separate the shortened name
+# from the original one.
+
+use strict;
+use warnings;
+
+usage() if scalar @ARGV < 1;
+
+my %translations = ();
+
+open DEMANGLER_DATA, $ARGV[0]
+    or die "Couldn't open $ARGV[0]: $!\n";
+while(<DEMANGLER_DATA>) {
+    s|\R$||;
+    (my $translated, my $original) = split /\$/;
+    $translations{$original} = $translated.'$';
+}
+close DEMANGLER_DATA;
+
+$| = 1;                         # Autoflush
+while(<STDIN>) {
+    s@
+      ((?:[A-Za-z0-9_]+)\/)?([A-Za-z0-9_]+)=(PROCEDURE|DATA)
+     @
+      if (defined($translations{$2})) {
+          my $trans = $translations{$2};
+          my $trans_uc = uc $trans;
+          if (defined($1) && $trans ne $trans_uc) {
+              "$trans_uc/$trans=$3"
+          } else {
+              "$trans=$3"
+          }
+      } else {
+          $&
+      }
+     @gxe;
+    print $_;
+}
--- a/VMS/ucx_shr_decc.opt
+++ b/VMS/ucx_shr_decc.opt
@@ -1 +0,0 @@
-sys$share:ucx$ipc_shr.exe/share
--- a/VMS/ucx_shr_decc_log.opt
+++ b/VMS/ucx_shr_decc_log.opt
@@ -1 +0,0 @@
-ucx$ipc_shr/share
--- a/VMS/ucx_shr_vaxc.opt
+++ b/VMS/ucx_shr_vaxc.opt
@@ -1 +0,0 @@
-sys$library:ucx$ipc.olb/library
--- a/apps/CA.com
+++ b/apps/CA.com
@@ -1,221 +0,0 @@
-$! CA - wrapper around ca to make it easier to use ... basically ca requires
-$!      some setup stuff to be done before you can use it and this makes
-$!      things easier between now and when Eric is convinced to fix it :-)
-$!
-$! CA -newca ... will setup the right stuff
-$! CA -newreq ... will generate a certificate request 
-$! CA -sign ... will sign the generated request and output 
-$!
-$! At the end of that grab newreq.pem and newcert.pem (one has the key 
-$! and the other the certificate) and cat them together and that is what
-$! you want/need ... I'll make even this a little cleaner later.
-$!
-$! default openssl.cnf file has setup as per the following
-$! demoCA ... where everything is stored
-$
-$ IF F$TYPE(OPENSSL_CONFIG) .EQS. "" THEN OPENSSL_CONFIG := SSLLIB:OPENSSL.CNF
-$
-$ DAYS   = "-days 365"
-$ REQ    = openssl + " req " + OPENSSL_CONFIG
-$ CA     = openssl + " ca " + OPENSSL_CONFIG
-$ VERIFY = openssl + " verify"
-$ X509   = openssl + " x509"
-$ PKCS12 = openssl + " pkcs12"
-$ echo   = "write sys$Output"
-$ RET = 1
-$!
-$! 2010-12-20 SMS.
-$! Use a concealed logical name to reduce command line lengths, to
-$! avoid DCL errors on VAX:
-$!     %DCL-W-TKNOVF, command element is too long - shorten
-$! (Path segments like "openssl-1_0_1-stable-SNAP-20101217" accumulate
-$! quickly.)
-$!
-$ CATOP = F$PARSE( F$ENVIRONMENT( "DEFAULT"), "[]")- "].;"+ ".demoCA.]"
-$ define /translation_attributes = concealed CATOP 'CATOP'
-$!
-$ on error then goto clean_up
-$ on control_y then goto clean_up
-$!
-$ CAKEY  = "CATOP:[private]cakey.pem"
-$ CACERT = "CATOP:[000000]cacert.pem"
-$
-$ __INPUT := SYS$COMMAND
-$!
-$ i = 1
-$opt_loop:
-$ if i .gt. 8 then goto opt_loop_end
-$
-$ prog_opt = F$EDIT(P'i',"lowercase")
-$
-$ IF (prog_opt .EQS. "?" .OR. prog_opt .EQS. "-h" .OR. prog_opt .EQS. "-help") 
-$ THEN
-$   echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" 
-$   goto clean_up
-$ ENDIF
-$!
-$ IF (prog_opt .EQS. "-input")
-$ THEN
-$   ! Get input from somewhere other than SYS$COMMAND
-$   i = i + 1
-$   __INPUT = P'i'
-$   GOTO opt_loop_continue
-$ ENDIF
-$!
-$ IF (prog_opt .EQS. "-newcert")
-$ THEN
-$   ! Create a certificate.
-$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
-$   REQ -new -x509 -keyout newreq.pem -out newreq.pem 'DAYS'
-$   RET=$STATUS
-$   echo "Certificate (and private key) is in newreq.pem"
-$   GOTO opt_loop_continue
-$ ENDIF
-$!
-$ IF (prog_opt .EQS. "-newreq")
-$ THEN
-$   ! Create a certificate request
-$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
-$   REQ -new -keyout newreq.pem -out newreq.pem 'DAYS'
-$   RET=$STATUS
-$   echo "Request (and private key) is in newreq.pem"
-$   GOTO opt_loop_continue
-$ ENDIF
-$!
-$ IF (prog_opt .EQS. "-newca")
-$ THEN
-$   ! If explicitly asked for or it doesn't exist then setup the directory
-$   ! structure that Eric likes to manage things.
-$   IF F$SEARCH( "CATOP:[000000]serial.") .EQS. ""
-$   THEN
-$     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[000000]
-$     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[certs]
-$     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[crl]
-$     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[newcerts]
-$     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[private]
-$
-$     OPEN /WRITE ser_file CATOP:[000000]serial. 
-$     WRITE ser_file "01"
-$     CLOSE ser_file
-$     APPEND /NEW_VERSION NL: CATOP:[000000]index.txt
-$
-$     ! The following is to make sure access() doesn't get confused.  It
-$     ! really needs one file in the directory to give correct answers...
-$     COPY NLA0: CATOP:[certs].;
-$     COPY NLA0: CATOP:[crl].;
-$     COPY NLA0: CATOP:[newcerts].;
-$     COPY NLA0: CATOP:[private].;
-$   ENDIF
-$!
-$   IF F$SEARCH( CAKEY) .EQS. ""
-$   THEN
-$     READ '__INPUT' FILE -
-       /PROMPT="CA certificate filename (or enter to create): "
-$     IF (FILE .NES. "") .AND. (F$SEARCH(FILE) .NES. "")
-$     THEN
-$       COPY 'FILE' 'CAKEY'
-$       RET=$STATUS
-$     ELSE
-$       echo "Making CA certificate ..."
-$       DEFINE /USER_MODE SYS$INPUT '__INPUT'
-$       REQ -new -x509 -keyout 'CAKEY' -out 'CACERT' 'DAYS'
-$       RET=$STATUS
-$     ENDIF
-$   ENDIF
-$   GOTO opt_loop_continue
-$ ENDIF
-$!
-$ IF (prog_opt .EQS. "-pkcs12")
-$ THEN
-$   i = i + 1
-$   cname = P'i'
-$   IF cname .EQS. "" THEN cname = "My certificate"
-$   PKCS12 -in newcert.pem -inkey newreq.pem -certfile 'CACERT' -
-     -out newcert.p12 -export -name "''cname'"
-$   RET=$STATUS
-$   goto clean_up
-$ ENDIF
-$!
-$ IF (prog_opt .EQS. "-xsign")
-$ THEN
-$!
-$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
-$   CA -policy policy_anything -infiles newreq.pem
-$   RET=$STATUS
-$   GOTO opt_loop_continue
-$ ENDIF
-$!
-$ IF ((prog_opt .EQS. "-sign") .OR. (prog_opt .EQS. "-signreq"))
-$ THEN
-$!   
-$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
-$   CA -policy policy_anything -out newcert.pem -infiles newreq.pem
-$   RET=$STATUS
-$   type newcert.pem
-$   echo "Signed certificate is in newcert.pem"
-$   GOTO opt_loop_continue
-$ ENDIF
-$!
-$ IF (prog_opt .EQS. "-signcert")
-$  THEN
-$!   
-$   echo "Cert passphrase will be requested twice - bug?"
-$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
-$   X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
-$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
-$   CA -policy policy_anything -out newcert.pem -infiles tmp.pem
-y
-y
-$   type newcert.pem
-$   echo "Signed certificate is in newcert.pem"
-$   GOTO opt_loop_continue
-$ ENDIF
-$!
-$ IF (prog_opt .EQS. "-verify")
-$ THEN
-$!   
-$   i = i + 1
-$   IF (p'i' .EQS. "")
-$   THEN
-$     DEFINE /USER_MODE SYS$INPUT '__INPUT'
-$     VERIFY "-CAfile" 'CACERT' newcert.pem
-$   ELSE
-$     j = i
-$    verify_opt_loop:
-$     IF j .GT. 8 THEN GOTO verify_opt_loop_end
-$     IF p'j' .NES. ""
-$     THEN 
-$       DEFINE /USER_MODE SYS$INPUT '__INPUT'
-$       __tmp = p'j'
-$       VERIFY "-CAfile" 'CACERT' '__tmp'
-$       tmp=$STATUS
-$       IF tmp .NE. 0 THEN RET=tmp
-$     ENDIF
-$     j = j + 1
-$     GOTO verify_opt_loop
-$    verify_opt_loop_end:
-$   ENDIF
-$   
-$   GOTO opt_loop_end
-$ ENDIF
-$!
-$ IF (prog_opt .NES. "")
-$ THEN
-$!   
-$   echo "Unknown argument ''prog_opt'"
-$   RET = 3
-$   goto clean_up
-$ ENDIF
-$
-$opt_loop_continue:
-$ i = i + 1
-$ GOTO opt_loop
-$
-$opt_loop_end:
-$!
-$clean_up:
-$!
-$ if f$trnlnm( "CATOP", "LNM$PROCESS") .nes. "" then -
-   deassign /process CATOP
-$!
-$ EXIT 'RET'
--- a/apps/CA.pl.in
+++ b/apps/CA.pl.in
@@ -1,8 +1,8 @@
-#!/usr/bin/perl
+#!{- $config{perl} -}
 #
 # Wrapper around the ca to make it easier to use
-# Edit CA.pl.in not CA.pl!
-
+#
+# {- join("\n# ", @autowarntext) -}

