revert fipslink.pl unlink retry change

give a hand old assemblers assembling loop instruction. (original by Andy)
typo
2012-01-18 15:07:11 +00:00 · 2012-01-18 14:54:20 +00:00 · 2012-01-03 19:43:06 +00:00 · 2012-01-03 14:23:54 +00:00 · 2012-01-03 14:22:45 +00:00 · 2011-12-12 14:02:57 +00:00
2694 changed files with 405272 additions and 432943 deletions
--- a/.cvsignore
+++ b/.cvsignore
@@ -0,0 +1,20 @@
 openssl.pc
 libcrypto.pc
 libssl.pc
 MINFO
 makefile.one
 outinc
 rehash.time
 testlog
 make.log
 maketest.log
 cctest
 cctest.c
 cctest.a
 *.flc
 semantic.cache
 Makefile
 *.dll*
 *.so*
 *.sl*
 *.dylib*
--- a/.gitignore
+++ b/.gitignore
@@ -1,132 +0,0 @@
 # Object files
 *.o
 *.obj
 # editor artefacts
 *.swp
 .#*
 \#*#
 *~
 /.dir-locals.el
 # Top level excludes
 /Makefile.orig
 /Makefile
 /MINFO
 /TABLE
 /*.a
 /*.pc
 /rehash.time
 /inc.*
 /makefile.*
 /out.*
 /tmp.*
 **/Makefile
 /test/*.ss
 /test/*.srl
 /test/.rnd
 /test/test*.pem
 /test/newkey.pem
 /test/*.log
 # Certificate symbolic links
 *.0
 # Links under apps
 /apps/CA.pl
 /apps/md4.c
 # Auto generated headers
 /crypto/buildinf.h
 /crypto/opensslconf.h
 # Auto generated assembly language source files
 *.s
 !/crypto/*/asm/*.s
 /crypto/arm*.S
 /crypto/*/*.S
 *.asm
 !/crypto/*/asm/*.asm
 # Executables
 /apps/openssl
 /test/sha256t
 /test/sha512t
 /test/gost2814789t
 /test/*test
 /test/fips_aesavs
 /test/fips_desmovs
 /test/fips_dhvs
 /test/fips_drbgvs
 /test/fips_dssvs
 /test/fips_ecdhvs
 /test/fips_ecdsavs
 /test/fips_rngvs
 /test/fips_test_suite
 *.so*
 *.dylib*
 *.dll*
 *.exe
 # Exceptions
 !/test/bctest
 !/crypto/des/times/486-50.sol
 # Misc auto generated files
 include/openssl/opensslconf.h
 /tools/c_rehash
 lib
 Makefile.save
 *.bak
 tags
 TAGS
 cscope.out
 *.d
 crypto.map
 ssl.map
 # Windows
 /tmp32
 /tmp32.dbg
 /tmp32dll
 /tmp32dll.dbg
 /out32
 /out32.dbg
 /out32dll
 /out32dll.dbg
 /inc32
 /MINFO
 ms/bcb.mak
 ms/libeay32.def
 ms/nt.mak
 ms/ntdll.mak
 ms/ssleay32.def
 ms/version32.rc
 # Files created on other branches that are not held in git, and are not
 # needed on this branch
 include/openssl/asn1_mac.h
 include/openssl/des_old.h
 include/openssl/fips.h
 include/openssl/fips_rand.h
 include/openssl/krb5_asn.h
 include/openssl/kssl.h
 include/openssl/pq_compat.h
 include/openssl/ssl23.h
 include/openssl/tmdiff.h
 include/openssl/ui_compat.h
 test/fips_aesavs.c
 test/fips_desmovs.c
 test/fips_dsatest.c
 test/fips_dssvs.c
 test/fips_hmactest.c
 test/fips_randtest.c
 test/fips_rngvs.c
 test/fips_rsagtest.c
 test/fips_rsastest.c
 test/fips_rsavtest.c
 test/fips_shatest.c
 test/fips_test_suite.c
 test/shatest.c
--- a/.travis-create-release.sh
+++ b/.travis-create-release.sh
@@ -1,10 +0,0 @@
 #! /bin/sh
 # $1 is expected to be $TRAVIS_OS_NAME
 if [ "$1" == osx ]; then
    make -f Makefile.in \
 	 DISTTARVARS="NAME=_srcdist TAR_COMMAND='\$\$(TAR) \$\$(TARFLAGS) -s \"|^|\$\$(NAME)/|\" -T \$\$(TARFILE).list -cvf -' TARFLAGS='-n' TARFILE=_srcdist.tar" SHELL='sh -vx' dist
 else
    make -f Makefile.in DISTTARVARS='TARFILE=_srcdist.tar NAME=_srcdist' SHELL='sh -v' dist
 fi
--- a/.travis.yml
+++ b/.travis.yml
@@ -1,96 +0,0 @@
 language: c
 addons:
    apt:
        packages:
            - clang-3.6
            - gcc-5
            - binutils-mingw-w64
            - gcc-mingw-w64
            - wine
        sources:
            - llvm-toolchain-precise-3.6
            - ubuntu-toolchain-r-test
 os:
    - linux
    - osx
 compiler:
    - clang
    - clang-3.6
    - gcc
    - gcc-5
    - i686-w64-mingw32-gcc
    - x86_64-w64-mingw32-gcc
 env:
    - CONFIG_OPTS=""
    - CONFIG_OPTS="shared"
    - CONFIG_OPTS="no-asm"
    - CONFIG_OPTS="--debug --strict-warnings"
 matrix:
    include:
        - os: linux
          compiler: clang-3.6
          env: CONFIG_OPTS="-fsanitize=address"
        - os: linux
          compiler: clang-3.6
          env: CONFIG_OPTS="no-asm --debug --strict-warnings -fno-sanitize-recover -fsanitize=address -fsanitize=undefined"
        - os: linux
          compiler: gcc-5
          env: CONFIG_OPTS="-fsanitize=address"
        - os: linux
          compiler: gcc-5
          env: CONFIG_OPTS="no-asm --debug --strict-warnings -fno-sanitize-recover -fsanitize=address -fsanitize=undefined"
    exclude:
        - os: osx
          compiler: clang-3.6
        - os: osx
          compiler: gcc-5
        - os: osx
          compiler: i686-w64-mingw32-gcc
        - os: osx
          compiler: x86_64-w64-mingw32-gcc
        - compiler: i686-w64-mingw32-gcc
          env: CONFIG_OPTS="shared"
        - compiler: x86_64-w64-mingw32-gcc
          env: CONFIG_OPTS="shared"
        - compiler: i686-w64-mingw32-gcc
          env: CONFIG_OPTS="no-asm"
        - compiler: x86_64-w64-mingw32-gcc
          env: CONFIG_OPTS="no-asm"
    allow_failures:
        - compiler: i686-w64-mingw32-gcc
          env: CONFIG_OPTS="--debug --strict-warnings"
        - compiler: x86_64-w64-mingw32-gcc
          env: CONFIG_OPTS="--debug --strict-warnings"
 before_script:
    - sh .travis-create-release.sh $TRAVIS_OS_NAME
    - tar -xvzf _srcdist.tar.gz
    - cd _srcdist
    - if [ "$CC" == i686-w64-mingw32-gcc ]; then
          export CROSS_COMPILE=${CC%%gcc}; unset CC;
          ./Configure mingw $CONFIG_OPTS -Wno-pedantic-ms-format;
      elif [ "$CC" == x86_64-w64-mingw32-gcc ]; then
          export CROSS_COMPILE=${CC%%gcc}; unset CC;
          ./Configure mingw64 $CONFIG_OPTS -Wno-pedantic-ms-format;
      else
          ./config $CONFIG_OPTS;
      fi
    - cd ..
 script:
    - cd _srcdist
    - make
    - if [ -n "$CROSS_COMPILE" ]; then
          export EXE_SHELL="wine" WINEPREFIX=`pwd`;
      fi
    - make test
    - cd ..
 notifications:
    email:
        - openssl-commits@openssl.org
--- a/2
+++ b/2
@@ -1,2 +0,0 @@
 Please https://www.openssl.org/community/thanks.html for the current
 acknowledgements.
--- a/25
+++ b/25
@@ -0,0 +1,25 @@
 The OpenSSL project depends on volunteer efforts and financial support from
 the end user community. That support comes in the form of donations and paid
 sponsorships, software support contracts, paid consulting services
 and commissioned software development.
 Since all these activities support the continued development and improvement
 of OpenSSL we consider all these clients and customers as sponsors of the
 OpenSSL project.
 We would like to identify and thank the following such sponsors for their past
 or current significant support of the OpenSSL project:
 Very significant support:
 	OpenGear: www.opengear.com
 Significant support:
 	PSW Group: www.psw.net
 Please note that we ask permission to identify sponsors and that some sponsors
 we consider eligible for inclusion here have requested to remain anonymous.
 Additional sponsorship or financial support is always welcome: for more
 information please contact the OpenSSL Software Foundation.
--- a/2025
+++ b/2025
--- a/CHANGES.SSLeay
+++ b/CHANGES.SSLeay
@@ -0,0 +1,968 @@
 This file contains the changes for the SSLeay library up to version
 0.9.0b. For later changes, see the file "CHANGES".
  SSLeay CHANGES
  ______________
 Changes between 0.8.x and 0.9.0b
 10-Apr-1998
 I said the next version would go out at easter, and so it shall.
 I expect a 0.9.1 will follow with portability fixes in the next few weeks.
 This is a quick, meet the deadline.  Look to ssl-users for comments on what
 is new etc.
 eric (about to go bushwalking for the 4 day easter break :-)
 16-Mar-98
    - Patch for Cray T90 from Wayne Schroeder <schroede@SDSC.EDU>
    - Lots and lots of changes
 29-Jan-98
    - ASN1_BIT_STRING_set_bit()/ASN1_BIT_STRING_get_bit() from
      Goetz Babin-Ebell <babinebell@trustcenter.de>.
    - SSL_version() now returns SSL2_VERSION, SSL3_VERSION or
      TLS1_VERSION.
 7-Jan-98
    - Finally reworked the cipher string to ciphers again, so it
      works correctly
    - All the app_data stuff is now ex_data with funcion calls to access.
      The index is supplied by a function and 'methods' can be setup
      for the types that are called on XXX_new/XXX_free.  This lets
      applications get notified on creation and destruction.  Some of
      the RSA methods could be implemented this way and I may do so.
    - Oh yes, SSL under perl5 is working at the basic level.
 15-Dec-97
    - Warning - the gethostbyname cache is not fully thread safe,
      but it should work well enough.
    - Major internal reworking of the app_data stuff.  More functions
      but if you were accessing ->app_data directly, things will
      stop working.
    - The perlv5 stuff is working.  Currently on message digests,
      ciphers and the bignum library.
 9-Dec-97
    - Modified re-negotiation so that server initated re-neg
      will cause a SSL_read() to return -1 should retry.
      The danger otherwise was that the server and the
      client could end up both trying to read when using non-blocking
      sockets.
 4-Dec-97
    - Lots of small changes
    - Fix for binaray mode in Windows for the FILE BIO, thanks to
      Bob Denny <rdenny@dc3.com>
 17-Nov-97
    - Quite a few internal cleanups, (removal of errno, and using macros
      defined in e_os.h).
    - A bug in ca.c, pointed out by yasuyuki-ito@d-cruise.co.jp, where
      the automactic naming out output files was being stuffed up.
 29-Oct-97
    - The Cast5 cipher has been added.  MD5 and SHA-1 are now in assember
      for x86.
 21-Oct-97
    - Fixed a bug in the BIO_gethostbyname() cache.
 15-Oct-97
    - cbc mode for blowfish/des/3des is now in assember.  Blowfish asm
      has also been improved.  At this point in time, on the pentium,
      md5 is %80 faster, the unoptimesed sha-1 is %79 faster,
      des-cbc is %28 faster, des-ede3-cbc is %9 faster and blowfish-cbc
      is %62 faster.
 12-Oct-97
    - MEM_BUF_grow() has been fixed so that it always sets the buf->length
      to the value we are 'growing' to.  Think of MEM_BUF_grow() as the
      way to set the length value correctly.
 10-Oct-97
    - I now hash for certificate lookup on the raw DER encoded RDN (md5).
      This breaks things again :-(.  This is efficent since I cache
      the DER encoding of the RDN.
    - The text DN now puts in the numeric OID instead of UNKNOWN.
    - req can now process arbitary OIDs in the config file.
    - I've been implementing md5 in x86 asm, much faster :-).
    - Started sha1 in x86 asm, needs more work.
    - Quite a few speedups in the BN stuff.  RSA public operation
      has been made faster by caching the BN_MONT_CTX structure.
      The calulating of the Ai where A*Ai === 1 mod m was rather
      expensive.  Basically a 40-50% speedup on public operations.
      The RSA speedup is now 15% on pentiums and %20 on pentium
      pro.
 30-Sep-97
    - After doing some profiling, I added x86 adm for bn_add_words(),
      which just adds 2 arrays of longs together.  A %10 speedup
      for 512 and 1024 bit RSA on the pentium pro.
 29-Sep-97
    - Converted the x86 bignum assembler to us the perl scripts
      for generation.
 23-Sep-97
    - If SSL_set_session() is passed a NULL session, it now clears the
      current session-id.
 22-Sep-97
    - Added a '-ss_cert file' to apps/ca.c.  This will sign selfsigned
      certificates.
    - Bug in crypto/evp/encode.c where by decoding of 65 base64
      encoded lines, one line at a time (via a memory BIO) would report
      EOF after the first line was decoded.
    - Fix in X509_find_by_issuer_and_serial() from
      Dr Stephen Henson <shenson@bigfoot.com>
 19-Sep-97
    - NO_FP_API and NO_STDIO added.
    - Put in sh config command.  It auto runs Configure with the correct
      parameters.
 18-Sep-97
    - Fix x509.c so if a DSA cert has different parameters to its parent,
      they are left in place.  Not tested yet.
 16-Sep-97
    - ssl_create_cipher_list() had some bugs, fixes from
      Patrick Eisenacher <eisenach@stud.uni-frankfurt.de>
    - Fixed a bug in the Base64 BIO, where it would return 1 instead
      of -1 when end of input was encountered but should retry.
      Basically a Base64/Memory BIO interaction problem.
    - Added a HMAC set of functions in preporarion for TLS work.
 15-Sep-97
    - Top level makefile tweak - Cameron Simpson <cs@zip.com.au>
    - Prime generation spead up %25 (512 bit prime, pentium pro linux)
      by using montgomery multiplication in the prime number test.
 11-Sep-97
    - Ugly bug in ssl3_write_bytes().  Basically if application land
      does a SSL_write(ssl,buf,len) where len > 16k, the SSLv3 write code
      did not check the size and tried to copy the entire buffer.
      This would tend to cause memory overwrites since SSLv3 has
      a maximum packet size of 16k.  If your program uses
      buffers <= 16k, you would probably never see this problem.
    - Fixed a few errors that were cause by malloc() not returning
      0 initialised memory..
    - SSL_OP_NETSCAPE_CA_DN_BUG was being switched on when using
      SSL_CTX_set_options(ssl_ctx,SSL_OP_ALL); which was a bad thing
      since this flags stops SSLeay being able to handle client
      cert requests correctly.
 08-Sep-97
    - SSL_SESS_CACHE_NO_INTERNAL_LOOKUP option added.  When switched
      on, the SSL server routines will not use a SSL_SESSION that is
      held in it's cache.  This in intended to be used with the session-id
      callbacks so that while the session-ids are still stored in the
      cache, the decision to use them and how to look them up can be
      done by the callbacks.  The are the 'new', 'get' and 'remove'
      callbacks.  This can be used to determine the session-id
      to use depending on information like which port/host the connection
      is coming from.  Since the are also SSL_SESSION_set_app_data() and
      SSL_SESSION_get_app_data() functions, the application can hold
      information against the session-id as well.
 03-Sep-97
    - Added lookup of CRLs to the by_dir method,
      X509_load_crl_file() also added.  Basically it means you can
      lookup CRLs via the same system used to lookup certificates.
    - Changed things so that the X509_NAME structure can contain
      ASN.1 BIT_STRINGS which is required for the unique
      identifier OID.
    - Fixed some problems with the auto flushing of the session-id
      cache.  It was not occuring on the server side.
 02-Sep-97
    - Added SSL_CTX_sess_cache_size(SSL_CTX *ctx,unsigned long size)
      which is the maximum number of entries allowed in the
      session-id cache.  This is enforced with a simple FIFO list.
      The default size is 20*1024 entries which is rather large :-).
      The Timeout code is still always operating.
 01-Sep-97
    - Added an argument to all the 'generate private key/prime`
      callbacks.  It is the last parameter so this should not
      break existing code but it is needed for C++.
    - Added the BIO_FLAGS_BASE64_NO_NL flag for the BIO_f_base64()
      BIO.  This lets the BIO read and write base64 encoded data
      without inserting or looking for '\n' characters.  The '-A'
      flag turns this on when using apps/enc.c.
    - RSA_NO_PADDING added to help BSAFE functionality.  This is a
      very dangerous thing to use, since RSA private key
      operations without random padding bytes (as PKCS#1 adds) can
      be attacked such that the private key can be revealed.
    - ASN.1 bug and rc2-40-cbc and rc4-40 added by
      Dr Stephen Henson <shenson@bigfoot.com>
 31-Aug-97 (stuff added while I was away)    
    - Linux pthreads by Tim Hudson (tjh@cryptsoft.com).
    - RSA_flags() added allowing bypass of pub/priv match check
      in ssl/ssl_rsa.c - Tim Hudson.
    - A few minor bugs.
 SSLeay 0.8.1 released.
 19-Jul-97
    - Server side initated dynamic renegotiation is broken.  I will fix
      it when I get back from holidays.
 15-Jul-97
    - Quite a few small changes.
    - INVALID_SOCKET usage cleanups from Alex Kiernan <alex@hisoft.co.uk>
 09-Jul-97
    - Added 2 new values to the SSL info callback.
      SSL_CB_START which is passed when the SSL protocol is started
      and SSL_CB_DONE when it has finished sucsessfully.
 08-Jul-97
    - Fixed a few bugs problems in apps/req.c and crypto/asn1/x_pkey.c
      that related to DSA public/private keys.
    - Added all the relevent PEM and normal IO functions to support
      reading and writing RSAPublic keys.
    - Changed makefiles to use ${AR} instead of 'ar r'
 07-Jul-97
    - Error in ERR_remove_state() that would leave a dangling reference
      to a free()ed location - thanks to Alex Kiernan <alex@hisoft.co.uk>
    - s_client now prints the X509_NAMEs passed from the server
      when requesting a client cert.
    - Added a ssl->type, which is one of SSL_ST_CONNECT or
      SSL_ST_ACCEPT.  I had to add it so I could tell if I was
      a connect or an accept after the handshake had finished.
    - SSL_get_client_CA_list(SSL *s) now returns the CA names
      passed by the server if called by a client side SSL.
 05-Jul-97
    - Bug in X509_NAME_get_text_by_OBJ(), looking starting at index
      0, not -1 :-(  Fix from Tim Hudson (tjh@cryptsoft.com).
 04-Jul-97
    - Fixed some things in X509_NAME_add_entry(), thanks to
      Matthew Donald <matthew@world.net>.
    - I had a look at the cipher section and though that it was a
      bit confused, so I've changed it.
    - I was not setting up the RC4-64-MD5 cipher correctly.  It is
      a MS special that appears in exported MS Money.
    - Error in all my DH ciphers.  Section 7.6.7.3 of the SSLv3
      spec.  I was missing the two byte length header for the
      ClientDiffieHellmanPublic value.  This is a packet sent from
      the client to the server.  The SSL_OP_SSLEAY_080_CLIENT_DH_BUG
      option will enable SSLeay server side SSLv3 accept either
      the correct or my 080 packet format.
    - Fixed a few typos in crypto/pem.org.
 02-Jul-97
    - Alias mapping for EVP_get_(digest|cipher)byname is now
      performed before a lookup for actual cipher.  This means
      that an alias can be used to 're-direct' a cipher or a
      digest.
    - ASN1_read_bio() had a bug that only showed up when using a
      memory BIO.  When EOF is reached in the memory BIO, it is
      reported as a -1 with BIO_should_retry() set to true.
 01-Jul-97
    - Fixed an error in X509_verify_cert() caused by my
      miss-understanding how 'do { contine } while(0);' works.
      Thanks to Emil Sit <sit@mit.edu> for educating me :-)
 30-Jun-97
    - Base64 decoding error.  If the last data line did not end with
      a '=', sometimes extra data would be returned.
    - Another 'cut and paste' bug in x509.c related to setting up the
      STDout BIO.
 27-Jun-97
    - apps/ciphers.c was not printing due to an editing error.
    - Alex Kiernan <alex@hisoft.co.uk> send in a nice fix for
      a library build error in util/mk1mf.pl
 26-Jun-97
    - Still did not have the auto 'experimental' code removal
      script correct.
    - A few header tweaks for Watcom 11.0 under Win32 from
      Rolf Lindemann <Lindemann@maz-hh.de>
    - 0 length OCTET_STRING bug in asn1_parse
    - A minor fix with an non-existent function in the MS .def files.
    - A few changes to the PKCS7 stuff.
 25-Jun-97
    SSLeay 0.8.0 finally it gets released.
 24-Jun-97
    Added a SSL_OP_EPHEMERAL_RSA option which causes all SSLv3 RSA keys to
    use a temporary RSA key.  This is experimental and needs some more work.
    Fixed a few Win16 build problems.
 23-Jun-97
    SSLv3 bug. I was not doing the 'lookup' of the CERT structure
    correctly. I was taking the SSL->ctx->default_cert when I should
    have been using SSL->cert. The bug was in ssl/s3_srvr.c
 20-Jun-97
    X509_ATTRIBUTES were being encoded wrongly by apps/reg.c and the
    rest of the library. Even though I had the code required to do
    it correctly, apps/req.c was doing the wrong thing.  I have fixed
    and tested everything.
    Missing a few #ifdef FIONBIO sections in crypto/bio/bss_acpt.c.
 19-Jun-97
    Fixed a bug in the SSLv2 server side first packet handling. When
    using the non-blocking test BIO, the ssl->s2->first_packet flag
    was being reset when a would-block failure occurred when reading
    the first 5 bytes of the first packet. This caused the checking
    logic to run at the wrong time and cause an error.
    Fixed a problem with specifying cipher. If RC4-MD5 were used,
    only the SSLv3 version would be picked up.  Now this will pick
    up both SSLv2 and SSLv3 versions. This required changing the
    SSL_CIPHER->mask values so that they only mask the ciphers,
    digests, authentication, export type and key-exchange algorithms.
    I found that when a SSLv23 session is established, a reused
    session, of type SSLv3 was attempting to write the SSLv2 
    ciphers, which were invalid. The SSL_METHOD->put_cipher_by_char 
    method has been modified so it will only write out cipher which
    that method knows about.  
 Changes between 0.8.0 and 0.8.1
  *) Mostly bug fixes. 
     There is an Ephemeral DH cipher problem which is fixed.
 SSLeay 0.8.0
 This version of SSLeay has quite a lot of things different from the
 previous version.
 Basically check all callback parameters, I will be producing documentation
 about how to use things in th future.  Currently I'm just getting 080 out
 the door.  Please not that there are several ways to do everything, and
 most of the applications in the apps directory are hybrids, some using old
 methods and some using new methods.
 Have a look in demos/bio for some very simple programs and
 apps/s_client.c and apps/s_server.c for some more advanced versions.
 Notes are definitly needed but they are a week or so away.
 Anyway, some quick nots from Tim Hudson (tjh@cryptsoft.com)
 ---
 Quick porting notes for moving from SSLeay-0.6.x to SSLeay-0.8.x to
 get those people that want to move to using the new code base off to
 a quick start.
 Note that Eric has tidied up a lot of the areas of the API that were
 less than desirable and renamed quite a few things (as he had to break
 the API in lots of places anyrate). There are a whole pile of additional
 functions for making dealing with (and creating) certificates a lot
 cleaner.
 01-Jul-97
 Tim Hudson
 tjh@cryptsoft.com
 ---8<---
 To maintain code that uses both SSLeay-0.6.x and SSLeay-0.8.x you could
 use something like the following (assuming you #include "crypto.h" which
 is something that you really should be doing).
 #if SSLEAY_VERSION_NUMBER >= 0x0800
 #define SSLEAY8
 #endif
 buffer.h -> splits into buffer.h and bio.h so you need to include bio.h
            too if you are working with BIO internal stuff (as distinct
        from simply using the interface in an opaque manner)
 #include "bio.h"    - required along with "buffer.h" if you write
              your own BIO routines as the buffer and bio
              stuff that was intermixed has been separated
              out 
 envelope.h -> evp.h  (which should have been done ages ago)
 Initialisation ... don't forget these or you end up with code that
 is missing the bits required to do useful things (like ciphers):
 SSLeay_add_ssl_algorithms()
 (probably also want SSL_load_error_strings() too but you should have
 already had that call in place)
 SSL_CTX_new()   - requires an extra method parameter
              SSL_CTX_new(SSLv23_method()) 
              SSL_CTX_new(SSLv2_method()) 
              SSL_CTX_new(SSLv3_method()) 
          OR to only have the server or the client code
              SSL_CTX_new(SSLv23_server_method()) 
              SSL_CTX_new(SSLv2_server_method()) 
              SSL_CTX_new(SSLv3_server_method()) 
          or  
              SSL_CTX_new(SSLv23_client_method()) 
              SSL_CTX_new(SSLv2_client_method()) 
              SSL_CTX_new(SSLv3_client_method()) 
 SSL_set_default_verify_paths() ... renamed to the more appropriate
 SSL_CTX_set_default_verify_paths()
 If you want to use client certificates then you have to add in a bit
 of extra stuff in that a SSLv3 server sends a list of those CAs that
 it will accept certificates from ... so you have to provide a list to
 SSLeay otherwise certain browsers will not send client certs.
 SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(s_cert_file));
 X509_NAME_oneline(X)    -> X509_NAME_oneline(X,NULL,0)  
               or provide a buffer and size to copy the
               result into
 X509_add_cert ->  X509_STORE_add_cert (and you might want to read the
          notes on X509_NAME structure changes too)
 VERIFICATION CODE
 =================
 The codes have all be renamed from VERIFY_ERR_* to X509_V_ERR_* to
 more accurately reflect things.
 The verification callback args are now packaged differently so that
 extra fields for verification can be added easily in future without
 having to break things by adding extra parameters each release :-)
 X509_cert_verify_error_string -> X509_verify_cert_error_string
 BIO INTERNALS
 =============
 Eric has fixed things so that extra flags can be introduced in
 the BIO layer in future without having to play with all the BIO
 modules by adding in some macros.
 The ugly stuff using 
    b->flags ~= (BIO_FLAGS_RW|BIO_FLAGS_SHOULD_RETRY)
 becomes
    BIO_clear_retry_flags(b)
    b->flags |= (BIO_FLAGS_READ|BIO_FLAGS_SHOULD_RETRY)
 becomes
    BIO_set_retry_read(b)
 Also ... BIO_get_retry_flags(b), BIO_set_flags(b)
 OTHER THINGS
 ============
 X509_NAME has been altered so that it isn't just a STACK ... the STACK
 is now in the "entries" field ... and there are a pile of nice functions
 for getting at the details in a much cleaner manner.
 SSL_CTX has been altered ... "cert" is no longer a direct member of this
 structure ... things are now down under "cert_store" (see x509_vfy.h) and
 things are no longer in a CERTIFICATE_CTX but instead in a X509_STORE.
 If your code "knows" about this level of detail then it will need some 
 surgery.
 If you depending on the incorrect spelling of a number of the error codes
 then you will have to change your code as these have been fixed.
 ENV_CIPHER "type" got renamed to "nid" and as that is what it actually
 has been all along so this makes things clearer.
 ify_cert_error_string(ctx->error));
 SSL_R_NO_CIPHER_WE_TRUST -> SSL_R_NO_CIPHER_LIST
            and SSL_R_REUSE_CIPHER_LIST_NOT_ZERO
 Changes between 0.7.x and 0.8.0
  *) There have been lots of changes, mostly the addition of SSLv3.
     There have been many additions from people and amongst
     others, C2Net has assisted greatly.
 Changes between 0.7.x and 0.7.x
  *) Internal development version only
 SSLeay 0.6.6 13-Jan-1997
 The main additions are
 - assember for x86 DES improvments.
  From 191,000 per second on a pentium 100, I now get 281,000.  The inner
  loop and the IP/FP modifications are from
  Svend Olaf Mikkelsen <svolaf@inet.uni-c.dk>.  Many thanks for his
  contribution.
 - The 'DES macros' introduced in 0.6.5 now have 3 types.
  DES_PTR1, DES_PTR2 and 'normal'.  As per before, des_opts reports which
  is best and there is a summery of mine in crypto/des/options.txt
 - A few bug fixes.
 - Added blowfish.  It is not used by SSL but all the other stuff that
  deals with ciphers can use it in either ecb, cbc, cfb64 or ofb64 modes.
  There are 3 options for optimising Blowfish.  BF_PTR, BF_PTR2 and 'normal'.
  BF_PTR2 is pentium/x86 specific.  The correct option is setup in
  the 'Configure' script.
 - There is now a 'get client certificate' callback which can be
  'non-blocking'.  If more details are required, let me know.  It will
  documented more in SSLv3 when I finish it.
 - Bug fixes from 0.6.5 including the infamous 'ca' bug.  The 'make test'
  now tests the ca program.
 - Lots of little things modified and tweaked.
 SSLeay 0.6.5
 After quite some time (3 months), the new release.  I have been very busy
 for the last few months and so this is mostly bug fixes and improvments.
 The main additions are
 - assember for x86 DES.  For all those gcc based systems, this is a big
  improvement.  From 117,000 DES operation a second on a pentium 100,
  I now get 191,000.  I have also reworked the C version so it
  now gives 148,000 DESs per second.  
 - As mentioned above, the inner DES macros now have some more variant that
  sometimes help, sometimes hinder performance.  There are now 3 options
  DES_PTR (ptr vs array lookup), DES_UNROLL (full vs partial loop unrolling)
  and DES_RISC (a more register intensive version of the inner macro).
  The crypto/des/des_opts.c program, when compiled and run, will give
  an indication of the correct options to use.
 - The BIO stuff has been improved.  Read doc/bio.doc.  There are now
  modules for encryption and base64 encoding and a BIO_printf() function.
 - The CA program will accept simple one line X509v3 extensions in the
  ssleay.cnf file.  Have a look at the example.  Currently this just
  puts the text into the certificate as an OCTET_STRING so currently
  the more advanced X509v3 data types are not handled but this is enough
  for the netscape extensions.
 - There is the start of a nicer higher level interface to the X509
  strucutre.
 - Quite a lot of bug fixes.
 - CRYPTO_malloc_init()  (or CRYPTO_set_mem_functions()) can be used
  to define the malloc(), free() and realloc() routines to use
  (look in crypto/crypto.h).  This is mostly needed for Windows NT/95 when
  using DLLs and mixing CRT libraries.
 In general, read the 'VERSION' file for changes and be aware that some of
 the new stuff may not have been tested quite enough yet, so don't just plonk
 in SSLeay 0.6.5 when 0.6.4 used to work and expect nothing to break.
 SSLeay 0.6.4 30/08/96 eay
 I've just finished some test builds on Windows NT, Windows 3.1, Solaris 2.3,
 Solaris 2.5, Linux, IRIX, HPUX 10 and everthing seems to work :-).
 The main changes in this release
 - Thread safe.  have a read of doc/threads.doc and play in the mt directory.
  For anyone using 0.6.3 with threads, I found 2 major errors so consider
  moving to 0.6.4.  I have a test program that builds under NT and
  solaris.
 - The get session-id callback has changed.  Have a read of doc/callback.doc.
 - The X509_cert_verify callback (the SSL_verify callback) now
  has another argument.  Have a read of doc/callback.doc
 - 'ca -preserve', sign without re-ordering the DN.  Not tested much.
 - VMS support.
 - Compile time memory leak detection can now be built into SSLeay.
  Read doc/memory.doc
 - CONF routines now understand '\', '\n', '\r' etc.  What this means is that
  the  SPKAC object mentioned in doc/ns-ca.doc can be on multiple lines.
 - 'ssleay ciphers' added, lists the default cipher list for SSLeay.
 - RC2 key setup is now compatable with Netscape.
 - Modifed server side of SSL implementation, big performance difference when
      using session-id reuse.