 use strict;
 use warnings;
@@ -120,9 +120,9 @@ if ($WHAT eq '-newcert' ) {
    close OUT;
    # ask user for existing CA certificate
    print "CA certificate filename (or enter to create)\n";
-    $FILE = <STDIN>;
-    chop $FILE if $FILE;
-    if ($FILE) {
+    $FILE = "" unless defined($FILE = <STDIN>);
+    $FILE =~ s{\R$}{};
+    if ($FILE ne "") {
        copy_pemfile($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");
        copy_pemfile($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
    } else {
@@ -164,7 +164,7 @@ if ($WHAT eq '-newcert' ) {
    my @files = @ARGV ? @ARGV : ( $NEWCERT );
    my $file;
    foreach $file (@files) {
-        my $status = run("$VERIFY -CAfile ${CATOP}/$CACERT $file");
+        my $status = run("$VERIFY \"-CAfile\" ${CATOP}/$CACERT $file");
        $RET = $status if $status != 0;
    }
 } elsif ($WHAT eq '-crl' ) {
--- a/apps/Makefile
+++ b/apps/Makefile
@@ -1,977 +0,0 @@
-#
-#  apps/Makefile
-#
-
-DIR=		apps
-TOP=		..
-CC=		cc
-INCLUDES=	-I$(TOP) -I../crypto -I../include
-CFLAG=		-g -static -Wswitch
-MAKEFILE=	Makefile
-PERL=		perl
-RM=		rm -f
-
-PEX_LIBS=
-EX_LIBS= 
-EXE_EXT= 
-
-SHLIB_TARGET=
-
-CFLAGS= $(INCLUDES) $(CFLAG)
-
-GENERAL=Makefile makeapps.com install.com
-
-DLIBCRYPTO=../libcrypto.a
-DLIBSSL=../libssl.a
-LIBCRYPTO=-L.. -lcrypto
-LIBSSL=-L.. -lssl
-
-SCRIPTS=CA.pl tsget
-EXE= openssl$(EXE_EXT)
-
-COMMANDS= \
-	asn1pars.o ca.o ciphers.o cms.o crl.o crl2p7.o dgst.o dhparam.o \
-	dsa.o dsaparam.o ec.o ecparam.o enc.o engine.o errstr.o gendsa.o \
-	genpkey.o genrsa.o nseq.o ocsp.o passwd.o pkcs12.o pkcs7.o pkcs8.o \
-	pkey.o pkeyparam.o pkeyutl.o prime.o rand.o req.o rsa.o rsautl.o \
-	s_client.o s_server.o s_time.o sess_id.o smime.o speed.o spkac.o \
-	srp.o ts.o verify.o version.o x509.o rehash.o
-
-EXTRA_OBJ=apps.o opt.o s_cb.o s_socket.o
-EXTRA_SRC=apps.c opt.c s_cb.c s_socket.c
-RAND_OBJ=app_rand.o
-RAND_SRC=app_rand.c
-
-OBJ	= $(COMMANDS)
-
-SRC	= \
-	asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c dgst.c dhparam.c \
-	dsa.c dsaparam.c ec.c ecparam.c enc.c engine.c errstr.c gendsa.c \
-	genpkey.c genrsa.c nseq.c ocsp.c passwd.c pkcs12.c pkcs7.c pkcs8.c \
-	pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c rsa.c rsautl.c \
-	s_client.c s_server.c s_time.c sess_id.c smime.c speed.c spkac.c \
-	srp.c ts.c verify.c version.c x509.c
-
-EXE_OBJ	= openssl.o $(OBJ) $(EXTRA_OBJ) $(RAND_OBJ)
-EXE_SRC = openssl.c $(SRC) $(EXTRA_SRC) $(RAND_SRC)
-
-HEADER=	apps.h progs.h s_apps.h \
-	testdsa.h testrsa.h timeouts.h
-
-ALL=    $(GENERAL) $(EXE_SRC) $(HEADER)
-
-top:
-	@(cd ..; $(MAKE) DIRS=$(DIR) all)
-
-all:	exe
-
-exe:	$(EXE)
-
-openssl-vms.cnf: openssl.cnf
-	$(PERL) $(TOP)/VMS/VMSify-conf.pl < openssl.cnf > openssl-vms.cnf
-
-files:
-	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
-
-install:
-	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
-	@set -e; for i in $(EXE); \
-	do  \
-	(echo installing $$i; \
-	 cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
-	 chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
-	 mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
-	 done;
-	@set -e; for i in $(SCRIPTS); \
-	do  \
-	(echo installing $$i; \
-	 cp $$i $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
-	 chmod 755 $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
-	 mv -f $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i ); \
-	 done
-	@cp openssl.cnf $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \
-	chmod 644 $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \
-	mv -f  $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf
-
-uninstall:
-	@set -e; for i in $(EXE); \
-	do  \
-		echo $(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
-		$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
-	done;
-	@set -e; for i in $(SCRIPTS); \
-	do  \
-		echo $(RM) $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i; \
-		$(RM) $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i; \
-	done
-	$(RM) $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf
-
-tags:
-	ctags $(EXE_SRC) $(HEADER)
-
-tests:
-
-lint:
-	echo nope >fluff
-
-update: openssl-vms.cnf local_depend
-
-depend: local_depend
-	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
-local_depend:
-	@[ -z "$(THIS)" ] || $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(EXE_SRC)
-
-dclean:
-	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
-	mv -f Makefile.new $(MAKEFILE)
-
-clean:
-	rm -f *.o *.obj *.dll lib tags core .pure .nfs* *.old *.bak fluff $(EXE)
-	rm -f req
-
-$(DLIBSSL):
-	(cd ..; $(MAKE) build_libssl)
-
-$(DLIBCRYPTO):
-	(cd ..; $(MAKE) build_libcrypto)
-
-$(EXE): progs.h $(EXE_OBJ) $(DLIBCRYPTO) $(DLIBSSL)
-	$(RM) $(EXE)
-	shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
-		shlib_target="$(SHLIB_TARGET)"; \
-	fi; \
-	LIBRARIES="$(LIBSSL) $(LIBCRYPTO)" ; \
-	$(MAKE) -f $(TOP)/Makefile.shared -e \
-		APPNAME=$(EXE) OBJECTS="$(EXE_OBJ)" \
-		LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \
-		link_app.$${shlib_target}
-
-progs.h: progs.pl Makefile
-	$(RM) progs.h
-	$(PERL) progs.pl $(COMMANDS) >progs.h
-	$(RM) openssl.o
-
-# DO NOT DELETE THIS LINE -- make depend depends on it.
-
-app_rand.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-app_rand.o: ../include/openssl/buffer.h ../include/openssl/conf.h
-app_rand.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
-app_rand.o: ../include/openssl/ec.h ../include/openssl/engine.h
-app_rand.o: ../include/openssl/evp.h ../include/openssl/lhash.h
-app_rand.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-app_rand.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
-app_rand.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-app_rand.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-app_rand.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-app_rand.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-app_rand.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-app_rand.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h
-app_rand.o: app_rand.c apps.h progs.h
-apps.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-apps.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-apps.o: ../include/openssl/comp.h ../include/openssl/conf.h
-apps.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
-apps.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
-apps.o: ../include/openssl/engine.h ../include/openssl/err.h
-apps.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-apps.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-apps.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-apps.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-apps.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-apps.o: ../include/openssl/pem2.h ../include/openssl/pkcs12.h
-apps.o: ../include/openssl/pkcs7.h ../include/openssl/rsa.h
-apps.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-apps.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-apps.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
-apps.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-apps.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
-apps.o: ../include/openssl/ui.h ../include/openssl/x509.h
-apps.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.c apps.h
-apps.o: progs.h
-asn1pars.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-asn1pars.o: ../include/openssl/buffer.h ../include/openssl/conf.h
-asn1pars.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
-asn1pars.o: ../include/openssl/ec.h ../include/openssl/engine.h
-asn1pars.o: ../include/openssl/err.h ../include/openssl/evp.h
-asn1pars.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-asn1pars.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-asn1pars.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-asn1pars.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-asn1pars.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-asn1pars.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-asn1pars.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-asn1pars.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-asn1pars.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-asn1pars.o: asn1pars.c progs.h
-ca.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-ca.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-ca.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-ca.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
-ca.o: ../include/openssl/engine.h ../include/openssl/err.h
-ca.o: ../include/openssl/evp.h ../include/openssl/lhash.h
-ca.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-ca.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
-ca.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ca.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ca.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
-ca.o: ../include/openssl/sha.h ../include/openssl/stack.h
-ca.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-ca.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-ca.o: ../include/openssl/x509v3.h apps.h ca.c progs.h
-ciphers.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-ciphers.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-ciphers.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-ciphers.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-ciphers.o: ../include/openssl/ec.h ../include/openssl/engine.h
-ciphers.o: ../include/openssl/err.h ../include/openssl/evp.h
-ciphers.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
-ciphers.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-ciphers.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
-ciphers.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ciphers.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ciphers.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
-ciphers.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-ciphers.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ciphers.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-ciphers.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-ciphers.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-ciphers.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-ciphers.o: ciphers.c progs.h
-cms.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-cms.o: ../include/openssl/buffer.h ../include/openssl/cms.h
-cms.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-cms.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
-cms.o: ../include/openssl/engine.h ../include/openssl/err.h
-cms.o: ../include/openssl/evp.h ../include/openssl/lhash.h
-cms.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-cms.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
-cms.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-cms.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-cms.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
-cms.o: ../include/openssl/sha.h ../include/openssl/stack.h
-cms.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-cms.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-cms.o: ../include/openssl/x509v3.h apps.h cms.c progs.h
-crl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-crl.o: ../include/openssl/buffer.h ../include/openssl/conf.h
-crl.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
-crl.o: ../include/openssl/ec.h ../include/openssl/engine.h
-crl.o: ../include/openssl/err.h ../include/openssl/evp.h
-crl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-crl.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-crl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-crl.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-crl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-crl.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-crl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-crl.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-crl.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h crl.c
-crl.o: progs.h
-crl2p7.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-crl2p7.o: ../include/openssl/buffer.h ../include/openssl/conf.h
-crl2p7.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
-crl2p7.o: ../include/openssl/ec.h ../include/openssl/engine.h
-crl2p7.o: ../include/openssl/err.h ../include/openssl/evp.h
-crl2p7.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-crl2p7.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-crl2p7.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-crl2p7.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-crl2p7.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-crl2p7.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-crl2p7.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-crl2p7.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-crl2p7.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-crl2p7.o: crl2p7.c progs.h
-dgst.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-dgst.o: ../include/openssl/buffer.h ../include/openssl/conf.h
-dgst.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
-dgst.o: ../include/openssl/ec.h ../include/openssl/engine.h
-dgst.o: ../include/openssl/err.h ../include/openssl/evp.h
-dgst.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
-dgst.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-dgst.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
-dgst.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-dgst.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-dgst.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
-dgst.o: ../include/openssl/sha.h ../include/openssl/stack.h
-dgst.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-dgst.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-dgst.o: ../include/openssl/x509v3.h apps.h dgst.c progs.h
-dhparam.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-dhparam.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-dhparam.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-dhparam.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-dhparam.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
-dhparam.o: ../include/openssl/engine.h ../include/openssl/err.h
-dhparam.o: ../include/openssl/evp.h ../include/openssl/lhash.h
-dhparam.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-dhparam.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
-dhparam.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-dhparam.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-dhparam.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
-dhparam.o: ../include/openssl/sha.h ../include/openssl/stack.h
-dhparam.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-dhparam.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-dhparam.o: ../include/openssl/x509v3.h apps.h dhparam.c progs.h
-dsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-dsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-dsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-dsa.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-dsa.o: ../include/openssl/ec.h ../include/openssl/engine.h
-dsa.o: ../include/openssl/err.h ../include/openssl/evp.h
-dsa.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-dsa.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-dsa.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-dsa.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-dsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-dsa.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-dsa.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-dsa.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-dsa.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h dsa.c
-dsa.o: progs.h
-dsaparam.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-dsaparam.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-dsaparam.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-dsaparam.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-dsaparam.o: ../include/openssl/ec.h ../include/openssl/engine.h
-dsaparam.o: ../include/openssl/err.h ../include/openssl/evp.h
-dsaparam.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-dsaparam.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-dsaparam.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-dsaparam.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-dsaparam.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-dsaparam.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-dsaparam.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-dsaparam.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-dsaparam.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-dsaparam.o: dsaparam.c progs.h
-ec.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-ec.o: ../include/openssl/buffer.h ../include/openssl/conf.h
-ec.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
-ec.o: ../include/openssl/ec.h ../include/openssl/engine.h
-ec.o: ../include/openssl/err.h ../include/openssl/evp.h
-ec.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-ec.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-ec.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-ec.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-ec.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-ec.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-ec.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ec.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-ec.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h ec.c
-ec.o: progs.h
-ecparam.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-ecparam.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-ecparam.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-ecparam.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
-ecparam.o: ../include/openssl/engine.h ../include/openssl/err.h
-ecparam.o: ../include/openssl/evp.h ../include/openssl/lhash.h
-ecparam.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-ecparam.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
-ecparam.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ecparam.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ecparam.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
-ecparam.o: ../include/openssl/sha.h ../include/openssl/stack.h
-ecparam.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-ecparam.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-ecparam.o: ../include/openssl/x509v3.h apps.h ecparam.c progs.h
-enc.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-enc.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-enc.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-enc.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
-enc.o: ../include/openssl/engine.h ../include/openssl/err.h
-enc.o: ../include/openssl/evp.h ../include/openssl/lhash.h
-enc.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-enc.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
-enc.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-enc.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-enc.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-enc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-enc.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-enc.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h enc.c
-enc.o: progs.h
-engine.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-engine.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-engine.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-engine.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-engine.o: ../include/openssl/ec.h ../include/openssl/engine.h
-engine.o: ../include/openssl/err.h ../include/openssl/evp.h
-engine.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
-engine.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-engine.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
-engine.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-engine.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-engine.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
-engine.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-engine.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-engine.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-engine.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-engine.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-engine.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-engine.o: engine.c progs.h
-errstr.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-errstr.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-errstr.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-errstr.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-errstr.o: ../include/openssl/ec.h ../include/openssl/engine.h
-errstr.o: ../include/openssl/err.h ../include/openssl/evp.h
-errstr.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
-errstr.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-errstr.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
-errstr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-errstr.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-errstr.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
-errstr.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-errstr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-errstr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-errstr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-errstr.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-errstr.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-errstr.o: errstr.c progs.h
-gendsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-gendsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-gendsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-gendsa.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-gendsa.o: ../include/openssl/ec.h ../include/openssl/engine.h
-gendsa.o: ../include/openssl/err.h ../include/openssl/evp.h
-gendsa.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-gendsa.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-gendsa.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-gendsa.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-gendsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-gendsa.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-gendsa.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-gendsa.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-gendsa.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-gendsa.o: gendsa.c progs.h
-genpkey.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-genpkey.o: ../include/openssl/buffer.h ../include/openssl/conf.h
-genpkey.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
-genpkey.o: ../include/openssl/ec.h ../include/openssl/engine.h
-genpkey.o: ../include/openssl/err.h ../include/openssl/evp.h
-genpkey.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-genpkey.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-genpkey.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-genpkey.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-genpkey.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-genpkey.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-genpkey.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-genpkey.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-genpkey.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-genpkey.o: genpkey.c progs.h
-genrsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-genrsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-genrsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-genrsa.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
-genrsa.o: ../include/openssl/engine.h ../include/openssl/err.h
-genrsa.o: ../include/openssl/evp.h ../include/openssl/lhash.h
-genrsa.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-genrsa.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
-genrsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-genrsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-genrsa.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-genrsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-genrsa.o: ../include/openssl/sha.h ../include/openssl/stack.h
-genrsa.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-genrsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-genrsa.o: ../include/openssl/x509v3.h apps.h genrsa.c progs.h
-nseq.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-nseq.o: ../include/openssl/buffer.h ../include/openssl/conf.h
-nseq.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
-nseq.o: ../include/openssl/ec.h ../include/openssl/engine.h
-nseq.o: ../include/openssl/err.h ../include/openssl/evp.h
-nseq.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-nseq.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-nseq.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-nseq.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-nseq.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-nseq.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-nseq.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-nseq.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-nseq.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h nseq.c
-nseq.o: progs.h
-ocsp.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-ocsp.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-ocsp.o: ../include/openssl/comp.h ../include/openssl/conf.h
-ocsp.o: ../include/openssl/crypto.h ../include/openssl/dtls1.h
-ocsp.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
-ocsp.o: ../include/openssl/engine.h ../include/openssl/err.h
-ocsp.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-ocsp.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-ocsp.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-ocsp.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-ocsp.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-ocsp.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-ocsp.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-ocsp.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-ocsp.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
-ocsp.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ocsp.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
-ocsp.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-ocsp.o: ../include/openssl/x509v3.h apps.h ocsp.c progs.h
-openssl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-openssl.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-openssl.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-openssl.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-openssl.o: ../include/openssl/ec.h ../include/openssl/engine.h
-openssl.o: ../include/openssl/err.h ../include/openssl/evp.h
-openssl.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
-openssl.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-openssl.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
-openssl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-openssl.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-openssl.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-openssl.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-openssl.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-openssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
-openssl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-openssl.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
-openssl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-openssl.o: ../include/openssl/x509v3.h apps.h openssl.c progs.h s_apps.h
-opt.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-opt.o: ../include/openssl/buffer.h ../include/openssl/conf.h
-opt.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
-opt.o: ../include/openssl/ec.h ../include/openssl/engine.h
-opt.o: ../include/openssl/evp.h ../include/openssl/lhash.h
-opt.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-opt.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
-opt.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-opt.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
-opt.o: ../include/openssl/sha.h ../include/openssl/stack.h
-opt.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-opt.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-opt.o: ../include/openssl/x509v3.h apps.h opt.c progs.h
-passwd.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-passwd.o: ../include/openssl/buffer.h ../include/openssl/conf.h
-passwd.o: ../include/openssl/crypto.h ../include/openssl/des.h
-passwd.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
-passwd.o: ../include/openssl/engine.h ../include/openssl/err.h
-passwd.o: ../include/openssl/evp.h ../include/openssl/lhash.h
-passwd.o: ../include/openssl/md5.h ../include/openssl/obj_mac.h
-passwd.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-passwd.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-passwd.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h
-passwd.o: ../include/openssl/rand.h ../include/openssl/safestack.h
-passwd.o: ../include/openssl/sha.h ../include/openssl/stack.h
-passwd.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-passwd.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-passwd.o: ../include/openssl/x509v3.h apps.h passwd.c progs.h
-pkcs12.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-pkcs12.o: ../include/openssl/buffer.h ../include/openssl/conf.h
-pkcs12.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
-pkcs12.o: ../include/openssl/ec.h ../include/openssl/engine.h
-pkcs12.o: ../include/openssl/err.h ../include/openssl/evp.h
-pkcs12.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-pkcs12.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-pkcs12.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-pkcs12.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-pkcs12.o: ../include/openssl/pem2.h ../include/openssl/pkcs12.h
-pkcs12.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
-pkcs12.o: ../include/openssl/sha.h ../include/openssl/stack.h
-pkcs12.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-pkcs12.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-pkcs12.o: ../include/openssl/x509v3.h apps.h pkcs12.c progs.h
-pkcs7.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-pkcs7.o: ../include/openssl/buffer.h ../include/openssl/conf.h
-pkcs7.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
-pkcs7.o: ../include/openssl/ec.h ../include/openssl/engine.h
-pkcs7.o: ../include/openssl/err.h ../include/openssl/evp.h
-pkcs7.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-pkcs7.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-pkcs7.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-pkcs7.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-pkcs7.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-pkcs7.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-pkcs7.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-pkcs7.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-pkcs7.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-pkcs7.o: pkcs7.c progs.h
-pkcs8.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-pkcs8.o: ../include/openssl/buffer.h ../include/openssl/conf.h
-pkcs8.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
-pkcs8.o: ../include/openssl/ec.h ../include/openssl/engine.h
-pkcs8.o: ../include/openssl/err.h ../include/openssl/evp.h
-pkcs8.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-pkcs8.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-pkcs8.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-pkcs8.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-pkcs8.o: ../include/openssl/pem2.h ../include/openssl/pkcs12.h
-pkcs8.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
-pkcs8.o: ../include/openssl/sha.h ../include/openssl/stack.h
-pkcs8.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-pkcs8.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-pkcs8.o: ../include/openssl/x509v3.h apps.h pkcs8.c progs.h
-pkey.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-pkey.o: ../include/openssl/buffer.h ../include/openssl/conf.h
-pkey.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
-pkey.o: ../include/openssl/ec.h ../include/openssl/engine.h
-pkey.o: ../include/openssl/err.h ../include/openssl/evp.h
-pkey.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-pkey.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-pkey.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-pkey.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-pkey.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-pkey.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-pkey.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-pkey.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-pkey.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h pkey.c
-pkey.o: progs.h
-pkeyparam.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-pkeyparam.o: ../include/openssl/buffer.h ../include/openssl/conf.h
-pkeyparam.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
-pkeyparam.o: ../include/openssl/ec.h ../include/openssl/engine.h
-pkeyparam.o: ../include/openssl/err.h ../include/openssl/evp.h
-pkeyparam.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-pkeyparam.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-pkeyparam.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-pkeyparam.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-pkeyparam.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-pkeyparam.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-pkeyparam.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-pkeyparam.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-pkeyparam.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-pkeyparam.o: pkeyparam.c progs.h
-pkeyutl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-pkeyutl.o: ../include/openssl/buffer.h ../include/openssl/conf.h
-pkeyutl.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
-pkeyutl.o: ../include/openssl/ec.h ../include/openssl/engine.h
-pkeyutl.o: ../include/openssl/err.h ../include/openssl/evp.h
-pkeyutl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-pkeyutl.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-pkeyutl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-pkeyutl.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-pkeyutl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-pkeyutl.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-pkeyutl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-pkeyutl.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-pkeyutl.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-pkeyutl.o: pkeyutl.c progs.h
-prime.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-prime.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-prime.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-prime.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
-prime.o: ../include/openssl/engine.h ../include/openssl/evp.h
-prime.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-prime.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-prime.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-prime.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h
-prime.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-prime.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-prime.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-prime.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-prime.o: prime.c progs.h
-rand.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-rand.o: ../include/openssl/buffer.h ../include/openssl/conf.h
-rand.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
-rand.o: ../include/openssl/ec.h ../include/openssl/engine.h
-rand.o: ../include/openssl/err.h ../include/openssl/evp.h
-rand.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-rand.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-rand.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-rand.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h
-rand.o: ../include/openssl/rand.h ../include/openssl/safestack.h
-rand.o: ../include/openssl/sha.h ../include/openssl/stack.h
-rand.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-rand.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-rand.o: ../include/openssl/x509v3.h apps.h progs.h rand.c
-req.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-req.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-req.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-req.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-req.o: ../include/openssl/ec.h ../include/openssl/engine.h
-req.o: ../include/openssl/err.h ../include/openssl/evp.h
-req.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-req.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-req.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-req.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-req.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-req.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-req.o: ../include/openssl/sha.h ../include/openssl/stack.h
-req.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-req.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-req.o: ../include/openssl/x509v3.h apps.h progs.h req.c
-rsa.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-rsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-rsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-rsa.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
-rsa.o: ../include/openssl/engine.h ../include/openssl/err.h
-rsa.o: ../include/openssl/evp.h ../include/openssl/lhash.h
-rsa.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-rsa.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
-rsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-rsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-rsa.o: ../include/openssl/pkcs7.h ../include/openssl/rsa.h
-rsa.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-rsa.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-rsa.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-rsa.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h progs.h
-rsa.o: rsa.c
-rsautl.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-rsautl.o: ../include/openssl/buffer.h ../include/openssl/conf.h
-rsautl.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
-rsautl.o: ../include/openssl/ec.h ../include/openssl/engine.h
-rsautl.o: ../include/openssl/err.h ../include/openssl/evp.h
-rsautl.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-rsautl.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-rsautl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-rsautl.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-rsautl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-rsautl.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-rsautl.o: ../include/openssl/sha.h ../include/openssl/stack.h
-rsautl.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-rsautl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-rsautl.o: ../include/openssl/x509v3.h apps.h progs.h rsautl.c
-s_cb.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-s_cb.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-s_cb.o: ../include/openssl/comp.h ../include/openssl/conf.h
-s_cb.o: ../include/openssl/crypto.h ../include/openssl/dh.h
-s_cb.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-s_cb.o: ../include/openssl/ec.h ../include/openssl/engine.h
-s_cb.o: ../include/openssl/err.h ../include/openssl/evp.h
-s_cb.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
-s_cb.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s_cb.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
-s_cb.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s_cb.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s_cb.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-s_cb.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s_cb.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-s_cb.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
-s_cb.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s_cb.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
-s_cb.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-s_cb.o: ../include/openssl/x509v3.h apps.h progs.h s_apps.h s_cb.c
-s_client.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/async.h
-s_client.o: ../include/openssl/bio.h ../include/openssl/bn.h
-s_client.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-s_client.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-s_client.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-s_client.o: ../include/openssl/ec.h ../include/openssl/engine.h
-s_client.o: ../include/openssl/err.h ../include/openssl/evp.h
-s_client.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
-s_client.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s_client.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
-s_client.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s_client.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s_client.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-s_client.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s_client.o: ../include/openssl/srp.h ../include/openssl/srtp.h
-s_client.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s_client.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s_client.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s_client.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-s_client.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-s_client.o: progs.h s_apps.h s_client.c timeouts.h
-s_server.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/async.h
-s_server.o: ../include/openssl/bio.h ../include/openssl/bn.h
-s_server.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-s_server.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-s_server.o: ../include/openssl/dh.h ../include/openssl/dtls1.h
-s_server.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
-s_server.o: ../include/openssl/engine.h ../include/openssl/err.h
-s_server.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-s_server.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-s_server.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-s_server.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s_server.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s_server.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s_server.o: ../include/openssl/rand.h ../include/openssl/rsa.h
-s_server.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s_server.o: ../include/openssl/srp.h ../include/openssl/srtp.h
-s_server.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s_server.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s_server.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s_server.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-s_server.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-s_server.o: progs.h s_apps.h s_server.c timeouts.h
-s_socket.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-s_socket.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-s_socket.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-s_socket.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-s_socket.o: ../include/openssl/ec.h ../include/openssl/engine.h
-s_socket.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-s_socket.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-s_socket.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-s_socket.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-s_socket.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-s_socket.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-s_socket.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s_socket.o: ../include/openssl/srtp.h ../include/openssl/ssl.h
-s_socket.o: ../include/openssl/ssl2.h ../include/openssl/ssl3.h
-s_socket.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s_socket.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
-s_socket.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-s_socket.o: ../include/openssl/x509v3.h apps.h progs.h s_apps.h s_socket.c
-s_time.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-s_time.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-s_time.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-s_time.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-s_time.o: ../include/openssl/ec.h ../include/openssl/engine.h
-s_time.o: ../include/openssl/err.h ../include/openssl/evp.h
-s_time.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
-s_time.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s_time.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
-s_time.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-s_time.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s_time.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
-s_time.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-s_time.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s_time.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-s_time.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s_time.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-s_time.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-s_time.o: progs.h s_apps.h s_time.c
-sess_id.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-sess_id.o: ../include/openssl/buffer.h ../include/openssl/comp.h
-sess_id.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-sess_id.o: ../include/openssl/dtls1.h ../include/openssl/e_os2.h
-sess_id.o: ../include/openssl/ec.h ../include/openssl/engine.h
-sess_id.o: ../include/openssl/err.h ../include/openssl/evp.h
-sess_id.o: ../include/openssl/hmac.h ../include/openssl/lhash.h
-sess_id.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-sess_id.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
-sess_id.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-sess_id.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-sess_id.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
-sess_id.o: ../include/openssl/sha.h ../include/openssl/srtp.h
-sess_id.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-sess_id.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
-sess_id.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-sess_id.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-sess_id.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-sess_id.o: progs.h sess_id.c
-smime.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-smime.o: ../include/openssl/buffer.h ../include/openssl/conf.h
-smime.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
-smime.o: ../include/openssl/ec.h ../include/openssl/engine.h
-smime.o: ../include/openssl/err.h ../include/openssl/evp.h
-smime.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-smime.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-smime.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-smime.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-smime.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-smime.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-smime.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-smime.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-smime.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-smime.o: progs.h smime.c
-speed.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
-speed.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
-speed.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-speed.o: ../include/openssl/camellia.h ../include/openssl/cast.h
-speed.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-speed.o: ../include/openssl/des.h ../include/openssl/dsa.h
-speed.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
-speed.o: ../include/openssl/engine.h ../include/openssl/err.h
-speed.o: ../include/openssl/evp.h ../include/openssl/hmac.h
-speed.o: ../include/openssl/idea.h ../include/openssl/lhash.h
-speed.o: ../include/openssl/md4.h ../include/openssl/md5.h
-speed.o: ../include/openssl/mdc2.h ../include/openssl/modes.h
-speed.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-speed.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
-speed.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-speed.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-speed.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-speed.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-speed.o: ../include/openssl/safestack.h ../include/openssl/seed.h
-speed.o: ../include/openssl/sha.h ../include/openssl/stack.h
-speed.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-speed.o: ../include/openssl/whrlpool.h ../include/openssl/x509.h
-speed.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-speed.o: progs.h speed.c testdsa.h testrsa.h
-spkac.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-spkac.o: ../include/openssl/buffer.h ../include/openssl/conf.h
-spkac.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
-spkac.o: ../include/openssl/ec.h ../include/openssl/engine.h
-spkac.o: ../include/openssl/err.h ../include/openssl/evp.h
-spkac.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-spkac.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-spkac.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-spkac.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-spkac.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-spkac.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-spkac.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-spkac.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-spkac.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-spkac.o: progs.h spkac.c
-srp.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-srp.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-srp.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-srp.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
-srp.o: ../include/openssl/engine.h ../include/openssl/err.h
-srp.o: ../include/openssl/evp.h ../include/openssl/lhash.h
-srp.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-srp.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
-srp.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-srp.o: ../include/openssl/pkcs7.h ../include/openssl/safestack.h
-srp.o: ../include/openssl/sha.h ../include/openssl/srp.h
-srp.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-srp.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-srp.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h progs.h
-srp.o: srp.c
-ts.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-ts.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-ts.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-ts.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-ts.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
-ts.o: ../include/openssl/engine.h ../include/openssl/err.h
-ts.o: ../include/openssl/evp.h ../include/openssl/lhash.h
-ts.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-ts.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
-ts.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-ts.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ts.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-ts.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-ts.o: ../include/openssl/sha.h ../include/openssl/stack.h
-ts.o: ../include/openssl/symhacks.h ../include/openssl/ts.h
-ts.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-ts.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h progs.h
-ts.o: ts.c
-verify.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-verify.o: ../include/openssl/buffer.h ../include/openssl/conf.h
-verify.o: ../include/openssl/crypto.h ../include/openssl/e_os2.h
-verify.o: ../include/openssl/ec.h ../include/openssl/engine.h
-verify.o: ../include/openssl/err.h ../include/openssl/evp.h
-verify.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-verify.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-verify.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-verify.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-verify.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-verify.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-verify.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-verify.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-verify.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-verify.o: progs.h verify.c
-version.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-version.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-version.o: ../include/openssl/buffer.h ../include/openssl/conf.h
-version.o: ../include/openssl/crypto.h ../include/openssl/des.h
-version.o: ../include/openssl/e_os2.h ../include/openssl/ec.h
-version.o: ../include/openssl/engine.h ../include/openssl/evp.h
-version.o: ../include/openssl/idea.h ../include/openssl/lhash.h
-version.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-version.o: ../include/openssl/ocsp.h ../include/openssl/opensslconf.h
-version.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
-version.o: ../include/openssl/pkcs7.h ../include/openssl/rc4.h
-version.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-version.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-version.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-version.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-version.o: progs.h version.c
-x509.o: ../e_os.h ../include/openssl/asn1.h ../include/openssl/bio.h
-x509.o: ../include/openssl/bn.h ../include/openssl/buffer.h
-x509.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-x509.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
-x509.o: ../include/openssl/ec.h ../include/openssl/engine.h
-x509.o: ../include/openssl/err.h ../include/openssl/evp.h
-x509.o: ../include/openssl/lhash.h ../include/openssl/obj_mac.h
-x509.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
-x509.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-x509.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
-x509.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-x509.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-x509.o: ../include/openssl/sha.h ../include/openssl/stack.h
-x509.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
-x509.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
-x509.o: ../include/openssl/x509v3.h apps.h progs.h x509.c
--- a/apps/Makefile.in
+++ b/apps/Makefile.in
@@ -0,0 +1,147 @@
+#
+#  apps/Makefile
+#
+
+DIR=		apps
+TOP=		..
+CC=		cc
+INCLUDES=	-I$(TOP) -I../crypto -I../include
+CFLAG=		-g -static -Wswitch
+MAKEFILE=	Makefile
+PERL=		perl
+RM=		rm -f
+
+PLIB_LDFLAG=
+EX_LIBS= 
+EXE_EXT= 
+
+SHLIB_TARGET=
+
+CFLAGS= $(INCLUDES) $(CFLAG)
+
+GENERAL=Makefile makeapps.com install.com
+
+DLIBCRYPTO=../libcrypto.a
+DLIBSSL=../libssl.a
+LIBCRYPTO=-L.. -lcrypto
+LIBSSL=-L.. -lssl
+
+SCRIPTS=CA.pl tsget
+EXE= openssl$(EXE_EXT)
+
+COMMANDS= \
+	asn1pars.o ca.o ciphers.o cms.o crl.o crl2p7.o dgst.o dhparam.o \
+	dsa.o dsaparam.o ec.o ecparam.o enc.o engine.o errstr.o gendsa.o \
+	genpkey.o genrsa.o nseq.o ocsp.o passwd.o pkcs12.o pkcs7.o pkcs8.o \
+	pkey.o pkeyparam.o pkeyutl.o prime.o rand.o req.o rsa.o rsautl.o \
+	s_client.o s_server.o s_time.o sess_id.o smime.o speed.o spkac.o \
+	srp.o ts.o verify.o version.o x509.o rehash.o
+
+EXTRA_OBJ=apps.o opt.o s_cb.o s_socket.o
+EXTRA_SRC=apps.c opt.c s_cb.c s_socket.c
+RAND_OBJ=app_rand.o
+RAND_SRC=app_rand.c
+
+OBJ	= $(COMMANDS)
+
+SRC	= \
+	asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c dgst.c dhparam.c \
+	dsa.c dsaparam.c ec.c ecparam.c enc.c engine.c errstr.c gendsa.c \
+	genpkey.c genrsa.c nseq.c ocsp.c passwd.c pkcs12.c pkcs7.c pkcs8.c \
+	pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c rsa.c rsautl.c \
+	s_client.c s_server.c s_time.c sess_id.c smime.c speed.c spkac.c \
+	srp.c ts.c verify.c version.c x509.c rehash.c
+
+EXE_OBJ	= openssl.o $(OBJ) $(EXTRA_OBJ) $(RAND_OBJ)
+EXE_SRC = openssl.c $(SRC) $(EXTRA_SRC) $(RAND_SRC)
+
+HEADER=	apps.h progs.h s_apps.h \
+	testdsa.h testrsa.h timeouts.h
+
+ALL=    $(GENERAL) $(EXE_SRC) $(HEADER)
+
+top:
+	@(cd ..; $(MAKE) DIRS=$(DIR) all)
+
+all:	exe scripts
+
+exe:	$(EXE)
+
+scripts: $(SCRIPTS)
+
+openssl-vms.cnf: openssl.cnf
+	$(PERL) $(TOP)/VMS/VMSify-conf.pl < openssl.cnf > openssl-vms.cnf
+
+files:
+	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
+
+install:
+	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
+	@set -e; for i in $(EXE); \
+	do  \
+	(echo installing $$i; \
+	 cp $$i $(DESTDIR)$(INSTALLTOP)/bin/$$i.new; \
+	 chmod 755 $(DESTDIR)$(INSTALLTOP)/bin/$$i.new; \
+	 mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$i.new $(DESTDIR)$(INSTALLTOP)/bin/$$i ); \
+	 done;
+	@set -e; for i in $(SCRIPTS); \
+	do  \
+	(echo installing $$i; \
+	 cp $$i $(DESTDIR)$(OPENSSLDIR)/misc/$$i.new; \
+	 chmod 755 $(DESTDIR)$(OPENSSLDIR)/misc/$$i.new; \
+	 mv -f $(DESTDIR)$(OPENSSLDIR)/misc/$$i.new $(DESTDIR)$(OPENSSLDIR)/misc/$$i ); \
+	 done
+	@cp openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new; \
+	chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new; \
+	mv -f  $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new $(DESTDIR)$(OPENSSLDIR)/openssl.cnf
+
+uninstall:
+	@set -e; for i in $(EXE); \
+	do  \
+		echo $(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$i; \
+		$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$i; \
+	done;
+	@set -e; for i in $(SCRIPTS); \
+	do  \
+		echo $(RM) $(DESTDIR)$(OPENSSLDIR)/misc/$$i; \
+		$(RM) $(DESTDIR)$(OPENSSLDIR)/misc/$$i; \
+	done
+	$(RM) $(DESTDIR)$(OPENSSLDIR)/openssl.cnf
+
+generate: openssl-vms.cnf progs.h
+
+depend:
+	$(TOP)/util/domd $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(EXE_SRC)
+
+clean:
+	rm -f *.o *.obj *.dll lib tags core .pure .nfs* *.old *.bak fluff $(EXE)
+	rm -f req
+
+$(DLIBSSL):
+	(cd ..; $(MAKE) build_libssl)
+
+$(DLIBCRYPTO):
+	(cd ..; $(MAKE) build_libcrypto)
+
+$(EXE): $(EXE_OBJ) $(DLIBCRYPTO) $(DLIBSSL)
+	$(RM) $(EXE)
+	shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
+		shlib_target="$(SHLIB_TARGET)"; \
+	fi; \
+	LIBRARIES="$(LIBSSL) $(LIBCRYPTO)" ; \
+	$(MAKE) -f $(TOP)/Makefile.shared -e \
+		APPNAME=$(EXE) OBJECTS="$(EXE_OBJ)" \
+		LDFLAG="$(LDFLAG)" \
+		LIBDEPS="$(PLIB_LDFLAG) $$LIBRARIES $(EX_LIBS)" \
+		link_app.$${shlib_target}
+
+progs.h: progs.pl Makefile.in
+	$(RM) progs.h
+	$(PERL) progs.pl $(EXE_SRC) > progs.h
+
+CA.pl: CA.pl.in
+	$(PERL) -I$(TOP) -Mconfigdata $(TOP)/util/dofile.pl -oapps/Makefile CA.pl.in > CA.pl.new
+	mv CA.pl.new CA.pl
+
+
+# DO NOT DELETE THIS LINE -- make depend depends on it.
--- a/apps/app_rand.c
+++ b/apps/app_rand.c
@@ -126,6 +126,7 @@ int app_RAND_load_file(const char *file, int dont_warn)

    if (file == NULL)
        file = RAND_file_name(buffer, sizeof buffer);
+#ifndef OPENSSL_NO_EGD
    else if (RAND_egd(file) > 0) {
        /*
         * we try if the given filename is an EGD socket. if it is, we don't
@@ -134,6 +135,7 @@ int app_RAND_load_file(const char *file, int dont_warn)
        egdsocket = 1;
        return 1;
    }
+#endif
    if (file == NULL || !RAND_load_file(file, -1)) {
        if (RAND_status() == 0) {
            if (!dont_warn) {
@@ -161,7 +163,9 @@ long app_RAND_load_files(char *name)
    char *p, *n;
    int last;
    long tot = 0;
+#ifndef OPENSSL_NO_EGD
    int egd;
+#endif

    for (;;) {
        last = 0;
@@ -174,10 +178,12 @@ long app_RAND_load_files(char *name)
        if (*n == '\0')
            break;

+#ifndef OPENSSL_NO_EGD
        egd = RAND_egd(n);
        if (egd > 0)
            tot += egd;
        else
+#endif
            tot += RAND_load_file(n, -1);
        if (last)
            break;
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -183,7 +183,7 @@ int chopup_args(ARGS *arg, char *buf)

    for (p = buf;;) {
        /* Skip whitespace. */
-        while (*p && isspace(*p))
+        while (*p && isspace(_UC(*p)))
            p++;
        if (!*p)
            break;
@@ -207,7 +207,7 @@ int chopup_args(ARGS *arg, char *buf)
                p++;
            *p++ = '\0';
        } else {
-            while (*p && !isspace(*p))
+            while (*p && !isspace(_UC(*p)))
                p++;
            if (*p)
                *p++ = '\0';
@@ -432,14 +432,14 @@ static char *app_get_pass(char *arg, int keepbio)
    int i;

    if (strncmp(arg, "pass:", 5) == 0)
-        return BUF_strdup(arg + 5);
+        return OPENSSL_strdup(arg + 5);
    if (strncmp(arg, "env:", 4) == 0) {
        tmp = getenv(arg + 4);
        if (!tmp) {
            BIO_printf(bio_err, "Can't read environment variable %s\n", arg + 4);
            return NULL;
        }
-        return BUF_strdup(tmp);
+        return OPENSSL_strdup(tmp);
    }
    if (!keepbio || !pwdbio) {
        if (strncmp(arg, "file:", 5) == 0) {
@@ -495,7 +495,7 @@ static char *app_get_pass(char *arg, int keepbio)
    tmp = strchr(tpass, '\n');
    if (tmp)
        *tmp = 0;
-    return BUF_strdup(tpass);
+    return OPENSSL_strdup(tpass);
 }

 static CONF *app_load_config_(BIO *in, const char *filename)
@@ -763,20 +763,22 @@ EVP_PKEY *load_key(const char *file, int format, int maybe_stdin,
        BIO_printf(bio_err, "no keyfile specified\n");
        goto end;
    }
-#ifndef OPENSSL_NO_ENGINE
    if (format == FORMAT_ENGINE) {
-        if (!e)
+        if (e == NULL)
            BIO_printf(bio_err, "no engine specified\n");
        else {
+#ifndef OPENSSL_NO_ENGINE
            pkey = ENGINE_load_private_key(e, file, ui_method, &cb_data);
-            if (!pkey) {
+            if (pkey == NULL) {
                BIO_printf(bio_err, "cannot load %s from engine\n", key_descrip);
                ERR_print_errors(bio_err);
            }
+#else
+            BIO_printf(bio_err, "engines not supported\n");
+#endif
        }
        goto end;
    }
-#endif
    if (file == NULL && maybe_stdin) {
        unbuffer(stdin);
        key = dup_bio_in(format);
@@ -831,15 +833,22 @@ EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
        BIO_printf(bio_err, "no keyfile specified\n");
        goto end;
    }
-#ifndef OPENSSL_NO_ENGINE
    if (format == FORMAT_ENGINE) {
-        if (!e)
+        if (e == NULL)
            BIO_printf(bio_err, "no engine specified\n");
-        else
+        else {
+#ifndef OPENSSL_NO_ENGINE
            pkey = ENGINE_load_public_key(e, file, ui_method, &cb_data);
+            if (pkey == NULL) {
+                BIO_printf(bio_err, "cannot load %s from engine\n", key_descrip);
+                ERR_print_errors(bio_err);
+            }
+#else
+            BIO_printf(bio_err, "engines not supported\n");
+#endif
+        }
        goto end;
    }
-#endif
    if (file == NULL && maybe_stdin) {
        unbuffer(stdin);
        key = dup_bio_in(format);
@@ -850,8 +859,8 @@ EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
    if (format == FORMAT_ASN1) {
        pkey = d2i_PUBKEY_bio(key, NULL);
    }
-#ifndef OPENSSL_NO_RSA
    else if (format == FORMAT_ASN1RSA) {
+#ifndef OPENSSL_NO_RSA
        RSA *rsa;
        rsa = d2i_RSAPublicKey_bio(key, NULL);
        if (rsa) {
@@ -860,8 +869,12 @@ EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
                EVP_PKEY_set1_RSA(pkey, rsa);
            RSA_free(rsa);
        } else
+#else
+        BIO_printf(bio_err, "RSA keys not supported\n");
+#endif
            pkey = NULL;
    } else if (format == FORMAT_PEMRSA) {
+#ifndef OPENSSL_NO_RSA
        RSA *rsa;
        rsa = PEM_read_bio_RSAPublicKey(key, NULL,
                                        (pem_password_cb *)password_callback,
@@ -872,9 +885,11 @@ EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
                EVP_PKEY_set1_RSA(pkey, rsa);
            RSA_free(rsa);
        } else
+#else
+        BIO_printf(bio_err, "RSA keys not supported\n");
+#endif
            pkey = NULL;
    }
-#endif
    else if (format == FORMAT_PEM) {
        pkey = PEM_read_bio_PUBKEY(key, NULL,
                                   (pem_password_cb *)password_callback,
@@ -921,13 +936,13 @@ static int load_certs_crls(const char *file, int format,