 0.6.3
 Bug fixes and the addition of some nice stuff to the 'ca' program.
 Have a read of doc/ns-ca.doc for how hit has been modified so
 it can be driven from a CGI script.  The CGI script is not provided,
 but that is just being left as an excersize for the reader :-).
 0.6.2
 This is most bug fixes and functionality improvements.
 Additions are
 - More thread debugging patches, the thread stuff is still being
  tested, but for those keep to play with stuff, have a look in
  crypto/cryptlib.c.  The application needs to define 1 (or optionaly
  a second) callback that is used to implement locking.  Compiling
  with LOCK_DEBUG spits out lots of locking crud :-).
  This is what I'm currently working on.
 - SSL_CTX_set_default_passwd_cb() can be used to define the callback
  function used in the SSL*_file() functions used to load keys.  I was
  always of the opinion that people should call
  PEM_read_RSAPrivateKey() and pass the callback they want to use, but
  it appears they just want to use the SSL_*_file() function() :-(.
 - 'enc' now has a -kfile so a key can be read from a file.  This is
  mostly used so that the passwd does not appear when using 'ps',
  which appears imposible to stop under solaris.
 - X509v3 certificates now work correctly.  I even have more examples
  in my tests :-).  There is now a X509_EXTENSION type that is used in
  X509v3 certificates and CRLv2.
 - Fixed that signature type error :-(
 - Fixed quite a few potential memory leaks and problems when reusing
  X509, CRL and REQ structures.
 - EVP_set_pw_prompt() now sets the library wide default password
  prompt.
 - The 'pkcs7' command will now, given the -print_certs flag, output in
  pem format, all certificates and CRL contained within.  This is more
  of a pre-emtive thing for the new verisign distribution method.  I
  should also note, that this also gives and example in code, of how
  to do this :-), or for that matter, what is involved in going the
  other way (list of certs and crl -> pkcs7).
 - Added RSA's DESX to the DES library.  It is also available via the
  EVP_desx_cbc() method and via 'enc desx'. 
 SSLeay 0.6.1
 The main functional changes since 0.6.0 are as follows
 - Bad news, the Microsoft 060 DLL's are not compatable, but the good news is
  that from now on, I'll keep the .def numbers the same so they will be.
 - RSA private key operations are about 2 times faster that 0.6.0
 - The SSL_CTX now has more fields so default values can be put against
  it.  When an SSL structure is created, these default values are used
  but can be overwritten.  There are defaults for cipher, certificate,
  private key, verify mode and callback.  This means SSL session
  creation can now be
  ssl=SSL_new()
  SSL_set_fd(ssl,sock);
  SSL_accept(ssl)
  ....
  All the other uglyness with having to keep a global copy of the
  private key and certificate/verify mode in the server is now gone.
 - ssl/ssltest.c - one process talking SSL to its self for testing.
 - Storage of Session-id's can be controled via a session_cache_mode
  flag.  There is also now an automatic default flushing of 
  old session-id's.
 - The X509_cert_verify() function now has another parameter, this
  should not effect most people but it now means that the reason for
  the failure to verify is now available via SSL_get_verify_result(ssl).
  You don't have to use a global variable.
 - SSL_get_app_data() and SSL_set_app_data() can be used to keep some
  application data against the SSL structure.  It is upto the application
  to free the data.  I don't use it, but it is available.
 - SSL_CTX_set_cert_verify_callback() can be used to specify a
  verify callback function that completly replaces my certificate
  verification code.  Xcert should be able to use this :-).
  The callback is of the form int app_verify_callback(arg,ssl,cert).
  This needs to be documented more.
 - I have started playing with shared library builds, have a look in
  the shlib directory.  It is very simple.  If you need a numbered
  list of functions, have a look at misc/crypto.num and misc/ssl.num.
 - There is some stuff to do locking to make the library thread safe.
  I have only started this stuff and have not finished.  If anyone is
  keen to do so, please send me the patches when finished.
 So I have finally made most of the additions to the SSL interface that
 I thought were needed.
 There will probably be a pause before I make any non-bug/documentation
 related changes to SSLeay since I'm feeling like a bit of a break.
 eric - 12 Jul 1996
 I saw recently a comment by some-one that we now seem to be entering
 the age of perpetual Beta software.
 Pioneered by packages like linux but refined to an art form by
 netscape.
 I too wish to join this trend with the anouncement of SSLeay 0.6.0 :-).
 There are quite a large number of sections that are 'works in
 progress' in this package.  I will also list the major changes and
 what files you should read.
 BIO - this is the new IO structure being used everywhere in SSLeay.  I
 started out developing this because of microsoft, I wanted a mechanism
 to callback to the application for all IO, so Windows 3.1 DLL
 perversion could be hidden from me and the 15 different ways to write
 to a file under NT would also not be dictated by me at library build
 time.  What the 'package' is is an API for a data structure containing
 functions.  IO interfaces can be written to conform to the
 specification.  This in not intended to hide the underlying data type
 from the application, but to hide it from SSLeay :-).
 I have only really finished testing the FILE * and socket/fd modules.
 There are also 'filter' BIO's.  Currently I have only implemented
 message digests, and it is in use in the dgst application.  This
 functionality will allow base64/encrypto/buffering modules to be
 'push' into a BIO without it affecting the semantics.  I'm also
 working on an SSL BIO which will hide the SSL_accept()/SLL_connet()
 from an event loop which uses the interface.
 It is also possible to 'attach' callbacks to a BIO so they get called
 before and after each operation, alowing extensive debug output
 to be generated (try running dgst with -d).
 Unfortunaly in the conversion from 0.5.x to 0.6.0, quite a few
 functions that used to take FILE *, now take BIO *.
 The wrappers are easy to write
 function_fp(fp,x)
 FILE *fp;
    {
    BIO *b;
    int ret;
    if ((b=BIO_new(BIO_s_file())) == NULL) error.....
    BIO_set_fp(b,fp,BIO_NOCLOSE);
    ret=function_bio(b,x);
    BIO_free(b);
    return(ret);
    }
 Remember, there are no functions that take FILE * in SSLeay when
 compiled for Windows 3.1 DLL's.
 --
 I have added a general EVP_PKEY type that can hold a public/private
 key.  This is now what is used by the EVP_ functions and is passed
 around internally.  I still have not done the PKCS#8 stuff, but
 X509_PKEY is defined and waiting :-)
 --
 For a full function name listings, have a look at ms/crypt32.def and
 ms/ssl32.def.  These are auto-generated but are complete.
 Things like ASN1_INTEGER_get() have been added and are in here if you
 look.  I have renamed a few things, again, have a look through the
 function list and you will probably find what you are after.  I intend
 to at least put a one line descrition for each one.....
 --
 Microsoft - thats what this release is about, read the MICROSOFT file.
 --
 Multi-threading support.  I have started hunting through the code and
 flaging where things need to be done.  In a state of work but high on
 the list.
 --
 For random numbers, edit e_os.h and set DEVRANDOM (it's near the top)
 be be you random data device, otherwise 'RFILE' in e_os.h
 will be used, in your home directory.  It will be updated
 periodically.  The environment variable RANDFILE will override this
 choice and read/write to that file instead.  DEVRANDOM is used in
 conjunction to the RFILE/RANDFILE.  If you wish to 'seed' the random
 number generator, pick on one of these files.
 --
 The list of things to read and do
 dgst -d
 s_client -state (this uses a callback placed in the SSL state loop and
        will be used else-where to help debug/monitor what
        is happening.)
 doc/why.doc
 doc/bio.doc <- hmmm, needs lots of work.
 doc/bss_file.doc <- one that is working :-)
 doc/session.doc <- it has changed
 doc/speed.doc
 also play with ssleay version -a.  I have now added a SSLeay()
 function that returns a version number, eg 0600 for this release
 which is primarily to be used to check DLL version against the
 application.
 util/*  Quite a few will not interest people, but some may, like
 mk1mf.pl, mkdef.pl,
 util/do_ms.sh
 try
 cc -Iinclude -Icrypto -c crypto/crypto.c
 cc -Iinclude -Issl -c ssl/ssl.c
 You have just built the SSLeay libraries as 2 object files :-)
 Have a general rummage around in the bin stall directory and look at
 what is in there, like CA.sh and c_rehash
 There are lots more things but it is 12:30am on a Friday night and I'm
 heading home :-).
 eric 22-Jun-1996
 This version has quite a few major bug fixes and improvements.  It DOES NOT
 do SSLv3 yet.
 The main things changed
 - A Few days ago I added the s_mult application to ssleay which is
  a demo of an SSL server running in an event loop type thing.
  It supports non-blocking IO, I have finally gotten it right, SSL_accept()
  can operate in non-blocking IO mode, look at the code to see how :-).
  Have a read of doc/s_mult as well.  This program leaks memory and
  file descriptors everywhere but I have not cleaned it up yet.
  This is a demo of how to do non-blocking IO.
 - The SSL session management has been 'worked over' and there is now
  quite an expansive set of functions to manipulate them.  Have a read of
  doc/session.doc for some-things I quickly whipped up about how it now works.
  This assume you know the SSLv2 protocol :-)
 - I can now read/write the netscape certificate format, use the
  -inform/-outform  'net' options to the x509 command.  I have not put support
  for this type in the other demo programs, but it would be easy to add.
 - asn1parse and 'enc' have been modified so that when reading base64
  encoded files (pem format), they do not require '-----BEGIN' header lines.
  The 'enc' program had a buffering bug fixed, it can be used as a general
  base64 -> binary -> base64 filter by doing 'enc -a -e' and 'enc -a -d'
  respecivly.  Leaving out the '-a' flag in this case makes the 'enc' command
  into a form of 'cat'.
 - The 'x509' and 'req' programs have been fixed and modified a little so
  that they generate self-signed certificates correctly.  The test
  script actually generates a 'CA' certificate and then 'signs' a
  'user' certificate.  Have a look at this shell script (test/sstest)
  to see how things work, it tests most possible combinations of what can
  be done.
 - The 'SSL_set_pref_cipher()' function has been 'fixed' and the prefered name
  of SSL_set_cipher_list() is now the correct API (stops confusion :-).
  If this function is used in the client, only the specified ciphers can
  be used, with preference given to the order the ciphers were listed.
  For the server, if this is used, only the specified ciphers will be used
  to accept connections.  If this 'option' is not used, a default set of
  ciphers will be used.  The SSL_CTX_set_cipher_list(SSL_CTX *ctx) sets this
  list for all ciphers started against the SSL_CTX.  So the order is
  SSL cipher_list, if not present, SSL_CTX cipher list, if not
  present, then the library default.
  What this means is that normally ciphers like
  NULL-MD5 will never be used.  The only way this cipher can be used
  for both ends to specify to use it.
  To enable or disable ciphers in the library at build time, modify the
  first field for the cipher in the ssl_ciphers array in ssl/ssl_lib.c.
  This file also contains the 'pref_cipher' list which is the default
  cipher preference order.
 - I'm not currently sure if the 'rsa -inform net' and the 'rsa -outform net'
  options work.  They should, and they enable loading and writing the
  netscape rsa private key format.  I will be re-working this section of
  SSLeay for the next version.  What is currently in place is a quick and
  dirty hack.
 - I've re-written parts of the bignum library.  This gives speedups
  for all platforms.  I now provide assembler for use under Windows NT.
  I have not tested the Windows 3.1 assembler but it is quite simple code.
  This gives RSAprivate_key operation encryption times of 0.047s (512bit key)
  and 0.230s (1024bit key) on a pentium 100 which I consider reasonable.
  Basically the times available under linux/solaris x86 can be achieve under
  Windows NT.  I still don't know how these times compare to RSA's BSAFE
  library but I have been emailing with people and with their help, I should
  be able to get my library's quite a bit faster still (more algorithm changes).
  The object file crypto/bn/asm/x86-32.obj should be used when linking
  under NT.
 - 'make makefile.one' in the top directory will generate a single makefile
  called 'makefile.one'  This makefile contains no perl references and
  will build the SSLeay library into the 'tmp' and 'out' directories.
  util/mk1mf.pl >makefile.one is how this makefile is
  generated.  The mk1mf.pl command take several option to generate the
  makefile for use with cc, gcc, Visual C++ and Borland C++.  This is
  still under development.  I have only build .lib's for NT and MSDOS
  I will be working on this more.  I still need to play with the
  correct compiler setups for these compilers and add some more stuff but
  basically if you just want to compile the library
  on a 'non-unix' platform, this is a very very good file to start with :-).
  Have a look in the 'microsoft' directory for my current makefiles.
  I have not yet modified things to link with sockets under Windows NT.
  You guys should be able to do this since this is actually outside of the
  SSLeay scope :-).  I will be doing it for myself soon.
  util/mk1mf.pl takes quite a few options including no-rc, rsaref  and no-sock
  to build without RC2/RC4, to require RSAref for linking, and to
  build with no socket code.
 - Oh yes, the cipher that was reported to be compatible with RSA's RC2 cipher
  that was posted to sci.crypt has been added to the library and SSL.
  I take the view that if RC2 is going to be included in a standard,
  I'll include the cipher to make my package complete.
  There are NO_RC2, NO_RC4 and NO_IDEA macros to remove these ciphers
  at compile time.  I have not tested this recently but it should all work
  and if you are in the USA and don't want RSA threatening to sue you,
  you could probably remove the RC4/RC2 code inside these sections.
  I may in the future include a perl script that does this code
  removal automatically for those in the USA :-).
 - I have removed all references to sed in the makefiles.  So basically,
  the development environment requires perl and sh.  The build environment
  does not (use the makefile.one makefile).
  The Configure script still requires perl, this will probably stay that way
  since I have perl for Windows NT :-).
 eric (03-May-1996)
 PS Have a look in the VERSION file for more details on the changes and
   bug fixes.
 I have fixed a few bugs, added alpha and x86 assembler and generally cleaned
 things up.  This version will be quite stable, mostly because I'm on
 holidays until 10-March-1996.  For any problems in the interum, send email
 to Tim Hudson <tjh@mincom.oz.au>.
 SSLeay 0.5.0
 12-12-95
 This is going out before it should really be released.
 I leave for 11 weeks holidays on the 22-12-95 and so I either sit on
 this for 11 weeks or get things out.  It is still going to change a
 lot in the next week so if you do grab this version, please test and
 give me feed back ASAP, inculuding questions on how to do things with
 the library.  This will prompt me to write documentation so I don't
 have to answer the same question again :-).
 This 'pre' release version is for people who are interested in the
 library.  The applications will have to be changed to use
 the new version of the SSL interface.  I intend to finish more
 documentation before I leave but until then, look at the programs in
 the apps directory.  As far as code goes, it is much much nicer than
 the old version.
 The current library works, has no memory leaks (as far as I can tell)
 and is far more bug free that 0.4.5d.  There are no global variable of
 consequence (I believe) and I will produce some documentation that
 tell where to look for those people that do want to do multi-threaded
 stuff.
 There should be more documentation.  Have a look in the
 doc directory.  I'll be adding more before I leave, it is a start
 by mostly documents the crypto library.  Tim Hudson will update
 the web page ASAP.  The spelling and grammar are crap but
 it is better than nothing :-)
 Reasons to start playing with version 0.5.0
 - All the programs in the apps directory build into one ssleay binary.
 - There is a new version of the 'req' program that generates certificate
  requests, there is even documentation for this one :-)
 - There is a demo certification authorithy program.  Currently it will
  look at the simple database and update it.  It will generate CRL from
  the data base.  You need to edit the database by hand to revoke a
  certificate, it is my aim to use perl5/Tk but I don't have time to do
  this right now.  It will generate the certificates but the management
  scripts still need to be written.  This is not a hard task.
 - Things have been cleaned up alot.
 - Have a look at the enc and dgst programs in the apps directory.
 - It supports v3 of x509 certiticates.
 Major things missing.
 - I have been working on (and thinging about) the distributed x509
  hierachy problem.  I have not had time to put my solution in place.
  It will have to wait until I come back.
 - I have not put in CRL checking in the certificate verification but
  it would not be hard to do.  I was waiting until I could generate my
  own CRL (which has only been in the last week) and I don't have time
  to put it in correctly.
 - Montgomery multiplication need to be implemented.  I know the
  algorithm, just ran out of time.
 - PKCS#7.  I can load and write the DER version.  I need to re-work
  things to support BER (if that means nothing, read the ASN1 spec :-).
 - Testing of the higher level digital envelope routines.  I have not
  played with the *_seal() and *_open() type functions.  They are
  written but need testing.  The *_sign() and *_verify() functions are
  rock solid. 
 - PEM.  Doing this and PKCS#7 have been dependant on the distributed
  x509 heirachy problem.  I started implementing my ideas, got
  distracted writing a CA program and then ran out of time.  I provide
  the functionality of RSAref at least.
 - Re work the asm. code for the x86.  I've changed by low level bignum
  interface again, so I really need to tweak the x86 stuff.  gcc is
  good enough for the other boxes.
--- a/38
+++ b/38
@@ -1,38 +0,0 @@
 HOW TO CONTRIBUTE TO OpenSSL
 ----------------------------
 Development is coordinated on the openssl-dev mailing list (see
 http://www.openssl.org for information on subscribing). If you
 would like to submit a patch, send it to rt@openssl.org with
 the string "[PATCH]" in the subject. Please be sure to include a
 textual explanation of what your patch does.
 You can also make GitHub pull requests. If you do this, please also send
 mail to rt@openssl.org with a brief description and a link to the PR so
 that we can more easily keep track of it.
 If you are unsure as to whether a feature will be useful for the general
 OpenSSL community please discuss it on the openssl-dev mailing list first.
 Someone may be already working on the same thing or there may be a good
 reason as to why that feature isn't implemented.
 Patches should be as up to date as possible, preferably relative to the
 current Git or the last snapshot. They should follow our coding style
 (see https://www.openssl.org/policies/codingstyle.html) and compile without
 warnings using the --strict-warnings flag.  OpenSSL compiles on many varied
 platforms: try to ensure you only use portable features.
 Our preferred format for patch files is "git format-patch" output. For example
 to provide a patch file containing the last commit in your local git repository
 use the following command:
 # git format-patch --stdout HEAD^ >mydiffs.patch
 Another method of creating an acceptable patch file without using git is as
 follows:
 # cd openssl-work
 # [your changes]
 # ./Configure dist; make clean
 # cd ..
 # diff -ur openssl-orig openssl-work > mydiffs.patch
--- a/Configurations/10-main.conf
+++ b/Configurations/10-main.conf
--- a/Configurations/90-team.conf
+++ b/Configurations/90-team.conf
@@ -1,123 +0,0 @@
 ## -*- mode: perl; -*-
 ## Build configuration targets for openssl-team members
 ##
 ## If you edit this file, run this command before committing
 ##	make -f Makefile.in TABLE
 ## This file is interpolated by the Configure script.
 %targets = (
    "purify" => {
        cc               => "purify gcc",
        cflags           => "-g -DPURIFY -Wall",
        thread_cflag     => "(unknown)",
        lflags           => "-lsocket -lnsl",
    },
    "debug" => {
        cc               => "gcc",
        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DOPENSSL_NO_ASM -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror",
        thread_cflag     => "(unknown)",
        lflags           => "-lefence",
    },
    "debug-erbridge" => {
        inherit_from     => [ "x86_64_asm" ],
        cc               => "gcc",
        cflags           => "$gcc_devteam_warn -DBN_DEBUG -DCONF_DEBUG -m64 -DL_ENDIAN -DTERMIO -g",
        thread_cflag     => "-D_REENTRANT",
        lflags           => "-ldl",
        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
        shared_ldflag    => "-m64",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
        multilib         => "64",
    },
    "debug-linux-pentium" => {
        inherit_from     => [ "x86_elf_asm" ],
        cc               => "gcc",
        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -mcpu=pentium -Wall",
        thread_cflag     => "-D_REENTRANT",
        lflags           => "-ldl",
        bn_ops           => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}",
        dso_scheme       => "dlfcn",
    },
    "debug-linux-ppro" => {
        inherit_from     => [ "x86_elf_asm" ],
        cc               => "gcc",
        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -mcpu=pentiumpro -Wall",
        thread_cflag     => "-D_REENTRANT",
        lflags           => "-ldl",
        bn_ops           => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}",
        dso_scheme       => "dlfcn",
    },
    "debug-linux-elf-noefence" => {
        inherit_from     => [ "x86_elf_asm" ],
        cc               => "gcc",
        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -march=i486 -Wall",
        thread_cflag     => "-D_REENTRANT",
        lflags           => "-ldl",
        bn_ops           => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
    "debug-linux-ia32-aes" => {
        cc               => "gcc",
        cflags           => "-DAES_EXPERIMENTAL -DL_ENDIAN -O3 -fomit-frame-pointer -Wall",
        thread_cflag     => "-D_REENTRANT",
        lflags           => "-ldl",
        bn_ops           => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}",
        cpuid_obj        => "x86cpuid.o",
        bn_obj           => "bn-586.o co-586.o x86-mont.o",
        des_obj          => "des-586.o crypt586.o",
        aes_obj          => "aes_x86core.o aes_cbc.o aesni-x86.o",
        bf_obj           => "bf-586.o",
        md5_obj          => "md5-586.o",
        sha1_obj         => "sha1-586.o sha256-586.o sha512-586.o",
        cast_obj         => "cast-586.o",
        rc4_obj          => "rc4-586.o",
        rmd160_obj       => "rmd-586.o",
        rc5_obj          => "rc5-586.o",
        wp_obj           => "wp_block.o wp-mmx.o",
        modes_obj        => "ghash-x86.o",
        engines_obj      => "e_padlock-x86.o",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
    "dist" => {
        cc               => "cc",
        cflags           => "-O",
        thread_cflag     => "(unknown)",
    },
    "debug-test-64-clang" => {
        inherit_from     => [ "x86_64_asm" ],
        cc               => "clang",
        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
        thread_cflag     => "${BSDthreads}",
        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "bsd-gcc-shared",
        shared_cflag     => "-fPIC",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
    "darwin64-debug-test-64-clang" => {
        inherit_from     => [ "x86_64_asm" ],
        cc               => "clang",
        cflags           => "-arch x86_64 -DL_ENDIAN $gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
        thread_cflag     => "${BSDthreads}",
        sys_id           => "MACOSX",
        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
        perlasm_scheme   => "macosx",
        dso_scheme       => "dlfcn",
        shared_target    => "darwin-shared",
        shared_cflag     => "-fPIC -fno-common",
        shared_ldflag    => "-arch x86_64 -dynamiclib",
        shared_extension => ".\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
    },
 );
--- a/Configurations/99-personal-ben.conf
+++ b/Configurations/99-personal-ben.conf
@@ -1,95 +0,0 @@
 ## -*- mode: perl; -*-
 ## Personal configuration targets
 ##
 ## If you edit this file, run this command before committing
 ##	make -f Makefile.in TABLE
 ## This file is interpolated by the Configure script.
 %targets = (
    "debug-ben" => {
        cc               => "gcc",
        cflags           => "$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -O2 -pipe",
        thread_cflag     => "(unknown)",
    },
    "debug-ben-openbsd" => {
        cc               => "gcc",
        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe",
        thread_cflag     => "(unknown)",
    },
    "debug-ben-openbsd-debug" => {
        cc               => "gcc",
        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe",
        thread_cflag     => "(unknown)",
    },
    "debug-ben-debug" => {
        cc               => "gcc",
        cflags           => "$gcc_devteam_warn -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DOPENSSL_NO_HW_PADLOCK -g3 -O2 -pipe",
        thread_cflag     => "(unknown)",
    },
    "debug-ben-debug-64" => {
        inherit_from     => [ "x86_64_asm" ],
        cc               => "gcc",
        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
        thread_cflag     => "${BSDthreads}",
        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "bsd-gcc-shared",
        shared_cflag     => "-fPIC",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
    "debug-ben-debug-64-clang" => {
        inherit_from     => [ "x86_64_asm" ],
        cc               => "clang",
        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
        thread_cflag     => "${BSDthreads}",
        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "bsd-gcc-shared",
        shared_cflag     => "-fPIC",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
    "debug-ben-debug-64-noopt" => {
        inherit_from     => [ "x86_64_asm" ],
        cc               => "gcc",
        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -pipe",
        thread_cflag     => "${BSDthreads}",
        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "bsd-gcc-shared",
        shared_cflag     => "-fPIC",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
    "debug-ben-macos" => {
        cc               => "cc",
        cflags           => "$gcc_devteam_warn -DOPENSSL_NO_ASM -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -DOPENSSL_THREADS -D_REENTRANT -DDSO_DLFCN -DHAVE_DLFCN_H -arch i386 -O3 -DL_ENDIAN -g3 -pipe",
        thread_cflag     => "(unknown)",
    },
    "debug-ben-no-opt" => {
        cc               => "gcc",
        cflags           => " -Wall -Wmissing-prototypes -Wstrict-prototypes -Wmissing-declarations -DDEBUG_SAFESTACK -Werror -DL_ENDIAN -Wall -g3",
        thread_cflag     => "(unknown)",
    },
    "debug-ben-strict" => {
        cc               => "gcc",
        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe",
        thread_cflag     => "(unknown)",
    },
    "debug-ben-darwin64" => {
        inherit_from     => [ "x86_64_asm" ],
        cc               => "cc",
        cflags           => "$gcc_devteam_warn -Wno-language-extension-token -Wno-extended-offsetof -arch x86_64 -O3 -DL_ENDIAN -DMD32_REG_T=int -Wall",
        thread_cflag     => "-D_REENTRANT",
        sys_id           => "MACOSX",
        lflags           => "-Wl,-search_paths_first%",
        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
        perlasm_scheme   => "macosx",
        dso_scheme       => "dlfcn",
        shared_target    => "darwin-shared",
        shared_cflag     => "-fPIC -fno-common",
        shared_ldflag    => "-arch x86_64 -dynamiclib",
        shared_extension => ".\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
    },
 );
--- a/Configurations/99-personal-bodo.conf
+++ b/Configurations/99-personal-bodo.conf
@@ -1,24 +0,0 @@
 ## -*- mode: perl; -*-
 ## Personal configuration targets
 ##
 ## If you edit this file, run this command before committing
 ##	make -f Makefile.in TABLE
 ## This file is interpolated by the Configure script.
 %targets = (
    "debug-bodo" => {
        inherit_from     => [ "x86_64_asm" ],
        cc               => "gcc",
        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -DBIO_PAIR_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int",
        thread_cflag     => "-D_REENTRANT",
        lflags           => "-ldl",
        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
        shared_ldflag    => "-m64",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
        multilib         => "64",
    },
 );
--- a/Configurations/99-personal-geoff.conf
+++ b/Configurations/99-personal-geoff.conf
@@ -1,33 +0,0 @@
 ## -*- mode: perl; -*-
 ## Personal configuration targets
 ##
 ## If you edit this file, run this command before committing
 ##	make -f Makefile.in TABLE
 ## This file is interpolated by the Configure script.
 %targets = (
    "debug-geoff32" => {
        inherit_from     => [ "no_asm_filler" ],
        cc               => "gcc",
        cflags           => "-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DPURIFY -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long",
        thread_cflag     => "-D_REENTRANT",
        lflags           => "-ldl",
        bn_ops           => "BN_LLONG",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
    "debug-geoff64" => {
        inherit_from     => [ "no_asm_filler" ],
        cc               => "gcc",
        cflags           => "-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DPURIFY -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long",
        thread_cflag     => "-D_REENTRANT",
        lflags           => "-ldl",
        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
 );
--- a/Configurations/99-personal-levitte.conf
+++ b/Configurations/99-personal-levitte.conf
@@ -1,60 +0,0 @@
 ## -*- mode: perl; -*-
 ## Personal configuration targets
 ##
 ## If you edit this file, run this command before committing
 ##	make -f Makefile.in TABLE
 ## This file is interpolated by the Configure script.
 %targets = (
    "levitte-linux-elf" => {
        inherit_from     => [ "x86_elf_asm" ],
        cc               => "gcc",
        cflags           => "-DL_ENDIAN -Wall",
        debug_cflags     => "-DLEVITTE_DEBUG -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -ggdb -g3",
        thread_cflag     => "-D_REENTRANT",
        lflags           => "-ldl",
        bn_ops           => "BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
    "debug-levitte-linux-noasm" => {
        inherit_from     => [ "no_asm_filler" ],
        cc               => "gcc",
        cflags           => "-DLEVITTE_DEBUG -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -ggdb -g3 -Wall",
        thread_cflag     => "-D_REENTRANT",
        lflags           => "-ldl",
        bn_ops           => "BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
    "debug-levitte-linux-elf-extreme" => {
        inherit_from     => [ "x86_elf_asm" ],
        cc               => "gcc",
        cflags           => "-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DENGINE_CONF_DEBUG -DL_ENDIAN -DPEDANTIC -ggdb -g3 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe",
        thread_cflag     => "-D_REENTRANT",
        lflags           => "-ldl",
        bn_ops           => "BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
    "debug-levitte-linux-noasm-extreme" => {
        inherit_from     => [ "no_asm_filler" ],
        cc               => "gcc",
        cflags           => "-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DPEDANTIC -ggdb -g3 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe",
        thread_cflag     => "-D_REENTRANT",
        lflags           => "-ldl",
        bn_ops           => "BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT",
        perlasm_scheme   => "void",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
 );
--- a/Configurations/99-personal-rse.conf
+++ b/Configurations/99-personal-rse.conf
@@ -1,16 +0,0 @@
 ## -*- mode: perl; -*-
 ## Personal configuration targets
 ##
 ## If you edit this file, run this command before committing
 ##	make -f Makefile.in TABLE
 ## This file is interpolated by the Configure script.
 %targets = (
    "debug-rse" => {
        inherit_from     => [ "x86_elf_asm" ],
        cc               => "cc",
        cflags           => "-DL_ENDIAN -pipe -O -g -ggdb3 -Wall",
        thread_cflag     => "(unknown)",
        bn_ops           => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}",
    },
 );
--- a/Configurations/99-personal-steve.conf
+++ b/Configurations/99-personal-steve.conf
@@ -1,50 +0,0 @@
 ## -*- mode: perl; -*-
 ## Personal configuration targets
 ##
 ## If you edit this file, run this command before committing
 ##	make -f Makefile.in TABLE
 ## This file is interpolated by the Configure script.
 %targets = (
    "debug-steve64" => {
        inherit_from     => [ "x86_64_asm" ],
        cc               => "gcc",
        cflags           => "$gcc_devteam_warn -pthread -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -g",
        thread_cflag     => "-D_REENTRANT",
        lflags           => "-ldl",
        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
        shared_ldflag    => "-m64",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
    "debug-steve32" => {
        inherit_from     => [ "x86_elf_asm" ],
        cc               => "gcc",
        cflags           => "$gcc_devteam_warn -pthread -m32 -DL_ENDIAN -DCONF_DEBUG -g",
        thread_cflag     => "-D_REENTRANT",
        lflags           => "-rdynamic -ldl",
        bn_ops           => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
        shared_ldflag    => "-m32",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
    "debug-steve-opt" => {
        inherit_from     => [ "x86_64_asm" ],
        cc               => "gcc",
        cflags           => "$gcc_devteam_warn -pthread -m64 -O3 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -g",
        thread_cflag     => "-D_REENTRANT",
        lflags           => "-ldl",
        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
        shared_ldflag    => "-m64",
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
 );
--- a/2103
+++ b/2103
--- a/1027
+++ b/1027
--- a/10
+++ b/10
@@ -1,10 +0,0 @@
 #!/bin/sh
 BRANCH=`git rev-parse --abbrev-ref HEAD`
 ./Configure $@
 make files
 util/mk1mf.pl OUT=out.$BRANCH TMP=tmp.$BRANCH INC=inc.$BRANCH copy > makefile.$BRANCH
 MAKE=make
 which bsdmake > /dev/null && MAKE=bsdmake
 $MAKE -f makefile.$BRANCH init
--- a/7
+++ b/7
@@ -1,7 +0,0 @@
 #!/bin/sh
 BRANCH=`git rev-parse --abbrev-ref HEAD`
 MAKE=make
 which bsdmake > /dev/null && MAKE=bsdmake
 $MAKE -f makefile.$BRANCH $@
--- a/76
+++ b/76
@@ -12,7 +12,7 @@
 To install OpenSSL, you will need:
  * make
-  * Perl 5 with core modules (see 'Note on Perl' further down)
+  * Perl 5
  * an ANSI C compiler
  * a development environment in form of development libraries and C
    header files
@@ -79,7 +79,7 @@
                compiler flags for any other CPU specific configuration,
                e.g. "-m32" to build x86 code on an x64 system.