    BIO_free(bio);

-    if (pcerts) {
+    if (pcerts && *pcerts == NULL) {
        *pcerts = sk_X509_new_null();
        if (!*pcerts)
            goto end;
    }

-    if (pcrls) {
+    if (pcrls && *pcrls == NULL) {
        *pcrls = sk_X509_CRL_new_null();
        if (!*pcrls)
            goto end;
@@ -986,24 +1001,22 @@ void* app_malloc(int sz, const char *what)
    return vp;
 }

-
-
-STACK_OF(X509) *load_certs(const char *file, int format,
-                           const char *pass, ENGINE *e, const char *desc)
+/*
+ * Initialize or extend, if *certs != NULL,  a certificate stack.
+ */
+int load_certs(const char *file, STACK_OF(X509) **certs, int format,
+               const char *pass, ENGINE *e, const char *desc)
 {
-    STACK_OF(X509) *certs;
-    if (!load_certs_crls(file, format, pass, e, desc, &certs, NULL))
-        return NULL;
-    return certs;
+    return load_certs_crls(file, format, pass, e, desc, certs, NULL);
 }

-STACK_OF(X509_CRL) *load_crls(const char *file, int format,
-                              const char *pass, ENGINE *e, const char *desc)
+/*
+ * Initialize or extend, if *crls != NULL,  a certificate stack.
+ */
+int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format,
+              const char *pass, ENGINE *e, const char *desc)
 {
-    STACK_OF(X509_CRL) *crls;
-    if (!load_certs_crls(file, format, pass, e, desc, NULL, &crls))
-        return NULL;
-    return crls;
+    return load_certs_crls(file, format, pass, e, desc, NULL, crls);
 }

 #define X509V3_EXT_UNKNOWN_MASK         (0xfL << 16)
@@ -1444,7 +1457,7 @@ int save_serial(char *serialfile, char *suffix, BIGNUM *serial,
    }

    if (suffix == NULL)
-        BUF_strlcpy(buf[0], serialfile, BSIZE);
+        OPENSSL_strlcpy(buf[0], serialfile, BSIZE);
    else {
 #ifndef OPENSSL_SYS_VMS
        j = BIO_snprintf(buf[0], sizeof buf[0], "%s.%s", serialfile, suffix);
@@ -1909,7 +1922,11 @@ int bio_to_mem(unsigned char **out, int maxlen, BIO *in)
        else
            len = 1024;
        len = BIO_read(in, tbuf, len);
-        if (len <= 0)
+        if (len < 0) {
+            BIO_free(mem);
+            return -1;
+        }
+        if (len == 0)
            break;
        if (BIO_write(mem, tbuf, len) != len) {
            BIO_free(mem);
@@ -1926,11 +1943,11 @@ int bio_to_mem(unsigned char **out, int maxlen, BIO *in)
    return ret;
 }

-int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value)
+int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value)
 {
    int rv;
    char *stmp, *vtmp = NULL;
-    stmp = BUF_strdup(value);
+    stmp = OPENSSL_strdup(value);
    if (!stmp)
        return -1;
    vtmp = strchr(stmp, ':');
@@ -2796,7 +2813,7 @@ BIO *bio_open_owner(const char *filename, int format, int private)
 {
    FILE *fp = NULL;
    BIO *b = NULL;
-    int fd = -1, bflags, mode, binmode;
+    int fd = -1, bflags, mode, textmode;

    if (!private || filename == NULL || strcmp(filename, "-") == 0)
        return bio_open_default(filename, 'w', format);
@@ -2808,8 +2825,8 @@ BIO *bio_open_owner(const char *filename, int format, int private)
 #ifdef O_TRUNC
    mode |= O_TRUNC;
 #endif
-    binmode = istext(format);
-    if (binmode) {
+    textmode = istext(format);
+    if (!textmode) {
 #ifdef O_BINARY
        mode |= O_BINARY;
 #elif defined(_O_BINARY)
@@ -2817,14 +2834,24 @@ BIO *bio_open_owner(const char *filename, int format, int private)
 #endif
    }

-    fd = open(filename, mode, 0600);
+#ifdef OPENSSL_SYS_VMS
+    /* VMS doesn't have O_BINARY, it just doesn't make sense.  But,
+     * it still needs to know that we're going binary, or fdopen()
+     * will fail with "invalid argument"...  so we tell VMS what the
+     * context is.
+     */
+    if (!textmode)
+        fd = open(filename, mode, 0600, "ctx=bin");
+    else
+#endif
+        fd = open(filename, mode, 0600);
    if (fd < 0)
        goto err;
    fp = fdopen(fd, modestr('w', format));
    if (fp == NULL)
        goto err;
    bflags = BIO_CLOSE;
-    if (!binmode)
+    if (textmode)
        bflags |= BIO_FP_TEXT;
    b = BIO_new_fp(fp, bflags);
    if (b)
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -1,4 +1,3 @@
-/* apps/apps.h */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -116,6 +115,7 @@
 # include <assert.h>

 # include <openssl/e_os2.h>
+# include <openssl/ossl_typ.h>
 # include <openssl/bio.h>
 # include <openssl/x509.h>
 # include <openssl/lhash.h>
@@ -138,6 +138,24 @@
 #  define openssl_fdset(a,b) FD_SET(a, b)
 # endif

+# if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L && \
+     defined(INTMAX_MAX) && defined(UINTMAX_MAX)
+int opt_imax(const char *value, intmax_t *result);
+int opt_umax(const char *value, uintmax_t *result);
+# else
+#  define opt_imax opt_long
+#  define opt_umax opt_ulong
+#  define intmax_t long
+#  define uintmax_t unsigned long
+# endif
+
+/*
+ * quick macro when you need to pass an unsigned char instead of a char.
+ * this is true for some implementations of the is*() functions, for
+ * example.
+ */
+#define _UC(c) ((unsigned char)(c))
+
 int app_RAND_load_file(const char *file, int dont_warn);
 int app_RAND_write_file(const char *file);
 /*
@@ -181,34 +199,51 @@ void wait_for_async(SSL *s);
        OPT_V__LAST

 # define OPT_V_OPTIONS \
-        { "policy", OPT_V_POLICY, 's' }, \
-        { "purpose", OPT_V_PURPOSE, 's' }, \
-        { "verify_name", OPT_V_VERIFY_NAME, 's' }, \
-        { "verify_depth", OPT_V_VERIFY_DEPTH, 'p' }, \
-        { "attime", OPT_V_ATTIME, 'p' }, \
-        { "verify_hostname", OPT_V_VERIFY_HOSTNAME, 's' }, \
-        { "verify_email", OPT_V_VERIFY_EMAIL, 's' }, \
-        { "verify_ip", OPT_V_VERIFY_IP, 's' }, \
-        { "ignore_critical", OPT_V_IGNORE_CRITICAL, '-' }, \
-        { "issuer_checks", OPT_V_ISSUER_CHECKS, '-' }, \
-        { "crl_check", OPT_V_CRL_CHECK, '-', "Check that peer cert has not been revoked" }, \
-        { "crl_check_all", OPT_V_CRL_CHECK_ALL, '-', "Also check all certs in the chain" }, \
-        { "policy_check", OPT_V_POLICY_CHECK, '-' }, \
-        { "explicit_policy", OPT_V_EXPLICIT_POLICY, '-' }, \
-        { "inhibit_any", OPT_V_INHIBIT_ANY, '-' }, \
-        { "inhibit_map", OPT_V_INHIBIT_MAP, '-' }, \
-        { "x509_strict", OPT_V_X509_STRICT, '-' }, \
-        { "extended_crl", OPT_V_EXTENDED_CRL, '-' }, \
-        { "use_deltas", OPT_V_USE_DELTAS, '-' }, \
-        { "policy_print", OPT_V_POLICY_PRINT, '-' }, \
-        { "check_ss_sig", OPT_V_CHECK_SS_SIG, '-' }, \
-        { "trusted_first", OPT_V_TRUSTED_FIRST, '-', "Use locally-trusted CA's first in building chain" }, \
-        { "suiteB_128_only", OPT_V_SUITEB_128_ONLY, '-' }, \
-        { "suiteB_128", OPT_V_SUITEB_128, '-' }, \
-        { "suiteB_192", OPT_V_SUITEB_192, '-' }, \
-        { "partial_chain", OPT_V_PARTIAL_CHAIN, '-' }, \
-        { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "Only use the first cert chain found" }, \
-        { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "Do not check validity against current time" }
+        { "policy", OPT_V_POLICY, 's', "adds policy to the acceptable policy set"}, \
+        { "purpose", OPT_V_PURPOSE, 's', \
+            "certificate chain purpose"}, \
+        { "verify_name", OPT_V_VERIFY_NAME, 's', "verification policy name"}, \
+        { "verify_depth", OPT_V_VERIFY_DEPTH, 'p', \
+            "chain depth limit"}, \
+        { "attime", OPT_V_ATTIME, 'M', "verification epoch time" }, \
+        { "verify_hostname", OPT_V_VERIFY_HOSTNAME, 's', \
+            "expected peer hostname" }, \
+        { "verify_email", OPT_V_VERIFY_EMAIL, 's', \
+            "expected peer email" }, \
+        { "verify_ip", OPT_V_VERIFY_IP, 's', \
+            "expected peer IP address" }, \
+        { "ignore_critical", OPT_V_IGNORE_CRITICAL, '-', \
+            "permit unhandled critical extensions"}, \
+        { "issuer_checks", OPT_V_ISSUER_CHECKS, '-', "(deprecated)"}, \
+        { "crl_check", OPT_V_CRL_CHECK, '-', "check leaf certificate revocation" }, \
+        { "crl_check_all", OPT_V_CRL_CHECK_ALL, '-', "check full chain revocation" }, \
+        { "policy_check", OPT_V_POLICY_CHECK, '-', "perform rfc5280 policy checks"}, \
+        { "explicit_policy", OPT_V_EXPLICIT_POLICY, '-', \
+            "set policy variable require-explicit-policy"}, \
+        { "inhibit_any", OPT_V_INHIBIT_ANY, '-', \
+            "set policy variable inihibit-any-policy"}, \
+        { "inhibit_map", OPT_V_INHIBIT_MAP, '-', \
+            "set policy variable inihibit-policy-mapping"}, \
+        { "x509_strict", OPT_V_X509_STRICT, '-', \
+            "disable certificate compatibility work-arounds"}, \
+        { "extended_crl", OPT_V_EXTENDED_CRL, '-', \
+            "enable extended CRL features"}, \
+        { "use_deltas", OPT_V_USE_DELTAS, '-', \
+            "use delta CRLs"}, \
+        { "policy_print", OPT_V_POLICY_PRINT, '-', \
+            "print policy processing diagnostics"}, \
+        { "check_ss_sig", OPT_V_CHECK_SS_SIG, '-', \
+            "check root CA self-signatures"}, \
+        { "trusted_first", OPT_V_TRUSTED_FIRST, '-', \
+            "search trust store first (default)" }, \
+        { "suiteB_128_only", OPT_V_SUITEB_128_ONLY, '-', "Suite B 128-bit-only mode"}, \
+        { "suiteB_128", OPT_V_SUITEB_128, '-', \
+            "Suite B 128-bit mode allowing 192-bit algorithms"}, \
+        { "suiteB_192", OPT_V_SUITEB_192, '-', "Suite B 192-bit-only mode" }, \
+        { "partial_chain", OPT_V_PARTIAL_CHAIN, '-', \
+            "accept chains anchored by intermediate trust-store CAs"}, \
+        { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "(deprecated)" }, \
+        { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "ignore certificate validity time" }

 # define OPT_V_CASES \
        OPT_V__FIRST: case OPT_V__LAST: break; \
@@ -251,12 +286,15 @@ void wait_for_async(SSL *s);
        OPT_X__LAST

 # define OPT_X_OPTIONS \
-        { "xkey", OPT_X_KEY, '<' }, \
-        { "xcert", OPT_X_CERT, '<' }, \
-        { "xchain", OPT_X_CHAIN, '<' }, \
-        { "xchain_build", OPT_X_CHAIN_BUILD, '-' }, \
-        { "xcertform", OPT_X_CERTFORM, 'F' }, \
-        { "xkeyform", OPT_X_KEYFORM, 'F' }
+        { "xkey", OPT_X_KEY, '<', "key for Extended certificates"}, \
+        { "xcert", OPT_X_CERT, '<', "cert for Extended certificates"}, \
+        { "xchain", OPT_X_CHAIN, '<', "chain for Extended certificates"}, \
+        { "xchain_build", OPT_X_CHAIN_BUILD, '-', \
+            "build certificate chain for the extended certificates"}, \
+        { "xcertform", OPT_X_CERTFORM, 'F', \
+            "format of Extended certificate (PEM or DER) PEM default " }, \
+        { "xkeyform", OPT_X_KEYFORM, 'F', \
+            "format of Exnteded certificate's key (PEM or DER) PEM default"}

 # define OPT_X_CASES \
        OPT_X__FIRST: case OPT_X__LAST: break; \
@@ -274,28 +312,34 @@ void wait_for_async(SSL *s);
 # define OPT_S_ENUM \
        OPT_S__FIRST=3000, \
        OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1, OPT_S_NOTLS1_2, \
-        OPT_S_BUGS, OPT_S_NOCOMP, OPT_S_ECDHSINGLE, OPT_S_NOTICKET, \
+        OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_NOTICKET, \
        OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_LEGACYCONN, \
        OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_STRICT, OPT_S_SIGALGS, \
        OPT_S_CLIENTSIGALGS, OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, \
-        OPT_S_DHPARAM, OPT_S_DEBUGBROKE, \
+        OPT_S_DHPARAM, OPT_S_DEBUGBROKE, OPT_S_COMP, \
        OPT_S__LAST

 # define OPT_S_OPTIONS \
-        {"no_ssl3", OPT_S_NOSSL3, '-' }, \
-        {"no_tls1", OPT_S_NOTLS1, '-' }, \
-        {"no_tls1_1", OPT_S_NOTLS1_1, '-' }, \
-        {"no_tls1_2", OPT_S_NOTLS1_2, '-' }, \
-        {"bugs", OPT_S_BUGS, '-' }, \
-        {"no_comp", OPT_S_NOCOMP, '-', "Don't use SSL/TLS-level compression" }, \
-        {"ecdh_single", OPT_S_ECDHSINGLE, '-' }, \
-        {"no_ticket", OPT_S_NOTICKET, '-' }, \
-        {"serverpref", OPT_S_SERVERPREF, '-' }, \
-        {"legacy_renegotiation", OPT_S_LEGACYRENEG, '-' }, \
-        {"legacy_server_connect", OPT_S_LEGACYCONN, '-' }, \
-        {"no_resumption_on_reneg", OPT_S_ONRESUMP, '-' }, \
-        {"no_legacy_server_connect", OPT_S_NOLEGACYCONN, '-' }, \
-        {"strict", OPT_S_STRICT, '-' }, \
+        {"no_ssl3", OPT_S_NOSSL3, '-',"Just disable SSLv3" }, \
+        {"no_tls1", OPT_S_NOTLS1, '-', "Just disable TLSv1"}, \
+        {"no_tls1_1", OPT_S_NOTLS1_1, '-', "Just disable TLSv1.1" }, \
+        {"no_tls1_2", OPT_S_NOTLS1_2, '-', "Just disable TLSv1.2"}, \
+        {"bugs", OPT_S_BUGS, '-', "Turn on SSL bug compatibility"}, \
+        {"no_comp", OPT_S_NO_COMP, '-', "Disable SSL/TLS compression (default)" }, \
+        {"comp", OPT_S_COMP, '-', "Use SSL/TLS-level compression" }, \
+        {"no_ticket", OPT_S_NOTICKET, '-', \
+            "Disable use of TLS session tickets"}, \
+        {"serverpref", OPT_S_SERVERPREF, '-', "Use server's cipher preferences"}, \
+        {"legacy_renegotiation", OPT_S_LEGACYRENEG, '-', \
+            "Enable use of legacy renegotiation (dangerous)"}, \
+        {"legacy_server_connect", OPT_S_LEGACYCONN, '-', \
+            "Allow initial connection to servers that don't support RI"}, \
+        {"no_resumption_on_reneg", OPT_S_ONRESUMP, '-', \
+            "Disallow session resumption on renegotiation"}, \
+        {"no_legacy_server_connect", OPT_S_NOLEGACYCONN, '-', \
+            "Disallow initial connection to servers that don't support RI"}, \
+        {"strict", OPT_S_STRICT, '-', \
+            "Enforce strict certificate checks as per TLS standard"}, \
        {"sigalgs", OPT_S_SIGALGS, 's', \
            "Signature algorithms to support (colon-separated list)" }, \
        {"client_sigalgs", OPT_S_CLIENTSIGALGS, 's', \
@@ -305,9 +349,11 @@ void wait_for_async(SSL *s);
            "Elliptic curves to advertise (colon-separated list)" }, \
        {"named_curve", OPT_S_NAMEDCURVE, 's', \
            "Elliptic curve used for ECDHE (server-side only)" }, \
-        {"cipher", OPT_S_CIPHER, 's', }, \
-        {"dhparam", OPT_S_DHPARAM, '<' }, \
-        {"debug_broken_protocol", OPT_S_DEBUGBROKE, '-' }
+        {"cipher", OPT_S_CIPHER, 's', "Specify cipher list to be used"}, \
+        {"dhparam", OPT_S_DHPARAM, '<', \
+            "DH parameter file to use, in cert file if not specified"}, \
+        {"debug_broken_protocol", OPT_S_DEBUGBROKE, '-', \
+            "Perform all sorts of protocol violations for testing purposes"}

 # define OPT_S_CASES \
        OPT_S__FIRST: case OPT_S__LAST: break; \
@@ -316,8 +362,8 @@ void wait_for_async(SSL *s);
        case OPT_S_NOTLS1_1: \
        case OPT_S_NOTLS1_2: \
        case OPT_S_BUGS: \
-        case OPT_S_NOCOMP: \
-        case OPT_S_ECDHSINGLE: \
+        case OPT_S_NO_COMP: \
+        case OPT_S_COMP: \
        case OPT_S_NOTICKET: \
        case OPT_S_SERVERPREF: \
        case OPT_S_LEGACYRENEG: \
@@ -343,8 +389,9 @@ typedef struct options_st {
    int retval;
    /*
     * value type: - no value (also the value zero), n number, p positive
-     * number, u unsigned, s string, < input file, > output file, f der/pem
-     * format, F any format identifier.  n and u include zero; p does not.
+     * number, u unsigned, l long, s string, < input file, > output file,
+     * f any format, F der/pem format , E der/pem/engine format identifier.
+     * l, n and u include zero; p does not.
     */
    int valtype;
    const char *helpstr;
@@ -371,6 +418,7 @@ typedef struct string_int_pair_st {
 # define OPT_FMT_TEXT            (1L <<  8)
 # define OPT_FMT_HTTP            (1L <<  9)
 # define OPT_FMT_PVK             (1L << 10)
+# define OPT_FMT_PDE     (OPT_FMT_PEMDER | OPT_FMT_ENGINE)
 # define OPT_FMT_ANY     ( \
        OPT_FMT_PEMDER | OPT_FMT_PKCS12 | OPT_FMT_SMIME | \
        OPT_FMT_ENGINE | OPT_FMT_MSBLOB | OPT_FMT_NETSCAPE | \
@@ -384,6 +432,11 @@ int opt_format(const char *s, unsigned long flags, int *result);
 int opt_int(const char *arg, int *result);
 int opt_ulong(const char *arg, unsigned long *result);
 int opt_long(const char *arg, long *result);
+#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L && \
+    defined(INTMAX_MAX) && defined(UINTMAX_MAX)
+int opt_imax(const char *arg, intmax_t *result);
+int opt_umax(const char *arg, uintmax_t *result);
+#endif
 int opt_pair(const char *arg, const OPT_PAIR * pairs, int *result);
 int opt_cipher(const char *name, const EVP_CIPHER **cipherp);
 int opt_md(const char *name, const EVP_MD **mdp);
@@ -437,12 +490,10 @@ EVP_PKEY *load_key(const char *file, int format, int maybe_stdin,
                   const char *pass, ENGINE *e, const char *key_descrip);
 EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
                      const char *pass, ENGINE *e, const char *key_descrip);
-STACK_OF(X509) *load_certs(const char *file, int format,
-                           const char *pass, ENGINE *e,
-                           const char *cert_descrip);
-STACK_OF(X509_CRL) *load_crls(const char *file, int format,
-                              const char *pass, ENGINE *e,
-                              const char *cert_descrip);
+int load_certs(const char *file, STACK_OF(X509) **certs, int format,
+               const char *pass, ENGINE *e, const char *cert_descrip);
+int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format,
+              const char *pass, ENGINE *e, const char *cert_descrip);
 X509_STORE *setup_verify(char *CAfile, char *CApath,
                         int noCAfile, int noCApath);
 int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile,
@@ -508,7 +559,7 @@ int args_verify(char ***pargs, int *pargc,
                int *badarg, X509_VERIFY_PARAM **pm);
 void policies_print(X509_STORE_CTX *ctx);
 int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
-int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value);
+int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value);
 int init_gen_str(EVP_PKEY_CTX **pctx,
                 const char *algname, ENGINE *e, int do_param);
 int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
--- a/apps/asn1pars.c
+++ b/apps/asn1pars.c
@@ -81,7 +81,7 @@ OPTIONS asn1parse_options[] = {
    {"inform", OPT_INFORM, 'F', "input format - one of DER PEM"},
    {"in", OPT_IN, '<', "input file"},
    {"out", OPT_OUT, '>', "output file (output format is always DER)"},
-    {"i", OPT_INDENT, 0, "entries"},
+    {"i", OPT_INDENT, 0, "indents the output"},
    {"noout", OPT_NOOUT, 0, "don't produce any output"},
    {"offset", OPT_OFFSET, 'p', "offset into file"},
    {"length", OPT_LENGTH, 'p', "length of section in file"},
--- a/apps/build.info
+++ b/apps/build.info
@@ -0,0 +1,18 @@
+{- use File::Spec::Functions qw/catdir rel2abs/; -}
+PROGRAMS=openssl
+SOURCE[openssl]=\
+        openssl.c \
+        asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c dgst.c dhparam.c \
+        dsa.c dsaparam.c ec.c ecparam.c enc.c engine.c errstr.c gendsa.c \
+        genpkey.c genrsa.c nseq.c ocsp.c passwd.c pkcs12.c pkcs7.c pkcs8.c \
+        pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c rsa.c rsautl.c \
+        s_client.c s_server.c s_time.c sess_id.c smime.c speed.c spkac.c \
+        srp.c ts.c verify.c version.c x509.c rehash.c \
+        apps.c opt.c s_cb.c s_socket.c \
+        app_rand.c \
+        {- $target{apps_extra_src} -}
+INCLUDE[openssl]={- rel2abs(catdir($builddir,"../include")) -} .. ../include
+DEPEND[openssl]=../libssl
+
+SCRIPTS=CA.pl
+SOURCE[CA.pl]=CA.pl.in
--- a/apps/ca-key.pem
+++ b/apps/ca-key.pem
@@ -1,15 +1,16 @@
-----BEGIN RSA PRIVATE KEY-----
-MIICXQIBAAKBgQCju6PLddelT+nIMm07GQwmYa/eZ2JWbsmt2gotSCqM7asFp425
-gxSK4jqhhT62UPpqDBEwvQ+fYkVv3RV0r9ReuZGv12NoS4fXsQgqO17lHA7Od0Kd
-2yNwJjKh44MxPKDt2o8iQMyZE0zlHnEFNpsP4COLTDNC6ljEEu5bk8uPsQIDAQAB
-AoGAVZmpFZsDZfr0l2S9tLLwpjRWNOlKATQkno6q2WesT0eGLQufTciY+c8ypfU6
-hyio8r5iUl/VhhdjhAtKx1mRpiotftHo/eYf8rtsrnprOnWG0bWjLjtIoMbcxGn2
-J3bN6LJmbJMjDs0eJ3KnTu646F3nDUw2oGAwmpzKXA1KAP0CQQDRvQhxk2D3Pehs
-HvG665u2pB5ipYQngEFlZO7RHJZzJOZEWSLuuMqaF/7pTfA5jiBvWqCgJeCRRInL
-21ru4dlPAkEAx9jj7BgKn5TYnMoBSSe0afjsV9oApVpN1Nacb1YDtCwy+scp3++s
-nFxlv98wxIlSdpwMUn+AUWfjiWR7Tu/G/wJBAJ/KjwZIrFVxewP0x2ILYsTRYLzz
-MS4PDsO7FB+I0i7DbBOifXS2oNSpd3I0CNMwrxFnUHzynpbOStVfN3ZL5w0CQQCa
-pwFahxBRhkJKsxhjoFJBX9yl75JoY4Wvm5Tbo9ih6UJaRx3kqfkN14L2BKYcsZgb
-KY9vmDOYy6iNfjDeWTfJAkBkfPUb8oTJ/nSP5zN6sqGxSY4krc4xLxpRmxoJ8HL2
-XfhqXkTzbU13RX9JJ/NZ8vQN9Vm2NhxRGJocQkmcdVtJ
-----END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAL4tQNyKy4U2zX6l
+IZvORB1edmwMwIgSB4cgoFECrG5pixzYxKauZkAwKG9/+L4DB8qXRjfXWcvafcOU
+DlYpRROykJ7wGkiqmqbZyrxY8DWjk5ZZQXiSuhYOAJB+Fyfb11JZV6+CvBQX/1g+
+vhJr39Gmp6oAesoYrj90ecozClmnAgMBAAECgYA3j6sSg+5f9hnldUMzbPjTh8Sb
+XsJlPrc6UFrmMBzGiUleXSpe9Dbla+x0XvQCN4pwMvAN4nnWp/f0Su5BV/9Y93nb
+im5ijGNrfN9i6QrnqGCr+MMute+4E8HR2pCScX0mBLDDf40SmDvMzCaxtd21keyr
+9DqHgInQZNEi6NKlkQJBAPCbUTFg6iQ6VTCQ8CsEf5q2xHhuTK23fJ999lvWVxN7
+QsvWb9RP9Ng34HVtvB7Pl6P7FyHLQYiDJhhvYR0L0+kCQQDKV/09Kt6Wjf5Omp1I
+wd3A+tFnipdqnPw+qNHGjevv0hYiEIWQOYbx00zXgaX+WN/pzV9eeNN2XAxlNJ++
+dxcPAkBrzeuPKFFAcjKBVC+H1rgl5gYZv7Hzk+buv02G0H6rZ+sB0c7BXiHiTwbv
+Fn/XfkP/YR14Ms3mEH0dLaphjU8hAkEAh3Ar/rRiN04mCcEuRFQXtaNtZSv8PA2G
+Pf7MI2Y9pdHupLCAZlBLRjTUO2/5hu1AO4QPMPIZQSFN3rRBtMCL+wJAMp/m2hvI
+TmtbMp/IrKGfma09e3yFiCmoNn7cHLJ7jLvXcacV2XNzpr9YHfBxiZo0g9FqZKvv
+PZoQ5B2XJ7bhTQ==
+-----END PRIVATE KEY-----
--- a/apps/ca-req.pem
+++ b/apps/ca-req.pem
@@ -1,11 +1,11 @@
 -----BEGIN CERTIFICATE REQUEST-----
-MIIBmTCCAQICAQAwWzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQx
-GjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYDVQQDExJUZXN0IENBICgx
-MDI0IGJpdCkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKO7o8t116VP6cgy
-bTsZDCZhr95nYlZuya3aCi1IKoztqwWnjbmDFIriOqGFPrZQ+moMETC9D59iRW/d
-FXSv1F65ka/XY2hLh9exCCo7XuUcDs53Qp3bI3AmMqHjgzE8oO3ajyJAzJkTTOUe
-cQU2mw/gI4tMM0LqWMQS7luTy4+xAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAKlk7
-cxu9gCJN3/iQFyJXQ6YphaiQAT5VBXTx9ftRrQIjA3vxlDzPWGDy+V5Tqa7h8PtR
-5Bn00JShII2zf0hjyjKils6x/UkWmjEiwSiFp4hR70iE8XwSNEHY2P6j6nQEIpgW
-kbfgmmUqk7dl2V+ossTJ80B8SBpEhrn81V/cHxA=
+MIIBmzCCAQQCAQAwWzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClF1ZWVuc2xhbmQx
+GjAYBgNVBAoMEUNyeXB0U29mdCBQdHkgTHRkMRswGQYDVQQDDBJUZXN0IENBICgx
+MDI0IGJpdCkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL4tQNyKy4U2zX6l
+IZvORB1edmwMwIgSB4cgoFECrG5pixzYxKauZkAwKG9/+L4DB8qXRjfXWcvafcOU
+DlYpRROykJ7wGkiqmqbZyrxY8DWjk5ZZQXiSuhYOAJB+Fyfb11JZV6+CvBQX/1g+
+vhJr39Gmp6oAesoYrj90ecozClmnAgMBAAGgADANBgkqhkiG9w0BAQsFAAOBgQCo
+2jE7J1SNV7kyRm9m8CoPw8xYsuVcVFxPheBymYp8BlO0/rSdYygRjobpYnLVRUPZ
+pV792wzT1Rp4sXfZWO10lkFY4yi0pH2cdK2RX7qedibV1Xu9vt/yYANFBKVpA4dy
+PRyTQwi3In1N8hdfddpYR8f5MIUYRe5poFMIJcf8JA==
 -----END CERTIFICATE REQUEST-----
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -209,7 +209,8 @@ OPTIONS ca_options[] = {
    {"name", OPT_NAME, 's', "The particular CA definition to use"},
    {"subj", OPT_SUBJ, 's', "Use arg instead of request's subject"},
    {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"},
-    {"create_serial", OPT_CREATE_SERIAL, '-'},
+    {"create_serial", OPT_CREATE_SERIAL, '-',
+    "If reading serial fails, create a new random serial"},
    {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
     "Enable support for multivalued RDNs"},
    {"startdate", OPT_STARTDATE, 's', "Cert notBefore, YYMMDDHHMMSSZ"},
@@ -218,7 +219,7 @@ OPTIONS ca_options[] = {
    {"days", OPT_DAYS, 'p', "Number of days to certify the cert for"},
    {"md", OPT_MD, 's', "md to use; one of md2, md5, sha or sha1"},
    {"policy", OPT_POLICY, 's', "The CA 'policy' to support"},
-    {"keyfile", OPT_KEYFILE, '<', "Private key file"},
+    {"keyfile", OPT_KEYFILE, 's', "Private key"},
    {"keyform", OPT_KEYFORM, 'f', "Private key file format (PEM or ENGINE)"},
    {"passin", OPT_PASSIN, 's'},
    {"key", OPT_KEY, 's', "Key to decode the private key if it is encrypted"},
@@ -253,10 +254,13 @@ OPTIONS ca_options[] = {
    {"updatedb", OPT_UPDATEDB, '-', "Updates db for expired cert"},
    {"crlexts", OPT_CRLEXTS, 's',
     "CRL extension section (override value in config file)"},
-    {"crl_reason", OPT_CRL_REASON, 's'},
-    {"crl_hold", OPT_CRL_HOLD, 's'},
-    {"crl_compromise", OPT_CRL_COMPROMISE, 's'},
-    {"crl_CA_compromise", OPT_CRL_CA_COMPROMISE, 's'},
+    {"crl_reason", OPT_CRL_REASON, 's', "revocation reason"},
+    {"crl_hold", OPT_CRL_HOLD, 's',
+     "the hold instruction, an OID. Sets revocation reason to certificateHold"},
+    {"crl_compromise", OPT_CRL_COMPROMISE, 's',
+     "sets compromise time to val and the revocation reason to keyCompromise"},
+    {"crl_CA_compromise", OPT_CRL_CA_COMPROMISE, 's',
+     "sets compromise time to val and the revocation reason to CACompromise"},
 #ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
@@ -727,7 +731,7 @@ end_of_options:
            goto end;
        }
        for ( ; *p; p++) {
-            if (!isxdigit(*p)) {
+            if (!isxdigit(_UC(*p))) {
                BIO_printf(bio_err,
                           "entry %d: bad char 0%o '%c' in serial number\n",
                           i + 1, *p, *p);
@@ -1067,7 +1071,7 @@ end_of_options:
            strcpy(buf[2], outdir);