-  no-sse2	Exclude SSE2 code pathes. Normally SSE2 extension is
+  no-sse2	Exclude SSE2 code pathes. Normally SSE2 extention is
 		detected at run-time, but the decision whether or not the
 		machine code will be executed is taken solely on CPU
 		capability vector. This means that if you happen to run OS
@@ -141,7 +141,7 @@
     generic configurations "cc" or "gcc" should usually work on 32 bit
     systems.
-     Configure creates the file Makefile.ssl from Makefile.in and
+     Configure creates the file Makefile.ssl from Makefile.org and
     defines various macros in crypto/opensslconf.h (generated from
     crypto/opensslconf.h.in).
@@ -158,10 +158,10 @@
     standard headers).  If it is a problem with OpenSSL itself, please
     report the problem to <openssl-bugs@openssl.org> (note that your
     message will be recorded in the request tracker publicly readable
-     at https://www.openssl.org/community/index.html#bugs and will be
+     via http://www.openssl.org/support/rt.html and will be forwarded to a
-     forwarded to a public mailing list). Include the output of "make
+     public mailing list). Include the output of "make report" in your message.
-     report" in your message.  Please check out the request tracker. Maybe
+     Please check out the request tracker. Maybe the bug was already
-     the bug was already reported or has already been fixed.
+     reported or has already been fixed.
     [If you encounter assembler error messages, try the "no-asm"
     configuration option as an immediate fix.]
@@ -173,38 +173,14 @@
       $ make test
-     If some tests fail, look at the output.  There may be reasons for
+     If a test fails, look at the output.  There may be reasons for
-     the failure that isn't a problem in OpenSSL itself (like a
+     the failure that isn't a problem in OpenSSL itself (like a missing
-     malfunction with Perl).  You may want increased verbosity, that
+     or malfunctioning bc).  If it is a problem with OpenSSL itself,
-     can be accomplished like this:
+     try removing any compiler optimization flags from the CFLAG line
-
+     in Makefile.ssl and run "make clean; make". Please send a bug
-       $ HARNESS_VERBOSE=yes make test
+     report to <openssl-bugs@openssl.org>, including the output of
-
+     "make report" in order to be added to the request tracker at
-     Also, you will find logs for all commands the tests have executed
+     http://www.openssl.org/support/rt.html.
     in logs, test/test_*.log, one for each individual test.
     If you want to run just one or a few specific tests, you can use
     the make variable TESTS to specify them, like this:
       $ make TESTS='test_rsa test_dsa' test
     And of course, you can combine:
       $ HARNESS_VERBOSE=yes make TESTS='test_rsa test_dsa' test
     You can find the list of available tests like this:
       $ make list-tests
     If you find a problem with OpenSSL itself, try removing any
     compiler optimization flags from the CFLAG line in Makefile and
     run "make clean; make".
     Please send a bug report to <openssl-bugs@openssl.org>, and when
     you do, please run the following and include the output in your
     report:
       $ make report
  4. If everything tests ok, install OpenSSL with
@@ -310,26 +286,6 @@
     with names of the form <foo.h>.
 Note on Perl
 ------------
 For our scripts, we rely quite a bit on Perl, and increasingly on
 some core Perl modules.  These Perl modules are part of the Perl
 source, so if you build Perl on your own, you should be set.
 However, if you install Perl as binary packages, the outcome might
 differ, and you may have to check that you do get the core modules
 installed properly.  We do not claim to know them all, but experience
 has told us the following:
 - on Linux distributions based on Debian, the package 'perl' will
   install the core Perl modules as well, so you will be fine.
 - on Linux distributions based on RPMs, you will need to install
   'perl-core' rather than just 'perl'.
 It is highly recommended that you have at least Perl version 5.12
 installed.
 Note on multi-threading
 -----------------------
@@ -390,7 +346,7 @@
 		rm -f $F; ln -s $OPENSSL_SOURCE/$F $F
 		echo $F '->' $OPENSSL_SOURCE/$F
 	done
-	make -f Makefile.in clean
+	make -f Makefile.org clean
 OPENSSL_SOURCE is an environment variable that contains the absolute (this
 is important!) path to the OpenSSL source tree.
--- a/INSTALL.MacOS
+++ b/INSTALL.MacOS
@@ -0,0 +1,72 @@
 OpenSSL - Port To The Macintosh OS 9 or Earlier
 ===============================================
 Thanks to Roy Wood <roy@centricsystems.ca> initial support for Mac OS (pre
 X) is now provided. "Initial" means that unlike other platforms where you
 get an SDK and a "swiss army" openssl application, on Macintosh you only
 get one sample application which fetches a page over HTTPS(*) and dumps it
 in a window. We don't even build the test applications so that we can't
 guarantee that all algorithms are operational.
 Required software:
 - StuffIt Expander 5.5 or later, alternatively MacGzip and SUNtar;
 - Scriptable Finder;
 - CodeWarrior Pro 5;
 Installation procedure:
 - fetch the source at ftp://ftp.openssl.org/ (well, you probably already
  did, huh?)
 - unpack the .tar.gz file:
 	- if you have StuffIt Expander then just drag it over it;
 	- otherwise uncompress it with MacGzip and then unpack with SUNtar;
 - locate MacOS folder in OpenSSL source tree and open it;
 - unbinhex mklinks.as.hqx and OpenSSL.mcp.hqx if present (**), do it
  "in-place", i.e. unpacked files should end-up in the very same folder;
 - execute mklinks.as;
 - open OpenSSL.mcp(***) and build 'GetHTTPS PPC' target(****);
 - that's it for now;
 (*)	URL is hardcoded into ./MacOS/GetHTTPS.src/GetHTTPS.cpp, lines 40
        to 42, change appropriately.
 (**)	If you use SUNtar, then it might have already unbinhexed the files
 	in question.
 (***)	The project file was saved with CW Pro 5.3. If you have an earlier
 	version and it refuses to open it, then download
 	http://www.openssl.org/~appro/OpenSSL.mcp.xml and import it
 	overwriting the original OpenSSL.mcp.
 (****)	Other targets are works in progress. If you feel like giving 'em a
 	shot, then you should know that OpenSSL* and Lib* targets are
 	supposed to be built with the GUSI, MacOS library which mimics
 	BSD sockets and some other POSIX APIs. The GUSI distribution is
 	expected to be found in the same directory as the openssl source tree,
 	i.e., in the parent directory to the one where this very file,
 	namely INSTALL.MacOS, resides. For more information about GUSI, see
 	http://www.iis.ee.ethz.ch/~neeri/macintosh/gusi-qa.html
 Finally some essential comments from our generous contributor:-)
 "I've gotten OpenSSL working on the Macintosh. It's probably a bit of a
 hack, but it works for what I'm doing. If you don't like the way I've done
 it, then feel free to change what I've done. I freely admit that I've done
 some less-than-ideal things in my port, and if you don't like the way I've
 done something, then feel free to change it-- I won't be offended!
 ... I've tweaked "bss_sock.c" a little to call routines in a "MacSocket"
 library I wrote. My MacSocket library is a wrapper around OpenTransport,
 handling stuff like endpoint creation, reading, writing, etc. It is not
 designed as a high-performance package such as you'd use in a webserver,
 but is fine for lots of other applications. MacSocket also uses some other
 code libraries I've written to deal with string manipulations and error
 handling. Feel free to use these things in your own code, but give me
 credit and/or send me free stuff in appreciation! :-)
 ...
 If you have any questions, feel free to email me as the following:
 roy@centricsystems.ca
 -Roy Wood"
--- a/INSTALL.NW
+++ b/INSTALL.NW
@@ -378,7 +378,7 @@ The openssl program has numerous options and can be used for many different
 things.  Many of the options operate in an interactive mode requiring the
 user to enter data.  Because of this, a default screen is created for the
 program.  However, when running the test script it is not desirable to
-have a separate screen.  Therefore, the build also creates openssl2.nlm.
+have a seperate screen.  Therefore, the build also creates openssl2.nlm.
 Openssl2.nlm is functionally identical but uses the console screen.
 Openssl2 can be used when a non-interactive mode is desired.
--- a/INSTALL.VMS
+++ b/INSTALL.VMS
@@ -25,8 +25,6 @@ Requirements:
 To build and install OpenSSL, you will need:
 * Perl 5 with core modules.  If you don't want to build it yourself,
   we suggest you look here: http://sourceforge.net/projects/vmsperlkit/files/
 * DEC C or some other ANSI C compiler.  VAX C is *not* supported.
   [Note: OpenSSL has only been tested with DEC C.  Compiling with 
    a different ANSI C compiler may require some work]
@@ -85,6 +83,7 @@ directory.  The syntax is the following:
      RSAREF    Just build the "[.xxx.EXE.RSAREF]LIBRSAGLUE.OLB" library.
      CRYPTO    Just build the "[.xxx.EXE.CRYPTO]LIBCRYPTO.OLB" library.
      SSL       Just build the "[.xxx.EXE.SSL]LIBSSL.OLB" library.
      SSL_TASK  Just build the "[.xxx.EXE.SSL]SSL_TASK.EXE" program.
      TEST      Just build the "[.xxx.EXE.TEST]" test programs for OpenSSL.
      APPS      Just build the "[.xxx.EXE.APPS]" application programs for OpenSSL.
@@ -131,23 +130,15 @@ Currently, the logical names supported are:
      OPENSSL_NO_ASM    with value YES, the assembler parts of OpenSSL will
                        not be used.  Instead, plain C implementations are
                        used.  This is good to try if something doesn't work.
-      OPENSSL_NO_'alg'  with value YES, the corresponding crypto algorithm,
+      OPENSSL_NO_'alg'  with value YES, the corresponding crypto algorithm
-                        protocol or other routine will not be implemented if
+                        will not be implemented.  Supported algorithms to
-                        disabling it is supported.  Supported algorithms to
+                        do this with are: RSA, DSA, DH, MD2, MD4, MD5, RIPEMD,
-                        do this with are: AES, BF, CAMELLIA, CAST, CMS, COMP,
+                        SHA, DES, MDC2, CR2, RC4, RC5, IDEA, BF, CAST, HMAC,
-                        DES, DGRAM, DH, DSA, EC, EC2M, ECDH, ECDSA, ENGINE,
+                        SSL2.  So, for example, having the logical name
-                        ERR, GOST, HEARTBEATS, HMAC, IDEA, MD2, MD4,
+                        OPENSSL_NO_RSA with the value YES means that the
-                        MD5, OCB, OCSP, PSK, RC2, RC4, RC5, RMD160, RSA, SCTP,
+                        LIBCRYPTO.OLB library will not contain an RSA
-                        SEED, SOCK, SRP, SRTP, WHIRLPOOL.  So, for
+                        implementation.
-                        example, having the logical name OPENSSL_NO_RSA with
+
                        the value YES means that the LIBCRYPTO.OLB library
                        will not contain an RSA implementation.
      OPENSSL_EXPERIMENTAL_'alg'
                        with value YES, the corresponding experimental
                        algorithm is enabled.  Note that is also requires
                        the application using this to define the C macro
                        OPENSSL_EXPERIMENTAL_'alg'.  Supported algorithms
                        to do this with are: JPAKE, STORE.
 Test:
 =====
--- a/INSTALL.W32
+++ b/INSTALL.W32
@@ -29,7 +29,7 @@
  is required if you intend to utilize assembler modules. Note that NASM
  is now the only supported assembler.
- If you are compiling from a tarball or a Git snapshot then the Win32 files
+ If you are compiling from a tarball or a CVS snapshot then the Win32 files
 may well be not up to date. This may mean that some "tweaking" is required to
 get it all to work. See the trouble shooting section later on for if (when?)
 it goes wrong.
@@ -257,7 +257,7 @@
 then ms\do_XXX should not give a warning any more. However the numbers that
 get assigned by this technique may not match those that eventually get
- assigned in the Git tree: so anything linked against this version of the
+ assigned in the CVS tree: so anything linked against this version of the
 library may need to be recompiled.
 If you get errors about unresolved symbols there are several possible
--- a/Makefile.fips
+++ b/Makefile.fips
@@ -0,0 +1,638 @@
 ##
 ## Makefile for OpenSSL: fipscanister.o only
 ##
 VERSION=fips-2.0-test
 MAJOR=
 MINOR=
 SHLIB_VERSION_NUMBER=
 SHLIB_VERSION_HISTORY=
 SHLIB_MAJOR=
 SHLIB_MINOR=
 SHLIB_EXT=
 PLATFORM=dist
 OPTIONS=
 CONFIGURE_ARGS=
 SHLIB_TARGET=
 # HERE indicates where this Makefile lives.  This can be used to indicate
 # where sub-Makefiles are expected to be.  Currently has very limited usage,
 # and should probably not be bothered with at all.
 HERE=.
 # INSTALL_PREFIX is for package builders so that they can configure
 # for, say, /usr/ and yet have everything installed to /tmp/somedir/usr/.
 # Normally it is left empty.
 INSTALL_PREFIX=
 INSTALLTOP=/usr/local/ssl
 # Do not edit this manually. Use Configure --openssldir=DIR do change this!
 OPENSSLDIR=/usr/local/ssl
 # NO_IDEA - Define to build without the IDEA algorithm
 # NO_RC4  - Define to build without the RC4 algorithm
 # NO_RC2  - Define to build without the RC2 algorithm
 # THREADS - Define when building with threads, you will probably also need any
 #           system defines as well, i.e. _REENTERANT for Solaris 2.[34]
 # TERMIO  - Define the termio terminal subsystem, needed if sgtty is missing.
 # TERMIOS - Define the termios terminal subsystem, Silicon Graphics.
 # LONGCRYPT - Define to use HPUX 10.x's long password modification to crypt(3).
 # DEVRANDOM - Give this the value of the 'random device' if your OS supports
 #           one.  32 bytes will be read from this when the random
 #           number generator is initalised.
 # SSL_FORBID_ENULL - define if you want the server to be not able to use the
 #           NULL encryption ciphers.
 #
 # LOCK_DEBUG - turns on lots of lock debug output :-)
 # REF_CHECK - turn on some xyz_free() assertions.
 # REF_PRINT - prints some stuff on structure free.
 # CRYPTO_MDEBUG - turns on my 'memory leak' detecting stuff
 # MFUNC - Make all Malloc/Free/Realloc calls call
 #       CRYPTO_malloc/CRYPTO_free/CRYPTO_realloc which can be setup to
 #       call application defined callbacks via CRYPTO_set_mem_functions()
 # MD5_ASM needs to be defined to use the x86 assembler for MD5
 # SHA1_ASM needs to be defined to use the x86 assembler for SHA1
 # RMD160_ASM needs to be defined to use the x86 assembler for RIPEMD160
 # Do not define B_ENDIAN or L_ENDIAN if 'unsigned long' == 8.  It must
 # equal 4.
 # PKCS1_CHECK - pkcs1 tests.
 CC= cc
 CFLAG= -O
 DEPFLAG= 
 PEX_LIBS= 
 EX_LIBS= 
 EXE_EXT= 
 ARFLAGS=
 AR=ar $(ARFLAGS) r
 RANLIB= ranlib
 NM= nm
 PERL= perl
 TAR= tar
 TARFLAGS= --no-recursion
 MAKEDEPPROG=makedepend
 LIBDIR=lib
 # We let the C compiler driver to take care of .s files. This is done in
 # order to be excused from maintaining a separate set of architecture
 # dependent assembler flags. E.g. if you throw -mcpu=ultrasparc at SPARC
 # gcc, then the driver will automatically translate it to -xarch=v8plus
 # and pass it down to assembler.
 #AS=$(CC) -c
 ASFLAG=$(CFLAG)
 # For x86 assembler: Set PROCESSOR to 386 if you want to support
 # the 80386.
 PROCESSOR=
 # CPUID module collects small commonly used assembler snippets
 CPUID_OBJ= 
 BN_ASM= bn_asm.o
 DES_ENC= des_enc.o fcrypt_b.o
 AES_ENC= aes_core.o aes_cbc.o
 BF_ENC= bf_enc.o
 CAST_ENC= c_enc.o
 RC4_ENC= rc4_enc.o
 RC5_ENC= rc5_enc.o
 MD5_ASM_OBJ= 
 SHA1_ASM_OBJ= 
 RMD160_ASM_OBJ= 
 WP_ASM_OBJ=
 CMLL_ENC=
 MODES_ASM_OBJ=
 PERLASM_SCHEME=
 # KRB5 stuff
 KRB5_INCLUDES=
 LIBKRB5=
 # Zlib stuff
 ZLIB_INCLUDE=
 LIBZLIB=
 # This is the location of fipscanister.o and friends.
 # The FIPS module build will place it $(INSTALLTOP)/lib
 # but since $(INSTALLTOP) can only take the default value
 # when the module is built it will be in /usr/local/ssl/lib
 # $(INSTALLTOP) for this build may be different so hard
 # code the path.
 FIPSLIBDIR=/usr/local/ssl/$(LIBDIR)/
 # This is set to "y" if fipscanister.o is compiled internally as
 # opposed to coming from an external validated location.
 FIPSCANISTERINTERNAL=n
 # This is set if we only build fipscanister.o
 FIPSCANISTERONLY=y
 # The location of the library which contains fipscanister.o
 # normally it will be libcrypto unless fipsdso is set in which
 # case it will be libfips. If not compiling in FIPS mode at all
 # this is empty making it a useful test for a FIPS compile.
 FIPSCANLIB=
 # Shared library base address. Currently only used on Windows.
 #
 BASEADDR=
 DIRS=   crypto fips test 
 ENGDIRS= ccgost
 SHLIBDIRS= crypto 
 # dirs in crypto to build
 SDIRS=  \
 	sha hmac des aes modes \
 	bn ec rsa dsa ecdsa dh \
 	buffer evp ecdh cmac
 # keep in mind that the above list is adjusted by ./Configure
 # according to no-xxx arguments...
 LINKDIRS=  \
 	objects sha hmac des aes modes \
 	bn ec rsa dsa ecdh cmac ecdsa dh engine \
 	buffer bio stack lhash rand err \
 	evp asn1 ui
 # tests to perform.  "alltests" is a special word indicating that all tests
 # should be performed.
 TESTS = alltests
 MAKEFILE= Makefile
 MANDIR=$(OPENSSLDIR)/man
 MAN1=1
 MAN3=3
 MANSUFFIX=
 HTMLSUFFIX=html
 HTMLDIR=$(OPENSSLDIR)/html
 SHELL=/bin/sh
 TOP=    .
 ONEDIRS=out tmp
 EDIRS=  times doc bugs util include certs ms shlib mt demos perl sf dep VMS
 WDIRS=  windows
 LIBS=   
 SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
 SHARED_SSL=libssl$(SHLIB_EXT)
 SHARED_LIBS=
 SHARED_LIBS_LINK_EXTS=
 SHARED_LDFLAGS=
 GENERAL=        Makefile
 BASENAME=       openssl
 NAME=           $(BASENAME)-$(VERSION)
 TARFILE=        openssl-fips-2.0-test.tar
 WTARFILE=       $(NAME)-win.tar
 EXHEADER=       e_os2.h
 HEADER=         e_os.h
 all: Makefile build_all openssl.pc libssl.pc libcrypto.pc
 # as we stick to -e, CLEARENV ensures that local variables in lower
 # Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn
 # shell, which [annoyingly enough] terminates unset with error if VAR
 # is not present:-( TOP= && unset TOP is tribute to HP-UX /bin/sh,
 # which terminates unset with error if no variable was present:-(
 CLEARENV=	TOP= && unset TOP $${LIB+LIB} $${LIBS+LIBS}	\
 		$${INCLUDE+INCLUDE} $${INCLUDES+INCLUDES}	\
 		$${DIR+DIR} $${DIRS+DIRS} $${SRC+SRC}		\
 		$${LIBSRC+LIBSRC} $${LIBOBJ+LIBOBJ} $${ALL+ALL}	\
 		$${EXHEADER+EXHEADER} $${HEADER+HEADER}		\
 		$${GENERAL+GENERAL} $${CFLAGS+CFLAGS}		\
 		$${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS}		\
 		$${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS}		\
 		$${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS}	\
 		$${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS}
 BUILDENV=	PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)' \
 		CC='$(CC)' CFLAG='$(CFLAG)' 			\
 		ASFLAG='$(CFLAG) -c'			\
 		AR='$(AR)' NM='$(NM)' RANLIB='$(RANLIB)'	\
 		CROSS_COMPILE='$(CROSS_COMPILE)'	\
 		PERL='$(PERL)' ENGDIRS='$(ENGDIRS)'		\
 		SDIRS='$(SDIRS)' LIBRPATH='$(INSTALLTOP)/$(LIBDIR)'	\
 		INSTALL_PREFIX='$(INSTALL_PREFIX)'		\
 		INSTALLTOP='$(INSTALLTOP)' OPENSSLDIR='$(OPENSSLDIR)'	\
 		LIBDIR='$(LIBDIR)'				\
 		MAKEDEPEND='$$$${TOP}/util/domd $$$${TOP} -MD $(MAKEDEPPROG)' \
 		DEPFLAG='-DOPENSSL_NO_DEPRECATED $(DEPFLAG)'	\
 		MAKEDEPPROG='$(MAKEDEPPROG)'			\
 		SHARED_LDFLAGS='$(SHARED_LDFLAGS)'		\
 		KRB5_INCLUDES='$(KRB5_INCLUDES)' LIBKRB5='$(LIBKRB5)'	\
 		ZLIB_INCLUDE='$(ZLIB_INCLUDE)' LIBZLIB='$(LIBZLIB)'	\
 		EXE_EXT='$(EXE_EXT)' SHARED_LIBS='$(SHARED_LIBS)'	\
 		SHLIB_EXT='$(SHLIB_EXT)' SHLIB_TARGET='$(SHLIB_TARGET)'	\
 		PEX_LIBS='$(PEX_LIBS)' EX_LIBS='$(EX_LIBS)'	\
 		CPUID_OBJ='$(CPUID_OBJ)'			\
 		BN_ASM='$(BN_ASM)' DES_ENC='$(DES_ENC)' 	\
 		AES_ENC='$(AES_ENC)' CMLL_ENC='$(CMLL_ENC)'	\
 		BF_ENC='$(BF_ENC)' CAST_ENC='$(CAST_ENC)'	\
 		RC4_ENC='$(RC4_ENC)' RC5_ENC='$(RC5_ENC)'	\
 		SHA1_ASM_OBJ='$(SHA1_ASM_OBJ)'			\
 		MD5_ASM_OBJ='$(MD5_ASM_OBJ)'			\
 		RMD160_ASM_OBJ='$(RMD160_ASM_OBJ)'		\
 		WP_ASM_OBJ='$(WP_ASM_OBJ)'			\
 		MODES_ASM_OBJ='$(MODES_ASM_OBJ)'		\
 		PERLASM_SCHEME='$(PERLASM_SCHEME)'		\
 		FIPSLIBDIR='${FIPSLIBDIR}'			\
 		FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}"	\
 		FIPSCANISTERINTERNAL='${FIPSCANISTERINTERNAL}'	\
 		FIPSCANISTERONLY='${FIPSCANISTERONLY}'	\
 		FIPS_EX_OBJ='${FIPS_EX_OBJ}'	\
 		THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
 # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
 # which in turn eliminates ambiguities in variable treatment with -e.
 # BUILD_CMD is a generic macro to build a given target in a given
 # subdirectory.  The target must be given through the shell variable
 # `target' and the subdirectory to build in must be given through `dir'.
 # This macro shouldn't be used directly, use RECURSIVE_BUILD_CMD or
 # BUILD_ONE_CMD instead.
 #
 # BUILD_ONE_CMD is a macro to build a given target in a given
 # subdirectory if that subdirectory is part of $(DIRS).  It requires
 # exactly the same shell variables as BUILD_CMD.
 #
 # RECURSIVE_BUILD_CMD is a macro to build a given target in all
 # subdirectories defined in $(DIRS).  It requires that the target
 # is given through the shell variable `target'.
 BUILD_CMD=  if [ -d "$$dir" ]; then \
 	    (	cd $$dir && echo "making $$target in $$dir..." && \
 		$(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. DIR=$$dir $$target \
 	    ) || exit 1; \
 	    fi
 RECURSIVE_BUILD_CMD=for dir in $(DIRS); do $(BUILD_CMD); done
 BUILD_ONE_CMD=\
 	if expr " $(DIRS) " : ".* $$dir " >/dev/null 2>&1; then \
 		$(BUILD_CMD); \
 	fi
 reflect:
 	@[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV)
 FIPS_EX_OBJ= ../crypto/aes/aes_cfb.o \
 	../crypto/aes/aes_ecb.o \
 	../crypto/aes/aes_ofb.o \
 	../crypto/bn/bn_add.o \
 	../crypto/bn/bn_blind.o \
 	../crypto/bn/bn_ctx.o \
 	../crypto/bn/bn_div.o \
 	../crypto/bn/bn_exp2.o \
 	../crypto/bn/bn_exp.o \
 	../crypto/bn/bn_gcd.o \
 	../crypto/bn/bn_gf2m.o \
 	../crypto/bn/bn_lib.o \
 	../crypto/bn/bn_mod.o \
 	../crypto/bn/bn_mont.o \
 	../crypto/bn/bn_mul.o \
 	../crypto/bn/bn_nist.o \
 	../crypto/bn/bn_prime.o \
 	../crypto/bn/bn_rand.o \
 	../crypto/bn/bn_recp.o \
 	../crypto/bn/bn_shift.o \
 	../crypto/bn/bn_sqr.o \
 	../crypto/bn/bn_word.o \
 	../crypto/bn/bn_x931p.o \
 	../crypto/buffer/buf_str.o \
 	../crypto/cmac/cmac.o \
 	../crypto/cryptlib.o \
 	../crypto/des/cfb64ede.o \
 	../crypto/des/cfb64enc.o \
 	../crypto/des/cfb_enc.o \
 	../crypto/des/ecb3_enc.o \
 	../crypto/des/ofb64ede.o \
 	../crypto/des/fcrypt.o \
 	../crypto/des/set_key.o \
 	../crypto/dh/dh_check.o \
 	../crypto/dh/dh_gen.o \
 	../crypto/dh/dh_key.o \
 	../crypto/dsa/dsa_gen.o \
 	../crypto/dsa/dsa_key.o \
 	../crypto/dsa/dsa_ossl.o \
 	../crypto/ec/ec_curve.o \
 	../crypto/ec/ec_cvt.o \
 	../crypto/ec/ec_key.o \
 	../crypto/ec/ec_lib.o \
 	../crypto/ec/ecp_mont.o \
 	../crypto/ec/ec_mult.o \
 	../crypto/ec/ecp_nist.o \
 	../crypto/ec/ecp_smpl.o \
 	../crypto/ec/ec2_mult.o \
 	../crypto/ec/ec2_smpl.o \
 	../crypto/ecdh/ech_key.o \
 	../crypto/ecdh/ech_ossl.o \
 	../crypto/ecdsa/ecs_ossl.o \
 	../crypto/evp/e_aes.o \
 	../crypto/evp/e_des3.o \
 	../crypto/evp/e_null.o \
 	../crypto/evp/m_sha1.o \
 	../crypto/evp/m_dss1.o \
 	../crypto/evp/m_dss.o \
 	../crypto/evp/m_ecdsa.o \
 	../crypto/hmac/hmac.o \
 	../crypto/modes/cbc128.o \
 	../crypto/modes/ccm128.o \
 	../crypto/modes/cfb128.o \
 	../crypto/modes/ctr128.o \
 	../crypto/modes/gcm128.o \
 	../crypto/modes/ofb128.o \
 	../crypto/modes/xts128.o \
 	../crypto/rsa/rsa_eay.o \
 	../crypto/rsa/rsa_gen.o \
 	../crypto/rsa/rsa_crpt.o \
 	../crypto/rsa/rsa_none.o \
 	../crypto/rsa/rsa_oaep.o \
 	../crypto/rsa/rsa_pk1.o \
 	../crypto/rsa/rsa_pss.o \
 	../crypto/rsa/rsa_ssl.o \
 	../crypto/rsa/rsa_x931.o \
 	../crypto/rsa/rsa_x931g.o \
 	../crypto/sha/sha1dgst.o \
 	../crypto/sha/sha256.o \
 	../crypto/sha/sha512.o \
 	../crypto/thr_id.o \
 	../crypto/uid.o
 sub_all: build_all
 build_all: build_libs
 build_libs: build_crypto build_fips
 build_fips:
 	@dir=fips; target=all; [ -z "$(FIPSCANLIB)" ] || $(BUILD_ONE_CMD)
 build_crypto:
 	if [ -n "$(FIPSCANLIB)" ]; then \
 		EXCL_OBJ='$(AES_ENC) $(BN_ASM) $(DES_ENC) $(CPUID_OBJ) $(SHA1_ASM_OBJ) $(MODES_ASM_OBJ) $(FIPS_EX_OBJ)' ; export EXCL_OBJ ; \
 		ARX='$(PERL) $${TOP}/util/arx.pl $(AR)' ; \
 	else \
 		ARX='${AR}' ; \
 	fi ; export ARX ; \
 	if [ $(FIPSCANISTERINTERNAL) = "y" ]; then \
 		AS='$(PERL) $${TOP}/util/fipsas.pl $${TOP} $${<} $(CC)' ; \
 	else \
 		AS='$(CC) -c' ; \
 	fi ; export AS ; \
 		dir=crypto; target=fips; $(BUILD_ONE_CMD)
 build_ssl:
 	@dir=ssl; target=all; $(BUILD_ONE_CMD)
 build_engines:
 	@dir=engines; target=all; $(BUILD_ONE_CMD)
 build_apps:
 	@dir=apps; target=all; $(BUILD_ONE_CMD)
 build_tests:
 	@dir=test; target=fipsexe; $(BUILD_ONE_CMD)
 build_algvs:
 	@dir=test; target=fipsalgvs; $(BUILD_ONE_CMD)
 build_tools:
 	@dir=tools; target=all; $(BUILD_ONE_CMD)
 all_testapps: build_libs build_testapps
 build_testapps:
 	@dir=crypto; target=testapps; $(BUILD_ONE_CMD)
 libcrypto$(SHLIB_EXT): libcrypto.a build_fips
 	@if [ "$(SHLIB_TARGET)" != "" ]; then \
 		if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
 			FIPSLD_CC="$(CC)"; CC=fips/fipsld; \
 			export CC FIPSLD_CC; \
 		fi; \
 		$(MAKE) SHLIBDIRS=crypto build-shared; \
 	else \
 		echo "There's no support for shared libraries on this platform" >&2; \
 		exit 1; \
 	fi
 libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a
 	@if [ "$(SHLIB_TARGET)" != "" ]; then \
 		$(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-lcrypto' build-shared; \
 	else \
 		echo "There's no support for shared libraries on this platform" >&2; \
 		exit 1; \
 	fi
 clean-shared:
 	@set -e; for i in $(SHLIBDIRS); do \
 		if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \
 			tmp="$(SHARED_LIBS_LINK_EXTS)"; \
 			for j in $${tmp:-x}; do \
 				( set -x; rm -f lib$$i$$j ); \
 			done; \
 		fi; \
 		( set -x; rm -f lib$$i$(SHLIB_EXT) ); \
 		if [ "$(PLATFORM)" = "Cygwin" ]; then \
 			( set -x; rm -f cyg$$i$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \
 		fi; \
 	done
 link-shared:
 	@ set -e; for i in $(SHLIBDIRS); do \
 		$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
 			LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
 			LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
 			symlink.$(SHLIB_TARGET); \
 		libs="$$libs -l$$i"; \
 	done
 build-shared: do_$(SHLIB_TARGET) link-shared
 do_$(SHLIB_TARGET):
 	@ set -e; libs='-L. $(SHLIBDEPS)'; for i in $(SHLIBDIRS); do \
 		if [ "$$i" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 			libs="$(LIBKRB5) $$libs"; \
 		fi; \
 		$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
 			LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
 			LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
 			LIBDEPS="$$libs $(EX_LIBS)" \
 			link_a.$(SHLIB_TARGET); \
 		libs="-l$$i $$libs"; \
 	done
 libcrypto.pc: Makefile
 	@ ( echo 'prefix=$(INSTALLTOP)'; \
 	    echo 'exec_prefix=$${prefix}'; \
 	    echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
 	    echo 'includedir=$${prefix}/include'; \
 	    echo ''; \
 	    echo 'Name: OpenSSL-libcrypto'; \
 	    echo 'Description: OpenSSL cryptography library'; \
 	    echo 'Version: '$(VERSION); \
 	    echo 'Requires: '; \
 	    echo 'Libs: -L$${libdir} -lcrypto $(EX_LIBS)'; \
 	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
 libssl.pc: Makefile
 	@ ( echo 'prefix=$(INSTALLTOP)'; \
 	    echo 'exec_prefix=$${prefix}'; \
 	    echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
 	    echo 'includedir=$${prefix}/include'; \
 	    echo ''; \
 	    echo 'Name: OpenSSL'; \
 	    echo 'Description: Secure Sockets Layer and cryptography libraries'; \
 	    echo 'Version: '$(VERSION); \
 	    echo 'Requires: '; \
 	    echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
 	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
 openssl.pc: Makefile
 	@ ( echo 'prefix=$(INSTALLTOP)'; \
 	    echo 'exec_prefix=$${prefix}'; \
 	    echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
 	    echo 'includedir=$${prefix}/include'; \
 	    echo ''; \
 	    echo 'Name: OpenSSL'; \
 	    echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
 	    echo 'Version: '$(VERSION); \
 	    echo 'Requires: '; \
 	    echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
 	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
 Makefile: Makefile.fips Configure config
 	@echo "Makefile is older than Makefile.org, Configure or config."
 	@echo "Reconfigure the source tree (via './config' or 'perl Configure'), please."
 	@false
 libclean:
 	rm -f *.map *.so *.so.* *.dll engines/*.so engines/*.dll *.a engines/*.a */lib */*/lib
 clean:	libclean
 	rm -f shlib/*.o *.o core a.out fluff testlog make.log cctest cctest.c
 	@set -e; target=clean; $(RECURSIVE_BUILD_CMD)
 	rm -f $(LIBS)
 	rm -f openssl.pc libssl.pc libcrypto.pc
 	rm -f speed.* .pure
 	rm -f $(TARFILE)
 	@set -e; for i in $(ONEDIRS) ;\
 	do \
 	rm -fr $$i/*; \
 	done
 makefile.one: files
 	$(PERL) util/mk1mf.pl >makefile.one; \
 	sh util/do_ms.sh
 files:
 	$(PERL) $(TOP)/util/files.pl Makefile > $(TOP)/MINFO
 	@set -e; target=files; $(RECURSIVE_BUILD_CMD)
 links:
 	@$(PERL) $(TOP)/util/mkdir-p.pl include/openssl
 	@$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER)
 	@set -e; dir=fips target=links; $(BUILD_ONE_CMD)
 	@(cd crypto ; TEST='' SDIRS='$(LINKDIRS)' $(MAKE) -e links)
 gentests:
 	@(cd test && echo "generating dummy tests (if needed)..." && \
 	$(CLEARENV) && $(MAKE) -e $(BUILDENV) TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on generate );
 dclean:
 	rm -rf *.bak include/openssl certs/.0
 	@set -e; target=dclean; $(RECURSIVE_BUILD_CMD)
 test:   tests
 tests:
 	@echo "Not implemented in FIPS build" ; false
 report:
 	@$(PERL) util/selftest.pl
 depend:
 	@echo make depend not supported ; false
 lint:
 	@set -e; target=lint; $(RECURSIVE_BUILD_CMD)
 tags:
 	rm -f TAGS
 	find . -name '[^.]*.[ch]' | xargs etags -a
 errors:
 	$(PERL) util/mkerr.pl -recurse -write
 	(cd engines; $(MAKE) PERL=$(PERL) errors)
 	$(PERL) util/ck_errf.pl -strict */*.c */*/*.c
 stacks:
 	$(PERL) util/mkstack.pl -write
 util/libeay.num::
 	$(PERL) util/mkdef.pl crypto update
 util/ssleay.num::
 	$(PERL) util/mkdef.pl ssl update
 crypto/objects/obj_dat.h: crypto/objects/obj_dat.pl crypto/objects/obj_mac.h
 	$(PERL) crypto/objects/obj_dat.pl crypto/objects/obj_mac.h crypto/objects/obj_dat.h
 crypto/objects/obj_mac.h: crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num
 	$(PERL) crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num crypto/objects/obj_mac.h
 crypto/objects/obj_xref.h: crypto/objects/objxref.pl crypto/objects/obj_xref.txt crypto/objects/obj_mac.num
 	$(PERL) crypto/objects/objxref.pl crypto/objects/obj_mac.num crypto/objects/obj_xref.txt >crypto/objects/obj_xref.h
 apps/openssl-vms.cnf: apps/openssl.cnf
 	$(PERL) VMS/VMSify-conf.pl < apps/openssl.cnf > apps/openssl-vms.cnf
 crypto/bn/bn_prime.h: crypto/bn/bn_prime.pl
 	$(PERL) crypto/bn/bn_prime.pl >crypto/bn/bn_prime.h
 TABLE: Configure
 	(echo 'Output of `Configure TABLE'"':"; \
 	$(PERL) Configure TABLE) > TABLE
 update: errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h crypto/objects/obj_xref.h apps/openssl-vms.cnf crypto/bn/bn_prime.h TABLE depend
 # Build distribution tar-file. As the list of files returned by "find" is
 # pretty long, on several platforms a "too many arguments" error or similar
 # would occur. Therefore the list of files is temporarily stored into a file
 # and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal
 # tar does not support the --files-from option.
 tar:
 	find . -type d -print | xargs chmod 755
 	find . -type f -print | xargs chmod a+r
 	find . -type f -perm -0100 -print | xargs chmod a+x
 	find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | $(BUILDENV) LINKDIRS='$(LINKDIRS)' $(PERL) util/fipsdist.pl | sort > ../$(TARFILE).list; \
 	$(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list -cvf - | \
 	tardy --user_number=0  --user_name=openssl \
 	      --group_number=0 --group_name=openssl \
 	      --prefix=openssl-$(VERSION) - |\
 	gzip --best >../$(TARFILE).gz; \
 	rm -f ../$(TARFILE).list; \
 	ls -l ../$(TARFILE).gz
 tar-snap:
 	@$(TAR) $(TARFLAGS) -cvf - \
 		`find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \! -name '*.so' \! -name '*.so.*'  \! -name 'openssl' \! -name '*test' \! -name '.#*' \! -name '*~' | sort` |\
 	tardy --user_number=0  --user_name=openssl \
 	      --group_number=0 --group_name=openssl \
 	      --prefix=openssl-$(VERSION) - > ../$(TARFILE);\
 	ls -l ../$(TARFILE)
 dist:   
 	$(PERL) Configure dist fipscanisteronly
 	@$(MAKE) dist_pem_h
 	@$(MAKE) SDIRS='$(SDIRS)' clean
 	@$(MAKE) -f Makefile.fips TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' tar
 dist_pem_h:
 	(cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean)
 install: all install_sw
 install_sw:
 	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl
 	@set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\
 	do \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
 	done;
 	@set -e; target=install; $(RECURSIVE_BUILD_CMD)
 # DO NOT DELETE THIS LINE -- make depend depends on it.
--- a/Makefile.org
+++ b/Makefile.org
@@ -26,14 +26,14 @@ HERE=.
 INSTALL_PREFIX=
 INSTALLTOP=/usr/local/ssl
-# Do not edit this manually. Use Configure --openssldir=DIR to change this!
+# Do not edit this manually. Use Configure --openssldir=DIR do change this!
 OPENSSLDIR=/usr/local/ssl
 # NO_IDEA - Define to build without the IDEA algorithm
 # NO_RC4  - Define to build without the RC4 algorithm
 # NO_RC2  - Define to build without the RC2 algorithm
 # THREADS - Define when building with threads, you will probably also need any
-#           system defines as well, i.e. _REENTRANT for Solaris 2.[34]
+#           system defines as well, i.e. _REENTERANT for Solaris 2.[34]
 # TERMIO  - Define the termio terminal subsystem, needed if sgtty is missing.
 # TERMIOS - Define the termios terminal subsystem, Silicon Graphics.
 # LONGCRYPT - Define to use HPUX 10.x's long password modification to crypt(3).
@@ -46,6 +46,7 @@ OPENSSLDIR=/usr/local/ssl
 # LOCK_DEBUG - turns on lots of lock debug output :-)
 # REF_CHECK - turn on some xyz_free() assertions.
 # REF_PRINT - prints some stuff on structure free.
 # CRYPTO_MDEBUG - turns on my 'memory leak' detecting stuff
 # MFUNC - Make all Malloc/Free/Realloc calls call
 #       CRYPTO_malloc/CRYPTO_free/CRYPTO_realloc which can be setup to
 #       call application defined callbacks via CRYPTO_set_mem_functions()
@@ -67,8 +68,6 @@ AR=ar $(ARFLAGS) r
 RANLIB= ranlib
 NM= nm
 PERL= perl
 #RM= echo --
 RM= rm -f
 TAR= tar
 TARFLAGS= --no-recursion
 MAKEDEPPROG=makedepend
@@ -79,7 +78,7 @@ LIBDIR=lib
 # dependent assembler flags. E.g. if you throw -mcpu=ultrasparc at SPARC
 # gcc, then the driver will automatically translate it to -xarch=v8plus
 # and pass it down to assembler.
-AS=$(CC) -c
+#AS=$(CC) -c
 ASFLAG=$(CFLAG)
 # For x86 assembler: Set PROCESSOR to 386 if you want to support
@@ -89,7 +88,6 @@ PROCESSOR=
 # CPUID module collects small commonly used assembler snippets
 CPUID_OBJ= 
 BN_ASM= bn_asm.o
 EC_ASM=
 DES_ENC= des_enc.o fcrypt_b.o
 AES_ENC= aes_core.o aes_cbc.o
 BF_ENC= bf_enc.o
@@ -103,10 +101,12 @@ WP_ASM_OBJ=
 CMLL_ENC=
 MODES_ASM_OBJ=
 ENGINES_ASM_OBJ=
 CHACHA_ENC= chacha_enc.o
 POLY1305_ASM_OBJ=
 PERLASM_SCHEME=
 # KRB5 stuff
 KRB5_INCLUDES=
 LIBKRB5=
 # Zlib stuff
 ZLIB_INCLUDE=
 LIBZLIB=
@@ -120,9 +120,15 @@ LIBZLIB=
 FIPSLIBDIR=/usr/local/ssl/$(LIBDIR)/
 # This is set to "y" if fipscanister.o is compiled internally as
 # opposed to coming from an external validated location.
 FIPSCANISTERINTERNAL=n
 # The location of the library which contains fipscanister.o
-# normally it will be libcrypto. If not compiling in FIPS mode
+# normally it will be libcrypto unless fipsdso is set in which
-# at all this is empty making it a useful test for a FIPS compile.
+# case it will be libfips. If not compiling in FIPS mode at all
 # this is empty making it a useful test for a FIPS compile.
 FIPSCANLIB=
@@ -131,20 +137,19 @@ FIPSCANLIB=
 BASEADDR=
-DIRS=   crypto ssl engines apps test tools
+DIRS=   crypto fips ssl engines apps test tools
 ENGDIRS= ccgost
 SHLIBDIRS= crypto ssl
 INSTALL_SUBS= engines apps tools
 # dirs in crypto to build
 SDIRS=  \
 	objects \
-	md2 md4 md5 sha mdc2 hmac ripemd whrlpool poly1305 \
+	md2 md4 md5 sha mdc2 hmac ripemd whrlpool \
-	des aes rc2 rc4 rc5 idea bf cast camellia seed chacha modes \
+	des aes rc2 rc4 rc5 idea bf cast camellia seed modes \
-	bn ec rsa dsa dh dso engine \
+	bn ec rsa dsa ecdsa dh ecdh dso engine \
 	buffer bio stack lhash rand err \
-	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui \
+	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5 \
-	cms pqueue ts jpake srp store cmac ct async
+	cms pqueue ts jpake srp store cmac
 # keep in mind that the above list is adjusted by ./Configure
 # according to no-xxx arguments...
@@ -163,6 +168,9 @@ HTMLDIR=$(OPENSSLDIR)/html
 SHELL=/bin/sh
 TOP=    .
 ONEDIRS=out tmp
 EDIRS=  times doc bugs util include certs ms shlib mt demos perl sf dep VMS
 WDIRS=  windows
 LIBS=   libcrypto.a libssl.a
 SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
 SHARED_SSL=libssl$(SHLIB_EXT)
@@ -173,21 +181,12 @@ SHARED_LDFLAGS=
 GENERAL=        Makefile
 BASENAME=       openssl
 NAME=           $(BASENAME)-$(VERSION)
-TARFILE=        ../$(NAME).tar
+TARFILE=        $(NAME).tar
 WTARFILE=       $(NAME)-win.tar
 EXHEADER=       e_os2.h
 HEADER=         e_os.h
-# Directories created on install if they don't exist.
+all: Makefile build_all openssl.pc libssl.pc libcrypto.pc
 INSTALLDIRS=	\
 		$(INSTALL_PREFIX)$(INSTALLTOP)/bin \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/private
 all: Makefile build_all
 # as we stick to -e, CLEARENV ensures that local variables in lower
 # Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn
@@ -198,18 +197,16 @@ CLEARENV=	TOP= && unset TOP $${LIB+LIB} $${LIBS+LIBS}	\
 		$${INCLUDE+INCLUDE} $${INCLUDES+INCLUDES}	\
 		$${DIR+DIR} $${DIRS+DIRS} $${SRC+SRC}		\
 		$${LIBSRC+LIBSRC} $${LIBOBJ+LIBOBJ} $${ALL+ALL}	\
-		$${HEADER+HEADER}				\
+		$${EXHEADER+EXHEADER} $${HEADER+HEADER}		\
 		$${GENERAL+GENERAL} $${CFLAGS+CFLAGS}		\
 		$${ASFLAGS+ASFLAGS} $${AFLAGS+AFLAGS}		\
-		$${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS} $${SCRIPTS+SCRIPTS}	\
+		$${LDCMD+LDCMD} $${LDFLAGS+LDFLAGS}		\
 		$${SHAREDCMD+SHAREDCMD} $${SHAREDFLAGS+SHAREDFLAGS}	\
 		$${SHARED_LIB+SHARED_LIB} $${LIBEXTRAS+LIBEXTRAS}
-# LC_ALL=C ensures that error [and other] messages are delivered in
+BUILDENV=	PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)' \
 # same language for uniform treatment.
 BUILDENV=	LC_ALL=C PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)'\
 		CC='$(CC)' CFLAG='$(CFLAG)' 			\
-		AS='$(CC)' ASFLAG='$(CFLAG) -c'			\
+		ASFLAG='$(CFLAG) -c'			\
 		AR='$(AR)' NM='$(NM)' RANLIB='$(RANLIB)'	\
 		CROSS_COMPILE='$(CROSS_COMPILE)'	\
 		PERL='$(PERL)' ENGDIRS='$(ENGDIRS)'		\
@@ -218,15 +215,16 @@ BUILDENV=	LC_ALL=C PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)'\
 		INSTALLTOP='$(INSTALLTOP)' OPENSSLDIR='$(OPENSSLDIR)'	\
 		LIBDIR='$(LIBDIR)'				\
 		MAKEDEPEND='$$$${TOP}/util/domd $$$${TOP} -MD $(MAKEDEPPROG)' \
-		DEPFLAG='$(DEPFLAG)'                    	\
+		DEPFLAG='-DOPENSSL_NO_DEPRECATED $(DEPFLAG)'	\
 		MAKEDEPPROG='$(MAKEDEPPROG)'			\
 		SHARED_LDFLAGS='$(SHARED_LDFLAGS)'		\
 		KRB5_INCLUDES='$(KRB5_INCLUDES)' LIBKRB5='$(LIBKRB5)'	\
 		ZLIB_INCLUDE='$(ZLIB_INCLUDE)' LIBZLIB='$(LIBZLIB)'	\
 		EXE_EXT='$(EXE_EXT)' SHARED_LIBS='$(SHARED_LIBS)'	\
 		SHLIB_EXT='$(SHLIB_EXT)' SHLIB_TARGET='$(SHLIB_TARGET)'	\
 		PEX_LIBS='$(PEX_LIBS)' EX_LIBS='$(EX_LIBS)'	\
-		CPUID_OBJ='$(CPUID_OBJ)' BN_ASM='$(BN_ASM)'	\
+		CPUID_OBJ='$(CPUID_OBJ)'			\
-		EC_ASM='$(EC_ASM)' DES_ENC='$(DES_ENC)'		\
+		BN_ASM='$(BN_ASM)' DES_ENC='$(DES_ENC)' 	\
 		AES_ENC='$(AES_ENC)' CMLL_ENC='$(CMLL_ENC)'	\
 		BF_ENC='$(BF_ENC)' CAST_ENC='$(CAST_ENC)'	\
 		RC4_ENC='$(RC4_ENC)' RC5_ENC='$(RC5_ENC)'	\
@@ -236,11 +234,11 @@ BUILDENV=	LC_ALL=C PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)'\
 		WP_ASM_OBJ='$(WP_ASM_OBJ)'			\
 		MODES_ASM_OBJ='$(MODES_ASM_OBJ)'		\
 		ENGINES_ASM_OBJ='$(ENGINES_ASM_OBJ)'		\
 		CHACHA_ENC='$(CHACHA_ENC)'			\
 		POLY1305_ASM_OBJ='$(POLY1305_ASM_OBJ)'		\
 		PERLASM_SCHEME='$(PERLASM_SCHEME)'		\
 		FIPSLIBDIR='${FIPSLIBDIR}'			\
 		FIPSCANLIB="$${FIPSCANLIB:-$(FIPSCANLIB)}"	\
 		FIPSCANISTERINTERNAL='${FIPSCANISTERINTERNAL}'	\
 		FIPS_EX_OBJ='${FIPS_EX_OBJ}'	\
 		THIS=$${THIS:-$@} MAKEFILE=Makefile MAKEOVERRIDES=
 # MAKEOVERRIDES= effectively "equalizes" GNU-ish and SysV-ish make flavors,
 # which in turn eliminates ambiguities in variable treatment with -e.
@@ -251,13 +249,13 @@ BUILDENV=	LC_ALL=C PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)'\
 # This macro shouldn't be used directly, use RECURSIVE_BUILD_CMD or
 # BUILD_ONE_CMD instead.
 #
 # RECURSIVE_BUILD_CMD is a macro to build a given target in all
 # subdirectories defined in $(DIRS).  It requires that the target
 # is given through the shell variable `target'.
 #
 # BUILD_ONE_CMD is a macro to build a given target in a given
 # subdirectory if that subdirectory is part of $(DIRS).  It requires
 # exactly the same shell variables as BUILD_CMD.
 #
 # RECURSIVE_BUILD_CMD is a macro to build a given target in all
 # subdirectories defined in $(DIRS).  It requires that the target
 # is given through the shell variable `target'.
 BUILD_CMD=  if [ -d "$$dir" ]; then \
 	    (	cd $$dir && echo "making $$target in $$dir..." && \
 		$(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. DIR=$$dir $$target \
@@ -272,40 +270,132 @@ BUILD_ONE_CMD=\
 reflect:
 	@[ -n "$(THIS)" ] && $(CLEARENV) && $(MAKE) $(THIS) -e $(BUILDENV)
-sub_all: build_all
+FIPS_EX_OBJ= ../crypto/aes/aes_cfb.o \
 	../crypto/aes/aes_ecb.o \
 	../crypto/aes/aes_ofb.o \
 	../crypto/bn/bn_add.o \
 	../crypto/bn/bn_blind.o \
 	../crypto/bn/bn_ctx.o \
 	../crypto/bn/bn_div.o \
 	../crypto/bn/bn_exp2.o \
 	../crypto/bn/bn_exp.o \
 	../crypto/bn/bn_gcd.o \
 	../crypto/bn/bn_gf2m.o \
 	../crypto/bn/bn_lib.o \
 	../crypto/bn/bn_mod.o \
 	../crypto/bn/bn_mont.o \
 	../crypto/bn/bn_mul.o \
 	../crypto/bn/bn_nist.o \
 	../crypto/bn/bn_prime.o \
 	../crypto/bn/bn_rand.o \
 	../crypto/bn/bn_recp.o \
 	../crypto/bn/bn_shift.o \
 	../crypto/bn/bn_sqr.o \
 	../crypto/bn/bn_word.o \
 	../crypto/bn/bn_x931p.o \
 	../crypto/buffer/buf_str.o \
 	../crypto/cmac/cmac.o \
 	../crypto/cryptlib.o \
 	../crypto/des/cfb64ede.o \
 	../crypto/des/cfb64enc.o \
 	../crypto/des/cfb_enc.o \
 	../crypto/des/ecb3_enc.o \
 	../crypto/des/ofb64ede.o \
 	../crypto/des/fcrypt.o \
 	../crypto/des/set_key.o \
 	../crypto/dh/dh_check.o \
 	../crypto/dh/dh_gen.o \
 	../crypto/dh/dh_key.o \
 	../crypto/dsa/dsa_gen.o \
 	../crypto/dsa/dsa_key.o \
 	../crypto/dsa/dsa_ossl.o \
 	../crypto/ec/ec_curve.o \
 	../crypto/ec/ec_cvt.o \
 	../crypto/ec/ec_key.o \
 	../crypto/ec/ec_lib.o \
 	../crypto/ec/ecp_mont.o \
 	../crypto/ec/ec_mult.o \
 	../crypto/ec/ecp_nist.o \
 	../crypto/ec/ecp_smpl.o \
 	../crypto/ec/ec2_mult.o \
 	../crypto/ec/ec2_smpl.o \
 	../crypto/ecdh/ech_key.o \
 	../crypto/ecdh/ech_ossl.o \
 	../crypto/ecdsa/ecs_ossl.o \
 	../crypto/evp/e_aes.o \
 	../crypto/evp/e_des3.o \
 	../crypto/evp/e_null.o \
 	../crypto/evp/m_sha1.o \
 	../crypto/evp/m_dss1.o \
 	../crypto/evp/m_dss.o \
 	../crypto/evp/m_ecdsa.o \
 	../crypto/hmac/hmac.o \
 	../crypto/modes/cbc128.o \
 	../crypto/modes/ccm128.o \
 	../crypto/modes/cfb128.o \
 	../crypto/modes/ctr128.o \
 	../crypto/modes/gcm128.o \
 	../crypto/modes/ofb128.o \
 	../crypto/modes/xts128.o \
 	../crypto/rsa/rsa_eay.o \
 	../crypto/rsa/rsa_gen.o \
 	../crypto/rsa/rsa_crpt.o \
 	../crypto/rsa/rsa_none.o \
 	../crypto/rsa/rsa_oaep.o \
 	../crypto/rsa/rsa_pk1.o \
 	../crypto/rsa/rsa_pss.o \
 	../crypto/rsa/rsa_ssl.o \
 	../crypto/rsa/rsa_x931.o \
 	../crypto/rsa/rsa_x931g.o \
 	../crypto/sha/sha1dgst.o \
 	../crypto/sha/sha256.o \
 	../crypto/sha/sha512.o \
 	../crypto/thr_id.o \
 	../crypto/uid.o
 sub_all: build_all
 build_all: build_libs build_apps build_tests build_tools
-build_libs: build_libcrypto build_libssl openssl.pc
+build_libs: build_crypto build_fips build_ssl build_engines
-build_libcrypto: build_crypto build_engines libcrypto.pc
+build_fips:
-build_libssl: build_ssl libssl.pc
+	@dir=fips; target=all; [ -z "$(FIPSCANLIB)" ] || $(BUILD_ONE_CMD)
 build_crypto:
-	@dir=crypto; target=all; $(BUILD_ONE_CMD)
+	if [ -n "$(FIPSCANLIB)" ]; then \
-build_ssl: build_crypto
+		EXCL_OBJ='$(AES_ENC) $(BN_ASM) $(DES_ENC) $(CPUID_OBJ) $(SHA1_ASM_OBJ) $(MODES_ASM_OBJ) $(FIPS_EX_OBJ)' ; export EXCL_OBJ ; \
 		ARX='$(PERL) $${TOP}/util/arx.pl $(AR)' ; \
 	else \
 		ARX='${AR}' ; \
 	fi ; export ARX ; \
 	if [ $(FIPSCANISTERINTERNAL) = "y" ]; then \
 		AS='$(PERL) $${TOP}/util/fipsas.pl $${TOP} $${<} $(CC) -c' ; \
 	else \
 		AS='$(CC) -c' ; \
 	fi ; export AS ; \
 		dir=crypto; target=all; $(BUILD_ONE_CMD)
 build_ssl:
 	@dir=ssl; target=all; $(BUILD_ONE_CMD)
-build_engines: build_crypto
+build_engines:
 	@dir=engines; target=all; AS='$(CC) -c'; export AS; $(BUILD_ONE_CMD)
-
+build_apps:
 build_apps: build_libs
 	@dir=apps; target=all; $(BUILD_ONE_CMD)
-build_tests: build_libs
+build_tests:
 	@dir=test; target=all; $(BUILD_ONE_CMD)
-build_tools: build_libs
+build_tools:
 	@dir=tools; target=all; $(BUILD_ONE_CMD)
 all_testapps: build_libs build_testapps
 build_testapps:
 	@dir=crypto; target=testapps; $(BUILD_ONE_CMD)
-libcrypto$(SHLIB_EXT): libcrypto.a
+libcrypto$(SHLIB_EXT): libcrypto.a build_fips
 	@if [ "$(SHLIB_TARGET)" != "" ]; then \
 		if [ "$(FIPSCANLIB)" = "libcrypto" ]; then \
 			FIPSLD_CC="$(CC)"; CC=fips/fipsld; \
 			export CC FIPSLD_CC; \
 		fi; \
-		$(MAKE) -e SHLIBDIRS=crypto CC="$${CC:-$(CC)}" build-shared; \
+		$(MAKE) -e SHLIBDIRS=crypto build-shared; \
 	else \
 		echo "There's no support for shared libraries on this platform" >&2; \
 		exit 1; \
@@ -328,7 +418,7 @@ clean-shared:
 			done; \
 		fi; \
 		( set -x; rm -f lib$$i$(SHLIB_EXT) ); \
-		if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
+		if [ "$(PLATFORM)" = "Cygwin" ]; then \
 			( set -x; rm -f cyg$$i$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \
 		fi; \
 	done
@@ -346,6 +436,9 @@ build-shared: do_$(SHLIB_TARGET) link-shared
 do_$(SHLIB_TARGET):
 	@ set -e; libs='-L. $(SHLIBDEPS)'; for i in $(SHLIBDIRS); do \
 		if [ "$$i" = "ssl" -a -n "$(LIBKRB5)" ]; then \
 			libs="$(LIBKRB5) $$libs"; \
 		fi; \
 		$(CLEARENV) && $(MAKE) -f Makefile.shared -e $(BUILDENV) \
 			LIBNAME=$$i LIBVERSION=$(SHLIB_MAJOR).$(SHLIB_MINOR) \
 			LIBCOMPATVERSIONS=";$(SHLIB_VERSION_HISTORY)" \
@@ -364,9 +457,8 @@ libcrypto.pc: Makefile
 	    echo 'Description: OpenSSL cryptography library'; \
 	    echo 'Version: '$(VERSION); \
 	    echo 'Requires: '; \
-	    echo 'Libs: -L$${libdir} -lcrypto'; \
+	    echo 'Libs: -L$${libdir} -lcrypto $(EX_LIBS)'; \
-	    echo 'Libs.private: $(EX_LIBS)'; \
+	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libcrypto.pc
 	    echo 'Cflags: -I$${includedir}' ) > libcrypto.pc
 libssl.pc: Makefile
 	@ ( echo 'prefix=$(INSTALLTOP)'; \
@@ -374,13 +466,12 @@ libssl.pc: Makefile
 	    echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
 	    echo 'includedir=$${prefix}/include'; \
 	    echo ''; \
-	    echo 'Name: OpenSSL-libssl'; \
+	    echo 'Name: OpenSSL'; \
 	    echo 'Description: Secure Sockets Layer and cryptography libraries'; \
 	    echo 'Version: '$(VERSION); \
-	    echo 'Requires.private: libcrypto'; \
+	    echo 'Requires: '; \
-	    echo 'Libs: -L$${libdir} -lssl'; \
+	    echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
-	    echo 'Libs.private: $(EX_LIBS)'; \
+	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > libssl.pc
 	    echo 'Cflags: -I$${includedir}' ) > libssl.pc
 openssl.pc: Makefile
 	@ ( echo 'prefix=$(INSTALLTOP)'; \
@@ -391,24 +482,29 @@ openssl.pc: Makefile
 	    echo 'Name: OpenSSL'; \
 	    echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
 	    echo 'Version: '$(VERSION); \
-	    echo 'Requires: libssl libcrypto' ) > openssl.pc
+	    echo 'Requires: '; \
 	    echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
 	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
-Makefile: Makefile.in Configure config
+Makefile: Makefile.org Configure config
-	@echo "Makefile is older than Makefile.in, Configure or config."
+	@echo "Makefile is older than Makefile.org, Configure or config."
 	@echo "Reconfigure the source tree (via './config' or 'perl Configure'), please."
 	@false
 libclean:
-	rm -f *.map *.so *.so.* *.dylib *.dll engines/*.so engines/*.dll engines/*.dylib *.a engines/*.a */lib */*/lib
+	rm -f *.map *.so *.so.* *.dll engines/*.so engines/*.dll *.a engines/*.a */lib */*/lib
 clean:	libclean
-	rm -f */*/*.o */*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c
+	rm -f shlib/*.o *.o core a.out fluff rehash.time testlog make.log cctest cctest.c
 	rm -rf *.bak certs/.0
 	@set -e; target=clean; $(RECURSIVE_BUILD_CMD)
-	rm -f $(LIBS) tags TAGS
+	rm -f $(LIBS)
 	rm -f openssl.pc libssl.pc libcrypto.pc
 	rm -f speed.* .pure
 	rm -f $(TARFILE)
 	@set -e; for i in $(ONEDIRS) ;\
 	do \
 	rm -fr $$i/*; \
 	done
 makefile.one: files
 	$(PERL) util/mk1mf.pl >makefile.one; \
@@ -418,65 +514,60 @@ files:
 	$(PERL) $(TOP)/util/files.pl Makefile > $(TOP)/MINFO
 	@set -e; target=files; $(RECURSIVE_BUILD_CMD)
 links:
 	@$(PERL) $(TOP)/util/mkdir-p.pl include/openssl
 	@$(PERL) $(TOP)/util/mklink.pl include/openssl $(EXHEADER)
 	@set -e; target=links; $(RECURSIVE_BUILD_CMD)
 	@if [ -z "$(FIPSCANLIB)" ]; then \
 		set -e; target=links; dir=fips ; $(BUILD_CMD) ; \
 	fi
 gentests:
 	@(cd test && echo "generating dummy tests (if needed)..." && \
 	$(CLEARENV) && $(MAKE) -e $(BUILDENV) TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on generate );
 dclean:
 	rm -rf *.bak include/openssl certs/.0
 	@set -e; target=dclean; $(RECURSIVE_BUILD_CMD)
 rehash: rehash.time
-rehash.time: certs build_apps
+rehash.time: certs apps
 	@if [ -z "$(CROSS_COMPILE)" ]; then \
 		(OPENSSL="`pwd`/util/opensslwrap.sh"; \
 		[ -x "apps/openssl.exe" ] && OPENSSL="apps/openssl.exe" || :; \
-		OPENSSL_DEBUG_MEMORY=on; OPENSSL_CONF=/dev/null ; \
+		OPENSSL_DEBUG_MEMORY=on; \
-		export OPENSSL OPENSSL_DEBUG_MEMORY OPENSSL_CONF; \
+		export OPENSSL OPENSSL_DEBUG_MEMORY; \
-		$$OPENSSL rehash certs/demo \
+		$(PERL) tools/c_rehash certs) && \
 		|| $(PERL) tools/c_rehash certs/demo) && \
 		touch rehash.time; \
 	else :; fi
 test:   tests
 test_ordinals:
 	TOP=$(TOP) PERL=$(PERL) $(PERL) test/run_tests.pl test_ordinals
 tests: rehash
 	@(cd test && echo "testing..." && \
 	$(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on OPENSSL_CONF=../apps/openssl.cnf tests );
-	@if [ -z "$(CROSS_COMPILE)" ]; then \
+	OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a
 		OPENSSL_CONF=apps/openssl.cnf util/opensslwrap.sh version -a; \
 	fi
 list-tests:
 	@(cd test && \
 	        $(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. list-tests)
 report:
 	@$(PERL) util/selftest.pl
 update: errors util/libeay.num util/ssleay.num TABLE test_ordinals
 	@set -e; target=update; $(RECURSIVE_BUILD_CMD)
 depend:
 	@set -e; target=depend; $(RECURSIVE_BUILD_CMD)
 lint:
 	@set -e; target=lint; $(RECURSIVE_BUILD_CMD)
-tags TAGS: FORCE
+tags:
-	rm -f TAGS tags
+	rm -f TAGS
-	-ctags -R .