 #ifndef OPENSSL_SYS_VMS
-            BUF_strlcat(buf[2], "/", sizeof(buf[2]));
+            OPENSSL_strlcat(buf[2], "/", sizeof(buf[2]));
 #endif

            n = (char *)&(buf[2][strlen(buf[2])]);
@@ -1402,12 +1406,11 @@ static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,

    BIO_printf(bio_err, "Check that the request matches the signature\n");

-    if ((pktmp = X509_get_pubkey(req)) == NULL) {
+    if ((pktmp = X509_get0_pubkey(req)) == NULL) {
        BIO_printf(bio_err, "error unpacking public key\n");
        goto end;
    }
    i = X509_verify(req, pktmp);
-    EVP_PKEY_free(pktmp);
    if (i < 0) {
        ok = 0;
        BIO_printf(bio_err, "Signature verification problems....\n");
@@ -1420,7 +1423,7 @@ static int certify_cert(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
    } else
        BIO_printf(bio_err, "Signature ok\n");

-    if ((rreq = X509_to_X509_REQ(req, NULL, EVP_md5())) == NULL)
+    if ((rreq = X509_to_X509_REQ(req, NULL, NULL)) == NULL)
        goto end;

    ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj,
@@ -1680,7 +1683,7 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
    }

    if (BN_is_zero(serial))
-        row[DB_serial] = BUF_strdup("00");
+        row[DB_serial] = OPENSSL_strdup("00");
    else
        row[DB_serial] = BN_bn2hex(serial);
    if (row[DB_serial] == NULL) {
@@ -1890,27 +1893,22 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
        }
    }

-    pktmp = X509_get_pubkey(ret);
+    pktmp = X509_get0_pubkey(ret);
    if (EVP_PKEY_missing_parameters(pktmp) &&
        !EVP_PKEY_missing_parameters(pkey))
        EVP_PKEY_copy_parameters(pktmp, pkey);
-    EVP_PKEY_free(pktmp);

    if (!do_X509_sign(ret, pkey, dgst, sigopts))
        goto end;

    /* We now just add it to the database */
-    row[DB_type] = app_malloc(2, "row db type");
-
+    row[DB_type] = OPENSSL_strdup("V");
    tm = X509_get_notAfter(ret);
    row[DB_exp_date] = app_malloc(tm->length + 1, "row expdate");
    memcpy(row[DB_exp_date], tm->data, tm->length);
    row[DB_exp_date][tm->length] = '\0';
-
    row[DB_rev_date] = NULL;
-
-    /* row[DB_serial] done already */
-    row[DB_file] = app_malloc(8, "row file");
+    row[DB_file] = OPENSSL_strdup("unknown");
    row[DB_name] = X509_NAME_oneline(X509_get_subject_name(ret), NULL, 0);

    if ((row[DB_type] == NULL) || (row[DB_exp_date] == NULL) ||
@@ -1918,9 +1916,6 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
        BIO_printf(bio_err, "Memory allocation failure\n");
        goto end;
    }
-    BUF_strlcpy(row[DB_file], "unknown", 8);
-    row[DB_type][0] = 'V';
-    row[DB_type][1] = '\0';

    irow = app_malloc(sizeof(*irow) * (DB_NUMBER + 1), "row space");
    for (i = 0; i < DB_NUMBER; i++) {
@@ -2120,7 +2115,7 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)
    if (!bn)
        goto end;
    if (BN_is_zero(bn))
-        row[DB_serial] = BUF_strdup("00");
+        row[DB_serial] = OPENSSL_strdup("00");
    else
        row[DB_serial] = BN_bn2hex(bn);
    BN_free(bn);
@@ -2139,23 +2134,13 @@ static int do_revoke(X509 *x509, CA_DB *db, int type, char *value)
                   row[DB_serial], row[DB_name]);

        /* We now just add it to the database */
-        row[DB_type] = app_malloc(2, "row type");
-
+        row[DB_type] = OPENSSL_strdup("V");
        tm = X509_get_notAfter(x509);
        row[DB_exp_date] = app_malloc(tm->length + 1, "row exp_data");
        memcpy(row[DB_exp_date], tm->data, tm->length);
        row[DB_exp_date][tm->length] = '\0';
-
        row[DB_rev_date] = NULL;
-
-        /* row[DB_serial] done already */
-        row[DB_file] = app_malloc(8, "row filename");
-
-        /* row[DB_name] done already */
-
-        BUF_strlcpy(row[DB_file], "unknown", 8);
-        row[DB_type][0] = 'V';
-        row[DB_type][1] = '\0';
+        row[DB_file] = OPENSSL_strdup("unknown");

        irow = app_malloc(sizeof(*irow) * (DB_NUMBER + 1), "row ptr");
        for (i = 0; i < DB_NUMBER; i++) {
@@ -2430,14 +2415,14 @@ char *make_revocation_str(int rev_type, char *rev_arg)
        i += strlen(other) + 1;

    str = app_malloc(i, "revocation reason");
-    BUF_strlcpy(str, (char *)revtm->data, i);
+    OPENSSL_strlcpy(str, (char *)revtm->data, i);
    if (reason) {
-        BUF_strlcat(str, ",", i);
-        BUF_strlcat(str, reason, i);
+        OPENSSL_strlcat(str, ",", i);
+        OPENSSL_strlcat(str, reason, i);
    }
    if (other) {
-        BUF_strlcat(str, ",", i);
-        BUF_strlcat(str, other, i);
+        OPENSSL_strlcat(str, ",", i);
+        OPENSSL_strlcat(str, other, i);
    }
    ASN1_UTCTIME_free(revtm);
    return str;
@@ -2555,7 +2540,7 @@ int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold,
    ASN1_OBJECT *hold = NULL;
    ASN1_GENERALIZEDTIME *comp_time = NULL;

-    tmp = BUF_strdup(str);
+    tmp = OPENSSL_strdup(str);
    if (!tmp) {
        BIO_printf(bio_err, "memory allocation failure\n");
        goto end;
--- a/apps/ciphers.c
+++ b/apps/ciphers.c
@@ -78,21 +78,28 @@ OPTIONS ciphers_options[] = {
    {"v", OPT_V, '-', "Verbose listing of the SSL/TLS ciphers"},
    {"V", OPT_UPPER_V, '-', "Even more verbose"},
    {"s", OPT_S, '-', "Only supported ciphers"},
-    {"tls1", OPT_TLS1, '-', "TLS1 mode"},
-    {"tls1_1", OPT_TLS1_1, '-', "TLS1.1 mode"},
-    {"tls1_2", OPT_TLS1_2, '-', "TLS1.2 mode"},
-#ifndef OPENSSL_NO_SSL_TRACE
-    {"stdname", OPT_STDNAME, '-', "Show standard cipher names"},
-#endif
 #ifndef OPENSSL_NO_SSL3
    {"ssl3", OPT_SSL3, '-', "SSL3 mode"},
 #endif
+#ifndef OPENSSL_NO_TLS1
+    {"tls1", OPT_TLS1, '-', "TLS1 mode"},
+#endif
+#ifndef OPENSSL_NO_TLS1_1
+    {"tls1_1", OPT_TLS1_1, '-', "TLS1.1 mode"},
+#endif
+#ifndef OPENSSL_NO_TLS1_2
+    {"tls1_2", OPT_TLS1_2, '-', "TLS1.2 mode"},
+#endif
+#ifndef OPENSSL_NO_SSL_TRACE
+    {"stdname", OPT_STDNAME, '-', "Show standard cipher names"},
+#endif
 #ifndef OPENSSL_NO_PSK
    {"psk", OPT_PSK, '-', "include ciphersuites requiring PSK"},
 #endif
    {NULL}
 };

+#ifndef OPENSSL_NO_PSK
 static unsigned int dummy_psk(SSL *ssl, const char *hint, char *identity,
                              unsigned int max_identity_len,
                              unsigned char *psk,
@@ -100,6 +107,7 @@ static unsigned int dummy_psk(SSL *ssl, const char *hint, char *identity,
 {
    return 0;
 }
+#endif

 int ciphers_main(int argc, char **argv)
 {
@@ -151,13 +159,19 @@ int ciphers_main(int argc, char **argv)
 #endif
            break;
        case OPT_TLS1:
+#ifndef OPENSSL_NO_TLS1
            meth = TLSv1_client_method();
+#endif
            break;
        case OPT_TLS1_1:
+#ifndef OPENSSL_NO_TLS1_1
            meth = TLSv1_1_client_method();
+#endif
            break;
        case OPT_TLS1_2:
+#ifndef OPENSSL_NO_TLS1_2
            meth = TLSv1_2_client_method();
+#endif
            break;
        case OPT_PSK:
 #ifndef OPENSSL_NO_PSK
@@ -198,7 +212,7 @@ int ciphers_main(int argc, char **argv)

    if (!verbose) {
        for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
-            SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i);
+            const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i);
            p = SSL_CIPHER_get_name(c);
            if (p == NULL)
                break;
@@ -210,7 +224,7 @@ int ciphers_main(int argc, char **argv)
    } else {

        for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
-            SSL_CIPHER *c;
+            const SSL_CIPHER *c;

            c = sk_SSL_CIPHER_value(sk, i);

--- a/apps/cms.c
+++ b/apps/cms.c
@@ -206,7 +206,7 @@ OPTIONS cms_options[] = {
    {"recip", OPT_RECIP, '<', "Recipient cert file for decryption"},
    {"certsout", OPT_CERTSOUT, '>', "Certificate output file"},
    {"md", OPT_MD, 's'},
-    {"inkey", OPT_INKEY, '<',
+    {"inkey", OPT_INKEY, 's',
     "Input private key (if not signer or recipient)"},
    {"keyform", OPT_KEYFORM, 'f', "Input private key format (PEM or ENGINE)"},
    {"keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs"},
@@ -735,8 +735,8 @@ int cms_main(int argc, char **argv)
    }

    if (certfile) {
-        if ((other = load_certs(certfile, FORMAT_PEM, NULL, e,
-                                "certificate file")) == NULL) {
+        if (!load_certs(certfile, &other, FORMAT_PEM, NULL, e,
+                        "certificate file")) {
            ERR_print_errors(bio_err);
            goto end;
        }
@@ -902,7 +902,7 @@ int cms_main(int argc, char **argv)
            secret_keyid = NULL;
        }
        if (pwri_pass) {
-            pwri_tmp = (unsigned char *)BUF_strdup((char *)pwri_pass);
+            pwri_tmp = (unsigned char *)OPENSSL_strdup((char *)pwri_pass);
            if (!pwri_tmp)
                goto end;
            if (!CMS_add0_recipient_password(cms,
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -253,14 +253,13 @@ int crl_main(int argc, char **argv)
            BIO_printf(bio_err, "Error getting CRL issuer certificate\n");
            goto end;
        }
-        pkey = X509_get_pubkey(xobj.data.x509);
+        pkey = X509_get0_pubkey(xobj.data.x509);
        X509_OBJECT_free_contents(&xobj);
        if (!pkey) {
            BIO_printf(bio_err, "Error getting CRL issuer public key\n");
            goto end;
        }
        i = X509_CRL_verify(x, pkey);
-        EVP_PKEY_free(pkey);
        if (i < 0)
            goto end;
        if (i == 0)
--- a/apps/crl2p7.c
+++ b/apps/crl2p7.c
@@ -138,7 +138,7 @@ int crl2pkcs7_main(int argc, char **argv)
            if ((certflst == NULL)
                && (certflst = sk_OPENSSL_STRING_new_null()) == NULL)
                goto end;
-            if (!sk_OPENSSL_STRING_push(certflst, *(++argv))) {
+            if (!sk_OPENSSL_STRING_push(certflst, opt_arg())) {
                sk_OPENSSL_STRING_free(certflst);
                goto end;
            }
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -80,7 +80,7 @@ typedef enum OPTION_choice {
    OPT_C, OPT_R, OPT_RAND, OPT_OUT, OPT_SIGN, OPT_PASSIN, OPT_VERIFY,
    OPT_PRVERIFY, OPT_SIGNATURE, OPT_KEYFORM, OPT_ENGINE, OPT_ENGINE_IMPL,
    OPT_HEX, OPT_BINARY, OPT_DEBUG, OPT_FIPS_FINGERPRINT,
-    OPT_NON_FIPS_ALLOW, OPT_HMAC, OPT_MAC, OPT_SIGOPT, OPT_MACOPT,
+    OPT_HMAC, OPT_MAC, OPT_SIGOPT, OPT_MACOPT,
    OPT_DIGEST
 } OPTION_CHOICE;

@@ -91,30 +91,32 @@ OPTIONS dgst_options[] = {
    {"help", OPT_HELP, '-', "Display this summary"},
    {"c", OPT_C, '-', "Print the digest with separating colons"},
    {"r", OPT_R, '-', "Print the digest in coreutils format"},
-    {"rand", OPT_RAND, 's'},
+    {"rand", OPT_RAND, 's',
+     "Use file(s) containing random data to seed RNG or an EGD sock"},
    {"out", OPT_OUT, '>', "Output to filename rather than stdout"},
-    {"passin", OPT_PASSIN, 's'},
-    {"sign", OPT_SIGN, '<', "Sign digest using private key in file"},
-    {"verify", OPT_VERIFY, '<',
-     "Verify a signature using public key in file"},
-    {"prverify", OPT_PRVERIFY, '<',
-     "Verify a signature using private key in file"},
+    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
+    {"sign", OPT_SIGN, 's', "Sign digest using private key"},
+    {"verify", OPT_VERIFY, 's',
+     "Verify a signature using public key"},
+    {"prverify", OPT_PRVERIFY, 's',
+     "Verify a signature using private key"},
    {"signature", OPT_SIGNATURE, '<', "File with signature to verify"},
    {"keyform", OPT_KEYFORM, 'f', "Key file format (PEM or ENGINE)"},
    {"hex", OPT_HEX, '-', "Print as hex dump"},
    {"binary", OPT_BINARY, '-', "Print in binary form"},
    {"d", OPT_DEBUG, '-', "Print debug info"},
-    {"debug", OPT_DEBUG, '-'},
-    {"fips-fingerprint", OPT_FIPS_FINGERPRINT, '-'},
-    {"non-fips-allow", OPT_NON_FIPS_ALLOW, '-'},
+    {"debug", OPT_DEBUG, '-', "Print debug info"},
+    {"fips-fingerprint", OPT_FIPS_FINGERPRINT, '-',
+     "Compute HMAC with the key used in OpenSSL-FIPS fingerprint"},
    {"hmac", OPT_HMAC, 's', "Create hashed MAC with key"},
-    {"mac", OPT_MAC, 's', "Create MAC (not neccessarily HMAC)"},
+    {"mac", OPT_MAC, 's', "Create MAC (not necessarily HMAC)"},
    {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
    {"macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form or key"},
    {"", OPT_DIGEST, '-', "Any supported digest"},
 #ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
-    {"engine_impl", OPT_ENGINE_IMPL, '-'},
+    {"engine_impl", OPT_ENGINE_IMPL, '-',
+     "Also use engine given by -engine for digest operations"},
 #endif
    {NULL}
 };
@@ -133,8 +135,7 @@ int dgst_main(int argc, char **argv)
    const char *sigfile = NULL, *randfile = NULL;
    OPTION_CHOICE o;
    int separator = 0, debug = 0, keyform = FORMAT_PEM, siglen = 0;
-    int i, ret = 1, out_bin = -1, want_pub = 0, do_verify =
-        0, non_fips_allow = 0;
+    int i, ret = 1, out_bin = -1, want_pub = 0, do_verify = 0;
    unsigned char *buf = NULL, *sigbuf = NULL;
    int engine_impl = 0;

@@ -205,9 +206,6 @@ int dgst_main(int argc, char **argv)
        case OPT_FIPS_FINGERPRINT:
            hmac_key = "etaonrishdlcupfm";
            break;
-        case OPT_NON_FIPS_ALLOW:
-            non_fips_allow = 1;
-            break;
        case OPT_HMAC:
            hmac_key = opt_arg();
            break;
@@ -323,12 +321,6 @@ int dgst_main(int argc, char **argv)
            goto end;
    }

-    if (non_fips_allow) {
-        EVP_MD_CTX *md_ctx;
-        BIO_get_md_ctx(bmd, &md_ctx);
-        EVP_MD_CTX_set_flags(md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
-    }
-
    if (hmac_key) {
        sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, impl,
                                      (unsigned char *)hmac_key, -1);
@@ -375,7 +367,7 @@ int dgst_main(int argc, char **argv)
            goto end;
        }
        if (md == NULL)
-            md = EVP_md5();
+            md = EVP_sha256();
        if (!EVP_DigestInit_ex(mctx, md, impl)) {
            BIO_printf(bio_err, "Error setting digest\n");
            ERR_print_errors(bio_err);
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -108,8 +108,11 @@
 *
 */

-#include <openssl/opensslconf.h> /* for OPENSSL_NO_DH */
-#ifndef OPENSSL_NO_DH
+#include <openssl/opensslconf.h>
+#ifdef OPENSSL_NO_DH
+NON_EMPTY_TRANSLATION_UNIT
+#else
+
 # include <stdio.h>
 # include <stdlib.h>
 # include <time.h>
@@ -443,11 +446,4 @@ static int dh_cb(int p, int n, BN_GENCB *cb)
    (void)BIO_flush(BN_GENCB_get_arg(cb));
    return 1;
 }
-
-#else                           /* !OPENSSL_NO_DH */
-
-# if PEDANTIC
-static void *dummy = &dummy;
-# endif
-
 #endif
--- a/apps/dsa-ca.pem
+++ b/apps/dsa-ca.pem
@@ -11,30 +11,37 @@ tOFDITEAl+YZZariXOD7tdOSOl9RLMPC6+daHKS9e68u3enxhqnDGQIUB78dhW77
 J6zsFbSEHaQGUmfSeoM=
 -----END DSA PRIVATE KEY-----
 -----BEGIN CERTIFICATE REQUEST-----
-MIICUjCCAhECAQAwUjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx
-ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDELMAkGA1UEAxMCQ0Ew
-ggG0MIIBKQYFKw4DAgwwggEeAoGBAKc/boW/QWopffCfRxkwkJoJHdpqMx7FPYaW
-sxXgUy6P4FmCc5A+dTGZR3pS+4Xk2aZ7OJtoioSbh8YetX6GS1NbWc9xZRmIbs5m
-rmuINvvsKNzC16W75Sw5JkvamnAYlTeVEFYj9hXtugRe3jlP/bdDH7WkZW/NgBHk
-cJVbUM1JAhUA9wcx7fpsBgPVhYocrJxl51BmZW8CgYBN30wDppGK9RlvUEYlmeVo
-bzDjaeHls12YuyiGSPzemQQ/X4gMnHMkDSBduSqaPxiWJ+Rih8F7dGJT/GEnqHqR
-CZ228U2cVA9YBu5JdAfOVX4jzhb2ytxaYQF+yXG1TfbcNCmHaPZeIJOz2/XkCWxB
-F5WS6wG1c6Vqftgy7Q4CuAOBhAACgYAapll6iqz9XrZFlk2GCVcB+KihxWnH7IuH
-vSLw9YUrJahcBHmbpvt494lF4gC5w3WPM+vXJofbusk4GoQEEsQNMDaah4m49uUq
-AylOVFJJJXuirVJ+o+0TtOFDITEAl+YZZariXOD7tdOSOl9RLMPC6+daHKS9e68u
-3enxhqnDGaAAMAkGBSsOAwIbBQADMAAwLQIVAJGVuFsG/0DBuSZ0jF7ypdU0/G0v
-AhQfeF5BoMMDbX/kidUVpQ6gadPlZA==
+MIICVjCCAhMCAQAwUjELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
+ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDELMAkGA1UEAwwCQ0Ew
+ggG2MIIBKwYHKoZIzjgEATCCAR4CgYEApz9uhb9Bail98J9HGTCQmgkd2mozHsU9
+hpazFeBTLo/gWYJzkD51MZlHelL7heTZpns4m2iKhJuHxh61foZLU1tZz3FlGYhu
+zmaua4g2++wo3MLXpbvlLDkmS9qacBiVN5UQViP2Fe26BF7eOU/9t0MftaRlb82A
+EeRwlVtQzUkCFQD3BzHt+mwGA9WFihysnGXnUGZlbwKBgE3fTAOmkYr1GW9QRiWZ
+5WhvMONp4eWzXZi7KIZI/N6ZBD9fiAyccyQNIF25Kpo/GJYn5GKHwXt0YlP8YSeo
+epEJnbbxTZxUD1gG7kl0B85VfiPOFvbK3FphAX7JcbVN9tw0KYdo9l4gk7Pb9eQJ
+bEEXlZLrAbVzpWp+2DLtDgK4A4GEAAKBgBqmWXqKrP1etkWWTYYJVwH4qKHFacfs
+i4e9IvD1hSslqFwEeZum+3j3iUXiALnDdY8z69cmh9u6yTgahAQSxA0wNpqHibj2
+5SoDKU5UUkkle6KtUn6j7RO04UMhMQCX5hllquJc4Pu105I6X1Esw8Lr51ocpL17
+ry7d6fGGqcMZoAAwCwYJYIZIAWUDBAMCAzAAMC0CFCp7rUwGJNtxK6Aqo6k6US+S
+KP8sAhUAyfSi8Zs3QAvkJoFG0IMRaq8M03I=
 -----END CERTIFICATE REQUEST-----
 -----BEGIN CERTIFICATE-----
-MIIBrjCCAWwCAQswCQYFKw4DAhsFADBTMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
-U29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQww
-CgYDVQQDEwNQQ0EwHhcNOTcwNjE1MDIxNDI5WhcNOTcwNzE1MDIxNDI5WjBSMQsw
-CQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJu
-ZXQgV2lkZ2l0cyBQdHkgTHRkMQswCQYDVQQDEwJDQTCBkjAJBgUrDgMCDAUAA4GE
-AAKBgBqmWXqKrP1etkWWTYYJVwH4qKHFacfsi4e9IvD1hSslqFwEeZum+3j3iUXi
-ALnDdY8z69cmh9u6yTgahAQSxA0wNpqHibj25SoDKU5UUkkle6KtUn6j7RO04UMh
-MQCX5hllquJc4Pu105I6X1Esw8Lr51ocpL17ry7d6fGGqcMZMAkGBSsOAwIbBQAD
-MQAwLgIVAJ4wtQsANPxHo7Q4IQZYsL12SKdbAhUAjJ9n38zxT+iai2164xS+LIfa
-C1Q=
+MIIDMDCCAuygAwIBAgIBAjALBglghkgBZQMEAwIwUzELMAkGA1UEBhMCQVUxEzAR
+BgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5
+IEx0ZDEMMAoGA1UEAwwDUENBMCAXDTE2MDExMzIxNDE0OVoYDzMwMTUwNTE2MjE0
+MTQ5WjBSMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UE
+CgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQswCQYDVQQDDAJDQTCCAbYwggEr
+BgcqhkjOOAQBMIIBHgKBgQCnP26Fv0FqKX3wn0cZMJCaCR3aajMexT2GlrMV4FMu
+j+BZgnOQPnUxmUd6UvuF5NmmezibaIqEm4fGHrV+hktTW1nPcWUZiG7OZq5riDb7
+7Cjcwtelu+UsOSZL2ppwGJU3lRBWI/YV7boEXt45T/23Qx+1pGVvzYAR5HCVW1DN
+SQIVAPcHMe36bAYD1YWKHKycZedQZmVvAoGATd9MA6aRivUZb1BGJZnlaG8w42nh
+5bNdmLsohkj83pkEP1+IDJxzJA0gXbkqmj8YlifkYofBe3RiU/xhJ6h6kQmdtvFN
+nFQPWAbuSXQHzlV+I84W9srcWmEBfslxtU323DQph2j2XiCTs9v15AlsQReVkusB
+tXOlan7YMu0OArgDgYQAAoGAGqZZeoqs/V62RZZNhglXAfioocVpx+yLh70i8PWF
+KyWoXAR5m6b7ePeJReIAucN1jzPr1yaH27rJOBqEBBLEDTA2moeJuPblKgMpTlRS
+SSV7oq1SfqPtE7ThQyExAJfmGWWq4lzg+7XTkjpfUSzDwuvnWhykvXuvLt3p8Yap
+wxmjUDBOMB0GA1UdDgQWBBTMZcORcBEVlqO/CD4pf4V6N1NM1zAfBgNVHSMEGDAW
+gBTGjwJ33uvjSa20RNrMKWoGptOLdDAMBgNVHRMEBTADAQH/MAsGCWCGSAFlAwQD
+AgMxADAuAhUA4V6MrHufG8R79E+AtVO02olPxK8CFQDkZyo/TWpavsUBRDJbCeD9
+jgjIkA==
 -----END CERTIFICATE-----
-
--- a/apps/dsa-pca.pem
+++ b/apps/dsa-pca.pem
@@ -11,36 +11,37 @@ umz6tl+iUcNe5EoxdsYV1IXSddjOi08LOLsZq7AQlNnKvbtlmMDULpqkZJD0bO7A
 6TicfImU7UFRn9h00j0lJQ==
 -----END DSA PRIVATE KEY-----
 -----BEGIN CERTIFICATE REQUEST-----
-MIICVTCCAhMCAQAwUzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx
-ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEMMAoGA1UEAxMDUENB
-MIIBtTCCASkGBSsOAwIMMIIBHgKBgQCnP26Fv0FqKX3wn0cZMJCaCR3aajMexT2G
-lrMV4FMuj+BZgnOQPnUxmUd6UvuF5NmmezibaIqEm4fGHrV+hktTW1nPcWUZiG7O
-Zq5riDb77Cjcwtelu+UsOSZL2ppwGJU3lRBWI/YV7boEXt45T/23Qx+1pGVvzYAR
-5HCVW1DNSQIVAPcHMe36bAYD1YWKHKycZedQZmVvAoGATd9MA6aRivUZb1BGJZnl
-aG8w42nh5bNdmLsohkj83pkEP1+IDJxzJA0gXbkqmj8YlifkYofBe3RiU/xhJ6h6
-kQmdtvFNnFQPWAbuSXQHzlV+I84W9srcWmEBfslxtU323DQph2j2XiCTs9v15Als
-QReVkusBtXOlan7YMu0OArgDgYUAAoGBAKbtuR5AdW+ICjCFe2ixjUiJJzM2IKwe
-6NZEMXg39+HQ1UTPTmfLZLps+rZfolHDXuRKMXbGFdSF0nXYzotPCzi7GauwEJTZ
-yr27ZZjA1C6apGSQ9GzuwNvZ4rCXystVEagAS8OQ4H3D4dWS17Zg31ICb5o4E5r0
-z09o/Uz46u0VoAAwCQYFKw4DAhsFAAMxADAuAhUArRubTxsbIXy3AhtjQ943AbNB
-nSICFQCu+g1iW3jwF+gOcbroD4S/ZcvB3w==
+MIICWDCCAhUCAQAwUzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
+ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEMMAoGA1UEAwwDUENB
+MIIBtzCCASsGByqGSM44BAEwggEeAoGBAKc/boW/QWopffCfRxkwkJoJHdpqMx7F
+PYaWsxXgUy6P4FmCc5A+dTGZR3pS+4Xk2aZ7OJtoioSbh8YetX6GS1NbWc9xZRmI
+bs5mrmuINvvsKNzC16W75Sw5JkvamnAYlTeVEFYj9hXtugRe3jlP/bdDH7WkZW/N
+gBHkcJVbUM1JAhUA9wcx7fpsBgPVhYocrJxl51BmZW8CgYBN30wDppGK9RlvUEYl
+meVobzDjaeHls12YuyiGSPzemQQ/X4gMnHMkDSBduSqaPxiWJ+Rih8F7dGJT/GEn
+qHqRCZ228U2cVA9YBu5JdAfOVX4jzhb2ytxaYQF+yXG1TfbcNCmHaPZeIJOz2/Xk
+CWxBF5WS6wG1c6Vqftgy7Q4CuAOBhQACgYEApu25HkB1b4gKMIV7aLGNSIknMzYg
+rB7o1kQxeDf34dDVRM9OZ8tkumz6tl+iUcNe5EoxdsYV1IXSddjOi08LOLsZq7AQ
+lNnKvbtlmMDULpqkZJD0bO7A29nisJfKy1URqABLw5DgfcPh1ZLXtmDfUgJvmjgT
+mvTPT2j9TPjq7RWgADALBglghkgBZQMEAwIDMAAwLQIVAPA6/jxCT1D2HgzE4iZR
+AEup/C7YAhRPLTQvQnAiS5FRrA+8SwBLvDAsaw==
 -----END CERTIFICATE REQUEST-----
 -----BEGIN CERTIFICATE-----
-MIIC0zCCApECAQAwCQYFKw4DAhsFADBTMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
-U29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQww
-CgYDVQQDEwNQQ0EwHhcNOTcwNjE0MjI1NDQ1WhcNOTcwNzE0MjI1NDQ1WjBTMQsw
-CQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJu
-ZXQgV2lkZ2l0cyBQdHkgTHRkMQwwCgYDVQQDEwNQQ0EwggG1MIIBKQYFKw4DAgww
-ggEeAoGBAKc/boW/QWopffCfRxkwkJoJHdpqMx7FPYaWsxXgUy6P4FmCc5A+dTGZ
-R3pS+4Xk2aZ7OJtoioSbh8YetX6GS1NbWc9xZRmIbs5mrmuINvvsKNzC16W75Sw5
-JkvamnAYlTeVEFYj9hXtugRe3jlP/bdDH7WkZW/NgBHkcJVbUM1JAhUA9wcx7fps
-BgPVhYocrJxl51BmZW8CgYBN30wDppGK9RlvUEYlmeVobzDjaeHls12YuyiGSPze
-mQQ/X4gMnHMkDSBduSqaPxiWJ+Rih8F7dGJT/GEnqHqRCZ228U2cVA9YBu5JdAfO
-VX4jzhb2ytxaYQF+yXG1TfbcNCmHaPZeIJOz2/XkCWxBF5WS6wG1c6Vqftgy7Q4C
-uAOBhQACgYEApu25HkB1b4gKMIV7aLGNSIknMzYgrB7o1kQxeDf34dDVRM9OZ8tk
-umz6tl+iUcNe5EoxdsYV1IXSddjOi08LOLsZq7AQlNnKvbtlmMDULpqkZJD0bO7A
-29nisJfKy1URqABLw5DgfcPh1ZLXtmDfUgJvmjgTmvTPT2j9TPjq7RUwCQYFKw4D
-AhsFAAMxADAuAhUAvtv6AkMolix1Jvy3UnVEIUqdCUICFQC+jq8P49mwrY9oJ24n
-5rKUjNBhSg==
+MIIDMDCCAu6gAwIBAgIBATALBglghkgBZQMEAwIwUzELMAkGA1UEBhMCQVUxEzAR
+BgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5
+IEx0ZDEMMAoGA1UEAwwDUENBMCAXDTE2MDExMzIxNDE0OVoYDzMwMTUwNTE2MjE0
+MTQ5WjBTMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UE
+CgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQwwCgYDVQQDDANQQ0EwggG3MIIB
+KwYHKoZIzjgEATCCAR4CgYEApz9uhb9Bail98J9HGTCQmgkd2mozHsU9hpazFeBT
+Lo/gWYJzkD51MZlHelL7heTZpns4m2iKhJuHxh61foZLU1tZz3FlGYhuzmaua4g2
++wo3MLXpbvlLDkmS9qacBiVN5UQViP2Fe26BF7eOU/9t0MftaRlb82AEeRwlVtQ
+zUkCFQD3BzHt+mwGA9WFihysnGXnUGZlbwKBgE3fTAOmkYr1GW9QRiWZ5WhvMONp
+4eWzXZi7KIZI/N6ZBD9fiAyccyQNIF25Kpo/GJYn5GKHwXt0YlP8YSeoepEJnbbx
+TZxUD1gG7kl0B85VfiPOFvbK3FphAX7JcbVN9tw0KYdo9l4gk7Pb9eQJbEEXlZLr
+AbVzpWp+2DLtDgK4A4GFAAKBgQCm7bkeQHVviAowhXtosY1IiSczNiCsHujWRDF4
+N/fh0NVEz05ny2S6bPq2X6JRw17kSjF2xhXUhdJ12M6LTws4uxmrsBCU2cq9u2WY
+wNQumqRkkPRs7sDb2eKwl8rLVRGoAEvDkOB9w+HVkte2YN9SAm+aOBOa9M9PaP1M
+OrtFaNQME4wHQYDVR0OBBYEFMaPAnfe6+NJrbRE2swpagam04t0MB8GA1UdIwQY
+MBaAFMaPAnfe6+NJrbRE2swpagam04t0MAwGA1UdEwQFMAMBAf8wCwYJYIZIAWUD
+BAMCAy8AMCwCFFhdz4fzQo9BBF20U1CHldYTi/D7AhQydDnDMj21y+U1UhDZJrvh
+lnt88g==
 -----END CERTIFICATE-----
-
--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -55,8 +55,11 @@
 * [including the GNU Public Licence.]
 */

-#include <openssl/opensslconf.h> /* for OPENSSL_NO_DSA */
-#ifndef OPENSSL_NO_DSA
+#include <openssl/opensslconf.h>
+#ifdef OPENSSL_NO_DSA
+NON_EMPTY_TRANSLATION_UNIT
+#else
+
 # include <stdio.h>
 # include <stdlib.h>
 # include <string.h>
@@ -82,7 +85,7 @@ OPTIONS dsa_options[] = {
    {"help", OPT_HELP, '-', "Display this summary"},
    {"inform", OPT_INFORM, 'F', "Input format, DER PEM PVK"},
    {"outform", OPT_OUTFORM, 'F', "Output format, DER PEM PVK"},
-    {"in", OPT_IN, '<', "Input file"},
+    {"in", OPT_IN, 's', "Input key"},
    {"out", OPT_OUT, '>', "Output file"},
    {"noout", OPT_NOOUT, '-', "Don't print key out"},
    {"text", OPT_TEXT, '-', "Print the key in text"},
@@ -130,8 +133,7 @@ int dsa_main(int argc, char **argv)
            ret = 0;
            goto end;
        case OPT_INFORM:
-            if (!opt_format
-                (opt_arg(), OPT_FMT_PEMDER | OPT_FMT_PVK, &informat))
+            if (!opt_format(opt_arg(), OPT_FMT_ANY, &informat))
                goto opthelp;
            break;
        case OPT_IN:
@@ -194,7 +196,7 @@ int dsa_main(int argc, char **argv)
    argc = opt_num_rest();
    argv = opt_rest();
    private = pubin || pubout ? 0 : 1;
-    if (text)
+    if (text && !pubin)
        private = 1;

    if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
@@ -227,7 +229,7 @@ int dsa_main(int argc, char **argv)
        goto end;

    if (text) {
-        assert(private);
+        assert(pubin || private);
        if (!DSA_print(out, dsa, 0)) {
            perror(outfile);
            ERR_print_errors(bio_err);
@@ -267,6 +269,11 @@ int dsa_main(int argc, char **argv)
        pk = EVP_PKEY_new();
        EVP_PKEY_set1_DSA(pk, dsa);
        if (outformat == FORMAT_PVK) {
+            if (pubin) {
+                BIO_printf(bio_err, "PVK form impossible with public key input\n");
+                EVP_PKEY_free(pk);
+                goto end;
+            }
            assert(private);
            i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);
        }
@@ -295,10 +302,4 @@ int dsa_main(int argc, char **argv)
    OPENSSL_free(passout);
    return (ret);
 }
-#else                           /* !OPENSSL_NO_DSA */
-
-# if PEDANTIC
-static void *dummy = &dummy;
-# endif
-
 #endif
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -55,9 +55,11 @@
 * [including the GNU Public Licence.]
 */

-#include <openssl/opensslconf.h> /* for OPENSSL_NO_DSA */
+#include <openssl/opensslconf.h>
+#ifdef OPENSSL_NO_DSA
+NON_EMPTY_TRANSLATION_UNIT
+#else

-#ifndef OPENSSL_NO_DSA
 # include <stdio.h>
 # include <stdlib.h>
 # include <time.h>
@@ -86,7 +88,7 @@ static int dsa_cb(int p, int n, BN_GENCB *cb);
 typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT, OPT_C,
-    OPT_NOOUT, OPT_GENKEY, OPT_RAND, OPT_NON_FIPS_ALLOW, OPT_ENGINE,
+    OPT_NOOUT, OPT_GENKEY, OPT_RAND, OPT_ENGINE,
    OPT_TIMEBOMB
 } OPTION_CHOICE;

@@ -101,7 +103,6 @@ OPTIONS dsaparam_options[] = {
    {"noout", OPT_NOOUT, '-', "No output"},
    {"genkey", OPT_GENKEY, '-', "Generate a DSA key"},
    {"rand", OPT_RAND, 's', "Files to use for random number input"},
-    {"non-fips-allow", OPT_NON_FIPS_ALLOW, '-'},
 # ifdef GENCB_TEST
    {"timebomb", OPT_TIMEBOMB, 'p', "Interrupt keygen after 'pnum' seconds"},
 # endif
@@ -116,7 +117,7 @@ int dsaparam_main(int argc, char **argv)
    DSA *dsa = NULL;
    BIO *in = NULL, *out = NULL;
    BN_GENCB *cb = NULL;
-    int numbits = -1, num = 0, genkey = 0, need_rand = 0, non_fips_allow = 0;
+    int numbits = -1, num = 0, genkey = 0, need_rand = 0;
    int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0, C = 0;
    int ret = 1, i, text = 0, private = 0;
 # ifdef GENCB_TEST
@@ -175,16 +176,13 @@ int dsaparam_main(int argc, char **argv)
        case OPT_NOOUT:
            noout = 1;
            break;
-        case OPT_NON_FIPS_ALLOW:
-            non_fips_allow = 1;
-            break;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();

    if (argc == 1) {
-        if (!opt_int(argv[0], &num))
+        if (!opt_int(argv[0], &num) || num < 0)
            goto end;
        /* generate a key */
        numbits = num;
@@ -219,8 +217,6 @@ int dsaparam_main(int argc, char **argv)
            BIO_printf(bio_err, "Error allocating DSA object\n");
            goto end;
        }
-        if (non_fips_allow)
-            dsa->flags |= DSA_FLAG_NON_FIPS_ALLOW;
        BIO_printf(bio_err, "Generating DSA parameters, %d bit long prime\n",
                   num);
        BIO_printf(bio_err, "This could take some time\n");
@@ -309,8 +305,6 @@ int dsaparam_main(int argc, char **argv)
        assert(need_rand);
        if ((dsakey = DSAparams_dup(dsa)) == NULL)
            goto end;
-        if (non_fips_allow)
-            dsakey->flags |= DSA_FLAG_NON_FIPS_ALLOW;
        if (!DSA_generate_key(dsakey)) {
            ERR_print_errors(bio_err);
            DSA_free(dsakey);
@@ -355,10 +349,4 @@ static int dsa_cb(int p, int n, BN_GENCB *cb)
 # endif
    return 1;
 }
-#else                           /* !OPENSSL_NO_DSA */
-
-# if PEDANTIC
-static void *dummy = &dummy;
-# endif
-
 #endif
--- a/apps/ec.c
+++ b/apps/ec.c
@@ -56,7 +56,10 @@
 */

 #include <openssl/opensslconf.h>
-#ifndef OPENSSL_NO_EC
+#ifdef OPENSSL_NO_EC
+NON_EMPTY_TRANSLATION_UNIT
+#else
+
 # include <stdio.h>
 # include <stdlib.h>
 # include <string.h>
@@ -83,7 +86,8 @@ typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT,
    OPT_NOOUT, OPT_TEXT, OPT_PARAM_OUT, OPT_PUBIN, OPT_PUBOUT,
-    OPT_PASSIN, OPT_PASSOUT, OPT_PARAM_ENC, OPT_CONV_FORM, OPT_CIPHER
+    OPT_PASSIN, OPT_PASSOUT, OPT_PARAM_ENC, OPT_CONV_FORM, OPT_CIPHER,
+    OPT_NO_PUBLIC, OPT_CHECK
 } OPTION_CHOICE;

 OPTIONS ec_options[] = {
@@ -97,6 +101,8 @@ OPTIONS ec_options[] = {
    {"param_out", OPT_PARAM_OUT, '-', "Print the elliptic curve parameters"},
    {"pubin", OPT_PUBIN, '-'},
    {"pubout", OPT_PUBOUT, '-'},
+    {"no_public", OPT_NO_PUBLIC, '-', "exclude public key from private key"},
+    {"check", OPT_CHECK, '-', "check key consistency"},
    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
    {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
    {"param_enc", OPT_PARAM_ENC, 's',
@@ -122,6 +128,7 @@ int ec_main(int argc, char **argv)
    int asn1_flag = OPENSSL_EC_NAMED_CURVE, new_form = 0, new_asn1_flag = 0;
    int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0;
    int pubin = 0, pubout = 0, param_out = 0, i, ret = 1, private = 0;
+    int no_public = 0, check = 0;

    prog = opt_init(argc, argv, ec_options);
    while ((o = opt_next()) != OPT_EOF) {
@@ -189,12 +196,18 @@ int ec_main(int argc, char **argv)
            new_asn1_flag = 1;
            asn1_flag = i;
            break;
+        case OPT_NO_PUBLIC:
+            no_public = 1;
+            break;
+        case OPT_CHECK:
+            check = 1;
+            break;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
    private = param_out || pubin || pubout ? 0 : 1;
-    if (text)
+    if (text && !pubin)
        private = 1;

    if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
@@ -236,8 +249,11 @@ int ec_main(int argc, char **argv)
    if (new_asn1_flag)
        EC_KEY_set_asn1_flag(eckey, asn1_flag);

+    if (no_public)
+        EC_KEY_set_enc_flags(eckey, EC_PKEY_NO_PUBKEY);
+
    if (text) {
-        assert(private);
+        assert(pubin || private);
        if (!EC_KEY_print(out, eckey, 0)) {
            perror(outfile);
            ERR_print_errors(bio_err);
@@ -245,6 +261,15 @@ int ec_main(int argc, char **argv)
        }
    }

+    if (check) {
+        if (EC_KEY_check_key(eckey) == 1) {
+            BIO_printf(bio_err, "EC Key valid.\n");
+        } else {
+            BIO_printf(bio_err, "EC Key Invalid!\n");
+            ERR_print_errors(bio_err);
+        }
+    }
+
    if (noout) {
        ret = 0;
        goto end;
@@ -285,10 +310,4 @@ int ec_main(int argc, char **argv)
    OPENSSL_free(passout);
    return (ret);
 }
-#else                           /* !OPENSSL_NO_EC */
-
-# if PEDANTIC
-static void *dummy = &dummy;
-# endif
-
 #endif
--- a/apps/ecparam.c
+++ b/apps/ecparam.c
@@ -69,7 +69,10 @@
 */

 #include <openssl/opensslconf.h>
-#ifndef OPENSSL_NO_EC
+#ifdef OPENSSL_NO_EC
+NON_EMPTY_TRANSLATION_UNIT
+#else
+
 # include <stdio.h>
 # include <stdlib.h>
 # include <time.h>
@@ -462,11 +465,17 @@ int ecparam_main(int argc, char **argv)

        assert(need_rand);

-        if (EC_KEY_set_group(eckey, group) == 0)
+        if (EC_KEY_set_group(eckey, group) == 0) {
+            BIO_printf(bio_err, "unable to set group when generating key\n");
+            EC_KEY_free(eckey);
+            ERR_print_errors(bio_err);
            goto end;
+        }

        if (!EC_KEY_generate_key(eckey)) {
+            BIO_printf(bio_err, "unable to generate key\n");
            EC_KEY_free(eckey);
+            ERR_print_errors(bio_err);
            goto end;
        }
        assert(private);
@@ -496,10 +505,4 @@ int ecparam_main(int argc, char **argv)
    return (ret);
 }

-#else                           /* !OPENSSL_NO_EC */
-
-# if PEDANTIC
-static void *dummy = &dummy;
-# endif
-
 #endif
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -58,6 +58,7 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
+#include <limits.h>
 #include "apps.h"
 #include <openssl/bio.h>
 #include <openssl/err.h>
@@ -84,7 +85,7 @@ typedef enum OPTION_choice {
    OPT_E, OPT_IN, OPT_OUT, OPT_PASS, OPT_ENGINE, OPT_D, OPT_P, OPT_V,
    OPT_NOPAD, OPT_SALT, OPT_NOSALT, OPT_DEBUG, OPT_UPPER_P, OPT_UPPER_A,
    OPT_A, OPT_Z, OPT_BUFSIZE, OPT_K, OPT_KFILE, OPT_UPPER_K, OPT_NONE,
-    OPT_UPPER_S, OPT_IV, OPT_MD, OPT_NON_FIPS_ALLOW, OPT_CIPHER
+    OPT_UPPER_S, OPT_IV, OPT_MD, OPT_CIPHER
 } OPTION_CHOICE;

 OPTIONS enc_options[] = {
@@ -111,7 +112,6 @@ OPTIONS enc_options[] = {
    {"S", OPT_UPPER_S, 's', "Salt, in hex"},
    {"iv", OPT_IV, 's', "IV in hex"},
    {"md", OPT_MD, 's', "Use specified digest to create key from passphrase"},
-    {"non-fips-allow", OPT_NON_FIPS_ALLOW, '-'},
    {"none", OPT_NONE, '-', "Don't encrypt"},
    {"", OPT_CIPHER, '-', "Any supported cipher"},
 #ifdef ZLIB
@@ -140,10 +140,10 @@ int enc_main(int argc, char **argv)
    int bsize = BSIZE, verbose = 0, debug = 0, olb64 = 0, nosalt = 0;
    int enc = 1, printkey = 0, i, k;
    int base64 = 0, informat = FORMAT_BINARY, outformat = FORMAT_BINARY;
-    int ret = 1, inl, nopad = 0, non_fips_allow = 0;
+    int ret = 1, inl, nopad = 0;
    unsigned char key[EVP_MAX_KEY_LENGTH], iv[EVP_MAX_IV_LENGTH];
    unsigned char *buff = NULL, salt[PKCS5_SALT_LEN];
-    unsigned long n;
+    long n;
 #ifdef ZLIB
    int do_zlib = 0;
    BIO *bzl = NULL;
@@ -237,7 +237,8 @@ int enc_main(int argc, char **argv)
            k = i >= 1 && p[i] == 'k';
            if (k)
                p[i] = '\0';
-            if (!opt_ulong(opt_arg(), &n))
+            if (!opt_long(opt_arg(), &n)
+                    || n < 0 || (k && n >= LONG_MAX / 1024))
                goto opthelp;
            if (k)
                n *= 1024;
@@ -279,9 +280,6 @@ int enc_main(int argc, char **argv)
            if (!opt_md(opt_arg(), &dgst))
                goto opthelp;
            break;
-        case OPT_NON_FIPS_ALLOW:
-            non_fips_allow = 1;
-            break;
        case OPT_CIPHER:
            if (!opt_cipher(opt_unknown(), &c))
                goto opthelp;
@@ -306,7 +304,7 @@ int enc_main(int argc, char **argv)
    }

    if (dgst == NULL)
-        dgst = EVP_md5();
+        dgst = EVP_sha256();

    /* It must be large enough for a base64 encoded line */
    if (base64 && bsize < 80)
@@ -501,9 +499,6 @@ int enc_main(int argc, char **argv)

        BIO_get_cipher_ctx(benc, &ctx);

-        if (non_fips_allow)
-            EVP_CIPHER_CTX_set_flags(ctx, EVP_CIPH_FLAG_NON_FIPS_ALLOW);
-
        if (!EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, enc)) {
            BIO_printf(bio_err, "Error setting cipher %s\n",
                       EVP_CIPHER_name(cipher));
@@ -533,15 +528,15 @@ int enc_main(int argc, char **argv)
                    printf("%02X", salt[i]);
                printf("\n");
            }
-            if (cipher->key_len > 0) {
+            if (EVP_CIPHER_key_length(cipher) > 0) {
                printf("key=");
-                for (i = 0; i < cipher->key_len; i++)
+                for (i = 0; i < EVP_CIPHER_key_length(cipher); i++)
                    printf("%02X", key[i]);
                printf("\n");
            }
-            if (cipher->iv_len > 0) {
+            if (EVP_CIPHER_iv_length(cipher) > 0) {
                printf("iv =");
-                for (i = 0; i < cipher->iv_len; i++)
+                for (i = 0; i < EVP_CIPHER_iv_length(cipher); i++)
                    printf("%02X", iv[i]);
                printf("\n");
            }
--- a/apps/engine.c
+++ b/apps/engine.c
@@ -56,12 +56,16 @@
 *
 */

-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include "apps.h"
-#include <openssl/err.h>
-#ifndef OPENSSL_NO_ENGINE
+#include <openssl/opensslconf.h>
+#ifdef OPENSSL_NO_ENGINE
+NON_EMPTY_TRANSLATION_UNIT
+#else
+
+# include "apps.h"
+# include <stdio.h>
+# include <stdlib.h>
+# include <string.h>
+# include <openssl/err.h>
 # include <openssl/engine.h>
 # include <openssl/ssl.h>

@@ -72,13 +76,16 @@ typedef enum OPTION_choice {
 } OPTION_CHOICE;

 OPTIONS engine_options[] = {
+    {OPT_HELP_STR, 1, '-', "Usage: %s [options] engine...\n"},
+    {OPT_HELP_STR, 1, '-',
+        "  engine... Engines to load\n"},
    {"help", OPT_HELP, '-', "Display this summary"},
-    {"vvvv", OPT_VVVV, '-', "Also show internal input flags"},
-    {"vvv", OPT_VVV, '-', "Also add the input flags for each command"},
+    {"v", OPT_V, '-', "List 'control commands' For each specified engine"},
    {"vv", OPT_VV, '-', "Also display each command's description"},
-    {"v", OPT_V, '-', "For each engine, list its 'control commands'"},
-    {"c", OPT_C, '-', "List the capabilities of each engine"},
-    {"t", OPT_T, '-', "Check that each engine is available"},
+    {"vvv", OPT_VVV, '-', "Also add the input flags for each command"},
+    {"vvvv", OPT_VVVV, '-', "Also show internal input flags"},
+    {"c", OPT_C, '-', "List the capabilities of specified engine"},
+    {"t", OPT_T, '-', "Check that specified engine is available"},
    {"tt", OPT_TT, '-', "Display error trace for unavailable engines"},
    {"pre", OPT_PRE, 's', "Run command against the ENGINE before loading it"},
    {"post", OPT_POST, 's', "Run command against the ENGINE after loading it"},
@@ -89,19 +96,18 @@ OPTIONS engine_options[] = {

 static void identity(char *ptr)
 {
-    return;
 }

-static int append_buf(char **buf, const char *s, int *size, int step)
+static int append_buf(char **buf, int *size, const char *s)
 {
    if (*buf == NULL) {
-        *size = step;
+        *size = 256;
        *buf = app_malloc(*size, "engine buffer");
        **buf = '\0';
    }

    if (strlen(*buf) + strlen(s) >= (unsigned int)*size) {
-        *size += step;
+        *size += 256;
        *buf = OPENSSL_realloc(*buf, *size);
    }