+	find . -name '[^.]*.[ch]' | xargs etags -a
 	-etags `find . -name '*.[ch]' -o -name '*.pm'`
 FORCE:
 errors:
 	$(PERL) util/ck_errf.pl -strict */*.c */*/*.c
 	$(PERL) util/mkerr.pl -recurse -write
 	(cd engines; $(MAKE) PERL=$(PERL) errors)
-	(cd crypto/ct; $(MAKE) PERL=$(PERL) errors)
+	$(PERL) util/ck_errf.pl -strict */*.c */*/*.c
 stacks:
 	$(PERL) util/mkstack.pl -write
 util/libeay.num::
 	$(PERL) util/mkdef.pl crypto update
@@ -484,55 +575,78 @@ util/libeay.num::
 util/ssleay.num::
 	$(PERL) util/mkdef.pl ssl update
-TABLE: Configure Configurations/*.conf
+crypto/objects/obj_dat.h: crypto/objects/obj_dat.pl crypto/objects/obj_mac.h
 	$(PERL) crypto/objects/obj_dat.pl crypto/objects/obj_mac.h crypto/objects/obj_dat.h
 crypto/objects/obj_mac.h: crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num
 	$(PERL) crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num crypto/objects/obj_mac.h
 crypto/objects/obj_xref.h: crypto/objects/objxref.pl crypto/objects/obj_xref.txt crypto/objects/obj_mac.num
 	$(PERL) crypto/objects/objxref.pl crypto/objects/obj_mac.num crypto/objects/obj_xref.txt >crypto/objects/obj_xref.h
 apps/openssl-vms.cnf: apps/openssl.cnf
 	$(PERL) VMS/VMSify-conf.pl < apps/openssl.cnf > apps/openssl-vms.cnf
 crypto/bn/bn_prime.h: crypto/bn/bn_prime.pl
 	$(PERL) crypto/bn/bn_prime.pl >crypto/bn/bn_prime.h
 TABLE: Configure
 	(echo 'Output of `Configure TABLE'"':"; \
 	$(PERL) Configure TABLE) > TABLE
 update: errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_dat.h crypto/objects/obj_xref.h apps/openssl-vms.cnf crypto/bn/bn_prime.h TABLE depend
 # Build distribution tar-file. As the list of files returned by "find" is
 # pretty long, on several platforms a "too many arguments" error or similar
 # would occur. Therefore the list of files is temporarily stored into a file
 # and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal
 # tar does not support the --files-from option.
-TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from $(TARFILE).list \
+tar:
 	                       --owner 0 --group 0 \
 			       --transform 's|^|$(NAME)/|' \
 			       -cvf -
 $(TARFILE).list:
 	find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \
 	       \! -name '*.so' \! -name '*.so.*'  \! -name 'openssl' \
 	       \! -name '*test' \! -name '.#*' \! -name '*~' \!	-type l \
 	    | sort > $(TARFILE).list
 tar: $(TARFILE).list
 	find . -type d -print | xargs chmod 755
 	find . -type f -print | xargs chmod a+r
 	find . -type f -perm -0100 -print | xargs chmod a+x
-	$(TAR_COMMAND) | gzip --best > $(TARFILE).gz
+	find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort > ../$(TARFILE).list; \
-	rm -f $(TARFILE).list
+	$(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list -cvf - | \
-	ls -l $(TARFILE).gz
+	tardy --user_number=0  --user_name=openssl \
 	      --group_number=0 --group_name=openssl \
 	      --prefix=openssl-$(VERSION) - |\
 	gzip --best >../$(TARFILE).gz; \
 	rm -f ../$(TARFILE).list; \
 	ls -l ../$(TARFILE).gz
-tar-snap: $(TARFILE).list
+tar-snap:
-	$(TAR_COMMAND) > $(TARFILE)
+	@$(TAR) $(TARFLAGS) -cvf - \
-	rm -f $(TARFILE).list
+		`find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \! -name '*.so' \! -name '*.so.*'  \! -name 'openssl' \! -name '*test' \! -name '.#*' \! -name '*~' | sort` |\
-	ls -l $(TARFILE)
+	tardy --user_number=0  --user_name=openssl \
 	      --group_number=0 --group_name=openssl \
 	      --prefix=openssl-$(VERSION) - > ../$(TARFILE);\
 	ls -l ../$(TARFILE)
 dist:   
 	$(PERL) Configure dist
 	@$(MAKE) dist_pem_h
 	@$(MAKE) SDIRS='$(SDIRS)' clean
-	@$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
+	@$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' tar
 dist_pem_h:
 	(cd crypto/pem; $(MAKE) -e $(BUILDENV) pem.h; $(MAKE) clean)
 install: all install_docs install_sw
 uninstall: uninstall_sw uninstall_docs
 install_sw:
-	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALLDIRS)
+	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
-	@set -e; for i in include/openssl/*.h; do \
+		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
-	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$$i; \
+		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
-	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$$i ); \
+		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/private
 	@set -e; headerlist="$(EXHEADER)"; for i in $$headerlist;\
 	do \
 	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i; \
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl/$$i ); \
 	done;
-	@set -e; target=install; for dir in $(INSTALL_SUBS); do $(BUILD_CMD); done
+	@set -e; target=install; $(RECURSIVE_BUILD_CMD)
 	@set -e; liblist="$(LIBS)"; for i in $$liblist ;\
 	do \
 		if [ -f "$$i" ]; then \
@@ -549,7 +663,11 @@ install_sw:
 		do \
 			if [ -f "$$i" -o -f "$$i.a" ]; then \
 			(       echo installing $$i; \
-				if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
+				if [ "$(PLATFORM)" != "Cygwin" ]; then \
 					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
 					chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
 					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 				else \
 					c=`echo $$i | sed 's/^lib\(.*\)\.dll\.a/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
 					cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
 					chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
@@ -557,10 +675,6 @@ install_sw:
 					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
 					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
 					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 				else \
 					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
 					chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
 					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 				fi ); \
 				if expr $(PLATFORM) : 'mingw' > /dev/null; then \
 				(	case $$i in \
@@ -568,9 +682,9 @@ install_sw:
 						*ssl*)    i=ssleay32.dll;; \
 					esac; \
 					echo installing $$i; \
-					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
+	 				cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
-					chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
+	 				chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
-					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
+	 				mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
 				fi; \
 			fi; \
 		done; \
@@ -580,6 +694,8 @@ install_sw:
 		if [ "$(INSTALLTOP)" != "/usr" ]; then \
 			echo 'OpenSSL shared libraries have been installed in:'; \
 			echo '  $(INSTALLTOP)'; \
 			echo ''; \
 			sed -e '1,/^$$/d' doc/openssl-shared.txt; \
 		fi; \
 	fi
 	cp libcrypto.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
@@ -589,59 +705,16 @@ install_sw:
 	cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
 	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc
 uninstall_sw:
 	cd include/openssl && files=* && cd $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl && $(RM) $$files
 	@for i in $(LIBS) ;\
 	do \
 		test -f "$$i" && \
 		echo $(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i && \
 		$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 	done;
 	@if [ -n "$(SHARED_LIBS)" ]; then \
 		tmp="$(SHARED_LIBS)"; \
 		for i in $${tmp:-x}; \
 		do \
 			if [ -f "$$i" -o -f "$$i.a" ]; then \
 				if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
 					c=`echo $$i | sed 's/^lib\(.*\)\.dll\.a/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
 					echo $(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
 					$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
 					echo $(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 					$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 				else \
 					echo $(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 					$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 				fi; \
 				if expr $(PLATFORM) : 'mingw' > /dev/null; then \
 					case $$i in \
 						*crypto*) i=libeay32.dll;; \
 						*ssl*)    i=ssleay32.dll;; \
 					esac; \
 					echo $(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
 					$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
 				fi; \
 			fi; \
 		done; \
 	fi
 	$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc
 	$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc
 	$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc
 	@target=uninstall; $(RECURSIVE_BUILD_CMD)
 install_html_docs:
 	here="`pwd`"; \
 	filecase=; \
 	case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \
 		filecase=-i; \
 	esac; \
 	for subdir in apps crypto ssl; do \
-		$(PERL) $(TOP)/util/mkdir-p $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir; \
+		mkdir -p $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir; \
 		for i in doc/$$subdir/*.pod; do \
 			fn=`basename $$i .pod`; \
 			echo "installing html/$$fn.$(HTMLSUFFIX)"; \
 			cat $$i \
 			| sed -r 's/L<([^)]*)(\([0-9]\))?\|([^)]*)(\([0-9]\))?>/L<\1|\3>/g' \
-			| pod2html --podroot=doc --htmlroot=.. --podpath=$$subdir:apps:crypto:ssl \
+			| pod2html --podroot=doc --htmlroot=.. --podpath=apps:crypto:ssl \
 			| sed -r 's/<!DOCTYPE.*//g' \
 			> $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir/$$fn.$(HTMLSUFFIX); \
 			$(PERL) util/extract-names.pl < $$i | \
@@ -653,43 +726,26 @@ install_html_docs:
 		done; \
 	done
 uninstall_html_docs:
 	here="`pwd`"; \
 	filecase=; \
 	case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \
 		filecase=-i; \
 	esac; \
 	for subdir in apps crypto ssl; do \
 		for i in doc/$$subdir/*.pod; do \
 			fn=`basename $$i .pod`; \
 			$(RM) $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir/$$fn.$(HTMLSUFFIX); \
 			$(PERL) util/extract-names.pl < $$i | \
 				grep -v $$filecase "^$$fn\$$" | \
 				while read n; do \
 					$(RM) $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir/"$$n".$(HTMLSUFFIX); \
 				done; \
 		done; \
 	done
 install_docs:
 	@$(PERL) $(TOP)/util/mkdir-p.pl \
 		$(INSTALL_PREFIX)$(MANDIR)/man1 \
 		$(INSTALL_PREFIX)$(MANDIR)/man3 \
 		$(INSTALL_PREFIX)$(MANDIR)/man5 \
 		$(INSTALL_PREFIX)$(MANDIR)/man7
 	@pod2man="`cd ./util; ./pod2mantest $(PERL)`"; \
 	here="`pwd`"; \
 	filecase=; \
-	case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \
+	if [ "$(PLATFORM)" = "DJGPP" -o "$(PLATFORM)" = "Cygwin" -o "$(PLATFORM)" = "mingw" ]; then \
 		filecase=-i; \
-	esac; \
+	fi; \
 	set -e; for i in doc/apps/*.pod; do \
 		fn=`basename $$i .pod`; \
 		sec=`$(PERL) util/extract-section.pl 1 < $$i`; \
 		echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
 		(cd `$(PERL) util/dirname.pl $$i`; \
-		pod2man \
+		sh -c "$$pod2man \
 			--section=$$sec --center=OpenSSL \
-			--release=$(VERSION) `basename $$i`) \
+			--release=$(VERSION) `basename $$i`") \
 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
 			(grep -v $$filecase "^$$fn\$$"; true) | \
@@ -704,9 +760,9 @@ install_docs:
 		sec=`$(PERL) util/extract-section.pl 3 < $$i`; \
 		echo "installing man$$sec/$$fn.$${sec}$(MANSUFFIX)"; \
 		(cd `$(PERL) util/dirname.pl $$i`; \
-		pod2man \
+		sh -c "$$pod2man \
 			--section=$$sec --center=OpenSSL \
-			--release=$(VERSION) `basename $$i`) \
+			--release=$(VERSION) `basename $$i`") \
 			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
 			(grep -v $$filecase "^$$fn\$$"; true) | \
@@ -717,37 +773,4 @@ install_docs:
 			 done); \
 	done
 uninstall_docs:
 	@here="`pwd`"; \
 	filecase=; \
 	case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*) \
 		filecase=-i; \
 	esac; \
 	for i in doc/apps/*.pod; do \
 		fn=`basename $$i .pod`; \
 		sec=`$(PERL) util/extract-section.pl 1 < $$i`; \
 		echo $(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
 			(grep -v $$filecase "^$$fn\$$"; true) | \
 			(grep -v "[	]"; true) | \
 			while read n; do \
 				echo $(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/"$$n".$${sec}$(MANSUFFIX); \
 				$(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/"$$n".$${sec}$(MANSUFFIX); \
 			done; \
 	done; \
 	for i in doc/crypto/*.pod doc/ssl/*.pod; do \
 		fn=`basename $$i .pod`; \
 		sec=`$(PERL) util/extract-section.pl 3 < $$i`; \
 		echo $(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
 			(grep -v $$filecase "^$$fn\$$"; true) | \
 			(grep -v "[	]"; true) | \
 			while read n; do \
 				echo $(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/"$$n".$${sec}$(MANSUFFIX); \
 				$(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/"$$n".$${sec}$(MANSUFFIX); \
 			done; \
 	done
 # DO NOT DELETE THIS LINE -- make depend depends on it.
--- a/Makefile.shared
+++ b/Makefile.shared
@@ -170,16 +170,16 @@ link_a.gnu:
 link_app.gnu:
 	@ $(DO_GNU_APP); $(LINK_APP)
-link_a.linux-shared:
+DO_BEOS_SO=	SHLIB=lib$(LIBNAME).so; \
 	@if [ $(LIBNAME) != "crypto" -a $(LIBNAME) != "ssl" ]; then echo libname is $(LIBNAME); sleep 2; $(DO_GNU_SO); else \
 	$(PERL) util/mkdef.pl $(LIBNAME) linux >$(LIBNAME).map; \
 	$(CALC_VERSIONS); \
 	SHLIB=lib$(LIBNAME).so; \
 	SHLIB_SUFFIX=; \
-	ALLSYMSFLAGS='-Wl,--whole-archive,--version-script=$(LIBNAME).map'; \
+	ALLSYMSFLAGS='-Wl,--whole-archive'; \
 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
-	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"; \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SUFFIX"
-	fi; $(LINK_SO_A)
+
 link_o.beos:
 	@ $(DO_BEOS_SO); $(LINK_SO_O)
 link_a.beos:
 	@ $(DO_BEOS_SO); $(LINK_SO_A)
 link_o.bsd:
 	@if $(DETECT_GNU_LD); then $(DO_GNU_SO); else \
@@ -555,10 +555,28 @@ link_app.aix:
 	LDFLAGS="$(CFLAGS) -Wl,-brtl,-blibpath:$(LIBRPATH):$${LIBPATH:-/usr/lib:/lib}"; \
 	$(LINK_APP)
 link_o.reliantunix:
 	@ $(CALC_VERSIONS); \
 	SHLIB=lib$(LIBNAME).so; \
 	SHLIB_SUFFIX=; \
 	ALLSYMSFLAGS=; \
 	NOALLSYMSFLAGS=''; \
 	SHAREDFLAGS='$(CFLAGS) -G'; \
 	$(LINK_SO_O)
 link_a.reliantunix:
 	@ $(CALC_VERSIONS); \
 	SHLIB=lib$(LIBNAME).so; \
 	SHLIB_SUFFIX=; \
 	ALLSYMSFLAGS=; \
 	NOALLSYMSFLAGS=''; \
 	SHAREDFLAGS='$(CFLAGS) -G'; \
 	$(LINK_SO_A_UNPACKED)
 link_app.reliantunix:
 	$(LINK_APP)
 # Targets to build symbolic links when needed
 symlink.gnu symlink.solaris symlink.svr3 symlink.svr5 symlink.irix \
-symlink.aix:
+symlink.aix symlink.reliantunix:
 	@ $(CALC_VERSIONS); \
 	SHLIB=lib$(LIBNAME).so; \
 	$(SYMLINK_SO)
@@ -573,11 +591,11 @@ symlink.hpux:
 	expr $(PLATFORM) : '.*ia64' > /dev/null && SHLIB=lib$(LIBNAME).so; \
 	$(SYMLINK_SO)
 # The following lines means those specific architectures do no symlinks
-symlink.cygwin symlink.alpha-osf1 symlink.tru64 symlink.tru64-rpath:
+symlink.cygwin symlink.alpha-osf1 symlink.tru64 symlink.tru64-rpath symlink.beos:
 # Compatibility targets
 link_o.bsd-gcc-shared link_o.linux-shared link_o.gnu-shared: link_o.gnu
-link_a.bsd-gcc-shared link_a.gnu-shared: link_a.gnu
+link_a.bsd-gcc-shared link_a.linux-shared link_a.gnu-shared: link_a.gnu
 link_app.bsd-gcc-shared link_app.linux-shared link_app.gnu-shared: link_app.gnu
 symlink.bsd-gcc-shared symlink.bsd-shared symlink.linux-shared symlink.gnu-shared: symlink.gnu
 link_o.bsd-shared: link_o.bsd
@@ -627,3 +645,11 @@ link_o.aix-shared: link_o.aix
 link_a.aix-shared: link_a.aix
 link_app.aix-shared: link_app.aix
 symlink.aix-shared: symlink.aix
 link_o.reliantunix-shared: link_o.reliantunix
 link_a.reliantunix-shared: link_a.reliantunix
 link_app.reliantunix-shared: link_app.reliantunix
 symlink.reliantunix-shared: symlink.reliantunix
 link_o.beos-shared: link_o.beos
 link_a.beos-shared: link_a.beos
 link_app.beos-shared: link_app.gnu
 symlink.beos-shared: symlink.beos
--- a/325
+++ b/325
@@ -5,213 +5,11 @@
  This file gives a brief overview of the major changes between each OpenSSL
  release. For more details please read the CHANGES file.
-  Major changes between OpenSSL 1.0.2e and OpenSSL 1.1.0 [in pre-release]
+  Major changes between OpenSSL 1.0.0c and OpenSSL 1.0.0d:
      o Support for ChaCha20 and Poly1305 added to libcrypto and libssl
      o Support for extended master secret
      o CCM ciphersuites
      o Reworked test suite, now based on perl, Test::Harness and Test::More
      o Varous libcrypto structures made opaque including: BIGNUM, EVP_MD,
        EVP_MD_CTX, HMAC_CTX, EVP_CIPHER and EVP_CIPHER_CTX.
      o libssl internal structures made opaque
      o SSLv2 support removed
      o Kerberos ciphersuite support removed
      o RC4 removed from DEFAULT ciphersuites in libssl
      o 40 and 56 bit cipher support removed from libssl
      o All public header files moved to include/openssl, no more symlinking
      o SSL/TLS state machine, version negotiation and record layer rewritten
      o EC revision: now operations use new EC_KEY_METHOD.
      o Support for OCB mode added to libcrypto
      o Support for asynchronous crypto operations added to libcrypto and libssl
      o Deprecated interfaces can now be disabled at build time either
        relative to the latest relate via the "no-deprecated" Configure
        argument, or via the "--api=1.1.0|1.0.0|0.9.8" option.
      o Application software can be compiled with -DOPENSSL_API_COMPAT=version
        to ensure that features deprecated before that version are not exposed.
      o Support for RFC6698/RFC7671 DANE TLSA peer authentication
  Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015]
      o BN_mod_exp may produce incorrect results on x86_64 (CVE-2015-3193)
      o Certificate verify crash with missing PSS parameter (CVE-2015-3194)
      o X509_ATTRIBUTE memory leak (CVE-2015-3195)
      o Rewrite EVP_DecodeUpdate (base64 decoding) to fix several bugs
      o In DSA_generate_parameters_ex, if the provided seed is too short,
        return an error
  Major changes between OpenSSL 1.0.2c and OpenSSL 1.0.2d [9 Jul 2015]
      o Alternate chains certificate forgery (CVE-2015-1793)
      o Race condition handling PSK identify hint (CVE-2015-3196)
  Major changes between OpenSSL 1.0.2b and OpenSSL 1.0.2c [12 Jun 2015]
      o Fix HMAC ABI incompatibility
  Major changes between OpenSSL 1.0.2a and OpenSSL 1.0.2b [11 Jun 2015]
      o Malformed ECParameters causes infinite loop (CVE-2015-1788)
      o Exploitable out-of-bounds read in X509_cmp_time (CVE-2015-1789)
      o PKCS7 crash with missing EnvelopedContent (CVE-2015-1790)
      o CMS verify infinite loop with unknown hash function (CVE-2015-1792)
      o Race condition handling NewSessionTicket (CVE-2015-1791)
  Major changes between OpenSSL 1.0.2 and OpenSSL 1.0.2a [19 Mar 2015]
      o OpenSSL 1.0.2 ClientHello sigalgs DoS fix (CVE-2015-0291)
      o Multiblock corrupted pointer fix (CVE-2015-0290)
      o Segmentation fault in DTLSv1_listen fix (CVE-2015-0207)
      o Segmentation fault in ASN1_TYPE_cmp fix (CVE-2015-0286)
      o Segmentation fault for invalid PSS parameters fix (CVE-2015-0208)
      o ASN.1 structure reuse memory corruption fix (CVE-2015-0287)
      o PKCS7 NULL pointer dereferences fix (CVE-2015-0289)
      o DoS via reachable assert in SSLv2 servers fix (CVE-2015-0293)
      o Empty CKE with client auth and DHE fix (CVE-2015-1787)
      o Handshake with unseeded PRNG fix (CVE-2015-0285)
      o Use After Free following d2i_ECPrivatekey error fix (CVE-2015-0209)
      o X509_to_X509_REQ NULL pointer deref fix (CVE-2015-0288)
      o Removed the export ciphers from the DEFAULT ciphers
  Major changes between OpenSSL 1.0.1l and OpenSSL 1.0.2 [22 Jan 2015]:
      o Suite B support for TLS 1.2 and DTLS 1.2
      o Support for DTLS 1.2
      o TLS automatic EC curve selection.
      o API to set TLS supported signature algorithms and curves
      o SSL_CONF configuration API.
      o TLS Brainpool support.
      o ALPN support.
      o CMS support for RSA-PSS, RSA-OAEP, ECDH and X9.42 DH.
  Major changes between OpenSSL 1.0.1k and OpenSSL 1.0.1l [15 Jan 2015]
      o Build fixes for the Windows and OpenVMS platforms
  Major changes between OpenSSL 1.0.1j and OpenSSL 1.0.1k [8 Jan 2015]
      o Fix for CVE-2014-3571
      o Fix for CVE-2015-0206
      o Fix for CVE-2014-3569
      o Fix for CVE-2014-3572
      o Fix for CVE-2015-0204
      o Fix for CVE-2015-0205
      o Fix for CVE-2014-8275
      o Fix for CVE-2014-3570
  Major changes between OpenSSL 1.0.1i and OpenSSL 1.0.1j [15 Oct 2014]
      o Fix for CVE-2014-3513
      o Fix for CVE-2014-3567
      o Mitigation for CVE-2014-3566 (SSL protocol vulnerability)
      o Fix for CVE-2014-3568
  Major changes between OpenSSL 1.0.1h and OpenSSL 1.0.1i [6 Aug 2014]
      o Fix for CVE-2014-3512
      o Fix for CVE-2014-3511
      o Fix for CVE-2014-3510
      o Fix for CVE-2014-3507
      o Fix for CVE-2014-3506
      o Fix for CVE-2014-3505
      o Fix for CVE-2014-3509
      o Fix for CVE-2014-5139
      o Fix for CVE-2014-3508
  Major changes between OpenSSL 1.0.1g and OpenSSL 1.0.1h [5 Jun 2014]
      o Fix for CVE-2014-0224
      o Fix for CVE-2014-0221
      o Fix for CVE-2014-0198
      o Fix for CVE-2014-0195
      o Fix for CVE-2014-3470
      o Fix for CVE-2010-5298
  Major changes between OpenSSL 1.0.1f and OpenSSL 1.0.1g [7 Apr 2014]
      o Fix for CVE-2014-0160
      o Add TLS padding extension workaround for broken servers.
      o Fix for CVE-2014-0076
  Major changes between OpenSSL 1.0.1e and OpenSSL 1.0.1f [6 Jan 2014]
      o Don't include gmt_unix_time in TLS server and client random values
      o Fix for TLS record tampering bug CVE-2013-4353
      o Fix for TLS version checking bug CVE-2013-6449
      o Fix for DTLS retransmission bug CVE-2013-6450
  Major changes between OpenSSL 1.0.1d and OpenSSL 1.0.1e [11 Feb 2013]:
      o Corrected fix for CVE-2013-0169
  Major changes between OpenSSL 1.0.1c and OpenSSL 1.0.1d [4 Feb 2013]:
      o Fix renegotiation in TLS 1.1, 1.2 by using the correct TLS version.
      o Include the fips configuration module.
      o Fix OCSP bad key DoS attack CVE-2013-0166
      o Fix for SSL/TLS/DTLS CBC plaintext recovery attack CVE-2013-0169
      o Fix for TLS AESNI record handling flaw CVE-2012-2686
  Major changes between OpenSSL 1.0.1b and OpenSSL 1.0.1c [10 May 2012]:
      o Fix TLS/DTLS record length checking bug CVE-2012-2333
      o Don't attempt to use non-FIPS composite ciphers in FIPS mode.
  Major changes between OpenSSL 1.0.1a and OpenSSL 1.0.1b [26 Apr 2012]:
      o Fix compilation error on non-x86 platforms.
      o Make FIPS capable OpenSSL ciphers work in non-FIPS mode.
      o Fix SSL_OP_NO_TLSv1_1 clash with SSL_OP_ALL in OpenSSL 1.0.0
  Major changes between OpenSSL 1.0.1 and OpenSSL 1.0.1a [19 Apr 2012]:
      o Fix for ASN1 overflow bug CVE-2012-2110
      o Workarounds for some servers that hang on long client hellos.
      o Fix SEGV in AES code.
  Major changes between OpenSSL 1.0.0h and OpenSSL 1.0.1 [14 Mar 2012]:
      o TLS/DTLS heartbeat support.
      o SCTP support.
      o RFC 5705 TLS key material exporter.
      o RFC 5764 DTLS-SRTP negotiation.
      o Next Protocol Negotiation.
      o PSS signatures in certificates, requests and CRLs.
      o Support for password based recipient info for CMS.
      o Support TLS v1.2 and TLS v1.1.
      o Preliminary FIPS capability for unvalidated 2.0 FIPS module.
      o SRP support.
  Major changes between OpenSSL 1.0.0g and OpenSSL 1.0.0h [12 Mar 2012]:
      o Fix for CMS/PKCS#7 MMA CVE-2012-0884
      o Corrected fix for CVE-2011-4619
      o Various DTLS fixes.
  Major changes between OpenSSL 1.0.0f and OpenSSL 1.0.0g [18 Jan 2012]:
      o Fix for DTLS DoS issue CVE-2012-0050
  Major changes between OpenSSL 1.0.0e and OpenSSL 1.0.0f [4 Jan 2012]:
      o Fix for DTLS plaintext recovery attack CVE-2011-4108
      o Clear block padding bytes of SSL 3.0 records CVE-2011-4576
      o Only allow one SGC handshake restart for SSL/TLS CVE-2011-4619
      o Check parameters are not NULL in GOST ENGINE CVE-2012-0027
      o Check for malformed RFC3779 data CVE-2011-4577
  Major changes between OpenSSL 1.0.0d and OpenSSL 1.0.0e [6 Sep 2011]:
      o Fix for CRL vulnerability issue CVE-2011-3207
      o Fix for ECDH crashes CVE-2011-3210
      o Protection against EC timing attacks.
      o Support ECDH ciphersuites for certificates using SHA2 algorithms.
      o Various DTLS fixes.
  Major changes between OpenSSL 1.0.0c and OpenSSL 1.0.0d [8 Feb 2011]:
      o Fix for security issue CVE-2011-0014
-  Major changes between OpenSSL 1.0.0b and OpenSSL 1.0.0c [2 Dec 2010]:
+  Major changes between OpenSSL 1.0.0b and OpenSSL 1.0.0c:
      o Fix for security issue CVE-2010-4180
      o Fix for CVE-2010-4252
@@ -219,18 +17,18 @@
      o Fix various platform compilation issues.
      o Corrected fix for security issue CVE-2010-3864.
-  Major changes between OpenSSL 1.0.0a and OpenSSL 1.0.0b [16 Nov 2010]:
+  Major changes between OpenSSL 1.0.0a and OpenSSL 1.0.0b:
      o Fix for security issue CVE-2010-3864.
      o Fix for CVE-2010-2939
      o Fix WIN32 build system for GOST ENGINE.
-  Major changes between OpenSSL 1.0.0 and OpenSSL 1.0.0a [1 Jun 2010]:
+  Major changes between OpenSSL 1.0.0 and OpenSSL 1.0.0a:
      o Fix for security issue CVE-2010-1633.
      o GOST MAC and CFB fixes.
-  Major changes between OpenSSL 0.9.8n and OpenSSL 1.0.0 [29 Mar 2010]:
+  Major changes between OpenSSL 0.9.8n and OpenSSL 1.0.0:
      o RFC3280 path validation: sufficient to process PKITS tests.
      o Integrated support for PVK files and keyblobs.
@@ -253,12 +51,33 @@
      o Opaque PRF Input TLS extension support.
      o Updated time routines to avoid OS limitations.
-  Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n [24 Mar 2010]:
+  Major changes between OpenSSL 0.9.8q and OpenSSL 0.9.8r:
      o Fix for security issue CVE-2011-0014
  Major changes between OpenSSL 0.9.8p and OpenSSL 0.9.8q:
      o Fix for security issue CVE-2010-4180
      o Fix for CVE-2010-4252
  Major changes between OpenSSL 0.9.8o and OpenSSL 0.9.8p:
      o Fix for security issue CVE-2010-3864.
  Major changes between OpenSSL 0.9.8n and OpenSSL 0.9.8o:
      o Fix for security issue CVE-2010-0742.
      o Various DTLS fixes.
      o Recognise SHA2 certificates if only SSL algorithms added.
      o Fix for no-rc4 compilation.
      o Chil ENGINE unload workaround.
  Major changes between OpenSSL 0.9.8m and OpenSSL 0.9.8n:
      o CFB cipher definition fixes.
      o Fix security issues CVE-2010-0740 and CVE-2010-0433.
-  Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m [25 Feb 2010]:
+  Major changes between OpenSSL 0.9.8l and OpenSSL 0.9.8m:
      o Cipher definition fixes.
      o Workaround for slow RAND_poll() on some WIN32 versions.
@@ -270,33 +89,33 @@
      o Ticket and SNI coexistence fixes.
      o Many fixes to DTLS handling. 
-  Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l [5 Nov 2009]:
+  Major changes between OpenSSL 0.9.8k and OpenSSL 0.9.8l:
      o Temporary work around for CVE-2009-3555: disable renegotiation.
-  Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k [25 Mar 2009]:
+  Major changes between OpenSSL 0.9.8j and OpenSSL 0.9.8k:
      o Fix various build issues.
      o Fix security issues (CVE-2009-0590, CVE-2009-0591, CVE-2009-0789)
-  Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j [7 Jan 2009]:
+  Major changes between OpenSSL 0.9.8i and OpenSSL 0.9.8j:
      o Fix security issue (CVE-2008-5077)
      o Merge FIPS 140-2 branch code.
-  Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h [28 May 2008]:
+  Major changes between OpenSSL 0.9.8g and OpenSSL 0.9.8h:
      o CryptoAPI ENGINE support.
      o Various precautionary measures.
      o Fix for bugs affecting certificate request creation.
      o Support for local machine keyset attribute in PKCS#12 files.
-  Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g [19 Oct 2007]:
+  Major changes between OpenSSL 0.9.8f and OpenSSL 0.9.8g:
      o Backport of CMS functionality to 0.9.8.
      o Fixes for bugs introduced with 0.9.8f.
-  Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f [11 Oct 2007]:
+  Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f:
      o Add gcc 4.2 support.
      o Add support for AES and SSE2 assembly lanugauge optimization
@@ -307,23 +126,23 @@
      o RFC4507bis support.
      o TLS Extensions support.
-  Major changes between OpenSSL 0.9.8d and OpenSSL 0.9.8e [23 Feb 2007]:
+  Major changes between OpenSSL 0.9.8d and OpenSSL 0.9.8e:
      o Various ciphersuite selection fixes.
      o RFC3779 support.
-  Major changes between OpenSSL 0.9.8c and OpenSSL 0.9.8d [28 Sep 2006]:
+  Major changes between OpenSSL 0.9.8c and OpenSSL 0.9.8d:
      o Introduce limits to prevent malicious key DoS  (CVE-2006-2940)
      o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343)
      o Changes to ciphersuite selection algorithm
-  Major changes between OpenSSL 0.9.8b and OpenSSL 0.9.8c [5 Sep 2006]:
+  Major changes between OpenSSL 0.9.8b and OpenSSL 0.9.8c:
      o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339
      o New cipher Camellia
-  Major changes between OpenSSL 0.9.8a and OpenSSL 0.9.8b [4 May 2006]:
+  Major changes between OpenSSL 0.9.8a and OpenSSL 0.9.8b:
      o Cipher string fixes.
      o Fixes for VC++ 2005.
@@ -333,12 +152,12 @@
      o Built in dynamic engine compilation support on Win32.
      o Fixes auto dynamic engine loading in Win32.
-  Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a [11 Oct 2005]:
+  Major changes between OpenSSL 0.9.8 and OpenSSL 0.9.8a:
      o Fix potential SSL 2.0 rollback, CVE-2005-2969
      o Extended Windows CE support
-  Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8 [5 Jul 2005]:
+  Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.8:
      o Major work on the BIGNUM library for higher efficiency and to
        make operations more streamlined and less contradictory.  This
@@ -412,36 +231,36 @@
      o Added initial support for Win64.
      o Added alternate pkg-config files.
-  Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m [23 Feb 2007]:
+  Major changes between OpenSSL 0.9.7l and OpenSSL 0.9.7m:
      o FIPS 1.1.1 module linking.
      o Various ciphersuite selection fixes.
-  Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l [28 Sep 2006]:
+  Major changes between OpenSSL 0.9.7k and OpenSSL 0.9.7l:
      o Introduce limits to prevent malicious key DoS  (CVE-2006-2940)
      o Fix security issues (CVE-2006-2937, CVE-2006-3737, CVE-2006-4343)
-  Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k [5 Sep 2006]:
+  Major changes between OpenSSL 0.9.7j and OpenSSL 0.9.7k:
      o Fix Daniel Bleichenbacher forged signature attack, CVE-2006-4339
-  Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j [4 May 2006]:
+  Major changes between OpenSSL 0.9.7i and OpenSSL 0.9.7j:
      o Visual C++ 2005 fixes.
      o Update Windows build system for FIPS.
-  Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i [14 Oct 2005]:
+  Major changes between OpenSSL 0.9.7h and OpenSSL 0.9.7i:
      o Give EVP_MAX_MD_SIZE it's old value, except for a FIPS build.
-  Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h [11 Oct 2005]:
+  Major changes between OpenSSL 0.9.7g and OpenSSL 0.9.7h:
      o Fix SSL 2.0 Rollback, CVE-2005-2969
      o Allow use of fixed-length exponent on DSA signing
      o Default fixed-window RSA, DSA, DH private-key operations
-  Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g [11 Apr 2005]:
+  Major changes between OpenSSL 0.9.7f and OpenSSL 0.9.7g:
      o More compilation issues fixed.
      o Adaptation to more modern Kerberos API.
@@ -450,7 +269,7 @@
      o More constification.
      o Added processing of proxy certificates (RFC 3820).
-  Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f [22 Mar 2005]:
+  Major changes between OpenSSL 0.9.7e and OpenSSL 0.9.7f:
      o Several compilation issues fixed.
      o Many memory allocation failure checks added.
@@ -458,12 +277,12 @@
      o Mandatory basic checks on certificates.
      o Performance improvements.
-  Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e [25 Oct 2004]:
+  Major changes between OpenSSL 0.9.7d and OpenSSL 0.9.7e:
      o Fix race condition in CRL checking code.
      o Fixes to PKCS#7 (S/MIME) code.
-  Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d [17 Mar 2004]:
+  Major changes between OpenSSL 0.9.7c and OpenSSL 0.9.7d:
      o Security: Fix Kerberos ciphersuite SSL/TLS handshaking bug
      o Security: Fix null-pointer assignment in do_change_cipher_spec()
@@ -471,14 +290,14 @@
      o Multiple X509 verification fixes
      o Speed up HMAC and other operations
-  Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c [30 Sep 2003]:
+  Major changes between OpenSSL 0.9.7b and OpenSSL 0.9.7c:
      o Security: fix various ASN1 parsing bugs.
      o New -ignore_err option to OCSP utility.
      o Various interop and bug fixes in S/MIME code.
      o SSL/TLS protocol fix for unrequested client certificates.
-  Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b [10 Apr 2003]:
+  Major changes between OpenSSL 0.9.7a and OpenSSL 0.9.7b:
      o Security: counter the Klima-Pokorny-Rosa extension of
        Bleichbacher's attack 
@@ -489,7 +308,7 @@
      o ASN.1: treat domainComponent correctly.
      o Documentation: fixes and additions.
-  Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a [19 Feb 2003]:
+  Major changes between OpenSSL 0.9.7 and OpenSSL 0.9.7a:
      o Security: Important security related bugfixes.
      o Enhanced compatibility with MIT Kerberos.
@@ -500,7 +319,7 @@
      o SSL/TLS: now handles manual certificate chain building.
      o SSL/TLS: certain session ID malfunctions corrected.
-  Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7 [30 Dec 2002]:
+  Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7:
      o New library section OCSP.
      o Complete rewrite of ASN1 code.
@@ -546,23 +365,23 @@
      o SSL/TLS: add callback to retrieve SSL/TLS messages.
      o SSL/TLS: support AES cipher suites (RFC3268).
-  Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k [30 Sep 2003]:
+  Major changes between OpenSSL 0.9.6j and OpenSSL 0.9.6k:
      o Security: fix various ASN1 parsing bugs.
      o SSL/TLS protocol fix for unrequested client certificates.
-  Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j [10 Apr 2003]:
+  Major changes between OpenSSL 0.9.6i and OpenSSL 0.9.6j:
      o Security: counter the Klima-Pokorny-Rosa extension of
        Bleichbacher's attack 
      o Security: make RSA blinding default.
      o Build: shared library support fixes.
-  Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i [19 Feb 2003]:
+  Major changes between OpenSSL 0.9.6h and OpenSSL 0.9.6i:
      o Important security related bugfixes.
-  Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h [5 Dec 2002]:
+  Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h:
      o New configuration targets for Tandem OSS and A/UX.
      o New OIDs for Microsoft attributes.
@@ -576,25 +395,25 @@
      o Fixes for smaller building problems.
      o Updates of manuals, FAQ and other instructive documents.
-  Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g [9 Aug 2002]:
+  Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g:
      o Important building fixes on Unix.
-  Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f [8 Aug 2002]:
+  Major changes between OpenSSL 0.9.6e and OpenSSL 0.9.6f:
      o Various important bugfixes.
-  Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e [30 Jul 2002]:
+  Major changes between OpenSSL 0.9.6d and OpenSSL 0.9.6e:
      o Important security related bugfixes.
      o Various SSL/TLS library bugfixes.
-  Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d [9 May 2002]:
+  Major changes between OpenSSL 0.9.6c and OpenSSL 0.9.6d:
      o Various SSL/TLS library bugfixes.
      o Fix DH parameter generation for 'non-standard' generators.
-  Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c [21 Dec 2001]:
+  Major changes between OpenSSL 0.9.6b and OpenSSL 0.9.6c:
      o Various SSL/TLS library bugfixes.
      o BIGNUM library fixes.
@@ -607,7 +426,7 @@
        Broadcom and Cryptographic Appliance's keyserver
        [in 0.9.6c-engine release].
-  Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b [9 Jul 2001]:
+  Major changes between OpenSSL 0.9.6a and OpenSSL 0.9.6b:
      o Security fix: PRNG improvements.
      o Security fix: RSA OAEP check.
@@ -624,7 +443,7 @@
      o Increase default size for BIO buffering filter.
      o Compatibility fixes in some scripts.
-  Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a [5 Apr 2001]:
+  Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.6a:
      o Security fix: change behavior of OpenSSL to avoid using
        environment variables when running as root.
@@ -649,7 +468,7 @@
      o New function BN_rand_range().
      o Add "-rand" option to openssl s_client and s_server.
-  Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6 [10 Oct 2000]:
+  Major changes between OpenSSL 0.9.5a and OpenSSL 0.9.6:
      o Some documentation for BIO and SSL libraries.
      o Enhanced chain verification using key identifiers.
@@ -664,7 +483,7 @@
    [1] The support for external crypto devices is currently a separate
        distribution.  See the file README.ENGINE.
-  Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a [1 Apr 2000]:
+  Major changes between OpenSSL 0.9.5 and OpenSSL 0.9.5a:
      o Bug fixes for Win32, SuSE Linux, NeXTSTEP and FreeBSD 2.2.8 
      o Shared library support for HPUX and Solaris-gcc
@@ -673,7 +492,7 @@
      o New 'rand' application
      o New way to check for existence of algorithms from scripts
-  Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5 [25 May 2000]:
+  Major changes between OpenSSL 0.9.4 and OpenSSL 0.9.5:
      o S/MIME support in new 'smime' command
      o Documentation for the OpenSSL command line application
@@ -709,7 +528,7 @@
      o Enhanced support for Alpha Linux
      o Experimental MacOS support
-  Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4 [9 Aug 1999]:
+  Major changes between OpenSSL 0.9.3 and OpenSSL 0.9.4:
      o Transparent support for PKCS#8 format private keys: these are used
        by several software packages and are more secure than the standard
@@ -720,7 +539,7 @@
      o New pipe-like BIO that allows using the SSL library when actual I/O
        must be handled by the application (BIO pair)
-  Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3 [24 May 1999]:
+  Major changes between OpenSSL 0.9.2b and OpenSSL 0.9.3:
      o Lots of enhancements and cleanups to the Configuration mechanism
      o RSA OEAP related fixes
      o Added `openssl ca -revoke' option for revoking a certificate
@@ -734,7 +553,7 @@
      o Sparc assembler bignum implementation, optimized hash functions
      o Option to disable selected ciphers
-  Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b [22 Mar 1999]:
+  Major changes between OpenSSL 0.9.1c and OpenSSL 0.9.2b:
      o Fixed a security hole related to session resumption
      o Fixed RSA encryption routines for the p < q case
      o "ALL" in cipher lists now means "everything except NULL ciphers"
@@ -756,7 +575,7 @@
      o Lots of memory leak fixes.
      o Lots of bug fixes.
-  Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c [23 Dec 1998]:
+  Major changes between SSLeay 0.9.0b and OpenSSL 0.9.1c:
      o Integration of the popular NO_RSA/NO_DSA patches
      o Initial support for compression inside the SSL record layer
      o Added BIO proxy and filtering functionality
--- a/Netware/do_tests.pl
+++ b/Netware/do_tests.pl
@@ -270,6 +270,22 @@ sub ssl_tests
   print( OUT "\n========================================================\n");
   print( OUT "SSL TESTS:\n\n");
   system("ssltest -ssl2 (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv2:");
   log_output("ssltest -ssl2", $outFile);
   system("$ssltest -ssl2 -server_auth (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv2 with server authentication:");
   log_output("$ssltest -ssl2 -server_auth", $outFile);
   system("$ssltest -ssl2 -client_auth (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv2 with client authentication:");
   log_output("$ssltest -ssl2 -client_auth", $outFile);
   system("$ssltest -ssl2 -server_auth -client_auth (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv2 with both client and server authentication:");
   log_output("$ssltest -ssl2 -server_auth -client_auth", $outFile);
   system("ssltest -ssl3 (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv3:");
   log_output("ssltest -ssl3", $outFile);
@@ -302,10 +318,26 @@ sub ssl_tests
   log_desc("Testing sslv2/sslv3 with both client and server authentication:");
   log_output("$ssltest -server_auth -client_auth", $outFile);
   system("ssltest -bio_pair -ssl2 (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv2 via BIO pair:");
   log_output("ssltest -bio_pair -ssl2", $outFile);
   system("ssltest -bio_pair -dhe1024dsa -v (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv2/sslv3 with 1024 bit DHE via BIO pair:");
   log_output("ssltest -bio_pair -dhe1024dsa -v", $outFile);
   system("$ssltest -bio_pair -ssl2 -server_auth (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv2 with server authentication via BIO pair:");
   log_output("$ssltest -bio_pair -ssl2 -server_auth", $outFile);
   system("$ssltest -bio_pair -ssl2 -client_auth (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv2 with client authentication via BIO pair:");
   log_output("$ssltest -bio_pair -ssl2 -client_auth", $outFile);
   system("$ssltest -bio_pair -ssl2 -server_auth -client_auth (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv2 with both client and server authentication via BIO pair:");
   log_output("$ssltest -bio_pair -ssl2 -server_auth -client_auth", $outFile);
   system("ssltest -bio_pair -ssl3 (CLIB_OPT)/>$outFile");
   log_desc("Testing sslv3 via BIO pair:");
   log_output("ssltest -bio_pair -ssl3", $outFile);
--- a/Netware/globals.txt
+++ b/Netware/globals.txt
@@ -66,7 +66,7 @@ static LHASH *error_hash=NULL;
 static LHASH *thread_hash=NULL;
 several files have routines with static "init" to track if error strings
-   have been loaded ( may not want separate error strings for each process )
+   have been loaded ( may not want seperate error strings for each process )
   The "init" variable can't be left "global" because the error has is a ptr
   that is malloc'ed.  The malloc'ed error has is dependant on the "init"
   vars.
--- a/16
+++ b/16
@@ -47,7 +47,7 @@ While running tests, running a parallell make is a bad idea.  Many test
 scripts use the same name for output and input files, which means different
 will interfere with each other and lead to test failure.
-The solution is simple for now: don't run parallel make when testing.
+The solution is simple for now: don't run parallell make when testing.
 * Bugs in gcc triggered
@@ -197,17 +197,3 @@ reconfigure with additional no-sse2 [or 386] option passed to ./config.
 We don't have framework to associate -ldl with no-dso, therefore the only
 way is to edit Makefile right after ./config no-dso and remove -ldl from
 EX_LIBS line.
 * hpux-parisc2-cc no-asm build fails with SEGV in ECDSA/DH.
 Compiler bug, presumably at particular patch level. Remaining
 hpux*-parisc*-cc configurations can be affected too. Drop optimization
 level to +O2 when compiling bn_nist.o.
 * solaris64-sparcv9-cc link failure
 Solaris 8 ar can fail to maintain symbol table in .a, which results in
 link failures. Apply 109147-09 or later or modify Makefile generated
 by ./Configure solaris64-sparcv9-cc and replace RANLIB assignment with
 	RANLIB= /usr/ccs/bin/ar rs
--- a/205
+++ b/205
@@ -1,7 +1,7 @@
- OpenSSL 1.1.0-pre2 (alpha) 14 Jan 2016
+ OpenSSL 1.1.0-dev
- Copyright (c) 1998-2016 The OpenSSL Project
+ Copyright (c) 1998-2011 The OpenSSL Project
 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
 All rights reserved.
@@ -10,17 +10,17 @@
 The OpenSSL Project is a collaborative effort to develop a robust,
 commercial-grade, fully featured, and Open Source toolkit implementing the
- Secure Sockets Layer (SSLv3) and Transport Layer Security (TLS) protocols as
+ Secure Sockets Layer (SSL v2/v3) and Transport Layer Security (TLS v1)
- well as a full-strength general purpose cryptograpic library. The project is
+ protocols as well as a full-strength general purpose cryptography library.
- managed by a worldwide community of volunteers that use the Internet to
+ The project is managed by a worldwide community of volunteers that use the
- communicate, plan, and develop the OpenSSL toolkit and its related
+ Internet to communicate, plan, and develop the OpenSSL toolkit and its
- documentation.
+ related documentation.
- OpenSSL is descended from the SSLeay library developed by Eric A. Young
+ OpenSSL is based on the excellent SSLeay library developed from Eric A. Young
 and Tim J. Hudson.  The OpenSSL toolkit is licensed under a dual-license (the
- OpenSSL license plus the SSLeay license), which means that you are free to
+ OpenSSL license plus the SSLeay license) situation, which basically means
- get and use it for commercial and non-commercial purposes as long as you
+ that you are free to get and use it for commercial and non-commercial
- fulfill the conditions of both licenses.
+ purposes as long as you fulfill the conditions of both licenses.
 OVERVIEW
 --------
@@ -28,39 +28,116 @@
 The OpenSSL toolkit includes:
 libssl.a:
-     Provides the client and server-side implementations for SSLv3 and TLS.
+     Implementation of SSLv2, SSLv3, TLSv1 and the required code to support
     both SSLv2, SSLv3 and TLSv1 in the one server and client.
 libcrypto.a:
-     Provides general cryptographic and X.509 support needed by SSL/TLS but
+     General encryption and X.509 v1/v3 stuff needed by SSL/TLS but not
-     not logically part of it.
+     actually logically part of it. It includes routines for the following:
     Ciphers
        libdes - EAY's libdes DES encryption package which was floating
                 around the net for a few years, and was then relicensed by
                 him as part of SSLeay.  It includes 15 'modes/variations'
                 of DES (1, 2 and 3 key versions of ecb, cbc, cfb and ofb;
                 pcbc and a more general form of cfb and ofb) including desx
                 in cbc mode, a fast crypt(3), and routines to read
                 passwords from the keyboard.
        RC4 encryption,
        RC2 encryption      - 4 different modes, ecb, cbc, cfb and ofb.
        Blowfish encryption - 4 different modes, ecb, cbc, cfb and ofb.
        IDEA encryption     - 4 different modes, ecb, cbc, cfb and ofb.
     Digests
        MD5 and MD2 message digest algorithms, fast implementations,
        SHA (SHA-0) and SHA-1 message digest algorithms,
        MDC2 message digest. A DES based hash that is popular on smart cards.
     Public Key
        RSA encryption/decryption/generation.
            There is no limit on the number of bits.
        DSA encryption/decryption/generation.
            There is no limit on the number of bits.
        Diffie-Hellman key-exchange/key generation.
            There is no limit on the number of bits.
     X.509v3 certificates
        X509 encoding/decoding into/from binary ASN1 and a PEM
             based ASCII-binary encoding which supports encryption with a
             private key.  Program to generate RSA and DSA certificate
             requests and to generate RSA and DSA certificates.
     Systems
        The normal digital envelope routines and base64 encoding.  Higher
        level access to ciphers and digests by name.  New ciphers can be
        loaded at run time.  The BIO io system which is a simple non-blocking
        IO abstraction.  Current methods supported are file descriptors,
        sockets, socket accept, socket connect, memory buffer, buffering, SSL
        client/server, file pointer, encryption, digest, non-blocking testing
        and null.
     Data structures
        A dynamically growing hashing system
        A simple stack.
        A Configuration loader that uses a format similar to MS .ini files.
 openssl:
     A command line tool that can be used for:
-        Creation of key parameters
+        Creation of RSA, DH and DSA key parameters
        Creation of X.509 certificates, CSRs and CRLs
-        Calculation of message digests
+        Calculation of Message Digests
-        Encryption and decryption
+        Encryption and Decryption with Ciphers
-        SSL/TLS client and server tests
+        SSL/TLS Client and Server Tests
        Handling of S/MIME signed or encrypted mail
-        And more...
+
 PATENTS
 -------
 Various companies hold various patents for various algorithms in various
 locations around the world. _YOU_ are responsible for ensuring that your use
 of any algorithms is legal by checking if there are any patents in your
 country.  The file contains some of the patents that we know about or are
 rumored to exist. This is not a definitive list.
 RSA Security holds software patents on the RC5 algorithm.  If you
 intend to use this cipher, you must contact RSA Security for
 licensing conditions. Their web page is http://www.rsasecurity.com/.
 RC4 is a trademark of RSA Security, so use of this label should perhaps
 only be used with RSA Security's permission.
 The IDEA algorithm is patented by Ascom in Austria, France, Germany, Italy,
 Japan, the Netherlands, Spain, Sweden, Switzerland, UK and the USA.  They
 should be contacted if that algorithm is to be used; their web page is
 http://www.ascom.ch/.
 NTT and Mitsubishi have patents and pending patents on the Camellia
 algorithm, but allow use at no charge without requiring an explicit
 licensing agreement: http://info.isl.ntt.co.jp/crypt/eng/info/chiteki.html
 INSTALLATION
 ------------
- See the appropriate file:
+ To install this package under a Unix derivative, read the INSTALL file.  For
-        INSTALL         Linux, Unix, etc.
+ a Win32 platform, read the INSTALL.W32 file.  For OpenVMS systems, read
-        INSTALL.DJGPP   DOS platform with DJGPP
+ INSTALL.VMS.
-        INSTALL.NW      Netware
+
-        INSTALL.OS2     OS/2
+ Read the documentation in the doc/ directory.  It is quite rough, but it
-        INSTALL.VMS     VMS
+ lists the functions; you will probably have to look at the code to work out
-        INSTALL.W32     Windows (32bit)
+ how to use them. Look at the example programs.
-        INSTALL.W64     Windows (64bit)
+
-        INSTALL.WCE     Windows CE
+ PROBLEMS
 --------
 For some platforms, there are some known problems that may affect the user
 or application author.  We try to collect those in doc/PROBLEMS, with current
 thoughts on how they should be solved in a future of OpenSSL.
 SUPPORT
 -------
- See the OpenSSL website www.openssl.org for details on how to obtain
+ See the OpenSSL website www.openssl.org for details of how to obtain
 commercial technical support.
 If you have any problems with OpenSSL then please take the following steps
@@ -84,36 +161,58 @@
    - Problem Description (steps that will reproduce the problem, if known)
    - Stack Traceback (if the application dumps core)
- Email the report to:
+ Report the bug to the OpenSSL project via the Request Tracker
 (http://www.openssl.org/support/rt.html) by mail to:
-    rt@openssl.org
+    openssl-bugs@openssl.org
- In order to avoid spam, this is a moderated mailing list, and it might
+ Note that the request tracker should NOT be used for general assistance
- take a day for the ticket to show up.  (We also scan posts to make sure
+ or support queries. Just because something doesn't work the way you expect
- that security disclosures aren't publically posted by mistake.) Mail
+ does not mean it is necessarily a bug in OpenSSL.
 to this address is recorded in the public RT (request tracker) database
 (see https://www.openssl.org/community/index.html#bugs for details) and
 also forwarded the public openssl-dev mailing list.  Confidential mail
 may be sent to openssl-security@openssl.org (PGP key available from the
 key servers).
- Please do NOT use this for general assistance or support queries.
+ Note that mail to openssl-bugs@openssl.org is recorded in the publicly
- Just because something doesn't work the way you expect does not mean it
+ readable request tracker database and is forwarded to a public
- is necessarily a bug in OpenSSL.
+ mailing list. Confidential mail may be sent to openssl-security@openssl.org
-
+ (PGP key available from the key servers).
 You can also make GitHub pull requests. If you do this, please also send
 mail to rt@openssl.org with a link to the PR so that we can more easily
 keep track of it.
 HOW TO CONTRIBUTE TO OpenSSL
 ----------------------------
- See CONTRIBUTING
+ Development is coordinated on the openssl-dev mailing list (see
 http://www.openssl.org for information on subscribing). If you
 would like to submit a patch, send it to openssl-bugs@openssl.org with
 the string "[PATCH]" in the subject. Please be sure to include a
 textual explanation of what your patch does.
- LEGALITIES
+ If you are unsure as to whether a feature will be useful for the general
- ----------
+ OpenSSL community please discuss it on the openssl-dev mailing list first.
 Someone may be already working on the same thing or there may be a good
 reason as to why that feature isn't implemented.
 Patches should be as up to date as possible, preferably relative to the
 current CVS or the last snapshot. They should follow the coding style of
 OpenSSL and compile without warnings. Some of the core team developer targets
 can be used for testing purposes, (debug-steve64, debug-geoff etc). OpenSSL
 compiles on many varied platforms: try to ensure you only use portable
 features.
 Note: For legal reasons, contributions from the US can be accepted only
 if a TSU notification and a copy of the patch are sent to crypt@bis.doc.gov
 (formerly BXA) with a copy to the ENC Encryption Request Coordinator;
 please take some time to look at
    http://www.bis.doc.gov/Encryption/PubAvailEncSourceCodeNofify.html [sic]
 and
    http://w3.access.gpo.gov/bis/ear/pdf/740.pdf (EAR Section 740.13(e))
 for the details. If "your encryption source code is too large to serve as
 an email attachment", they are glad to receive it by fax instead; hope you
 have a cheap long-distance plan.
 Our preferred format for changes is "diff -u" output. You might
 generate it like this:
 # cd openssl-work
 # [your changes]
 # ./Configure dist; make clean
 # cd ..
 # diff -ur openssl-orig openssl-work > mydiffs.patch
 A number of nations, in particular the U.S., restrict the use or export
 of cryptography. If you are potentially subject to such restrictions
 you should seek competent professional legal advice before attempting to
 develop or distribute cryptographic code.
--- a/README.ASN1
+++ b/README.ASN1
@@ -0,0 +1,187 @@
 OpenSSL ASN1 Revision
 =====================
 This document describes some of the issues relating to the new ASN1 code.
 Previous OpenSSL ASN1 problems
 =============================
 OK why did the OpenSSL ASN1 code need revising in the first place? Well
 there are lots of reasons some of which are included below...
 1. The code is difficult to read and write. For every single ASN1 structure
 (e.g. SEQUENCE) four functions need to be written for new, free, encode and
 decode operations. This is a very painful and error prone operation. Very few
 people have ever written any OpenSSL ASN1 and those that have usually wish
 they hadn't.
 2. Partly because of 1. the code is bloated and takes up a disproportionate
 amount of space. The SEQUENCE encoder is particularly bad: it essentially
 contains two copies of the same operation, one to compute the SEQUENCE length
 and the other to encode it.
 3. The code is memory based: that is it expects to be able to read the whole
 structure from memory. This is fine for small structures but if you have a
 (say) 1Gb PKCS#7 signedData structure it isn't such a good idea...
 4. The code for the ASN1 IMPLICIT tag is evil. It is handled by temporarily
 changing the tag to the expected one, attempting to read it, then changing it
 back again. This means that decode buffers have to be writable even though they
 are ultimately unchanged. This gets in the way of constification.
 5. The handling of EXPLICIT isn't much better. It adds a chunk of code into 
 the decoder and encoder for every EXPLICIT tag.
 6. APPLICATION and PRIVATE tags aren't even supported at all.
 7. Even IMPLICIT isn't complete: there is no support for implicitly tagged
 types that are not OPTIONAL.
 8. Much of the code assumes that a tag will fit in a single octet. This is
 only true if the tag is 30 or less (mercifully tags over 30 are rare).
 9. The ASN1 CHOICE type has to be largely handled manually, there aren't any
 macros that properly support it.
 10. Encoders have no concept of OPTIONAL and have no error checking. If the
 passed structure contains a NULL in a mandatory field it will not be encoded,
 resulting in an invalid structure.
 11. It is tricky to add ASN1 encoders and decoders to external applications.
 Template model
 ==============
 One of the major problems with revision is the sheer volume of the ASN1 code.
 Attempts to change (for example) the IMPLICIT behaviour would result in a
 modification of *every* single decode function. 
 I decided to adopt a template based approach. I'm using the term 'template'
 in a manner similar to SNACC templates: it has nothing to do with C++
 templates.
 A template is a description of an ASN1 module as several constant C structures.
 It describes in a machine readable way exactly how the ASN1 structure should
 behave. If this template contains enough detail then it is possible to write
 versions of new, free, encode, decode (and possibly others operations) that
 operate on templates.
 Instead of having to write code to handle each operation only a single
 template needs to be written. If new operations are needed (such as a 'print'
 operation) only a single new template based function needs to be written 
 which will then automatically handle all existing templates.
 Plans for revision
 ==================
 The revision will consist of the following steps. Other than the first two
 these can be handled in any order.
 o Design and write template new, free, encode and decode operations, initially
 memory based. *DONE*
 o Convert existing ASN1 code to template form. *IN PROGRESS*
 o Convert an existing ASN1 compiler (probably SNACC) to output templates
 in OpenSSL form.
 o Add support for BIO based ASN1 encoders and decoders to handle large
 structures, initially blocking I/O.
 o Add support for non blocking I/O: this is quite a bit harder than blocking
 I/O.
 o Add new ASN1 structures, such as OCSP, CRMF, S/MIME v3 (CMS), attribute
 certificates etc etc.
 Description of major changes
 ============================
 The BOOLEAN type now takes three values. 0xff is TRUE, 0 is FALSE and -1 is
 absent. The meaning of absent depends on the context. If for example the
 boolean type is DEFAULT FALSE (as in the case of the critical flag for
 certificate extensions) then -1 is FALSE, if DEFAULT TRUE then -1 is TRUE.
 Usually the value will only ever be read via an API which will hide this from
 an application.
 There is an evil bug in the old ASN1 code that mishandles OPTIONAL with
 SEQUENCE OF or SET OF. These are both implemented as a STACK structure. The
 old code would omit the structure if the STACK was NULL (which is fine) or if
 it had zero elements (which is NOT OK). This causes problems because an empty
 SEQUENCE OF or SET OF will result in an empty STACK when it is decoded but when
 it is encoded it will be omitted resulting in different encodings. The new code
 only omits the encoding if the STACK is NULL, if it contains zero elements it
 is encoded and empty. There is an additional problem though: because an empty
 STACK was omitted, sometimes the corresponding *_new() function would
 initialize the STACK to empty so an application could immediately use it, if
 this is done with the new code (i.e. a NULL) it wont work. Therefore a new
 STACK should be allocated first. One instance of this is the X509_CRL list of
 revoked certificates: a helper function X509_CRL_add0_revoked() has been added
 for this purpose.
 The X509_ATTRIBUTE structure used to have an element called 'set' which took
 the value 1 if the attribute value was a SET OF or 0 if it was a single. Due
 to the behaviour of CHOICE in the new code this has been changed to a field
 called 'single' which is 0 for a SET OF and 1 for single. The old field has
 been deleted to deliberately break source compatibility. Since this structure
 is normally accessed via higher level functions this shouldn't break too much.
 The X509_REQ_INFO certificate request info structure no longer has a field
 called 'req_kludge'. This used to be set to 1 if the attributes field was
 (incorrectly) omitted. You can check to see if the field is omitted now by
 checking if the attributes field is NULL. Similarly if you need to omit
 the field then free attributes and set it to NULL.
 The top level 'detached' field in the PKCS7 structure is no longer set when
 a PKCS#7 structure is read in. PKCS7_is_detached() should be called instead.
 The behaviour of PKCS7_get_detached() is unaffected.
 The values of 'type' in the GENERAL_NAME structure have changed. This is
 because the old code use the ASN1 initial octet as the selector. The new
 code uses the index in the ASN1_CHOICE template.
 The DIST_POINT_NAME structure has changed to be a true CHOICE type.
 typedef struct DIST_POINT_NAME_st {
 int type;
 union {
 	STACK_OF(GENERAL_NAME) *fullname;
 	STACK_OF(X509_NAME_ENTRY) *relativename;
 } name;
 } DIST_POINT_NAME;
 This means that name.fullname or name.relativename should be set
 and type reflects the option. That is if name.fullname is set then
 type is 0 and if name.relativename is set type is 1.
 With the old code using the i2d functions would typically involve:
 unsigned char *buf, *p;
 int len;
 /* Find length of encoding */
 len = i2d_SOMETHING(x, NULL);
 /* Allocate buffer */
 buf = OPENSSL_malloc(len);
 if(buf == NULL) {
 	/* Malloc error */
 }
 /* Use temp variable because &p gets updated to point to end of
 * encoding.
 */
 p = buf;
 i2d_SOMETHING(x, &p);
 Using the new i2d you can also do:
 unsigned char *buf = NULL;
 int len;
 len = i2d_SOMETHING(x, &buf);
 if(len < 0) {
 	/* Malloc error */
 }
 and it will automatically allocate and populate a buffer with the
 encoding. After this call 'buf' will point to the start of the
 encoding which is len bytes long.
--- a/README.FIPS
+++ b/README.FIPS
@@ -1 +1,130 @@
-This release does not support a FIPS 140-2 validated module.
+Preliminary status and build information for FIPS module v2.0 
 NB: if you are cross compiling you now need to use the latest "incore" script
 this can be found at util/incore in the tarballs.
 If you have any object files from a previous build do:
 make clean
 To build the module do:
 ./config fipscanisteronly
 make
 Build should complete without errors.
 Build test utilities:
 make build_tests
 Run test suite:
 test/fips_test_suite
 again should complete without errors.
 Run test vectors: 
 1. Download an appropriate set of testvectors from www.openssl.org/docs/fips
   only the fips-2.0 testvector files are usable for complete tests.