@@ -109,8 +115,8 @@ static int append_buf(char **buf, const char *s, int *size, int step)
        return 0;

    if (**buf != '\0')
-        BUF_strlcat(*buf, ", ", *size);
-    BUF_strlcat(*buf, s, *size);
+        OPENSSL_strlcat(*buf, ", ", *size);
+    OPENSSL_strlcat(*buf, s, *size);

    return 1;
 }
@@ -313,11 +319,23 @@ int engine_main(int argc, char **argv)
    const char *indent = "     ";
    OPTION_CHOICE o;
    char *prog;
+    char *argv1;

    out = dup_bio_out(FORMAT_TEXT);
-    prog = opt_init(argc, argv, engine_options);
-    if (!engines || !pre_cmds || !post_cmds)
+    if (engines == NULL || pre_cmds == NULL || post_cmds == NULL)
        goto end;
+
+    /* Remember the original command name, parse/skip any leading engine
+     * names, and then setup to parse the rest of the line as flags. */
+    prog = argv[0];
+    while ((argv1 = argv[1]) != NULL && *argv1 != '-') {
+        sk_OPENSSL_STRING_push(engines, argv1);
+        argc--;
+        argv++;
+    }
+    argv[0] = prog;
+    opt_init(argc, argv, engine_options);
+
    while ((o = opt_next()) != OPT_EOF) {
        switch (o) {
        case OPT_EOF:
@@ -353,10 +371,19 @@ int engine_main(int argc, char **argv)
            break;
        }
    }
+
+    /* Allow any trailing parameters as engine names. */
    argc = opt_num_rest();
    argv = opt_rest();
-    for ( ; *argv; argv++)
+    for ( ; *argv; argv++) {
+        if (**argv == '-') {
+            BIO_printf(bio_err, "%s: Cannot mix flags and engine names.\n",
+                       prog);
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        }
        sk_OPENSSL_STRING_push(engines, *argv);
+    }

    if (sk_OPENSSL_STRING_num(engines) == 0) {
        for (e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e)) {
@@ -387,16 +414,16 @@ int engine_main(int argc, char **argv)
                ENGINE_PKEY_METHS_PTR fn_pk;

                if (ENGINE_get_RSA(e) != NULL
-                    && !append_buf(&cap_buf, "RSA", &cap_size, 256))
+                    && !append_buf(&cap_buf, &cap_size, "RSA"))
                    goto end;
                if (ENGINE_get_DSA(e) != NULL
-                    && !append_buf(&cap_buf, "DSA", &cap_size, 256))
+                    && !append_buf(&cap_buf, &cap_size, "DSA"))
                    goto end;
                if (ENGINE_get_DH(e) != NULL
-                    && !append_buf(&cap_buf, "DH", &cap_size, 256))
+                    && !append_buf(&cap_buf, &cap_size, "DH"))
                    goto end;
                if (ENGINE_get_RAND(e) != NULL
-                    && !append_buf(&cap_buf, "RAND", &cap_size, 256))
+                    && !append_buf(&cap_buf, &cap_size, "RAND"))
                    goto end;

                fn_c = ENGINE_get_ciphers(e);
@@ -404,8 +431,7 @@ int engine_main(int argc, char **argv)
                    goto skip_ciphers;
                n = fn_c(e, NULL, &nids, 0);
                for (k = 0; k < n; ++k)
-                    if (!append_buf(&cap_buf,
-                                    OBJ_nid2sn(nids[k]), &cap_size, 256))
+                    if (!append_buf(&cap_buf, &cap_size, OBJ_nid2sn(nids[k])))
                        goto end;

 skip_ciphers:
@@ -414,8 +440,7 @@ int engine_main(int argc, char **argv)
                    goto skip_digests;
                n = fn_d(e, NULL, &nids, 0);
                for (k = 0; k < n; ++k)
-                    if (!append_buf(&cap_buf,
-                                    OBJ_nid2sn(nids[k]), &cap_size, 256))
+                    if (!append_buf(&cap_buf, &cap_size, OBJ_nid2sn(nids[k])))
                        goto end;

 skip_digests:
@@ -424,8 +449,7 @@ int engine_main(int argc, char **argv)
                    goto skip_pmeths;
                n = fn_pk(e, NULL, &nids, 0);
                for (k = 0; k < n; ++k)
-                    if (!append_buf(&cap_buf,
-                                    OBJ_nid2sn(nids[k]), &cap_size, 256))
+                    if (!append_buf(&cap_buf, &cap_size, OBJ_nid2sn(nids[k])))
                        goto end;
 skip_pmeths:
                if (cap_buf && (*cap_buf != '\0'))
@@ -463,10 +487,4 @@ int engine_main(int argc, char **argv)
    BIO_free_all(out);
    return (ret);
 }
-#else
-
-# if PEDANTIC
-static void *dummy = &dummy;
-# endif
-
 #endif
--- a/apps/errstr.c
+++ b/apps/errstr.c
@@ -111,9 +111,14 @@ int errstr_main(int argc, char **argv)

    ret = 0;
    for (argv = opt_rest(); *argv; argv++) {
-        if (!opt_ulong(*argv, &l))
+        if (sscanf(*argv, "%lx", &l) == 0)
            ret++;
        else {
+            /* We're not really an SSL application so this won't auto-init, but
+             * we're still interested in SSL error strings
+             */
+            OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS
+                             | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
            ERR_error_string_n(l, buf, sizeof buf);
            BIO_printf(bio_out, "%s\n", buf);
        }
--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -55,8 +55,11 @@
 * [including the GNU Public Licence.]
 */

-#include <openssl/opensslconf.h> /* for OPENSSL_NO_DSA */
-#ifndef OPENSSL_NO_DSA
+#include <openssl/opensslconf.h>
+#ifdef OPENSSL_NO_DSA
+NON_EMPTY_TRANSLATION_UNIT
+#else
+
 # include <stdio.h>
 # include <string.h>
 # include <sys/types.h>
@@ -185,10 +188,4 @@ int gendsa_main(int argc, char **argv)
    OPENSSL_free(passout);
    return (ret);
 }
-#else                           /* !OPENSSL_NO_DSA */
-
-# if PEDANTIC
-static void *dummy = &dummy;
-# endif
-
 #endif
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -56,8 +56,10 @@
 */

 #include <openssl/opensslconf.h>
+#ifdef OPENSSL_NO_RSA
+NON_EMPTY_TRANSLATION_UNIT
+#else

-#ifndef OPENSSL_NO_RSA
 # include <stdio.h>
 # include <string.h>
 # include <sys/types.h>
@@ -78,7 +80,7 @@ static int genrsa_cb(int p, int n, BN_GENCB *cb);

 typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
-    OPT_3, OPT_F4, OPT_NON_FIPS_ALLOW, OPT_ENGINE,
+    OPT_3, OPT_F4, OPT_ENGINE,
    OPT_OUT, OPT_RAND, OPT_PASSOUT, OPT_CIPHER
 } OPTION_CHOICE;

@@ -87,7 +89,6 @@ OPTIONS genrsa_options[] = {
    {"3", OPT_3, '-', "Use 3 for the E value"},
    {"F4", OPT_F4, '-', "Use F4 (0x10001) for the E value"},
    {"f4", OPT_F4, '-', "Use F4 (0x10001) for the E value"},
-    {"non-fips-allow", OPT_NON_FIPS_ALLOW, '-'},
    {"out", OPT_OUT, 's', "Output the key to specified file"},
    {"rand", OPT_RAND, 's',
     "Load the file(s) into the random number generator"},
@@ -108,7 +109,7 @@ int genrsa_main(int argc, char **argv)
    BIO *out = NULL;
    RSA *rsa = NULL;
    const EVP_CIPHER *enc = NULL;
-    int ret = 1, non_fips_allow = 0, num = DEFBITS, private = 0;
+    int ret = 1, num = DEFBITS, private = 0;
    unsigned long f4 = RSA_F4;
    char *outfile = NULL, *passoutarg = NULL, *passout = NULL;
    char *inrand = NULL, *prog, *hexe, *dece;
@@ -136,9 +137,6 @@ int genrsa_main(int argc, char **argv)
        case OPT_F4:
            f4 = RSA_F4;
            break;
-        case OPT_NON_FIPS_ALLOW:
-            non_fips_allow = 1;
-            break;
        case OPT_OUT:
            outfile = opt_arg();
            break;
@@ -188,9 +186,6 @@ int genrsa_main(int argc, char **argv)
    if (rsa == NULL)
        goto end;

-    if (non_fips_allow)
-        rsa->flags |= RSA_FLAG_NON_FIPS_ALLOW;
-
    if (!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, cb))
        goto end;

@@ -239,10 +234,4 @@ static int genrsa_cb(int p, int n, BN_GENCB *cb)
    (void)BIO_flush(BN_GENCB_get_arg(cb));
    return 1;
 }
-#else                           /* !OPENSSL_NO_RSA */
-
-# if PEDANTIC
-static void *dummy = &dummy;
-# endif
-
 #endif
--- a/apps/install-apps.com
+++ b/apps/install-apps.com
@@ -1,107 +0,0 @@
-$! INSTALL.COM -- Installs the files in a given directory tree
-$!
-$! Author: Richard Levitte <richard@levitte.org>
-$! Time of creation: 22-MAY-1998 10:13
-$!
-$! P1  root of the directory tree
-$! P2  "64" for 64-bit pointers.
-$!
-$!
-$! Announce/identify.
-$!
-$ proc = f$environment( "procedure")
-$ write sys$output "@@@ "+ -
-   f$parse( proc, , , "name")+ f$parse( proc, , , "type")
-$!
-$ on error then goto tidy
-$ on control_c then goto tidy
-$!
-$ if (p1 .eqs. "")
-$ then
-$   write sys$output "First argument missing."
-$   write sys$output -
-     "It should be the directory where you want things installed."
-$   exit
-$ endif
-$!
-$ if (f$getsyi("cpu") .lt. 128)
-$ then
-$   arch = "VAX"
-$ else
-$   arch = f$edit( f$getsyi( "arch_name"), "upcase")
-$   if (arch .eqs. "") then arch = "UNK"
-$ endif
-$!
-$ archd = arch
-$!
-$ if (p2 .nes. "")
-$ then
-$   if (p2 .eqs. "64")
-$   then
-$     archd = arch+ "_64"
-$   else
-$     if (p2 .nes. "32")
-$     then
-$       write sys$output "Second argument invalid."
-$       write sys$output "It should be "32", "64", or nothing."
-$       exit
-$     endif
-$   endif
-$ endif
-$!
-$ root = f$parse( p1, "[]A.;0", , , "syntax_only, no_conceal") - "A.;0"
-$ root_dev = f$parse(root,,,"device","syntax_only")
-$ root_dir = f$parse(root,,,"directory","syntax_only") - -
-   "[000000." - "][" - "[" - "]"
-$ root = root_dev + "[" + root_dir
-$!
-$ define /nolog wrk_sslroot 'root'.] /trans=conc
-$ define /nolog wrk_sslxexe wrk_sslroot:['archd'_exe]
-$!
-$ if f$parse("wrk_sslroot:[000000]") .eqs. "" then -
-   create /directory /log wrk_sslroot:[000000]
-$ if f$parse("wrk_sslxexe:") .eqs. "" then -
-   create /directory /log wrk_sslxexe:
-$!
-$ exe := openssl
-$!
-$ exe_dir := [-.'archd'.exe.apps]
-$!
-$! Executables.
-$!
-$ i = 0
-$ loop_exe:
-$   e = f$edit(f$element( i, ",", exe), "trim")
-$   i = i + 1
-$   if e .eqs. "," then goto loop_exe_end
-$   set noon
-$   file = exe_dir+ e+ ".exe"
-$   if f$search( file) .nes. ""
-$   then
-$     copy /protection = w:re 'file' wrk_sslxexe: /log
-$   endif
-$   set on
-$ goto loop_exe
-$ loop_exe_end:
-$!
-$! Miscellaneous.
-$!
-$ set noon
-$ copy /protection = w:re ca.com wrk_sslxexe:ca.com /log
-$ copy /protection = w:re openssl-vms.cnf wrk_sslroot:[000000]openssl.cnf /log
-$ set on
-$!
-$ tidy:
-$!
-$ call deass wrk_sslroot
-$ call deass wrk_sslxexe
-$!
-$ exit
-$!
-$ deass: subroutine
-$ if (f$trnlnm( p1, "LNM$PROCESS") .nes. "")
-$ then
-$   deassign /process 'p1'
-$ endif
-$ endsubroutine
-$!
--- a/apps/makeapps.com
+++ b/apps/makeapps.com
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -521,7 +521,7 @@ int ocsp_main(int argc, char **argv)
            goto end;
    }

-    if (rsignfile && !rdb) {
+    if (rsignfile) {
        if (!rkeyfile)
            rkeyfile = rsignfile;
        rsigner = load_cert(rsignfile, FORMAT_PEM,
@@ -533,9 +533,8 @@ int ocsp_main(int argc, char **argv)
        rca_cert = load_cert(rca_filename, FORMAT_PEM,
                             NULL, NULL, "CA certificate");
        if (rcertfile) {
-            rother = load_certs(rcertfile, FORMAT_PEM,
-                                NULL, NULL, "responder other certificates");
-            if (!rother)
+            if (!load_certs(rcertfile, &rother, FORMAT_PEM, NULL, NULL,
+                            "responder other certificates"))
                goto end;
        }
        rkey = load_key(rkeyfile, FORMAT_PEM, 0, NULL, NULL,
@@ -578,9 +577,8 @@ int ocsp_main(int argc, char **argv)
            goto end;
        }
        if (sign_certfile) {
-            sign_other = load_certs(sign_certfile, FORMAT_PEM,
-                                    NULL, NULL, "signer certificates");
-            if (!sign_other)
+            if (!load_certs(sign_certfile, &sign_other, FORMAT_PEM, NULL, NULL,
+                            "signer certificates"))
                goto end;
        }
        key = load_key(keyfile, FORMAT_PEM, 0, NULL, NULL,
@@ -702,9 +700,8 @@ int ocsp_main(int argc, char **argv)
    if (vpmtouched)
        X509_STORE_set1_param(store, vpm);
    if (verify_certfile) {
-        verify_other = load_certs(verify_certfile, FORMAT_PEM,
-                                  NULL, NULL, "validator certificate");
-        if (!verify_other)
+        if (!load_certs(verify_certfile, &verify_other, FORMAT_PEM, NULL, NULL,
+                        "validator certificate"))
            goto end;
    }

@@ -914,7 +911,7 @@ static void make_ocsp_response(OCSP_RESPONSE **resp, OCSP_REQUEST *req,
    bs = OCSP_BASICRESP_new();
    thisupd = X509_gmtime_adj(NULL, 0);
    if (ndays != -1)
-        nextupd = X509_gmtime_adj(NULL, nmin * 60 + ndays * 3600 * 24);
+        nextupd = X509_time_adj_ex(NULL, ndays, nmin * 60, NULL);

    /* Examine each certificate id in the request */
    for (i = 0; i < id_count; i++) {
@@ -1007,7 +1004,7 @@ static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser)
    OPENSSL_assert(bn);         /* FIXME: should report an error at this
                                 * point and abort */
    if (BN_is_zero(bn))
-        itmp = BUF_strdup("00");
+        itmp = OPENSSL_strdup("00");
    else
        itmp = BN_bn2hex(bn);
    row[DB_serial] = itmp;
@@ -1068,7 +1065,7 @@ static int urldecode(char *p)
    for (; *p; p++) {
        if (*p != '%')
            *out++ = *p;
-        else if (isxdigit(p[1]) && isxdigit(p[2])) {
+        else if (isxdigit(_UC(p[1])) && isxdigit(_UC(p[2]))) {
            *out++ = (app_hex(p[1]) << 4) | app_hex(p[2]);
            p += 2;
        }
--- a/apps/openssl-vms.cnf
+++ b/apps/openssl-vms.cnf
@@ -335,8 +335,7 @@ signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
 certs		= $dir.cacert.pem]	# Certificate chain to include in reply
 					# (optional)
 signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
-signer_digest  = sha1			# Signing digest to use. (Optional)
-
+signer_digest  = sha256			# Signing digest to use. (Optional)
 default_policy	= tsa_policy1		# Policy if request did not specify it
 					# (optional)
 other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -153,7 +153,6 @@
 * required type of "FUNCTION*"). This removes the necessity for
 * macro-generated wrapper functions.
 */
-DECLARE_LHASH_OF(FUNCTION);
 static LHASH_OF(FUNCTION) *prog_init(void);
 static int do_cmd(LHASH_OF(FUNCTION) *prog, int argc, char *argv[]);
 static void list_pkey(void);
@@ -171,44 +170,20 @@ static int apps_startup()
 #ifdef SIGPIPE
    signal(SIGPIPE, SIG_IGN);
 #endif
-    CRYPTO_malloc_init();
-    ERR_load_crypto_strings();
-    ERR_load_SSL_strings();

-    OPENSSL_load_builtin_modules();
-#ifndef OPENSSL_NO_ENGINE
-    ENGINE_load_builtin_engines();
-#endif
-    if (!app_load_modules(NULL)) {
-        ERR_print_errors(bio_err);
-        BIO_printf(bio_err, "Error loading default configuration\n");
+    /* Set non-default library initialisation settings */
+    if (!OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN
+                             | OPENSSL_INIT_LOAD_CONFIG, NULL))
        return 0;
-    }

-    OpenSSL_add_all_algorithms();
-    OpenSSL_add_ssl_algorithms();
    setup_ui_method();
-    /*SSL_library_init();*/
+
    return 1;
 }

 static void apps_shutdown()
 {
-#ifndef OPENSSL_NO_ENGINE
-    ENGINE_cleanup();
-#endif
    destroy_ui_method();
-    CONF_modules_unload(1);
-#ifndef OPENSSL_NO_COMP
-    COMP_zlib_cleanup();
-    SSL_COMP_free_compression_methods();
-#endif
-    OBJ_cleanup();
-    EVP_cleanup();
-    CRYPTO_cleanup_all_ex_data();
-    ERR_remove_thread_state(NULL);
-    RAND_cleanup();
-    ERR_free_strings();
 }

 static char *make_config_name()
@@ -218,7 +193,7 @@ static char *make_config_name()
    char *p;

    if ((t = getenv("OPENSSL_CONF")) != NULL)
-        return BUF_strdup(t);
+        return OPENSSL_strdup(t);

    t = X509_get_default_cert_area();
    len = strlen(t) + 1 + strlen(OPENSSL_CONF) + 1;
@@ -310,22 +285,14 @@ int main(int argc, char *argv[])
 #endif

    p = getenv("OPENSSL_DEBUG_MEMORY");
-    if (p == NULL)
-        /* if not set, use compiled-in default */
-        ;
-    else if (strcmp(p, "off") != 0) {
-        CRYPTO_malloc_debug_init();
-        CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
-    } else {
-        CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
-    }
+    if (p != NULL && strcmp(p, "on") == 0)
+        CRYPTO_set_mem_debug(1);
    CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
    CRYPTO_set_locking_callback(lock_dbg_cb);

    if (getenv("OPENSSL_FIPS")) {
 #ifdef OPENSSL_FIPS
        if (!FIPS_mode_set(1)) {
-            ERR_load_crypto_strings();
            ERR_print_errors(bio_err);
            return 1;
        }
@@ -436,9 +403,12 @@ int main(int argc, char *argv[])
    BIO_free(bio_in);
    BIO_free_all(bio_out);
    apps_shutdown();
-    CRYPTO_mem_leaks(bio_err);
+#ifndef OPENSSL_NO_CRYPTO_MDEBUG
+    if (CRYPTO_mem_leaks(bio_err) <= 0)
+        ret = 1;
+#endif
    BIO_free(bio_err);
-    return (ret);
+    EXIT(ret);
 }

 OPTIONS exit_options[] = {
@@ -706,15 +676,11 @@ static int function_cmp(const FUNCTION * a, const FUNCTION * b)
    return strncmp(a->name, b->name, 8);
 }

-static IMPLEMENT_LHASH_COMP_FN(function, FUNCTION)
-
 static unsigned long function_hash(const FUNCTION * a)
 {
    return lh_strhash(a->name);
 }

-static IMPLEMENT_LHASH_HASH_FN(function, FUNCTION)
-
 static int SortFnByName(const void *_f1, const void *_f2)
 {
    const FUNCTION *f1 = _f1;
@@ -761,9 +727,15 @@ static void list_disabled(void)
 #ifdef OPENSSL_NO_DSA
    BIO_puts(bio_out, "DSA\n");
 #endif
-#if defined(OPENSSL_NO_DTLS1) || defined(OPENSSL_NO_DTLS)
+#if defined(OPENSSL_NO_DTLS)
+    BIO_puts(bio_out, "DTLS\n");
+#endif
+#if defined(OPENSSL_NO_DTLS1)
    BIO_puts(bio_out, "DTLS1\n");
 #endif
+#if defined(OPENSSL_NO_DTLS1_2)
+    BIO_puts(bio_out, "DTLS1_2\n");
+#endif
 #ifdef OPENSSL_NO_EC
    BIO_puts(bio_out, "EC\n");
 #endif
@@ -776,6 +748,9 @@ static void list_disabled(void)
 #ifdef OPENSSL_NO_GOST
    BIO_puts(bio_out, "GOST\n");
 #endif
+#ifdef OPENSSL_NO_HEARTBEATS
+    BIO_puts(bio_out, "HEARTBEATS\n");
+#endif
 #ifdef OPENSSL_NO_HMAC
    BIO_puts(bio_out, "HMAC\n");
 #endif
@@ -845,9 +820,24 @@ static void list_disabled(void)
 #ifdef OPENSSL_NO_SRTP
    BIO_puts(bio_out, "SRTP\n");
 #endif
+#ifdef OPENSSL_NO_SSL
+    BIO_puts(bio_out, "SSL\n");
+#endif
 #ifdef OPENSSL_NO_SSL3
    BIO_puts(bio_out, "SSL3\n");
 #endif
+#if defined(OPENSSL_NO_TLS)
+    BIO_puts(bio_out, "TLS\n");
+#endif
+#ifdef OPENSSL_NO_TLS1
+    BIO_puts(bio_out, "TLS1\n");
+#endif
+#ifdef OPENSSL_NO_TLS1_1
+    BIO_puts(bio_out, "TLS1_1\n");
+#endif
+#ifdef OPENSSL_NO_TLS1_2
+    BIO_puts(bio_out, "TLS1_2\n");
+#endif
 #ifdef OPENSSL_NO_WHIRLPOOL
    BIO_puts(bio_out, "WHIRLPOOL\n");
 #endif
@@ -866,7 +856,7 @@ static LHASH_OF(FUNCTION) *prog_init(void)
    for (i = 0, f = functions; f->name != NULL; ++f, ++i) ;
    qsort(functions, i, sizeof(*functions), SortFnByName);

-    if ((ret = lh_FUNCTION_new()) == NULL)
+    if ((ret = lh_FUNCTION_new(function_hash, function_cmp)) == NULL)
        return (NULL);

    for (f = functions; f->name != NULL; f++)
--- a/apps/opt.c
+++ b/apps/opt.c
@@ -57,6 +57,7 @@
 #include <stdlib.h>
 #include <errno.h>
 #include <ctype.h>
+#include <limits.h>
 #include <openssl/bio.h>

 #define MAX_OPT_HELP_WIDTH 30
@@ -127,7 +128,7 @@ char *opt_progname(const char *argv0)
    q = strrchr(p, '.');
    strncpy(prog, p, sizeof prog - 1);
    prog[sizeof prog - 1] = '\0';
-    if (q == NULL || q - p >= sizeof prog)
+    if (q != NULL && q - p < sizeof prog)
        prog[q - p] = '\0';
    return prog;
 }
@@ -180,10 +181,14 @@ char *opt_init(int ac, char **av, const OPTIONS *o)
        /* Make sure options are legit. */
        assert(o->name[0] != '-');
        assert(o->retval > 0);
-        assert(i == 0 || i == '-'
-               || i == 'n' || i == 'p' || i == 'u'
-               || i == 's' || i == '<' || i == '>' || i == '/'
-               || i == 'f' || i == 'F');
+        switch (i) {
+        case   0: case '-': case '/': case '<': case '>': case 'E': case 'F':
+        case 'M': case 'U': case 'f': case 'l': case 'n': case 'p': case 's':
+        case 'u':
+            break;
+        default:
+            assert(0);
+        }

        /* Make sure there are no duplicates. */
        for (next = o + 1; next->name; ++next) {
@@ -350,30 +355,16 @@ int opt_pair(const char *name, const OPT_PAIR* pairs, int *result)
    return 0;
 }

-/* See if cp looks like a hex number, in case user left off the 0x */
-static int scanforhex(const char *cp)
-{
-    if (*cp == '0' && (cp[1] == 'x' || cp[1] == 'X'))
-        return 16;
-    for (; *cp; cp++)
-        /* Look for a hex digit that isn't a regular digit. */
-        if (isxdigit(*cp) && !isdigit(*cp))
-            return 16;
-    return 0;
-}
-
 /* Parse an int, put it into *result; return 0 on failure, else 1. */
 int opt_int(const char *value, int *result)
 {
-    const char *fmt = "%d";
-    int base = scanforhex(value);
+    long l;

-    if (base == 16)
-        fmt = "%x";
-    else if (*value == '0')
-        fmt = "%o";
-    if (sscanf(value, fmt, result) != 1) {
-        BIO_printf(bio_err, "%s: Can't parse \"%s\" as a number\n",
+    if (!opt_long(value, &l))
+        return 0;
+    *result = (int)l;
+    if (*result != l) {
+        BIO_printf(bio_err, "%s: Value \"%s\" outside integer range\n",
                   prog, value);
        return 0;
    }
@@ -383,32 +374,94 @@ int opt_int(const char *value, int *result)
 /* Parse a long, put it into *result; return 0 on failure, else 1. */
 int opt_long(const char *value, long *result)
 {
-    char *endptr;
-    int base = scanforhex(value);
+    int oerrno = errno;
+    long l;
+    char *endp;

-    *result = strtol(value, &endptr, base);
-    if (*endptr) {
-        BIO_printf(bio_err,
-                   "%s: Bad char %c in number %s\n", prog, *endptr, value);
+    l = strtol(value, &endp, 0);
+    if (*endp
+            || endp == value
+            || ((l == LONG_MAX || l == LONG_MIN) && errno == ERANGE)
+            || (l == 0 && errno != 0)) {
+        BIO_printf(bio_err, "%s: Can't parse \"%s\" as a number\n",
+                   prog, value);
+        errno = oerrno;
        return 0;
    }
+    *result = l;
+    errno = oerrno;
    return 1;
 }