 2. Extract the files to a suitable directory.
 3. Run the test vector perl script, for example:
   cd fips
   perl fipsalgtest.pl --dir=/wherever/stuff/was/extracted
 4. It should say "passed all tests" at the end. Report full details of any
   failures.
 If you wish to use the older 1.2.x testvectors (for example those from 2007)
 you need the command line switch --disable-v2 to fipsalgtest.pl
 Examine the external symbols in fips/fipscanister.o they should all begin
 with FIPS or fips. One way to check with GNU nm is:
 	nm -g --defined-only fips/fipscanister.o | grep -v -i fips
 If you get *any* output at all from this test (i.e. symbols not starting with
 fips or FIPS) please report it.
 Restricted tarball tests.
 The validated module will have its own tarball containing sufficient code to
 build fipscanister.o and the associated algorithm tests. You can create a
 similar tarball yourself for testing purposes using the commands below.
 Standard restricted tarball:
 make -f Makefile.fips dist
 Prime field field only ECC tarball:
 make NOEC2M=1 -f Makefile.fips dist
 Once you've created the tarball extract into a fresh directory and do:
 ./config
 make
 You can then run the algorithm tests as above. This build automatically uses
 fipscanisterbuild and no-ec2m as appropriate.
 FIPS capable OpenSSL test: WARNING PRELIMINARY INSTRUCTIONS, SUBJECT TO CHANGE.
 At least initially the test module and FIPS capable OpenSSL may change and
 by out of sync. You are advised to check for any changes and pull the latest
 source from CVS if you have problems. See anon CVS and rsync instructions at:
 http://www.openssl.org/source/repos.html
 Make or download a restricted tarball from ftp://ftp.openssl.org/snapshot/
 If required set the environment variable FIPSDIR to an appropriate location
 to install the test module. If cross compiling set other environment
 variables too.
 In this restricted tarball on a Linux or U*ix like system run:
 ./config
 make
 make install
 On Windows from a VC++ environment do:
 ms\do_fips
 This will build and install the test module and some associated files.
 Now download the latest version of the OpenSSL 1.0.1 branch from either a
 snapshot or preferably CVS. For Linux do:
 ./config fips [other args]
 make
 For Windows:
 perl Configure VC-WIN32 fips [other args]
 ms\do_nasm
 nmake -f ms\ntdll.mak
 (or ms\nt.mak for a static build).
 Where [other args] can be any other arguments you use for an OpenSSL build
 such as "shared" or "zlib".
 This will build the fips capable OpenSSL and link it to the test module. You
 can now try linking and testing applications against the FIPS capable OpenSSL.
 Please report any problems to either the openssl-dev mailing list or directly
 to me steve@openssl.org . Check the mailing lists regularly to avoid duplicate
 reports.
 Known issues:
 Code needs extensively reviewing to ensure it builds correctly on 
 supported platforms and is compliant with FIPS 140-2.
 The "FIPS capable OpenSSL" is still largely untested, it builds and runs
 some simple tests OK on some systems but needs far more "real world" testing.
--- a/148
+++ b/148
@@ -0,0 +1,148 @@
  OpenSSL STATUS                           Last modified at
  ______________                           $Date: 2011/02/08 17:48:56 $
  DEVELOPMENT STATE
    o  OpenSSL 1.1.0:  Under development...
    o  OpenSSL 1.0.1:  Under development...
    o  OpenSSL 1.0.0d: Released on February   8nd, 2011
    o  OpenSSL 1.0.0c: Released on December   2nd, 2010
    o  OpenSSL 1.0.0b: Released on November  16th, 2010
    o  OpenSSL 1.0.0a: Released on June      1st,  2010
    o  OpenSSL 1.0.0:  Released on March     29th, 2010
    o  OpenSSL 0.9.8r: Released on February   8nd, 2011
    o  OpenSSL 0.9.8q: Released on December   2nd, 2010
    o  OpenSSL 0.9.8p: Released on November  16th, 2010
    o  OpenSSL 0.9.8o: Released on June       1st, 2010
    o  OpenSSL 0.9.8n: Released on March     24th, 2010
    o  OpenSSL 0.9.8m: Released on February  25th, 2010
    o  OpenSSL 0.9.8l: Released on November   5th, 2009
    o  OpenSSL 0.9.8k: Released on March     25th, 2009
    o  OpenSSL 0.9.8j: Released on January    7th, 2009
    o  OpenSSL 0.9.8i: Released on September 15th, 2008
    o  OpenSSL 0.9.8h: Released on May       28th, 2008
    o  OpenSSL 0.9.8g: Released on October   19th, 2007
    o  OpenSSL 0.9.8f: Released on October   11th, 2007
    o  OpenSSL 0.9.8e: Released on February  23rd, 2007
    o  OpenSSL 0.9.8d: Released on September 28th, 2006
    o  OpenSSL 0.9.8c: Released on September  5th, 2006
    o  OpenSSL 0.9.8b: Released on May        4th, 2006
    o  OpenSSL 0.9.8a: Released on October   11th, 2005
    o  OpenSSL 0.9.8:  Released on July       5th, 2005
    o  OpenSSL 0.9.7m: Released on February  23rd, 2007
    o  OpenSSL 0.9.7l: Released on September 28th, 2006
    o  OpenSSL 0.9.7k: Released on September  5th, 2006
    o  OpenSSL 0.9.7j: Released on May        4th, 2006
    o  OpenSSL 0.9.7i: Released on October   14th, 2005
    o  OpenSSL 0.9.7h: Released on October   11th, 2005
    o  OpenSSL 0.9.7g: Released on April     11th, 2005
    o  OpenSSL 0.9.7f: Released on March     22nd, 2005
    o  OpenSSL 0.9.7e: Released on October   25th, 2004
    o  OpenSSL 0.9.7d: Released on March     17th, 2004
    o  OpenSSL 0.9.7c: Released on September 30th, 2003
    o  OpenSSL 0.9.7b: Released on April     10th, 2003
    o  OpenSSL 0.9.7a: Released on February  19th, 2003
    o  OpenSSL 0.9.7:  Released on December  31st, 2002
    o  OpenSSL 0.9.6m: Released on March     17th, 2004
    o  OpenSSL 0.9.6l: Released on November   4th, 2003
    o  OpenSSL 0.9.6k: Released on September 30th, 2003
    o  OpenSSL 0.9.6j: Released on April     10th, 2003
    o  OpenSSL 0.9.6i: Released on February  19th, 2003
    o  OpenSSL 0.9.6h: Released on December   5th, 2002
    o  OpenSSL 0.9.6g: Released on August     9th, 2002
    o  OpenSSL 0.9.6f: Released on August     8th, 2002
    o  OpenSSL 0.9.6e: Released on July      30th, 2002
    o  OpenSSL 0.9.6d: Released on May        9th, 2002
    o  OpenSSL 0.9.6c: Released on December  21st, 2001
    o  OpenSSL 0.9.6b: Released on July       9th, 2001
    o  OpenSSL 0.9.6a: Released on April      5th, 2001
    o  OpenSSL 0.9.6:  Released on September 24th, 2000
    o  OpenSSL 0.9.5a: Released on April      1st, 2000
    o  OpenSSL 0.9.5:  Released on February  28th, 2000
    o  OpenSSL 0.9.4:  Released on August    09th, 1999
    o  OpenSSL 0.9.3a: Released on May       29th, 1999
    o  OpenSSL 0.9.3:  Released on May       25th, 1999
    o  OpenSSL 0.9.2b: Released on March     22th, 1999
    o  OpenSSL 0.9.1c: Released on December  23th, 1998
  [See also http://www.openssl.org/support/rt.html]
  RELEASE SHOWSTOPPERS
    o The Makefiles fail with some SysV makes.
    o 
  AVAILABLE PATCHES
    o 
  IN PROGRESS
    o Steve is currently working on (in no particular order):
        ASN1 code redesign, butchery, replacement.
        OCSP
        EVP cipher enhancement.
        Enhanced certificate chain verification.
 	Private key, certificate and CRL API and implementation.
 	Developing and bugfixing PKCS#7 (S/MIME code).
        Various X509 issues: character sets, certificate request extensions.
    o Richard is currently working on:
 	Constification
 	Attribute Certificate support
 	Certificate Pair support
 	Storage Engines (primarly an LDAP storage engine)
 	Certificate chain validation with full RFC 3280 compatibility
  NEEDS PATCH
    o  0.9.8-dev: COMPLEMENTOFALL and COMPLEMENTOFDEFAULT do not
       handle ECCdraft cipher suites correctly.
    o  apps/ca.c: "Sign the certificate?" - "n" creates empty certificate file
    o  "OpenSSL STATUS" is never up-to-date.
  OPEN ISSUES
    o  The Makefile hierarchy and build mechanism is still not a round thing:
       1. The config vs. Configure scripts
          It's the same nasty situation as for Apache with APACI vs.
          src/Configure. It confuses.
          Suggestion: Merge Configure and config into a single configure
                      script with a Autoconf style interface ;-) and remove
                      Configure and config. Or even let us use GNU Autoconf
                      itself. Then we can avoid a lot of those platform checks
                      which are currently in Configure.
    o  Support for Shared Libraries has to be added at least
       for the major Unix platforms. The details we can rip from the stuff
       Ralf has done for the Apache src/Configure script. Ben wants the
       solution to be really simple.
       Status: Ralf will look how we can easily incorporate the
               compiler PIC and linker DSO flags from Apache
               into the OpenSSL Configure script.
               Ulf: +1 for using GNU autoconf and libtool (but not automake,
                    which apparently is not flexible enough to generate
                    libcrypto)
  WISHES
    o  Add variants of DH_generate_parameters() and BN_generate_prime() [etc?]
       where the callback function can request that the function be aborted.
       [Gregory Stark <ghstark@pobox.com>, <rayyang2000@yahoo.com>]
    o  SRP in TLS.
       [wished by:
        Dj <derek@yo.net>, Tom Wu <tom@arcot.com>,
        Tom Holroyd <tomh@po.crl.go.jp>]
       See http://search.ietf.org/internet-drafts/draft-ietf-tls-srp-00.txt
       as well as http://www-cs-students.stanford.edu/~tjw/srp/.
       Tom Holroyd tells us there is a SRP patch for OpenSSH at
       http://members.tripod.com/professor_tom/archives/, that could
       be useful.
--- a/6139
+++ b/6139
--- a/VMS/mkshared.com
+++ b/VMS/mkshared.com
@@ -0,0 +1,454 @@
 $! MKSHARED.COM -- Create shareable images.
 $!
 $! P1: "64" for 64-bit pointers.
 $!
 $! P2: Zlib object library path (optional).
 $!
 $! Input:	[.UTIL]LIBEAY.NUM,[.xxx.EXE.CRYPTO]SSL_LIBCRYPTO[32].OLB
 $!		[.UTIL]SSLEAY.NUM,[.xxx.EXE.SSL]SSL_LIBSSL[32].OLB
 $! Output:	[.xxx.EXE.CRYPTO]SSL_LIBCRYPTO_SHR[32].OPT,.MAP,.EXE
 $!		[.xxx.EXE.SSL]SSL_LIBSSL_SRH[32].OPT,.MAP,.EXE
 $!
 $! So far, tests have only been made on VMS for Alpha.  VAX will come in time.
 $! ===========================================================================
 $!
 $! Announce/identify.
 $!
 $ proc = f$environment( "procedure")
 $ write sys$output "@@@ "+ -
   f$parse( proc, , , "name")+ f$parse( proc, , , "type")
 $!
 $! Save the original default device:[directory].
 $!
 $ def_orig = f$environment( "default")
 $ on error then goto tidy
 $ on control_c then goto tidy
 $!
 $! SET DEFAULT to the main kit directory.
 $!
 $ proc = f$environment("procedure")
 $ proc = f$parse( "A.;", proc)- "A.;"
 $ set default 'proc'
 $ set default [-]
 $!
 $! ----- Prepare info for processing: version number and file info
 $ gosub read_version_info
 $ if libver .eqs. ""
 $ then
 $   write sys$error "ERROR: Couldn't find any library version info..."
 $   go to tidy:
 $ endif
 $
 $ if (f$getsyi("cpu") .lt. 128)
 $ then
 $   arch_vax = 1
 $   arch = "VAX"
 $ else
 $   arch_vax = 0
 $   arch = f$edit( f$getsyi( "ARCH_NAME"), "UPCASE")
 $   if (arch .eqs. "") then arch = "UNK"
 $ endif
 $!
 $ archd = arch
 $ lib32 = "32"
 $ shr = "SHR32"
 $!
 $ if (p1 .nes. "")
 $ then
 $   if (p1 .eqs. "64")
 $   then
 $     archd = arch+ "_64"
 $     lib32 = ""
 $     shr = "SHR"
 $   else
 $     if (p1 .nes. "32")
 $     then
 $       write sys$output "Second argument invalid."
 $       write sys$output "It should be "32", "64", or nothing."
 $       exit
 $     endif
 $   endif
 $ endif
 $!
 $ ZLIB = p2
 $ zlib_lib = ""
 $ if (ZLIB .nes. "")
 $ then
 $   file2 = f$parse( ZLIB, "libz.olb", , , "syntax_only")
 $   if (f$search( file2) .eqs. "")
 $   then
 $     write sys$output ""
 $     write sys$output "The Option ", ZLIB, " Is Invalid."
 $     write sys$output "    Can't find library: ''file2'"
 $     write sys$output ""
 $     goto tidy
 $   endif
 $   zlib_lib = ", ''file2' /library"
 $ endif
 $!
 $ if (arch_vax)
 $ then
 $   libtit = "CRYPTO_TRANSFER_VECTOR"
 $   libid  = "Crypto"
 $   libnum = "[.UTIL]LIBEAY.NUM"
 $   libdir = "[.''ARCHD'.EXE.CRYPTO]"
 $   libmar = "''libdir'SSL_LIBCRYPTO_''shr'.MAR"
 $   libolb = "''libdir'SSL_LIBCRYPTO''lib32'.OLB"
 $   libopt = "''libdir'SSL_LIBCRYPTO_''shr'.OPT"
 $   libobj = "''libdir'SSL_LIBCRYPTO_''shr'.OBJ"
 $   libmap = "''libdir'SSL_LIBCRYPTO_''shr'.MAP"
 $   libgoal= "''libdir'SSL_LIBCRYPTO_''shr'.EXE"
 $   libref = ""
 $   libvec = "LIBCRYPTO"
 $   if f$search( libolb) .nes. "" then gosub create_vax_shr
 $   libtit = "SSL_TRANSFER_VECTOR"
 $   libid  = "SSL"
 $   libnum = "[.UTIL]SSLEAY.NUM"
 $   libdir = "[.''ARCHD'.EXE.SSL]"
 $   libmar = "''libdir'SSL_LIBSSL_''shr'.MAR"
 $   libolb = "''libdir'SSL_LIBSSL''lib32'.OLB"
 $   libopt = "''libdir'SSL_LIBSSL_''shr'.OPT"
 $   libobj = "''libdir'SSL_LIBSSL_''shr'.OBJ"
 $   libmap = "''libdir'SSL_LIBSSL_''shr'.MAP"
 $   libgoal= "''libdir'SSL_LIBSSL_''shr'.EXE"
 $   libref = "[.''ARCHD'.EXE.CRYPTO]SSL_LIBCRYPTO_''shr'.EXE"
 $   libvec = "LIBSSL"
 $   if f$search( libolb) .nes. "" then gosub create_vax_shr
 $ else
 $   libid  = "Crypto"
 $   libnum = "[.UTIL]LIBEAY.NUM"
 $   libdir = "[.''ARCHD'.EXE.CRYPTO]"
 $   libolb = "''libdir'SSL_LIBCRYPTO''lib32'.OLB"
 $   libopt = "''libdir'SSL_LIBCRYPTO_''shr'.OPT"
 $   libmap = "''libdir'SSL_LIBCRYPTO_''shr'.MAP"
 $   libgoal= "''libdir'SSL_LIBCRYPTO_''shr'.EXE"
 $   libref = ""
 $   if f$search( libolb) .nes. "" then gosub create_nonvax_shr
 $   libid  = "SSL"
 $   libnum = "[.UTIL]SSLEAY.NUM"
 $   libdir = "[.''ARCHD'.EXE.SSL]"
 $   libolb = "''libdir'SSL_LIBSSL''lib32'.OLB"
 $   libopt = "''libdir'SSL_LIBSSL_''shr'.OPT"
 $   libmap = "''libdir'SSL_LIBSSL_''shr'.MAP"
 $   libgoal= "''libdir'SSL_LIBSSL_''shr'.EXE"
 $   libref = "[.''ARCHD'.EXE.CRYPTO]SSL_LIBCRYPTO_''shr'.EXE"
 $   if f$search( libolb) .nes. "" then gosub create_nonvax_shr
 $ endif
 $!
 $ tidy:
 $!
 $! Close any open files.
 $!
 $ if (f$trnlnm( "libnum", "LNM$PROCESS", 0, "SUPERVISOR") .nes. "") then -
   close libnum
 $!
 $ if (f$trnlnm( "mar", "LNM$PROCESS", 0, "SUPERVISOR") .nes. "") then -
   close mar
 $!
 $ if (f$trnlnm( "opt", "LNM$PROCESS", 0, "SUPERVISOR") .nes. "") then -
   close opt
 $!
 $ if (f$trnlnm( "vf", "LNM$PROCESS", 0, "SUPERVISOR") .nes. "") then -
   close vf
 $!
 $! Restore the original default device:[directory].
 $!
 $ set default 'def_orig'
 $ exit
 $
 $! ----- Subroutines to build the shareable libraries
 $! For each supported architecture, there's a main shareable library
 $! creator, which is called from the main code above.
 $! The creator will define a number of variables to tell the next levels of
 $! subroutines what routines to use to write to the option files, call the
 $! main processor, read_func_num, and when that is done, it will write version
 $! data at the end of the .opt file, close it, and link the library.
 $!
 $! read_func_num reads through a .num file and calls the writer routine for
 $! each line.  It's also responsible for checking that order is properly kept
 $! in the .num file, check that each line applies to VMS and the architecture,
 $! and to fill in "holes" with dummy entries.
 $!
 $! The creator routines depend on the following variables:
 $! libnum	The name of the .num file to use as input
 $! libolb	The name of the object library to build from
 $! libid	The identification string of the shareable library
 $! libopt	The name of the .opt file to write
 $! libtit	The title of the assembler transfer vector file (VAX only)
 $! libmar	The name of the assembler transfer vector file (VAX only)
 $! libmap	The name of the map file to write
 $! libgoal	The name of the shareable library to write
 $! libref	The name of a shareable library to link in
 $!
 $! read_func_num depends on the following variables from the creator:
 $! libwriter	The name of the writer routine to call for each .num file line
 $! -----
 $
 $! ----- Subroutines for non-VAX
 $! -----
 $! The creator routine
 $ create_nonvax_shr:
 $   open /write opt 'libopt'
 $   write opt "identification=""",libid," ",libverstr,""""
 $   write opt libolb, " /library"
 $   if libref .nes. "" then write opt libref,"/SHARE"
 $   write opt "SYMBOL_VECTOR=(-"
 $   libfirstentry := true
 $   libwrch   := opt
 $   libwriter := write_nonvax_transfer_entry
 $   textcount = 0
 $   gosub read_func_num
 $   write opt ")"
 $   write opt "GSMATCH=",libvmatch,",",libver
 $   close opt
 $   link /map = 'libmap' /full /share = 'libgoal' 'libopt' /options -
     'zlib_lib'
 $   return
 $
 $! The record writer routine
 $ write_nonvax_transfer_entry:
 $   if libentry .eqs. ".dummy" then return
 $   if info_kind .eqs. "VARIABLE"
 $   then
 $     pr:=DATA
 $   else
 $     pr:=PROCEDURE
 $   endif
 $   textcount_this = f$length(pr) + f$length(libentry) + 5
 $   if textcount + textcount_this .gt. 1024
 $   then
 $     write opt ")"
 $     write opt "SYMBOL_VECTOR=(-"
 $     textcount = 16
 $     libfirstentry := true
 $   endif
 $   if libfirstentry
 $   then
 $     write 'libwrch' "    ",libentry,"=",pr," -"
 $   else
 $     write 'libwrch' "    ,",libentry,"=",pr," -"
 $   endif
 $   libfirstentry := false
 $   textcount = textcount + textcount_this
 $   return
 $
 $! ----- Subroutines for VAX
 $! -----
 $! The creator routine
 $ create_vax_shr:
 $   open /write mar 'libmar'
 $   type sys$input:/out=mar:
 ;
 ; Transfer vector for VAX shareable image
 ;
 $   write mar "	.TITLE ",libtit
 $   write mar "	.IDENT /",libid,"/"
 $   type sys$input:/out=mar:
 ;
 ; Define macro to assist in building transfer vector entries.  Each entry
 ; should take no more than 8 bytes.
 ;
 	.MACRO FTRANSFER_ENTRY routine
 	.ALIGN QUAD
 	.TRANSFER routine
 	.MASK	routine
 	JMP	routine+2
 	.ENDM FTRANSFER_ENTRY
 ;
 ; Place entries in own program section.
 ;
 $   write mar "	.PSECT $$",libvec,",QUAD,PIC,USR,CON,REL,LCL,SHR,EXE,RD,NOWRT"
 $   write mar libvec,"_xfer:"
 $   libwrch   := mar
 $   libwriter := write_vax_ftransfer_entry
 $   gosub read_func_num
 $   type sys$input:/out=mar:
 ;
 ; Allocate extra storage at end of vector to allow for expansion.
 ;
 $   write mar "	.BLKB 32768-<.-",libvec,"_xfer>	; 64 pages total."
 $!   libwriter := write_vax_vtransfer_entry
 $!   gosub read_func_num
 $   write mar "	.END"
 $   close mar
 $   open /write opt 'libopt'
 $   write opt "identification=""",libid," ",libverstr,""""
 $   write opt libobj
 $   write opt libolb, " /library"
 $   if libref .nes. "" then write opt libref,"/SHARE"
 $   type sys$input:/out=opt:
 !
 ! Ensure transfer vector is at beginning of image
 !
 CLUSTER=FIRST
 $   write opt "COLLECT=FIRST,$$",libvec
 $   write opt "GSMATCH=",libvmatch,",",libver
 $   type sys$input:/out=opt:
 !
 ! make psects nonshareable so image can be installed.
 !
 PSECT_ATTR=$CHAR_STRING_CONSTANTS,NOWRT
 $   libwrch   := opt
 $   libwriter := write_vax_psect_attr
 $   gosub read_func_num
 $   close opt
 $   macro/obj='libobj' 'libmar'
 $   link /map = 'libmap' /full /share = 'libgoal' 'libopt' /options -
     'zlib_lib'
 $   return
 $
 $! The record writer routine for VAX functions
 $ write_vax_ftransfer_entry:
 $   if info_kind .nes. "FUNCTION" then return
 $   if libentry .eqs ".dummy"
 $   then
 $     write 'libwrch' "	.BLKB 8" ! Dummy is zeroes...
 $   else
 $     write 'libwrch' "	FTRANSFER_ENTRY ",libentry
 $   endif
 $   return
 $! The record writer routine for VAX variables (should never happen!)
 $ write_vax_psect_attr:
 $   if info_kind .nes. "VARIABLE" then return
 $   if libentry .eqs ".dummy" then return
 $   write 'libwrch' "PSECT_ATTR=",libentry,",NOSHR"
 $   return
 $
 $! ----- Common subroutines
 $! -----
 $! The .num file reader.  This one has great responsibility.
 $ read_func_num:
 $   open /read libnum 'libnum'
 $   goto read_nums
 $
 $ read_nums:
 $   libentrynum=0
 $   liblastentry:=false
 $   entrycount=0
 $   loop:
 $     read /end=loop_end /err=loop_end libnum line
 $     lin = f$edit( line, "COMPRESS,TRIM")
 $!    Skip a "#" comment line.
 $     if (f$extract( 0, 1, lin) .eqs. "#") then goto loop
 $     entrynum = f$int(f$element( 1, " ", lin))
 $     entryinfo = f$element( 2, " ", lin)
 $     curentry = f$element( 0, " ", lin)
 $     info_exist = f$element( 0, ":", entryinfo)
 $     info_platforms = ","+ f$element(1, ":", entryinfo)+ ","
 $     info_kind = f$element( 2, ":", entryinfo)
 $     info_algorithms = ","+ f$element( 3, ":", entryinfo)+ ","
 $     if info_exist .eqs. "NOEXIST" then goto loop
 $     truesum = 0
 $     falsesum = 0
 $     negatives = 1
 $     plat_i = 0
 $     loop1:
 $       plat_entry = f$element( plat_i, ",", info_platforms)
 $       plat_i = plat_i + 1
 $       if plat_entry .eqs. "" then goto loop1
 $       if plat_entry .nes. ","
 $       then
 $         if f$extract(0,1,plat_entry) .nes. "!" then negatives = 0
 $         if (arch_vax)
 $         then
 $           if plat_entry .eqs. "EXPORT_VAR_AS_FUNCTION" then -
 $             truesum = truesum + 1
 $           if plat_entry .eqs. "!EXPORT_VAR_AS_FUNCTION" then -
 $             falsesum = falsesum + 1
 $         endif
 $!
 $         if ((plat_entry .eqs. "VMS") .or. -
            ((plat_entry .eqs. "ZLIB") .and. (ZLIB .nes. "")) .or. -
            (arch_vax .and. (plat_entry .eqs. "VMSVAX"))) then -
            truesum = truesum + 1
 $!
 $         if ((plat_entry .eqs. "!VMS") .or. -
            (arch_vax .and. (plat_entry .eqs. "!VMSVAX"))) then -
            falsesum = falsesum + 1
 $!
 $	  goto loop1
 $       endif
 $     endloop1:
 $!DEBUG!$     if info_platforms - "EXPORT_VAR_AS_FUNCTION" .nes. info_platforms
 $!DEBUG!$     then
 $!DEBUG!$       write sys$output line
 $!DEBUG!$       write sys$output "        truesum = ",truesum,-
 $!DEBUG!		", negatives = ",negatives,", falsesum = ",falsesum
 $!DEBUG!$     endif
 $     if falsesum .ne. 0 then goto loop
 $     if truesum+negatives .eq. 0 then goto loop
 $     alg_i = 0
 $     loop2:
 $       alg_entry = f$element(alg_i,",",info_algorithms)
 $	alg_i = alg_i + 1
 $       if alg_entry .eqs. "" then goto loop2
 $       if alg_entry .nes. ","
 $       then
 $         if alg_entry .eqs. "KRB5" then goto loop ! Special for now
 $	  if alg_entry .eqs. "STATIC_ENGINE" then goto loop ! Special for now
 $         if f$trnlnm("OPENSSL_NO_"+alg_entry) .nes. "" then goto loop
 $	  goto loop2
 $       endif
 $     endloop2:
 $     if info_platforms - "EXPORT_VAR_AS_FUNCTION" .nes. info_platforms
 $     then
 $!DEBUG!$     write sys$output curentry," ; ",entrynum," ; ",entryinfo
 $     endif
 $   redo:
 $     next:=loop
 $     tolibentry=curentry
 $     if libentrynum .ne. entrynum
 $     then
 $       entrycount=entrycount+1
 $       if entrycount .lt. entrynum
 $       then
 $!DEBUG!$         write sys$output "Info: entrycount: ''entrycount', entrynum: ''entrynum' => 0"
 $         tolibentry=".dummy"
 $         next:=redo
 $       endif
 $       if entrycount .gt. entrynum
 $       then
 $         write sys$error "Decreasing library entry numbers!  Can't continue"
 $         write sys$error """",line,""""
 $         close libnum
 $         return
 $       endif
 $       libentry=tolibentry
 $!DEBUG!$       write sys$output entrycount," ",libentry," ",entryinfo
 $       if libentry .nes. "" .and. libwriter .nes. "" then gosub 'libwriter'
 $     else
 $       write sys$error "Info: ""''curentry'"" is an alias for ""''libentry'"".  Overriding..."
 $     endif
 $     libentrynum=entrycount
 $     goto 'next'
 $   loop_end:
 $   close libnum
 $   return
 $
 $! The version number reader
 $ read_version_info:
 $   libver = ""
 $   open /read vf [.CRYPTO]OPENSSLV.H
 $   loop_rvi:
 $     read/err=endloop_rvi/end=endloop_rvi vf rvi_line
 $     if rvi_line - "SHLIB_VERSION_NUMBER """ .eqs. rvi_line then -
 	goto loop_rvi
 $     libverstr = f$element(1,"""",rvi_line)
 $     libvmajor = f$element(0,".",libverstr)
 $     libvminor = f$element(1,".",libverstr)
 $     libvedit = f$element(2,".",libverstr)
 $     libvpatch = f$cvui(0,8,f$extract(1,1,libvedit)+"@")-f$cvui(0,8,"@")
 $     libvedit = f$extract(0,1,libvedit)
 $     libver = f$string(f$int(libvmajor)*100)+","+-
 	f$string(f$int(libvminor)*100+f$int(libvedit)*10+f$int(libvpatch))
 $     if libvmajor .eqs. "0"
 $     then
 $       libvmatch = "EQUAL"
 $     else
 $       ! Starting with the 1.0 release, backward compatibility should be
 $       ! kept, so switch over to the following
 $       libvmatch = "LEQUAL"
 $     endif
 $   endloop_rvi:
 $   close vf
 $   return
--- a/apps/.cvsignore
+++ b/apps/.cvsignore
@@ -0,0 +1,8 @@
 openssl
 Makefile.save
 der_chop
 der_chop.bak
 CA.pl
 *.flc
 semantic.cache
 *.dll
--- a/apps/CA.com
+++ b/apps/CA.com
@@ -10,14 +10,29 @@ $! At the end of that grab newreq.pem and newcert.pem (one has the key
 $! and the other the certificate) and cat them together and that is what
 $! you want/need ... I'll make even this a little cleaner later.
 $!
-$! default openssl.cnf file has setup as per the following
+$!
 $! 12-Jan-96 tjh    Added more things ... including CA -signcert which
 $!                  converts a certificate to a request and then signs it.
 $! 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
 $!                 environment variable so this can be driven from
 $!                 a script.
 $! 25-Jul-96 eay    Cleaned up filenames some more.
 $! 11-Jun-96 eay    Fixed a few filename missmatches.
 $! 03-May-96 eay    Modified to use 'openssl cmd' instead of 'cmd'.
 $! 18-Apr-96 tjh    Original hacking
 $!
 $! Tim Hudson
 $! tjh@cryptsoft.com
 $!
 $!
 $! default ssleay.cnf file has setup as per the following
 $! demoCA ... where everything is stored
 $
-$ IF F$TYPE(OPENSSL_CONFIG) .EQS. "" THEN OPENSSL_CONFIG := SSLLIB:OPENSSL.CNF
+$ IF F$TYPE(SSLEAY_CONFIG) .EQS. "" THEN SSLEAY_CONFIG := SSLLIB:SSLEAY.CNF
 $
 $ DAYS   = "-days 365"
-$ REQ    = openssl + " req " + OPENSSL_CONFIG
+$ REQ    = openssl + " req " + SSLEAY_CONFIG
-$ CA     = openssl + " ca " + OPENSSL_CONFIG
+$ CA     = openssl + " ca " + SSLEAY_CONFIG
 $ VERIFY = openssl + " verify"
 $ X509   = openssl + " x509"
 $ PKCS12 = openssl + " pkcs12"
--- a/apps/CA.pl.in
+++ b/apps/CA.pl.in
@@ -1,189 +1,189 @@
-#!/usr/bin/perl
+#!/usr/local/bin/perl
 #
 # CA - wrapper around ca to make it easier to use ... basically ca requires
 #      some setup stuff to be done before you can use it and this makes
 #      things easier between now and when Eric is convinced to fix it :-)
 #
 # CA -newca ... will setup the right stuff
 # CA -newreq[-nodes] ... will generate a certificate request 
 # CA -sign ... will sign the generated request and output 
 #
 # At the end of that grab newreq.pem and newcert.pem (one has the key 
 # and the other the certificate) and cat them together and that is what
 # you want/need ... I'll make even this a little cleaner later.
 #
 #
 # 12-Jan-96 tjh    Added more things ... including CA -signcert which
 #                  converts a certificate to a request and then signs it.
 # 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
 #		   environment variable so this can be driven from
 #		   a script.
 # 25-Jul-96 eay    Cleaned up filenames some more.
 # 11-Jun-96 eay    Fixed a few filename missmatches.
 # 03-May-96 eay    Modified to use 'ssleay cmd' instead of 'cmd'.
 # 18-Apr-96 tjh    Original hacking
 #
 # Tim Hudson
 # tjh@cryptsoft.com
 #
 # Wrapper around the ca to make it easier to use
 # Edit CA.pl.in not CA.pl!
-
+# 27-Apr-98 snh    Translation into perl, fix existing CA bug.