+#if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L && \
+    defined(INTMAX_MAX) && defined(UINTMAX_MAX)
+
+/* Parse an intmax_t, put it into *result; return 0 on failure, else 1. */
+int opt_imax(const char *value, intmax_t *result)
+{
+    int oerrno = errno;
+    intmax_t m;
+    char *endp;
+
+    m = strtoimax(value, &endp, 0);
+    if (*endp
+            || endp == value
+            || ((m == INTMAX_MAX || m == INTMAX_MIN) && errno == ERANGE)
+            || (m == 0 && errno != 0)) {
+        BIO_printf(bio_err, "%s: Can't parse \"%s\" as a number\n",
+                   prog, value);
+        errno = oerrno;
+        return 0;
+    }
+    *result = m;
+    errno = oerrno;
+    return 1;
+}
+
+/* Parse a uintmax_t, put it into *result; return 0 on failure, else 1. */
+int opt_umax(const char *value, uintmax_t *result)
+{
+    int oerrno = errno;
+    uintmax_t m;
+    char *endp;
+
+    m = strtoumax(value, &endp, 0);
+    if (*endp
+            || endp == value
+            || (m == UINTMAX_MAX && errno == ERANGE)
+            || (m == 0 && errno != 0)) {
+        BIO_printf(bio_err, "%s: Can't parse \"%s\" as a number\n",
+                   prog, value);
+        errno = oerrno;
+        return 0;
+    }
+    *result = m;
+    errno = oerrno;
+    return 1;
+}
+#endif
+
 /*
 * Parse an unsigned long, put it into *result; return 0 on failure, else 1.
 */
 int opt_ulong(const char *value, unsigned long *result)
 {
+    int oerrno = errno;
    char *endptr;
-    int base = scanforhex(value);
+    unsigned long l;

-    *result = strtoul(value, &endptr, base);
-    if (*endptr) {
-        BIO_printf(bio_err,
-                   "%s: Bad char %c in number %s\n", prog, *endptr, value);
+    l = strtoul(value, &endptr, 0);
+    if (*endptr
+            || endptr == value
+            || ((l == ULONG_MAX) && errno == ERANGE)
+            || (l == 0 && errno != 0)) {
+        BIO_printf(bio_err, "%s: Can't parse \"%s\" as an unsigned number\n",
+                   prog, value);
+        errno = oerrno;
        return 0;
    }
+    *result = l;
+    errno = oerrno;
    return 1;
 }

@@ -421,8 +474,8 @@ enum range { OPT_V_ENUM };

 int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
 {
-    unsigned long ul;
    int i;
+    ossl_intmax_t t = 0;
    ASN1_OBJECT *otmp;
    X509_PURPOSE *xptmp;
    const X509_VERIFY_PARAM *vtmp;
@@ -444,14 +497,25 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
        X509_VERIFY_PARAM_add0_policy(vpm, otmp);
        break;
    case OPT_V_PURPOSE:
+        /* purpose name -> purpose index */
        i = X509_PURPOSE_get_by_sname(opt_arg());
        if (i < 0) {
            BIO_printf(bio_err, "%s: Invalid purpose %s\n", prog, opt_arg());
            return 0;
        }
+
+        /* purpose index -> purpose object */
        xptmp = X509_PURPOSE_get0(i);
+
+        /* purpose object -> purpose value */
        i = X509_PURPOSE_get_id(xptmp);
-        X509_VERIFY_PARAM_set_purpose(vpm, i);
+
+        if (!X509_VERIFY_PARAM_set_purpose(vpm, i)) {
+            BIO_printf(bio_err,
+                       "%s: Internal error setting purpose %s\n",
+                       prog, opt_arg());
+            return 0;
+        }
        break;
    case OPT_V_VERIFY_NAME:
        vtmp = X509_VERIFY_PARAM_lookup(opt_arg());
@@ -468,9 +532,14 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
            X509_VERIFY_PARAM_set_depth(vpm, i);
        break;
    case OPT_V_ATTIME:
-        opt_ulong(opt_arg(), &ul);
-        if (ul)
-            X509_VERIFY_PARAM_set_time(vpm, (time_t)ul);
+        if (!opt_imax(opt_arg(), &t))
+            return 0;
+        if (t != (time_t)t) {
+            BIO_printf(bio_err, "%s: epoch time out of range %s\n",
+                       prog, opt_arg());
+            return 0;
+        }
+        X509_VERIFY_PARAM_set_time(vpm, (time_t)t);
        break;
    case OPT_V_VERIFY_HOSTNAME:
        if (!X509_VERIFY_PARAM_set1_host(vpm, opt_arg(), 0))
@@ -488,7 +557,7 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_IGNORE_CRITICAL);
        break;
    case OPT_V_ISSUER_CHECKS:
-        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CB_ISSUER_CHECK);
+        /* NOP, deprecated */
        break;
    case OPT_V_CRL_CHECK:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CRL_CHECK);
@@ -558,11 +627,12 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
 int opt_next(void)
 {
    char *p;
-    char *endptr;
    const OPTIONS *o;
-    int dummy;
-    int base;
-    long val;
+    int ival;
+    long lval;
+    unsigned long ulval;
+    ossl_intmax_t imval;
+    ossl_uintmax_t umval;

    /* Look at current arg; at end of the list? */
    arg = NULL;
@@ -613,10 +683,6 @@ int opt_next(void)
        }

        /* Syntax-check value. */
-        /*
-         * Do some basic syntax-checking on the value.  These tests aren't
-         * perfect (ignore range overflow) but they catch common failures.
-         */
        switch (o->valtype) {
        default:
        case 's':
@@ -645,35 +711,53 @@ int opt_next(void)
            return -1;
        case 'p':
        case 'n':
-            base = scanforhex(arg);
-            val = strtol(arg, &endptr, base);
-            if (*endptr == '\0') {
-                if (o->valtype == 'p' && val <= 0) {
-                    BIO_printf(bio_err,
-                               "%s: Non-positive number \"%s\" for -%s\n",
-                               prog, arg, o->name);
-                    return -1;
-                }
-                break;
+            if (!opt_int(arg, &ival)
+                    || (o->valtype == 'p' && ival <= 0)) {
+                BIO_printf(bio_err,
+                           "%s: Non-positive number \"%s\" for -%s\n",
+                           prog, arg, o->name);
+                return -1;
            }
-            BIO_printf(bio_err,
-                       "%s: Invalid number \"%s\" for -%s\n",
-                       prog, arg, o->name);
-            return -1;
+            break;
+        case 'M':
+            if (!opt_imax(arg, &imval)) {
+                BIO_printf(bio_err,
+                           "%s: Invalid number \"%s\" for -%s\n",
+                           prog, arg, o->name);
+                return -1;
+            }
+            break;
+        case 'U':
+            if (!opt_umax(arg, &umval)) {
+                BIO_printf(bio_err,
+                           "%s: Invalid number \"%s\" for -%s\n",
+                           prog, arg, o->name);
+                return -1;
+            }
+            break;
+        case 'l':
+            if (!opt_long(arg, &lval)) {
+                BIO_printf(bio_err,
+                           "%s: Invalid number \"%s\" for -%s\n",
+                           prog, arg, o->name);
+                return -1;
+            }
+            break;
        case 'u':
-            base = scanforhex(arg);
-            strtoul(arg, &endptr, base);
-            if (*endptr == '\0')
-                break;
-            BIO_printf(bio_err,
-                       "%s: Invalid number \"%s\" for -%s\n",
-                       prog, arg, o->name);
-            return -1;
-        case 'f':
+            if (!opt_ulong(arg, &ulval)) {
+                BIO_printf(bio_err,
+                           "%s: Invalid number \"%s\" for -%s\n",
+                           prog, arg, o->name);
+                return -1;
+            }
+            break;
+        case 'E':
        case 'F':
+        case 'f':
            if (opt_format(arg,
+                           o->valtype == 'E' ? OPT_FMT_PDE :
                           o->valtype == 'F' ? OPT_FMT_PEMDER
-                           : OPT_FMT_ANY, &dummy))
+                           : OPT_FMT_ANY, &ival))
                break;
            BIO_printf(bio_err,
                       "%s: Invalid format \"%s\" for -%s\n",
@@ -731,6 +815,7 @@ int opt_num_rest(void)
 static const char *valtype2param(const OPTIONS *o)
 {
    switch (o->valtype) {
+    case 0:
    case '-':
        return "";
    case 's':
@@ -742,15 +827,23 @@ static const char *valtype2param(const OPTIONS *o)
    case '>':
        return "outfile";
    case 'p':
-        return "pnum";
+        return "+int";
    case 'n':
-        return "num";
+        return "int";
+    case 'l':
+        return "long";
    case 'u':
-        return "unum";
+        return "ulong";
+    case 'E':
+        return "PEM|DER|ENGINE";
    case 'F':
-        return "der/pem";
+        return "PEM|DER";
    case 'f':
        return "format";
+    case 'M':
+        return "intmax";
+    case 'U':
+        return "uintmax";
    }
    return "parm";
 }
--- a/apps/passwd.c
+++ b/apps/passwd.c
@@ -314,9 +314,9 @@ static char *md5crypt(const char *passwd, const char *magic, const char *salt)
    out_buf[0] = '$';
    out_buf[1] = 0;
    assert(strlen(magic) <= 4); /* "1" or "apr1" */
-    strncat(out_buf, magic, 4);
-    strncat(out_buf, "$", 1);
-    strncat(out_buf, salt, 8);
+    OPENSSL_strlcat(out_buf, magic, sizeof out_buf);
+    OPENSSL_strlcat(out_buf, "$", sizeof out_buf);
+    OPENSSL_strlcat(out_buf, salt, sizeof out_buf);
    assert(strlen(out_buf) <= 6 + 8); /* "$apr1$..salt.." */
    salt_out = out_buf + 2 + strlen(magic);
    salt_len = strlen(salt_out);
--- a/apps/pca-key.pem
+++ b/apps/pca-key.pem
@@ -1,15 +1,16 @@
-----BEGIN RSA PRIVATE KEY-----
-MIICXAIBAAKBgQCdoWk/3+WcMlfjIrkg40ketmnQaEogQe1LLcuOJV6rKfUSAsPg
-wgsabJ/wn8TxA1yy3eKJbFl3OiUXMRsp22Jp85PmemiDzyUIStwk72qhp1imbANZ
-vlmlCFKiQrjUyuDfu4TABmn+kkt3vR1YBEOGt+IFye1UBVSATVdRJ2UVhwIDAQAB
-AoGAba4fTtuap5l7/8ZsbE7Z1O32KJY4ZcOZukLOLUUhXxXduT+FTgGWujc0/rgc
-z9qYCLlNZHOouMYTgtSfYvuMuLZ11VIt0GYH+nRioLShE59Yy+zCRyC+gPigS1kz
-xvo14AsOIPYV14Tk/SsHyq6E0eTk7VzaIE197giiINUERPECQQDSKmtPTh/lRKw7
-HSZSM0I1mFWn/1zqrAbontRQY5w98QWIOe5qmzYyFbPXYT3d9BzlsMyhgiRNoBbD
-yvohSHXJAkEAwAHx6ezAZeWWzD5yXD36nyjpkVCw7Tk7TSmOceLJMWt1QcrCfqlS
-xA5jjpQ6Z8suU5DdtWAryM2sAir1WisYzwJAd6Zcx56jvAQ3xcPXsE6scBTVFzrj
-7FqZ6E+cclPzfLQ+QQsyOBE7bpI6e/FJppY26XGZXo3YGzV8IGXrt40oOQJALETG
-h86EFXo3qGOFbmsDy4pdP5nBERCu8X1xUCSfintiD4c2DInxgS5oGclnJeMcjTvL
-QjQoJCX3UJCi/OUO1QJBAKgcDHWjMvt+l1pjJBsSEZ0HX9AAIIVx0RQmbFGS+F2Q
-hhu5l77WnnZOQ9vvhV5u7NPCUF9nhU3jh60qWWO8mkc=
-----END RSA PRIVATE KEY-----
+-----BEGIN PRIVATE KEY-----
+MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALYYjjtpLs/lfkPF
+xAFZ4V3He5mZFbsEakK9bA2fQaryreRwyfhbXbDJHyBV+c4xI5fbmmVd2t/us4k4
+rMhGsBtL89SqCEHhPJpLFywiQVmJTAjANYrWkZK5uR/++YmZyzuLfPHLButuK6cF
+GKXw3NNToxjYooMf0mad2rPX3cKTAgMBAAECgYBvrJ+Nz/Pli9jjt2V9bqHH4Y7r
+o/avuwVv6Ltbn0+mhy4d6w3yQhYzVSTBr/iDe59YglUt1WFl8/4nKZrNOIzHJlav
+Sw4hd3fYBHxbT+DgZMQ9ikjHECWRdDffrnlTLsSJAcxnpMJBPe3dKCRDMUrqWUvB
+IIKaxyqmXJms5Y/wAQJBAPFL9NMKJcWBftMKXCasxsV0ZGjgqHGZODYjtGFN9jJO
+6AbZrxfCcapTWG4RCC2o/EDEMN8aArEhfdrYY3lhXGsCQQDBMRzFevkD7SYXTw5G
+NA/gJOAsFMYbt7tebcCRsHT7t3ymVfO2QwK7ZF0f/SYvi7cMAPraHvO7s3kFdGTB
+kDx5AkAHBICASsFCdzurA5gef9PgFjx9WFtNwnkCChPK6KuKVwUkfdw7wqnvnDDs
+Mo6cVVfQwmPxeR4u7JxuavCprQ01AkEAp5ZGAh1J9Jj9CQ1AMbAp8WOrvzGKJTM9
+641Dll4/LLif/d7j2kDJFuvaSMyeGnKVqGkVMq/U+QeYPR4Z5TuM6QJAWK05qFed
+wYgTZyVN0MY53ZOMAIWwjz0cr24TvDfmsZqIvguGL616GKQZKdKDZQyQHg+dCzqJ
+HgIoacuFDKz5CA==
+-----END PRIVATE KEY-----
--- a/apps/pca-req.pem
+++ b/apps/pca-req.pem
@@ -1,11 +1,11 @@
 -----BEGIN CERTIFICATE REQUEST-----
-MIIBmjCCAQMCAQAwXDELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQx
-GjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYDVQQDExNUZXN0IFBDQSAo
-MTAyNCBiaXQpMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdoWk/3+WcMlfj
-Irkg40ketmnQaEogQe1LLcuOJV6rKfUSAsPgwgsabJ/wn8TxA1yy3eKJbFl3OiUX
-MRsp22Jp85PmemiDzyUIStwk72qhp1imbANZvlmlCFKiQrjUyuDfu4TABmn+kkt3
-vR1YBEOGt+IFye1UBVSATVdRJ2UVhwIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAEzz
-IG8NnfpnPTQSCN5zJhOfy6p9AcDyQzuJirYv1HR/qoYWalPh/U2uiK0lAim7qMcv
-wOlK3I7A8B7/4dLqvIqgtUj9b1WT8zIrnwdvJI4osLI2BY+c1pVlp174DHLMol1L
-Cl1e3N5BTm7lCitTYjuUhsw6hiA8IcdNKDo6sktV
+MIIBnDCCAQUCAQAwXDELMAkGA1UEBhMCQVUxEzARBgNVBAgMClF1ZWVuc2xhbmQx
+GjAYBgNVBAoMEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYDVQQDDBNUZXN0IFBDQSAo
+MTAyNCBiaXQpMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2GI47aS7P5X5D
+xcQBWeFdx3uZmRW7BGpCvWwNn0Gq8q3kcMn4W12wyR8gVfnOMSOX25plXdrf7rOJ
+OKzIRrAbS/PUqghB4TyaSxcsIkFZiUwIwDWK1pGSubkf/vmJmcs7i3zxywbrbiun
+BRil8NzTU6MY2KKDH9Jmndqz193CkwIDAQABoAAwDQYJKoZIhvcNAQELBQADgYEA
+eJdCB0nHnFK0hek4biAxX0GuJXkknuUy46NKEhv3GBwt4gtO29bfkbQTGOsBBKNs
+KptlnkItscOXY+0lSva9K3XlwD9do7k2IZFtXJVayZVw1GcKybIY0l7B6kcSxG7T
+f3CsO+ifdrsJKtyoZNs96lBMrtXyGybt3mgQNdZauQU=
 -----END CERTIFICATE REQUEST-----
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -74,7 +74,8 @@
 # define CLCERTS         0x8
 # define CACERTS         0x10

-int get_cert_chain(X509 *cert, X509_STORE *store, STACK_OF(X509) **chain);
+static int get_cert_chain(X509 *cert, X509_STORE *store,
+                          STACK_OF(X509) **chain);
 int dump_certs_keys_p12(BIO *out, PKCS12 *p12, char *pass, int passlen,
                        int options, char *pempass, const EVP_CIPHER *enc);
 int dump_certs_pkeys_bags(BIO *out, STACK_OF(PKCS12_SAFEBAG) *bags,
@@ -394,9 +395,8 @@ int pkcs12_main(int argc, char **argv)

        /* Load in all certs in input file */
        if (!(options & NOCERTS)) {
-            certs = load_certs(infile, FORMAT_PEM, NULL, e,
-                               "certificates");
-            if (!certs)
+            if (!load_certs(infile, &certs, FORMAT_PEM, NULL, e,
+                            "certificates"))
                goto export_end;

            if (key) {
@@ -424,13 +424,9 @@ int pkcs12_main(int argc, char **argv)

        /* Add any more certificates asked for */
        if (certfile) {
-            STACK_OF(X509) *morecerts = NULL;
-            if ((morecerts = load_certs(certfile, FORMAT_PEM, NULL, e,
-                                        "certificates from certfile")) == NULL)
+            if (!load_certs(certfile, &certs, FORMAT_PEM, NULL, e,
+                            "certificates from certfile"))
                goto export_end;
-            while (sk_X509_num(morecerts) > 0)
-                sk_X509_push(certs, sk_X509_shift(morecerts));
-            sk_X509_free(morecerts);
        }

        /* If chaining get chain from user cert */
@@ -445,7 +441,7 @@ int pkcs12_main(int argc, char **argv)
            vret = get_cert_chain(ucert, store, &chain2);
            X509_STORE_free(store);

-            if (!vret) {
+            if (vret == X509_V_OK) {
                /* Exclude verified certificate */
                for (i = 1; i < sk_X509_num(chain2); i++)
                    sk_X509_push(certs, sk_X509_value(chain2, i));
@@ -453,7 +449,7 @@ int pkcs12_main(int argc, char **argv)
                X509_free(sk_X509_value(chain2, 0));
                sk_X509_free(chain2);
            } else {
-                if (vret >= 0)
+                if (vret != X509_V_ERR_UNSPECIFIED)
                    BIO_printf(bio_err, "Error %s getting chain.\n",
                               X509_verify_cert_error_string(vret));
                else
@@ -484,7 +480,7 @@ int pkcs12_main(int argc, char **argv)
            goto export_end;
        }
        if (!twopass)
-            BUF_strlcpy(macpass, pass, sizeof macpass);
+            OPENSSL_strlcpy(macpass, pass, sizeof macpass);

        p12 = PKCS12_create(cpass, name, key, ucert, certs,
                            key_pbe, cert_pbe, iter, -1, keytype);
@@ -542,11 +538,15 @@ int pkcs12_main(int argc, char **argv)
    }

    if (!twopass)
-        BUF_strlcpy(macpass, pass, sizeof macpass);
+        OPENSSL_strlcpy(macpass, pass, sizeof macpass);

-    if ((options & INFO) && p12->mac)
+    if ((options & INFO) && PKCS12_mac_present(p12)) {
+        ASN1_INTEGER *tmaciter;
+
+        PKCS12_get0_mac(NULL, NULL, NULL, &tmaciter, p12);
        BIO_printf(bio_err, "MAC Iteration %ld\n",
-                   p12->mac->iter ? ASN1_INTEGER_get(p12->mac->iter) : 1);
+                   tmaciter  != NULL ? ASN1_INTEGER_get(tmaciter) : 1L);
+    }
    if (macver) {
        /* If we enter empty password try no password first */
        if (!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
@@ -644,15 +644,18 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,
    EVP_PKEY *pkey;
    PKCS8_PRIV_KEY_INFO *p8;
    X509 *x509;
+    STACK_OF(X509_ATTRIBUTE) *attrs;

-    switch (M_PKCS12_bag_type(bag)) {
+    attrs = PKCS12_SAFEBAG_get0_attrs(bag);
+
+    switch (PKCS12_SAFEBAG_get_nid(bag)) {
    case NID_keyBag:
        if (options & INFO)
            BIO_printf(bio_err, "Key bag\n");
        if (options & NOKEYS)
            return 1;
-        print_attribs(out, bag->attrib, "Bag Attributes");
-        p8 = bag->value.keybag;
+        print_attribs(out, attrs, "Bag Attributes");
+        p8 = PKCS12_SAFEBAG_get0_p8inf(bag);
        if ((pkey = EVP_PKCS82PKEY(p8)) == NULL)
            return 0;
        print_attribs(out, p8->attributes, "Key Attributes");
@@ -662,12 +665,15 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,

    case NID_pkcs8ShroudedKeyBag:
        if (options & INFO) {
+            X509_SIG *tp8;
+
            BIO_printf(bio_err, "Shrouded Keybag: ");
-            alg_print(bag->value.shkeybag->algor);
+            tp8 = PKCS12_SAFEBAG_get0_pkcs8(bag);
+            alg_print(tp8->algor);
        }
        if (options & NOKEYS)
            return 1;
-        print_attribs(out, bag->attrib, "Bag Attributes");
+        print_attribs(out, attrs, "Bag Attributes");
        if ((p8 = PKCS12_decrypt_skey(bag, pass, passlen)) == NULL)
            return 0;
        if ((pkey = EVP_PKCS82PKEY(p8)) == NULL) {
@@ -685,15 +691,15 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,
            BIO_printf(bio_err, "Certificate bag\n");
        if (options & NOCERTS)
            return 1;
-        if (PKCS12_get_attr(bag, NID_localKeyID)) {
+        if (PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID)) {
            if (options & CACERTS)
                return 1;
        } else if (options & CLCERTS)
            return 1;
-        print_attribs(out, bag->attrib, "Bag Attributes");
-        if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate)
+        print_attribs(out, attrs, "Bag Attributes");
+        if (PKCS12_SAFEBAG_get_bag_nid(bag) != NID_x509Certificate)
            return 1;
-        if ((x509 = PKCS12_certbag2x509(bag)) == NULL)
+        if ((x509 = PKCS12_SAFEBAG_get1_cert(bag)) == NULL)
            return 0;
        dump_cert_text(out, x509);
        PEM_write_bio_X509(out, x509);
@@ -703,13 +709,13 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,
    case NID_safeContentsBag:
        if (options & INFO)
            BIO_printf(bio_err, "Safe Contents bag\n");
-        print_attribs(out, bag->attrib, "Bag Attributes");
-        return dump_certs_pkeys_bags(out, bag->value.safes, pass,
-                                     passlen, options, pempass, enc);
+        print_attribs(out, attrs, "Bag Attributes");
+        return dump_certs_pkeys_bags(out, PKCS12_SAFEBAG_get0_safes(bag),
+                                     pass, passlen, options, pempass, enc);

    default:
        BIO_printf(bio_err, "Warning unsupported bag type: ");
-        i2a_ASN1_OBJECT(bio_err, bag->type);
+        i2a_ASN1_OBJECT(bio_err, PKCS12_SAFEBAG_get0_type(bag));
        BIO_printf(bio_err, "\n");
        return 1;
    }
@@ -718,36 +724,25 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,

 /* Given a single certificate return a verified chain or NULL if error */

-/* Hope this is OK .... */
-
-int get_cert_chain(X509 *cert, X509_STORE *store, STACK_OF(X509) **chain)
+static int get_cert_chain(X509 *cert, X509_STORE *store,
+                          STACK_OF(X509) **chain)
 {
    X509_STORE_CTX store_ctx;
-    STACK_OF(X509) *chn;
+    STACK_OF(X509) *chn = NULL;
    int i = 0;

-    /*
-     * FIXME: Should really check the return status of X509_STORE_CTX_init
-     * for an error, but how that fits into the return value of this function
-     * is less obvious.
-     */
-    X509_STORE_CTX_init(&store_ctx, store, cert, NULL);
-    if (X509_verify_cert(&store_ctx) <= 0) {
-        i = X509_STORE_CTX_get_error(&store_ctx);
-        if (i == 0)
-            /*
-             * avoid returning 0 if X509_verify_cert() did not set an
-             * appropriate error value in the context
-             */
-            i = -1;
-        chn = NULL;
-        goto err;
-    } else
+    if (!X509_STORE_CTX_init(&store_ctx, store, cert, NULL)) {
+        *chain = NULL;
+        return X509_V_ERR_UNSPECIFIED;
+    }
+
+    if (X509_verify_cert(&store_ctx) > 0)
        chn = X509_STORE_CTX_get1_chain(&store_ctx);
- err:
+    else if ((i = X509_STORE_CTX_get_error(&store_ctx)) == 0)
+        i = X509_V_ERR_UNSPECIFIED;
+
    X509_STORE_CTX_cleanup(&store_ctx);
    *chain = chn;
-
    return i;
 }

--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@@ -121,7 +121,7 @@ int pkcs8_main(int argc, char **argv)
    int informat = FORMAT_PEM, outformat = FORMAT_PEM, topk8 = 0, pbe_nid = -1;
    int private = 0;
 #ifndef OPENSSL_NO_SCRYPT
-    unsigned long scrypt_N = 0, scrypt_r = 0, scrypt_p = 0;
+    long scrypt_N = 0, scrypt_r = 0, scrypt_p = 0;
 #endif

    prog = opt_init(argc, argv, pkcs8_options);
@@ -210,15 +210,15 @@ int pkcs8_main(int argc, char **argv)
                cipher = EVP_aes_256_cbc();
            break;
        case OPT_SCRYPT_N:
-            if (!opt_ulong(opt_arg(), &scrypt_N))
+            if (!opt_long(opt_arg(), &scrypt_N) || scrypt_N <= 0)
                goto opthelp;
            break;
        case OPT_SCRYPT_R:
-            if (!opt_ulong(opt_arg(), &scrypt_r))
+            if (!opt_long(opt_arg(), &scrypt_r) || scrypt_r <= 0)
                goto opthelp;
            break;
        case OPT_SCRYPT_P:
-            if (!opt_ulong(opt_arg(), &scrypt_p))
+            if (!opt_long(opt_arg(), &scrypt_p) || scrypt_p <= 0)
                goto opthelp;
            break;
 #endif
--- a/apps/pkey.c
+++ b/apps/pkey.c
@@ -75,7 +75,7 @@ OPTIONS pkey_options[] = {
    {"outform", OPT_OUTFORM, 'F', "Output format (DER or PEM)"},
    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
    {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
-    {"in", OPT_IN, '<', "Input file"},
+    {"in", OPT_IN, 's', "Input key"},
    {"out", OPT_OUT, '>', "Output file"},
    {"pubin", OPT_PUBIN, '-',
     "Read public key from input (default is private key)"},
@@ -116,7 +116,7 @@ int pkey_main(int argc, char **argv)
            ret = 0;
            goto end;
        case OPT_INFORM:
-            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
+            if (!opt_format(opt_arg(), OPT_FMT_ANY, &informat))
                goto opthelp;
            break;
        case OPT_OUTFORM:
@@ -182,18 +182,20 @@ int pkey_main(int argc, char **argv)

    if (!noout) {
        if (outformat == FORMAT_PEM) {
-            assert(private);
            if (pubout)
                PEM_write_bio_PUBKEY(out, pkey);
-            else
+            else {
+                assert(private);
                PEM_write_bio_PrivateKey(out, pkey, cipher,
                                         NULL, 0, NULL, passout);
+            }
        } else if (outformat == FORMAT_ASN1) {
-            assert(private);
            if (pubout)
                i2d_PUBKEY_bio(out, pkey);
-            else
+            else {
+                assert(private);
                i2d_PrivateKey_bio(out, pkey);
+            }
        } else {
            BIO_printf(bio_err, "Bad format specified for key\n");
            goto end;
--- a/apps/pkeyutl.c
+++ b/apps/pkeyutl.c
@@ -67,10 +67,12 @@
 #define KEY_CERT        3

 static EVP_PKEY_CTX *init_ctx(int *pkeysize,
-                              char *keyfile, int keyform, int key_type,
-                              char *passinarg, int pkey_op, ENGINE *e);
+                              const char *keyfile, int keyform, int key_type,
+                              char *passinarg, int pkey_op, ENGINE *e,
+                              const int impl);

-static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file);
+static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
+                      ENGINE *e);

 static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
                    unsigned char *out, size_t *poutlen,
@@ -78,7 +80,7 @@ static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,

 typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
-    OPT_ENGINE, OPT_IN, OPT_OUT,
+    OPT_ENGINE, OPT_ENGINE_IMPL, OPT_IN, OPT_OUT,
    OPT_PUBIN, OPT_CERTIN, OPT_ASN1PARSE, OPT_HEXDUMP, OPT_SIGN,
    OPT_VERIFY, OPT_VERIFYRECOVER, OPT_REV, OPT_ENCRYPT, OPT_DECRYPT,
    OPT_DERIVE, OPT_SIGFILE, OPT_INKEY, OPT_PEERKEY, OPT_PASSIN,
@@ -87,29 +89,31 @@ typedef enum OPTION_choice {

 OPTIONS pkeyutl_options[] = {
    {"help", OPT_HELP, '-', "Display this summary"},
-    {"in", OPT_IN, '<', "Input file"},
-    {"out", OPT_OUT, '>', "Output file"},
+    {"in", OPT_IN, '<', "Input file - default stdin"},
+    {"out", OPT_OUT, '>', "Output file - default stdout"},
    {"pubin", OPT_PUBIN, '-', "Input is a public key"},
    {"certin", OPT_CERTIN, '-', "Input is a cert with a public key"},
-    {"asn1parse", OPT_ASN1PARSE, '-'},
+    {"asn1parse", OPT_ASN1PARSE, '-', "asn1parse the output data"},
    {"hexdump", OPT_HEXDUMP, '-', "Hex dump output"},
-    {"sign", OPT_SIGN, '-', "Sign with private key"},
+    {"sign", OPT_SIGN, '-', "Sign input data with private key"},
    {"verify", OPT_VERIFY, '-', "Verify with public key"},
    {"verifyrecover", OPT_VERIFYRECOVER, '-',
     "Verify with public key, recover original data"},
-    {"rev", OPT_REV, '-'},
-    {"encrypt", OPT_ENCRYPT, '-', "Encrypt with public key"},
-    {"decrypt", OPT_DECRYPT, '-', "Decrypt with private key"},
+    {"rev", OPT_REV, '-', "Reverse the order of the input buffer"},
+    {"encrypt", OPT_ENCRYPT, '-', "Encrypt input data with public key"},
+    {"decrypt", OPT_DECRYPT, '-', "Decrypt input data with private key"},
    {"derive", OPT_DERIVE, '-', "Derive shared secret"},
    {"sigfile", OPT_SIGFILE, '<', "Signature file (verify operation only)"},
-    {"inkey", OPT_INKEY, 's', "Input key"},
-    {"peerkey", OPT_PEERKEY, 's'},
+    {"inkey", OPT_INKEY, 's', "Input private key file"},
+    {"peerkey", OPT_PEERKEY, 's', "Peer key file used in key derivation"},
    {"passin", OPT_PASSIN, 's', "Pass phrase source"},
-    {"peerform", OPT_PEERFORM, 'F'},
-    {"keyform", OPT_KEYFORM, 'F', "Private key format - default PEM"},
+    {"peerform", OPT_PEERFORM, 'E', "Peer key format - default PEM"},
+    {"keyform", OPT_KEYFORM, 'E', "Private key format - default PEM"},
    {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
 #ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+    {"engine_impl", OPT_ENGINE_IMPL, '-',
+     "Also use engine given by -engine for crypto operations"},
 #endif
    {NULL}
 };
@@ -126,8 +130,12 @@ int pkeyutl_main(int argc, char **argv)
    int buf_inlen = 0, siglen = -1, keyform = FORMAT_PEM, peerform =
        FORMAT_PEM;
    int keysize = -1, pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY;
+    int engine_impl = 0;
    int ret = 1, rv = -1;
    size_t buf_outlen;
+    const char *inkey = NULL;
+    const char *peerkey = NULL;
+    STACK_OF(OPENSSL_STRING) *pkeyopts = NULL;

    prog = opt_init(argc, argv, pkeyutl_options);
    while ((o = opt_next()) != OPT_EOF) {
@@ -150,28 +158,24 @@ int pkeyutl_main(int argc, char **argv)
        case OPT_SIGFILE:
            sigfile = opt_arg();
            break;
+        case OPT_ENGINE_IMPL:
+            engine_impl = 1;
+            break;
        case OPT_INKEY:
-            ctx = init_ctx(&keysize, opt_arg(), keyform, key_type,
-                           passinarg, pkey_op, e);
-            if (ctx == NULL) {
-                BIO_puts(bio_err, "%s: Error initializing context\n");
-                ERR_print_errors(bio_err);
-                goto opthelp;
-            }
+            inkey = opt_arg();
            break;
        case OPT_PEERKEY:
-            if (!setup_peer(ctx, peerform, opt_arg()))
-                goto opthelp;
+            peerkey = opt_arg();
            break;
        case OPT_PASSIN:
            passinarg = opt_arg();
            break;
        case OPT_PEERFORM:
-            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &peerform))
+            if (!opt_format(opt_arg(), OPT_FMT_PDE, &peerform))
                goto opthelp;
            break;
        case OPT_KEYFORM:
-            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyform))
+            if (!opt_format(opt_arg(), OPT_FMT_PDE, &keyform))
                goto opthelp;
            break;
        case OPT_ENGINE:
@@ -198,9 +202,6 @@ int pkeyutl_main(int argc, char **argv)
        case OPT_VERIFYRECOVER:
            pkey_op = EVP_PKEY_OP_VERIFYRECOVER;
            break;
-        case OPT_REV:
-            rev = 1;
-            break;
        case OPT_ENCRYPT:
            pkey_op = EVP_PKEY_OP_ENCRYPT;
            break;
@@ -210,15 +211,14 @@ int pkeyutl_main(int argc, char **argv)
        case OPT_DERIVE:
            pkey_op = EVP_PKEY_OP_DERIVE;
            break;
+        case OPT_REV:
+            rev = 1;
+            break;
        case OPT_PKEYOPT:
-            if (ctx == NULL) {
-                BIO_printf(bio_err,
-                           "%s: Must have -inkey before -pkeyopt\n", prog);
-                goto opthelp;
-            }
-            if (pkey_ctrl_string(ctx, opt_arg()) <= 0) {
-                BIO_printf(bio_err, "%s: Can't set parameter:\n", prog);
-                ERR_print_errors(bio_err);
+            if ((pkeyopts == NULL &&
+                 (pkeyopts = sk_OPENSSL_STRING_new_null()) == NULL) ||
+                sk_OPENSSL_STRING_push(pkeyopts, *++argv) == 0) {
+                BIO_puts(bio_err, "out of memory\n");
                goto end;
            }
            break;
@@ -227,9 +227,37 @@ int pkeyutl_main(int argc, char **argv)
    argc = opt_num_rest();
    argv = opt_rest();

-    if (ctx == NULL)
+    if (inkey == NULL ||
+        (peerkey != NULL && pkey_op != EVP_PKEY_OP_DERIVE))
        goto opthelp;

+    ctx = init_ctx(&keysize, inkey, keyform, key_type,
+                   passinarg, pkey_op, e, engine_impl);
+    if (ctx == NULL) {
+        BIO_printf(bio_err, "%s: Error initializing context\n", prog);
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+    if (peerkey != NULL && !setup_peer(ctx, peerform, peerkey, e)) {
+        BIO_printf(bio_err, "%s: Error setting up peer key\n", prog);
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+    if (pkeyopts != NULL) {
+        int num = sk_OPENSSL_STRING_num(pkeyopts);
+        int i;
+
+        for (i = 0; i < num; ++i) {
+            const char *opt = sk_OPENSSL_STRING_value(pkeyopts, i);
+
+            if (pkey_ctrl_string(ctx, opt) <= 0) {
+                BIO_printf(bio_err, "%s: Can't set parameter:\n", prog);
+                ERR_print_errors(bio_err);
+                goto end;
+            }
+        }
+    }
+
    if (sigfile && (pkey_op != EVP_PKEY_OP_VERIFY)) {
        BIO_printf(bio_err,
                   "%s: Signature file specified for non verify\n", prog);
@@ -262,7 +290,7 @@ int pkeyutl_main(int argc, char **argv)
        }
        siglen = bio_to_mem(&sig, keysize * 10, sigbio);
        BIO_free(sigbio);
-        if (siglen <= 0) {
+        if (siglen < 0) {
            BIO_printf(bio_err, "Error reading signature data\n");
            goto end;
        }
@@ -271,7 +299,7 @@ int pkeyutl_main(int argc, char **argv)
    if (in) {
        /* Read the input data */
        buf_inlen = bio_to_mem(&buf_in, keysize * 10, in);
-        if (buf_inlen <= 0) {
+        if (buf_inlen < 0) {
            BIO_printf(bio_err, "Error reading input Data\n");
            exit(1);
        }
@@ -299,13 +327,13 @@ int pkeyutl_main(int argc, char **argv)
    }
    rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen,
                  buf_in, (size_t)buf_inlen);
-    if (rv > 0) {
+    if (rv > 0 && buf_outlen != 0) {
        buf_out = app_malloc(buf_outlen, "buffer output");
        rv = do_keyop(ctx, pkey_op,
                      buf_out, (size_t *)&buf_outlen,
                      buf_in, (size_t)buf_inlen);
    }
-    if (rv <= 0) {
+    if (rv < 0) {
        ERR_print_errors(bio_err);
        goto end;
    }
@@ -326,15 +354,18 @@ int pkeyutl_main(int argc, char **argv)
    OPENSSL_free(buf_in);
    OPENSSL_free(buf_out);
    OPENSSL_free(sig);
+    sk_OPENSSL_STRING_free(pkeyopts);
    return ret;
 }

 static EVP_PKEY_CTX *init_ctx(int *pkeysize,
-                              char *keyfile, int keyform, int key_type,
-                              char *passinarg, int pkey_op, ENGINE *e)
+                              const char *keyfile, int keyform, int key_type,
+                              char *passinarg, int pkey_op, ENGINE *e,
+                              const int engine_impl)
 {
    EVP_PKEY *pkey = NULL;
    EVP_PKEY_CTX *ctx = NULL;
+    ENGINE *impl = NULL;
    char *passin = NULL;
    int rv = -1;
    X509 *x;
@@ -372,7 +403,12 @@ static EVP_PKEY_CTX *init_ctx(int *pkeysize,
    if (!pkey)
        goto end;

-    ctx = EVP_PKEY_CTX_new(pkey, e);
+#ifndef OPENSSL_NO_ENGINE
+    if (engine_impl)
+        impl = e;
+#endif
+    
+    ctx = EVP_PKEY_CTX_new(pkey, impl);

    EVP_PKEY_free(pkey);

@@ -416,17 +452,16 @@ static EVP_PKEY_CTX *init_ctx(int *pkeysize,

 }

-static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file)
+static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
+                      ENGINE* e)
 {
    EVP_PKEY *peer = NULL;
+    ENGINE* engine = NULL;
    int ret;
-    if (!ctx) {
-        BIO_puts(bio_err, "-peerkey command before -inkey\n");
-        return 0;
-    }
-
-    peer = load_pubkey(file, peerform, 0, NULL, NULL, "Peer Key");

+    if (peerform == FORMAT_ENGINE)
+        engine = e;
+    peer = load_pubkey(file, peerform, 0, NULL, engine, "Peer Key");
    if (!peer) {
        BIO_printf(bio_err, "Error reading peer key %s\n", file);
        ERR_print_errors(bio_err);
--- a/apps/progs.h
+++ b/apps/progs.h
@@ -16,6 +16,8 @@ typedef struct function_st {
    const OPTIONS *help;
 } FUNCTION;

+DEFINE_LHASH_OF(FUNCTION);
+
 extern int asn1parse_main(int argc, char *argv[]);
 extern int ca_main(int argc, char *argv[]);
 extern int ciphers_main(int argc, char *argv[]);
@@ -31,9 +33,12 @@ extern int ecparam_main(int argc, char *argv[]);
 extern int enc_main(int argc, char *argv[]);
 extern int engine_main(int argc, char *argv[]);
 extern int errstr_main(int argc, char *argv[]);
+extern int exit_main(int argc, char *argv[]);
 extern int gendsa_main(int argc, char *argv[]);
 extern int genpkey_main(int argc, char *argv[]);
 extern int genrsa_main(int argc, char *argv[]);
+extern int help_main(int argc, char *argv[]);
+extern int list_main(int argc, char *argv[]);
 extern int nseq_main(int argc, char *argv[]);
 extern int ocsp_main(int argc, char *argv[]);
 extern int passwd_main(int argc, char *argv[]);
@@ -45,6 +50,7 @@ extern int pkeyparam_main(int argc, char *argv[]);
 extern int pkeyutl_main(int argc, char *argv[]);
 extern int prime_main(int argc, char *argv[]);
 extern int rand_main(int argc, char *argv[]);
+extern int rehash_main(int argc, char *argv[]);
 extern int req_main(int argc, char *argv[]);
 extern int rsa_main(int argc, char *argv[]);
 extern int rsautl_main(int argc, char *argv[]);
@@ -60,10 +66,6 @@ extern int ts_main(int argc, char *argv[]);
 extern int verify_main(int argc, char *argv[]);
 extern int version_main(int argc, char *argv[]);
 extern int x509_main(int argc, char *argv[]);
-extern int rehash_main(int argc, char *argv[]);
-extern int list_main(int argc, char *argv[]);
-extern int help_main(int argc, char *argv[]);
-extern int exit_main(int argc, char *argv[]);

 extern OPTIONS asn1parse_options[];
 extern OPTIONS ca_options[];
@@ -80,9 +82,12 @@ extern OPTIONS ecparam_options[];
 extern OPTIONS enc_options[];
 extern OPTIONS engine_options[];
 extern OPTIONS errstr_options[];
+extern OPTIONS exit_options[];
 extern OPTIONS gendsa_options[];
 extern OPTIONS genpkey_options[];
 extern OPTIONS genrsa_options[];
+extern OPTIONS help_options[];
+extern OPTIONS list_options[];
 extern OPTIONS nseq_options[];
 extern OPTIONS ocsp_options[];
 extern OPTIONS passwd_options[];
@@ -94,6 +99,7 @@ extern OPTIONS pkeyparam_options[];
 extern OPTIONS pkeyutl_options[];
 extern OPTIONS prime_options[];
 extern OPTIONS rand_options[];
+extern OPTIONS rehash_options[];
 extern OPTIONS req_options[];
 extern OPTIONS rsa_options[];
 extern OPTIONS rsautl_options[];
@@ -109,10 +115,6 @@ extern OPTIONS ts_options[];
 extern OPTIONS verify_options[];
 extern OPTIONS version_options[];
 extern OPTIONS x509_options[];
-extern OPTIONS rehash_options[];
-extern OPTIONS list_options[];
-extern OPTIONS help_options[];
-extern OPTIONS exit_options[];

 #ifdef INCLUDE_FUNCTION_TABLE
 static FUNCTION functions[] = {
@@ -147,6 +149,7 @@ static FUNCTION functions[] = {
    { FT_general, "engine", engine_main, engine_options },
 #endif
    { FT_general, "errstr", errstr_main, errstr_options },
+    { FT_general, "exit", exit_main, exit_options },
 #ifndef OPENSSL_NO_DSA
    { FT_general, "gendsa", gendsa_main, gendsa_options },
 #endif
@@ -154,6 +157,8 @@ static FUNCTION functions[] = {
 #ifndef OPENSSL_NO_RSA
    { FT_general, "genrsa", genrsa_main, genrsa_options },
 #endif
+    { FT_general, "help", help_main, help_options },
+    { FT_general, "list", list_main, list_options },
    { FT_general, "nseq", nseq_main, nseq_options },
 #ifndef OPENSSL_NO_OCSP
    { FT_general, "ocsp", ocsp_main, ocsp_options },
@@ -169,6 +174,7 @@ static FUNCTION functions[] = {
    { FT_general, "pkeyutl", pkeyutl_main, pkeyutl_options },
    { FT_general, "prime", prime_main, prime_options },
    { FT_general, "rand", rand_main, rand_options },
+    { FT_general, "rehash", rehash_main, rehash_options },
    { FT_general, "req", req_main, req_options },
 #ifndef OPENSSL_NO_RSA
    { FT_general, "rsa", rsa_main, rsa_options },
@@ -196,10 +202,6 @@ static FUNCTION functions[] = {
    { FT_general, "verify", verify_main, verify_options },
    { FT_general, "version", version_main, version_options },
    { FT_general, "x509", x509_main, x509_options },
-    { FT_general, "rehash", rehash_main, rehash_options },
-    { FT_general, "list", list_main, list_options },
-    { FT_general, "help", help_main, help_options },
-    { FT_general, "exit", exit_main, exit_options },
 #ifndef OPENSSL_NO_MD2
    { FT_md, "md2", dgst_main},
 #endif
@@ -212,7 +214,6 @@ static FUNCTION functions[] = {
 #ifndef OPENSSL_NO_MD_GHOST94
    { FT_md, "md_ghost94", dgst_main},
 #endif
-    { FT_md, "sha", dgst_main},
    { FT_md, "sha1", dgst_main},
    { FT_md, "sha224", dgst_main},
    { FT_md, "sha256", dgst_main},
--- a/apps/progs.pl
+++ b/apps/progs.pl
@@ -1,5 +1,23 @@
-#!/usr/local/bin/perl
-# Generate progs.h file from list of "programs" passed on the command line.
+#!/usr/bin/perl
+# Generate progs.h file by looking for command mains in list of C files
+# passed on the command line.
+
+use strict;
+use warnings;
+
+my %commands = ();
+my $cmdre = qr/^\s*int\s+([a-z_][a-z0-9_]*)_main\(\s*int\s+argc\s*,/;
+
+foreach my $filename (@ARGV) {
+	open F, $filename or die "Coudn't open $_: $!\n";
+	foreach (grep /$cmdre/, <F>) {
+		my @foo = /$cmdre/;
+		$commands{$1} = 1;
+	}
+	close F;
+}
+
+@ARGV = sort keys %commands;

 print <<'EOF';
 /*
@@ -20,14 +38,9 @@ typedef struct function_st {
    const OPTIONS *help;
 } FUNCTION;

-EOF
+DEFINE_LHASH_OF(FUNCTION);

-grep(s/\.o//, @ARGV);
-grep(s/^asn1pars$/asn1parse/, @ARGV);
-grep(s/^crl2p7$/crl2pkcs7/, @ARGV);
-push @ARGV, 'list';
-push @ARGV, 'help';
-push @ARGV, 'exit';
+EOF

 foreach (@ARGV) {
 	printf "extern int %s_main(int argc, char *argv[]);\n", $_;
@@ -41,7 +54,7 @@ foreach (@ARGV) {
 print "\n#ifdef INCLUDE_FUNCTION_TABLE\n";
 print "static FUNCTION functions[] = {\n";
 foreach (@ARGV) {
-	$str="    { FT_general, \"$_\", ${_}_main, ${_}_options },\n";
+	my $str="    { FT_general, \"$_\", ${_}_main, ${_}_options },\n";
 	if (/^s_/ || /^ciphers$/) {
 		print "#if !defined(OPENSSL_NO_SOCK)\n${str}#endif\n";
 	} elsif (/^engine$/) {
@@ -70,7 +83,7 @@ foreach (@ARGV) {
 foreach (
 	"md2", "md4", "md5",
 	"md_ghost94",
-	"sha", "sha1", "sha224", "sha256", "sha384", "sha512",
+	"sha1", "sha224", "sha256", "sha384", "sha512",
 	"mdc2", "rmd160"
 ) {
        printf "#ifndef OPENSSL_NO_".uc($_)."\n" if ! /sha/;
@@ -99,7 +112,7 @@ foreach (
 	"cast5-cbc","cast5-ecb", "cast5-cfb","cast5-ofb",
 	"cast-cbc", "rc5-cbc",   "rc5-ecb",  "rc5-cfb",  "rc5-ofb"
 ) {
-	$str="    { FT_cipher, \"$_\", enc_main, enc_options },\n";
+	my $str="    { FT_cipher, \"$_\", enc_main, enc_options },\n";
 	if (/des/) {
 		printf "#ifndef OPENSSL_NO_DES\n${str}#endif\n";
 	} elsif (/aes/) {
--- a/apps/rand.c
+++ b/apps/rand.c
@@ -121,9 +121,7 @@ int rand_main(int argc, char **argv)
    argc = opt_num_rest();
    argv = opt_rest();

-    if (argc != 1)
-        goto opthelp;
-    if (sscanf(argv[0], "%d", &num) != 1 || num < 0)
+    if (argc != 1 || !opt_int(argv[0], &num) || num < 0)
        goto opthelp;

    app_RAND_load_file(NULL, (inrand != NULL));
--- a/apps/rehash.c
+++ b/apps/rehash.c
@@ -175,7 +175,7 @@ static int add_entry(enum Type type, unsigned int hash, const char *filename,
        ep = app_malloc(sizeof(*ep), "collision bucket");
        *ep = nilhentry;
        ep->old_id = ~0;
-        ep->filename = BUF_strdup(filename);
+        ep->filename = OPENSSL_strdup(filename);
        if (bp->last_entry)
            bp->last_entry->next = ep;
        if (bp->first_entry == NULL)
@@ -468,7 +468,7 @@ int rehash_main(int argc, char **argv)
        while (*argv)
            errs += do_dir(*argv++, h);
    } else if ((env = getenv("SSL_CERT_DIR")) != NULL) {
-        m = BUF_strdup(env);
+        m = OPENSSL_strdup(env);
        for (e = strtok(m, ":"); e != NULL; e = strtok(NULL, ":"))
            errs += do_dir(e, h);
        OPENSSL_free(m);
--- a/apps/req.c
+++ b/apps/req.c
@@ -89,8 +89,8 @@
 #define STRING_MASK     "string_mask"
 #define UTF8_IN         "utf8"

-#define DEFAULT_KEY_LENGTH      512
-#define MIN_KEY_LENGTH          384
+#define DEFAULT_KEY_LENGTH      2048
+#define MIN_KEY_LENGTH          512

 static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *dn, int mutlirdn,
                    int attribs, unsigned long chtype);
@@ -136,8 +136,8 @@ OPTIONS req_options[] = {
    {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
    {"in", OPT_IN, '<', "Input file"},
    {"out", OPT_OUT, '>', "Output file"},
-    {"key", OPT_KEY, '<', "Use the private key contained in file"},
-    {"keyform", OPT_KEYFORM, 'F', "Key file format"},
+    {"key", OPT_KEY, 's', "Private key to use"},
+    {"keyform", OPT_KEYFORM, 'f', "Key file format"},
    {"pubkey", OPT_PUBKEY, '-', "Output public key"},
    {"new", OPT_NEW, '-', "New request"},
    {"config", OPT_CONFIG, '<', "Request template file"},
@@ -235,7 +235,7 @@ int req_main(int argc, char **argv)
                goto opthelp;
            break;
        case OPT_ENGINE:
-            (void)setup_engine(opt_arg(), 0);
+            e = setup_engine(opt_arg(), 0);
            break;
        case OPT_KEYGEN_ENGINE:
 #ifndef OPENSSL_NO_ENGINE
@@ -259,7 +259,7 @@ int req_main(int argc, char **argv)
            template = opt_arg();
            break;
        case OPT_KEYFORM:
-            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyform))
+            if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform))
                goto opthelp;
            break;
        case OPT_IN:
@@ -811,7 +811,7 @@ int req_main(int argc, char **argv)
        fprintf(stdout, "Modulus=");
 #ifndef OPENSSL_NO_RSA
        if (EVP_PKEY_base_id(tpubkey) == EVP_PKEY_RSA)
-            BN_print(out, tpubkey->pkey.rsa->n);
+            BN_print(out, EVP_PKEY_get0_RSA(tpubkey)->n);
        else
 #endif
            fprintf(stdout, "Wrong Algorithm type");
@@ -1189,8 +1189,8 @@ static int add_DN_object(X509_NAME *n, char *text, const char *def,
        BIO_printf(bio_err, "%s [%s]:", text, def);
    (void)BIO_flush(bio_err);
    if (value != NULL) {
-        BUF_strlcpy(buf, value, sizeof buf);
-        BUF_strlcat(buf, "\n", sizeof buf);
+        OPENSSL_strlcpy(buf, value, sizeof buf);
+        OPENSSL_strlcat(buf, "\n", sizeof buf);
        BIO_printf(bio_err, "%s\n", value);
    } else {
        buf[0] = '\0';
@@ -1208,8 +1208,8 @@ static int add_DN_object(X509_NAME *n, char *text, const char *def,
    else if (buf[0] == '\n') {
        if ((def == NULL) || (def[0] == '\0'))
            return (1);
-        BUF_strlcpy(buf, def, sizeof buf);
-        BUF_strlcat(buf, "\n", sizeof buf);
+        OPENSSL_strlcpy(buf, def, sizeof buf);
+        OPENSSL_strlcat(buf, "\n", sizeof buf);
    } else if ((buf[0] == '.') && (buf[1] == '\n'))
        return (1);

@@ -1248,8 +1248,8 @@ static int add_attribute_object(X509_REQ *req, char *text, const char *def,
        BIO_printf(bio_err, "%s [%s]:", text, def);
    (void)BIO_flush(bio_err);
    if (value != NULL) {
-        BUF_strlcpy(buf, value, sizeof buf);
-        BUF_strlcat(buf, "\n", sizeof buf);
+        OPENSSL_strlcpy(buf, value, sizeof buf);
+        OPENSSL_strlcat(buf, "\n", sizeof buf);
        BIO_printf(bio_err, "%s\n", value);
    } else {
        buf[0] = '\0';
@@ -1267,8 +1267,8 @@ static int add_attribute_object(X509_REQ *req, char *text, const char *def,
    else if (buf[0] == '\n') {
        if ((def == NULL) || (def[0] == '\0'))
            return (1);
-        BUF_strlcpy(buf, def, sizeof buf);
-        BUF_strlcat(buf, "\n", sizeof buf);
+        OPENSSL_strlcpy(buf, def, sizeof buf);
+        OPENSSL_strlcat(buf, "\n", sizeof buf);
    } else if ((buf[0] == '.') && (buf[1] == '\n'))
        return (1);

@@ -1428,7 +1428,7 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
            return NULL;
        }
        EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &anam, ameth);
-        *palgnam = BUF_strdup(anam);
+        *palgnam = OPENSSL_strdup(anam);
 #ifndef OPENSSL_NO_ENGINE
        if (tmpeng)
            ENGINE_finish(tmpeng);
@@ -1451,6 +1451,7 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
    if (EVP_PKEY_keygen_init(gctx) <= 0) {
        BIO_puts(bio_err, "Error initializing keygen context\n");
        ERR_print_errors(bio_err);
+        EVP_PKEY_CTX_free(gctx);
        return NULL;
    }
 #ifndef OPENSSL_NO_RSA
--- a/Show More
+++ b/Show More