-use strict;
+#
-use warnings;
+#
-
+# Steve Henson
-my $openssl = "openssl";
+# shenson@bigfoot.com
 if(defined $ENV{'OPENSSL'}) {
    $openssl = $ENV{'OPENSSL'};
 } else {
    $ENV{'OPENSSL'} = $openssl;
 }
 my $verbose = 1;
 my $OPENSSL_CONFIG = $ENV{"OPENSSL_CONFIG"};
 my $DAYS = "-days 365";
 my $CADAYS = "-days 1095";	# 3 years
 my $REQ = "$openssl req $OPENSSL_CONFIG";
 my $CA = "$openssl ca $OPENSSL_CONFIG";
 my $VERIFY = "$openssl verify";
 my $X509 = "$openssl x509";
 my $PKCS12 = "$openssl pkcs12";
 # default openssl.cnf file has setup as per the following
-my $CATOP = "./demoCA";
+# demoCA ... where everything is stored
 my $CAKEY = "cakey.pem";
 my $CAREQ = "careq.pem";
 my $CACERT = "cacert.pem";
 my $CACRL = "crl.pem";
 my $DIRMODE = 0777;
-my $NEWKEY = "newkey.pem";
+my $openssl;
-my $NEWREQ = "newreq.pem";
+if(defined $ENV{OPENSSL}) {
-my $NEWCERT = "newcert.pem";
+	$openssl = $ENV{OPENSSL};
 my $NEWP12 = "newcert.p12";
 my $RET = 0;
 my $WHAT = shift @ARGV;
 my $FILE;
 # See if reason for a CRL entry is valid; exit if not.
 sub crl_reason_ok
 {
    my $r = shift;
    if ($r eq 'unspecified' || $r eq 'keyCompromise'
        || $r eq 'CACompromise' || $r eq 'affiliationChanged'
        || $r eq 'superseded' || $r eq 'cessationOfOperation'
        || $r eq 'certificateHold' || $r eq 'removeFromCRL') {
        return 1;
    }
    print STDERR "Invalid CRL reason; must be one of:\n";
    print STDERR "    unspecified, keyCompromise, CACompromise,\n";
    print STDERR "    affiliationChanged, superseded, cessationOfOperation\n";
    print STDERR "    certificateHold, removeFromCRL";
    exit 1;
 }
 # Copy a PEM-format file; return like exit status (zero means ok)
 sub copy_pemfile
 {
    my ($infile, $outfile, $bound) = @_;
    my $found = 0;
    open IN, $infile || die "Cannot open $infile, $!";
    open OUT, ">$outfile" || die "Cannot write to $outfile, $!";
    while (<IN>) {
        $found = 1 if /^-----BEGIN.*$bound/;
        print OUT $_ if $found;
        $found = 2, last if /^-----END.*$bound/;
    }
    close IN;
    close OUT;
    return $found == 2 ? 0 : 1;
 }
 # Wrapper around system; useful for debugging.  Returns just the exit status
 sub run
 {
    my $cmd = shift;
    print "====\n$cmd\n" if $verbose;
    my $status = system($cmd);
    print "==> $status\n====\n" if $verbose;
    return $status >> 8;
 }
 if ( $WHAT =~ /^(-\?|-h|-help)$/ ) {
    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
    print STDERR "       CA -pkcs12 [certname]\n";
    print STDERR "       CA -crl|-revoke cert-filename [reason]\n";
    exit 0;
 }
 if ($WHAT eq '-newcert' ) {
    # create a certificate
    $RET = run("$REQ -new -x509 -keyout $NEWKEY -out $NEWCERT $DAYS");
    print "Cert is in $NEWCERT, private key is in $NEWKEY\n" if $RET == 0;
 } elsif ($WHAT eq '-newreq' ) {
    # create a certificate request
    $RET = run("$REQ -new -keyout $NEWKEY -out $NEWREQ $DAYS");
    print "Request is in $NEWREQ, private key is in $NEWKEY\n" if $RET == 0;
 } elsif ($WHAT eq '-newreq-nodes' ) {
    # create a certificate request
    $RET = run("$REQ -new -nodes -keyout $NEWKEY -out $NEWREQ $DAYS");
    print "Request is in $NEWREQ, private key is in $NEWKEY\n" if $RET == 0;
 } elsif ($WHAT eq '-newca' ) {
    # create the directory hierarchy
    mkdir ${CATOP}, $DIRMODE;
    mkdir "${CATOP}/certs", $DIRMODE;
    mkdir "${CATOP}/crl", $DIRMODE ;
    mkdir "${CATOP}/newcerts", $DIRMODE;
    mkdir "${CATOP}/private", $DIRMODE;
    open OUT, ">${CATOP}/index.txt";
    close OUT;
    open OUT, ">${CATOP}/crlnumber";
    print OUT "01\n";
    close OUT;
    # ask user for existing CA certificate
    print "CA certificate filename (or enter to create)\n";
    $FILE = <STDIN>;
    chop $FILE if $FILE;
    if ($FILE) {
        copy_pemfile($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");
        copy_pemfile($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
    } else {
        print "Making CA certificate ...\n";
        $RET = run("$REQ -new -keyout"
                . " ${CATOP}/private/$CAKEY"
                . " -out ${CATOP}/$CAREQ");
        $RET = run("$CA -create_serial"
                . " -out ${CATOP}/$CACERT $CADAYS -batch"
                . " -keyfile ${CATOP}/private/$CAKEY -selfsign"
                . " -extensions v3_ca"
                . " -infiles ${CATOP}/$CAREQ") if $RET == 0;
        print "CA certificate is in ${CATOP}/$CACERT\n" if $RET == 0;
    }
 } elsif ($WHAT eq '-pkcs12' ) {
    my $cname = $ARGV[1];
    $cname = "My Certificate" unless defined $cname;
    $RET = run("$PKCS12 -in $NEWCERT -inkey $NEWKEY"
            . " -certfile ${CATOP}/$CACERT"
            . " -out $NEWP12"
            . " -export -name \"$cname\"");
    print "PKCS #12 file is in $NEWP12\n" if $RET == 0;
 } elsif ($WHAT eq '-xsign' ) {
    $RET = run("$CA -policy policy_anything -infiles $NEWREQ");
 } elsif ($WHAT eq '-sign' ) {
    $RET = run("$CA -policy policy_anything -out $NEWCERT -infiles $NEWREQ");
    print "Signed certificate is in $NEWCERT\n" if $RET == 0;
 } elsif ($WHAT eq '-signCA' ) {
    $RET = run("$CA -policy policy_anything -out $NEWCERT"
            . " -extensions v3_ca -infiles $NEWREQ");
    print "Signed CA certificate is in $NEWCERT\n" if $RET == 0;
 } elsif ($WHAT eq '-signcert' ) {
    $RET = run("$X509 -x509toreq -in $NEWREQ -signkey $NEWREQ"
            . " -out tmp.pem");
    $RET = run("$CA -policy policy_anything -out $NEWCERT"
            . " -infiles tmp.pem") if $RET == 0;
    print "Signed certificate is in $NEWCERT\n" if $RET == 0;
 } elsif ($WHAT eq '-verify' ) {
    my @files = @ARGV ? @ARGV : ( $NEWCERT );
    my $file;
    foreach $file (@files) {
        my $status = run("$VERIFY \"-CAfile\" ${CATOP}/$CACERT $file");
        $RET = $status if $status != 0;
    }
 } elsif ($WHAT eq '-crl' ) {
    $RET = run("$CA -gencrl -out ${CATOP}/crl/$CACRL");
    print "Generated CRL is in ${CATOP}/crl/$CACRL\n" if $RET == 0;
 } elsif ($WHAT eq '-revoke' ) {
    my $cname = $ARGV[1];
    if (!defined $cname) {
        print "Certificate filename is required; reason optional.\n";
        exit 1;
    }
    my $reason = $ARGV[2];
    $reason = " -crl_reason $reason"
        if defined $reason && crl_reason_ok($reason);
    $RET = run("$CA -revoke \"$cname\"" . $reason);
 } else {
-    print STDERR "Unknown arg \"$WHAT\"\n";
+	$openssl = "openssl";
-    print STDERR "Use -help for help.\n";
+	$ENV{OPENSSL} = $openssl;
-    exit 1;
+}
 $SSLEAY_CONFIG=$ENV{"SSLEAY_CONFIG"};
 $DAYS="-days 365";	# 1 year
 $CADAYS="-days 1095";	# 3 years
 $REQ="$openssl req $SSLEAY_CONFIG";
 $CA="$openssl ca $SSLEAY_CONFIG";
 $VERIFY="$openssl verify";
 $X509="$openssl x509";
 $PKCS12="$openssl pkcs12";
 $CATOP="./demoCA";
 $CAKEY="cakey.pem";
 $CAREQ="careq.pem";
 $CACERT="cacert.pem";
 $DIRMODE = 0777;
 $RET = 0;
 foreach (@ARGV) {
 	if ( /^(-\?|-h|-help)$/ ) {
 	    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
 	    exit 0;
 	} elsif (/^-newcert$/) {
 	    # create a certificate
 	    system ("$REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS");
 	    $RET=$?;
 	    print "Certificate is in newcert.pem, private key is in newkey.pem\n"
 	} elsif (/^-newreq$/) {
 	    # create a certificate request
 	    system ("$REQ -new -keyout newkey.pem -out newreq.pem $DAYS");
 	    $RET=$?;
 	    print "Request is in newreq.pem, private key is in newkey.pem\n";
 	} elsif (/^-newreq-nodes$/) {
 	    # create a certificate request
 	    system ("$REQ -new -nodes -keyout newkey.pem -out newreq.pem $DAYS");
 	    $RET=$?;
 	    print "Request is in newreq.pem, private key is in newkey.pem\n";
 	} elsif (/^-newca$/) {
 		# if explicitly asked for or it doesn't exist then setup the
 		# directory structure that Eric likes to manage things 
 	    $NEW="1";
 	    if ( "$NEW" || ! -f "${CATOP}/serial" ) {
 		# create the directory hierarchy
 		mkdir $CATOP, $DIRMODE;
 		mkdir "${CATOP}/certs", $DIRMODE;
 		mkdir "${CATOP}/crl", $DIRMODE ;
 		mkdir "${CATOP}/newcerts", $DIRMODE;
 		mkdir "${CATOP}/private", $DIRMODE;
 		open OUT, ">${CATOP}/index.txt";
 		close OUT;
 		open OUT, ">${CATOP}/crlnumber";
 		print OUT "01\n";
 		close OUT;
 	    }
 	    if ( ! -f "${CATOP}/private/$CAKEY" ) {
 		print "CA certificate filename (or enter to create)\n";
 		$FILE = <STDIN>;
 		chop $FILE;
 		# ask user for existing CA certificate
 		if ($FILE) {
 		    cp_pem($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");
 		    cp_pem($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
 		    $RET=$?;
 		} else {
 		    print "Making CA certificate ...\n";
 		    system ("$REQ -new -keyout " .
 			"${CATOP}/private/$CAKEY -out ${CATOP}/$CAREQ");
 		    system ("$CA -create_serial " .
 			"-out ${CATOP}/$CACERT $CADAYS -batch " . 
 			"-keyfile ${CATOP}/private/$CAKEY -selfsign " .
 			"-extensions v3_ca " .
 			"-infiles ${CATOP}/$CAREQ ");
 		    $RET=$?;
 		}
 	    }
 	} elsif (/^-pkcs12$/) {
 	    my $cname = $ARGV[1];
 	    $cname = "My Certificate" unless defined $cname;
 	    system ("$PKCS12 -in newcert.pem -inkey newkey.pem " .
 			"-certfile ${CATOP}/$CACERT -out newcert.p12 " .
 			"-export -name \"$cname\"");
 	    $RET=$?;
 	    print "PKCS #12 file is in newcert.p12\n";
 	    exit $RET;
 	} elsif (/^-xsign$/) {
 	    system ("$CA -policy policy_anything -infiles newreq.pem");
 	    $RET=$?;
 	} elsif (/^(-sign|-signreq)$/) {
 	    system ("$CA -policy policy_anything -out newcert.pem " .
 							"-infiles newreq.pem");
 	    $RET=$?;
 	    print "Signed certificate is in newcert.pem\n";
 	} elsif (/^(-signCA)$/) {
 	    system ("$CA -policy policy_anything -out newcert.pem " .
 					"-extensions v3_ca -infiles newreq.pem");
 	    $RET=$?;
 	    print "Signed CA certificate is in newcert.pem\n";
 	} elsif (/^-signcert$/) {
 	    system ("$X509 -x509toreq -in newreq.pem -signkey newreq.pem " .
 								"-out tmp.pem");
 	    system ("$CA -policy policy_anything -out newcert.pem " .
 							"-infiles tmp.pem");
 	    $RET = $?;
 	    print "Signed certificate is in newcert.pem\n";
 	} elsif (/^-verify$/) {
 	    if (shift) {
 		foreach $j (@ARGV) {
 		    system ("$VERIFY -CAfile $CATOP/$CACERT $j");
 		    $RET=$? if ($? != 0);
 		}
 		exit $RET;
 	    } else {
 		    system ("$VERIFY -CAfile $CATOP/$CACERT newcert.pem");
 		    $RET=$?;
 	    	    exit 0;
 	    }
 	} else {
 	    print STDERR "Unknown arg $_\n";
 	    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
 	    exit 1;
 	}
 }
 exit $RET;
 sub cp_pem {
 my ($infile, $outfile, $bound) = @_;
 open IN, $infile;
 open OUT, ">$outfile";
 my $flag = 0;
 while (<IN>) {
 	$flag = 1 if (/^-----BEGIN.*$bound/) ;
 	print OUT $_ if ($flag);
 	if (/^-----END.*$bound/) {
 		close IN;
 		close OUT;
 		return;
 	}
 }
 }
--- a/apps/CA.sh
+++ b/apps/CA.sh
@@ -0,0 +1,198 @@
 #!/bin/sh
 #
 # CA - wrapper around ca to make it easier to use ... basically ca requires
 #      some setup stuff to be done before you can use it and this makes
 #      things easier between now and when Eric is convinced to fix it :-)
 #
 # CA -newca ... will setup the right stuff
 # CA -newreq ... will generate a certificate request
 # CA -sign ... will sign the generated request and output
 #
 # At the end of that grab newreq.pem and newcert.pem (one has the key
 # and the other the certificate) and cat them together and that is what
 # you want/need ... I'll make even this a little cleaner later.
 #
 #
 # 12-Jan-96 tjh    Added more things ... including CA -signcert which
 #                  converts a certificate to a request and then signs it.
 # 10-Jan-96 eay    Fixed a few more bugs and added the SSLEAY_CONFIG
 #                  environment variable so this can be driven from
 #                  a script.
 # 25-Jul-96 eay    Cleaned up filenames some more.
 # 11-Jun-96 eay    Fixed a few filename missmatches.
 # 03-May-96 eay    Modified to use 'ssleay cmd' instead of 'cmd'.
 # 18-Apr-96 tjh    Original hacking
 #
 # Tim Hudson
 # tjh@cryptsoft.com
 #
 # default openssl.cnf file has setup as per the following
 # demoCA ... where everything is stored
 cp_pem() {
    infile=$1
    outfile=$2
    bound=$3
    flag=0
    exec <$infile;
    while read line; do
 	if [ $flag -eq 1 ]; then
 		echo $line|grep "^-----END.*$bound"  2>/dev/null 1>/dev/null
 		if [ $? -eq 0 ] ; then
 			echo $line >>$outfile
 			break
 		else
 			echo $line >>$outfile
 		fi
 	fi
 	echo $line|grep "^-----BEGIN.*$bound"  2>/dev/null 1>/dev/null
 	if [ $? -eq 0 ]; then
 		echo $line >$outfile
 		flag=1
 	fi
    done
 }
 usage() {
 echo "usage: $0 -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify" >&2
 }
 if [ -z "$OPENSSL" ]; then OPENSSL=openssl; fi
 if [ -z "$DAYS" ] ; then DAYS="-days 365" ; fi	# 1 year
 CADAYS="-days 1095"	# 3 years
 REQ="$OPENSSL req $SSLEAY_CONFIG"
 CA="$OPENSSL ca $SSLEAY_CONFIG"
 VERIFY="$OPENSSL verify"
 X509="$OPENSSL x509"
 PKCS12="openssl pkcs12"
 if [ -z "$CATOP" ] ; then CATOP=./demoCA ; fi
 CAKEY=./cakey.pem
 CAREQ=./careq.pem
 CACERT=./cacert.pem
 RET=0
 while [ "$1" != "" ] ; do
 case $1 in
 -\?|-h|-help)
    usage
    exit 0
    ;;
 -newcert)
    # create a certificate
    $REQ -new -x509 -keyout newkey.pem -out newcert.pem $DAYS
    RET=$?
    echo "Certificate is in newcert.pem, private key is in newkey.pem"
    ;;
 -newreq)
    # create a certificate request
    $REQ -new -keyout newkey.pem -out newreq.pem $DAYS
    RET=$?
    echo "Request is in newreq.pem, private key is in newkey.pem"
    ;;
 -newreq-nodes) 
    # create a certificate request
    $REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS
    RET=$?
    echo "Request (and private key) is in newreq.pem"
    ;;
 -newca)
    # if explicitly asked for or it doesn't exist then setup the directory
    # structure that Eric likes to manage things
    NEW="1"
    if [ "$NEW" -o ! -f ${CATOP}/serial ]; then
 	# create the directory hierarchy
 	mkdir -p ${CATOP}
 	mkdir -p ${CATOP}/certs
 	mkdir -p ${CATOP}/crl
 	mkdir -p ${CATOP}/newcerts
 	mkdir -p ${CATOP}/private
 	touch ${CATOP}/index.txt
    fi
    if [ ! -f ${CATOP}/private/$CAKEY ]; then
 	echo "CA certificate filename (or enter to create)"
 	read FILE
 	# ask user for existing CA certificate
 	if [ "$FILE" ]; then
 	    cp_pem $FILE ${CATOP}/private/$CAKEY PRIVATE
 	    cp_pem $FILE ${CATOP}/$CACERT CERTIFICATE
 	    RET=$?
 	    if [ ! -f "${CATOP}/serial" ]; then
 		$X509 -in ${CATOP}/$CACERT -noout -next_serial \
 		      -out ${CATOP}/serial
 	    fi
 	else
 	    echo "Making CA certificate ..."
 	    $REQ -new -keyout ${CATOP}/private/$CAKEY \
 			   -out ${CATOP}/$CAREQ
 	    $CA -create_serial -out ${CATOP}/$CACERT $CADAYS -batch \
 			   -keyfile ${CATOP}/private/$CAKEY -selfsign \
 			   -extensions v3_ca \
 			   -infiles ${CATOP}/$CAREQ
 	    RET=$?
 	fi
    fi
    ;;
 -xsign)
    $CA -policy policy_anything -infiles newreq.pem
    RET=$?
    ;;
 -pkcs12)
    if [ -z "$2" ] ; then
 	CNAME="My Certificate"
    else
 	CNAME="$2"
    fi
    $PKCS12 -in newcert.pem -inkey newreq.pem -certfile ${CATOP}/$CACERT \
 	    -out newcert.p12 -export -name "$CNAME"
    RET=$?
    exit $RET
    ;;
 -sign|-signreq)
    $CA -policy policy_anything -out newcert.pem -infiles newreq.pem
    RET=$?
    cat newcert.pem
    echo "Signed certificate is in newcert.pem"
    ;;
 -signCA)
    $CA -policy policy_anything -out newcert.pem -extensions v3_ca -infiles newreq.pem
    RET=$?
    echo "Signed CA certificate is in newcert.pem"
    ;;
 -signcert)
    echo "Cert passphrase will be requested twice - bug?"
    $X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
    $CA -policy policy_anything -out newcert.pem -infiles tmp.pem
    RET=$?
    cat newcert.pem
    echo "Signed certificate is in newcert.pem"
    ;;
 -verify)
    shift
    if [ -z "$1" ]; then
 	    $VERIFY -CAfile $CATOP/$CACERT newcert.pem
 	    RET=$?
    else
 	for j
 	do
 	    $VERIFY -CAfile $CATOP/$CACERT $j
 	    if [ $? != 0 ]; then
 		    RET=$?
 	    fi
 	done
    fi
    exit $RET
    ;;
 *)
    echo "Unknown arg $i" >&2
    usage
    exit 1
    ;;
 esac
 shift
 done
 exit $RET
--- a/apps/Makefile
+++ b/apps/Makefile
--- a/apps/Makefile.in
+++ b/apps/Makefile.in
@@ -1,154 +0,0 @@
 #
 #  apps/Makefile
 #
 DIR=		apps
 TOP=		..
 CC=		cc
 INCLUDES=	-I$(TOP) -I../crypto -I../include
 CFLAG=		-g -static -Wswitch
 MAKEFILE=	Makefile
 PERL=		perl
 RM=		rm -f
 PEX_LIBS=
 EX_LIBS= 
 EXE_EXT= 
 SHLIB_TARGET=
 CFLAGS= $(INCLUDES) $(CFLAG)
 GENERAL=Makefile makeapps.com install.com
 DLIBCRYPTO=../libcrypto.a
 DLIBSSL=../libssl.a
 LIBCRYPTO=-L.. -lcrypto
 LIBSSL=-L.. -lssl
 SCRIPTS=CA.pl tsget
 EXE= openssl$(EXE_EXT)
 COMMANDS= \
 	asn1pars.o ca.o ciphers.o cms.o crl.o crl2p7.o dgst.o dhparam.o \
 	dsa.o dsaparam.o ec.o ecparam.o enc.o engine.o errstr.o gendsa.o \
 	genpkey.o genrsa.o nseq.o ocsp.o passwd.o pkcs12.o pkcs7.o pkcs8.o \
 	pkey.o pkeyparam.o pkeyutl.o prime.o rand.o req.o rsa.o rsautl.o \
 	s_client.o s_server.o s_time.o sess_id.o smime.o speed.o spkac.o \
 	srp.o ts.o verify.o version.o x509.o rehash.o
 EXTRA_OBJ=apps.o opt.o s_cb.o s_socket.o
 EXTRA_SRC=apps.c opt.c s_cb.c s_socket.c
 RAND_OBJ=app_rand.o
 RAND_SRC=app_rand.c
 OBJ	= $(COMMANDS)
 SRC	= \
 	asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c dgst.c dhparam.c \
 	dsa.c dsaparam.c ec.c ecparam.c enc.c engine.c errstr.c gendsa.c \
 	genpkey.c genrsa.c nseq.c ocsp.c passwd.c pkcs12.c pkcs7.c pkcs8.c \
 	pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c rsa.c rsautl.c \
 	s_client.c s_server.c s_time.c sess_id.c smime.c speed.c spkac.c \
 	srp.c ts.c verify.c version.c x509.c
 EXE_OBJ	= openssl.o $(OBJ) $(EXTRA_OBJ) $(RAND_OBJ)
 EXE_SRC = openssl.c $(SRC) $(EXTRA_SRC) $(RAND_SRC)
 HEADER=	apps.h progs.h s_apps.h \
 	testdsa.h testrsa.h timeouts.h
 ALL=    $(GENERAL) $(EXE_SRC) $(HEADER)
 top:
 	@(cd ..; $(MAKE) DIRS=$(DIR) all)
 all:	exe
 exe:	$(EXE)
 openssl-vms.cnf: openssl.cnf
 	$(PERL) $(TOP)/VMS/VMSify-conf.pl < openssl.cnf > openssl-vms.cnf
 files:
 	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
 install:
 	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
 	@set -e; for i in $(EXE); \
 	do  \
 	(echo installing $$i; \
 	 cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
 	 chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
 	 mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
 	 done;
 	@set -e; for i in $(SCRIPTS); \
 	do  \
 	(echo installing $$i; \
 	 cp $$i $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
 	 chmod 755 $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
 	 mv -f $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i ); \
 	 done
 	@cp openssl.cnf $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \
 	chmod 644 $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \
 	mv -f  $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf
 uninstall:
 	@set -e; for i in $(EXE); \
 	do  \
 		echo $(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
 		$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
 	done;
 	@set -e; for i in $(SCRIPTS); \
 	do  \
 		echo $(RM) $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i; \
 		$(RM) $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i; \
 	done
 	$(RM) $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf
 tags:
 	ctags $(EXE_SRC) $(HEADER)
 tests:
 lint:
 	echo nope >fluff
 update: openssl-vms.cnf local_depend
 depend: local_depend
 	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
 local_depend:
 	@[ -z "$(THIS)" ] || $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(EXE_SRC)
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
 	mv -f Makefile.new $(MAKEFILE)
 clean:
 	rm -f *.o *.obj *.dll lib tags core .pure .nfs* *.old *.bak fluff $(EXE)
 	rm -f req
 $(DLIBSSL):
 	(cd ..; $(MAKE) build_libssl)
 $(DLIBCRYPTO):
 	(cd ..; $(MAKE) build_libcrypto)
 $(EXE): progs.h $(EXE_OBJ) $(DLIBCRYPTO) $(DLIBSSL)
 	$(RM) $(EXE)
 	shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
 		shlib_target="$(SHLIB_TARGET)"; \
 	fi; \
 	LIBRARIES="$(LIBSSL) $(LIBCRYPTO)" ; \
 	$(MAKE) -f $(TOP)/Makefile.shared -e \
 		APPNAME=$(EXE) OBJECTS="$(EXE_OBJ)" \
 		LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \
 		link_app.$${shlib_target}
 progs.h: progs.pl Makefile
 	$(RM) progs.h
 	$(PERL) progs.pl $(COMMANDS) >progs.h
 	$(RM) openssl.o
 # DO NOT DELETE THIS LINE -- make depend depends on it.
--- a/apps/app_rand.c
+++ b/apps/app_rand.c
@@ -1,24 +1,25 @@
 /* apps/app_rand.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
- *
+ * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
- *
+ * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@@ -33,10 +34,10 @@
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -48,7 +49,7 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
+ * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
@@ -62,7 +63,7 @@
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
+ *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
@@ -108,107 +109,110 @@
 *
 */
 #define NON_MAIN
 #include "apps.h"
 #undef NON_MAIN
 #include <openssl/bio.h>
 #include <openssl/rand.h>
 static int seeded = 0;
 static int egdsocket = 0;
-int app_RAND_load_file(const char *file, int dont_warn)
+int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn)
-{
+	{
-    int consider_randfile = (file == NULL);
+	int consider_randfile = (file == NULL);
-    char buffer[200];
+	char buffer[200];
-
+	
 #ifdef OPENSSL_SYS_WINDOWS
-    RAND_screen();
+	BIO_printf(bio_e,"Loading 'screen' into random state -");
 	BIO_flush(bio_e);
 	RAND_screen();
 	BIO_printf(bio_e," done\n");
 #endif
-    if (file == NULL)
+	if (file == NULL)
-        file = RAND_file_name(buffer, sizeof buffer);
+		file = RAND_file_name(buffer, sizeof buffer);
-    else if (RAND_egd(file) > 0) {
+	else if (RAND_egd(file) > 0)
-        /*
+		{
-         * we try if the given filename is an EGD socket. if it is, we don't
+		/* we try if the given filename is an EGD socket.
-         * write anything back to the file.
+		   if it is, we don't write anything back to the file. */
-         */
+		egdsocket = 1;
-        egdsocket = 1;
+		return 1;
-        return 1;
+		}
-    }
+	if (file == NULL || !RAND_load_file(file, -1))
-    if (file == NULL || !RAND_load_file(file, -1)) {
+		{
-        if (RAND_status() == 0) {
+		if (RAND_status() == 0)
-            if (!dont_warn) {
+			{
-                BIO_printf(bio_err, "unable to load 'random state'\n");
+			if (!dont_warn)
-                BIO_printf(bio_err,
+				{
-                           "This means that the random number generator has not been seeded\n");
+				BIO_printf(bio_e,"unable to load 'random state'\n");
-                BIO_printf(bio_err, "with much random data.\n");
+				BIO_printf(bio_e,"This means that the random number generator has not been seeded\n");
-                if (consider_randfile) { /* explanation does not apply when a
+				BIO_printf(bio_e,"with much random data.\n");
-                                          * file is explicitly named */
+				if (consider_randfile) /* explanation does not apply when a file is explicitly named */
-                    BIO_printf(bio_err,
+					{
-                               "Consider setting the RANDFILE environment variable to point at a file that\n");
+					BIO_printf(bio_e,"Consider setting the RANDFILE environment variable to point at a file that\n");
-                    BIO_printf(bio_err,
+					BIO_printf(bio_e,"'random' data can be kept in (the file will be overwritten).\n");
-                               "'random' data can be kept in (the file will be overwritten).\n");
+					}
-                }
+				}
-            }
+			return 0;
-            return 0;
+			}
-        }
+		}
-    }
+	seeded = 1;
-    seeded = 1;
+	return 1;
-    return 1;
+	}
 }
 long app_RAND_load_files(char *name)
-{
+	{
-    char *p, *n;
+	char *p,*n;
-    int last;
+	int last;
-    long tot = 0;
+	long tot=0;
-    int egd;
+	int egd;
 	for (;;)
 		{
 		last=0;
 		for (p=name; ((*p != '\0') && (*p != LIST_SEPARATOR_CHAR)); p++);
 		if (*p == '\0') last=1;
 		*p='\0';
 		n=name;
 		name=p+1;
 		if (*n == '\0') break;
-    for (;;) {
+		egd=RAND_egd(n);
-        last = 0;
+		if (egd > 0)
-        for (p = name; ((*p != '\0') && (*p != LIST_SEPARATOR_CHAR)); p++) ;
+			tot+=egd;
-        if (*p == '\0')
+		else
-            last = 1;
+			tot+=RAND_load_file(n,-1);
-        *p = '\0';
+		if (last) break;
-        n = name;
+		}
-        name = p + 1;
+	if (tot > 512)
-        if (*n == '\0')
+		app_RAND_allow_write_file();
-            break;
+	return(tot);
 	}
-        egd = RAND_egd(n);
+int app_RAND_write_file(const char *file, BIO *bio_e)
-        if (egd > 0)
+	{
-            tot += egd;
+	char buffer[200];
-        else
+	
-            tot += RAND_load_file(n, -1);
+	if (egdsocket || !seeded)
-        if (last)
+		/* If we did not manage to read the seed file,
-            break;
+		 * we should not write a low-entropy seed file back --
-    }
+		 * it would suppress a crucial warning the next time
-    if (tot > 512)
+		 * we want to use it. */
-        app_RAND_allow_write_file();
+		return 0;
    return (tot);
 }
-int app_RAND_write_file(const char *file)
+	if (file == NULL)
-{
+		file = RAND_file_name(buffer, sizeof buffer);
-    char buffer[200];
+	if (file == NULL || !RAND_write_file(file))
-
+		{
-    if (egdsocket || !seeded)
+		BIO_printf(bio_e,"unable to write 'random state'\n");
-        /*
+		return 0;
-         * If we did not manage to read the seed file, we should not write a
+		}
-         * low-entropy seed file back -- it would suppress a crucial warning
+	return 1;
-         * the next time we want to use it.
+	}
         */
        return 0;
    if (file == NULL)
        file = RAND_file_name(buffer, sizeof buffer);
    if (file == NULL || !RAND_write_file(file)) {
        BIO_printf(bio_err, "unable to write 'random state'\n");
        return 0;
    }
    return 1;
 }
 void app_RAND_allow_write_file(void)
-{
+	{
-    seeded = 1;
+	seeded = 1;
-}
+	}
--- a/apps/apps.c
+++ b/apps/apps.c
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -5,21 +5,21 @@
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
- *
+ * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
- *
+ * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@@ -34,10 +34,10 @@
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,7 +49,7 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
+ * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
@@ -63,7 +63,7 @@
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
+ *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
@@ -110,484 +110,263 @@
 */
 #ifndef HEADER_APPS_H
-# define HEADER_APPS_H
+#define HEADER_APPS_H
-# include "e_os.h"
+#include "e_os.h"
 # include <assert.h>
-# include <openssl/e_os2.h>
+#include <openssl/bio.h>
-# include <openssl/ossl_typ.h>
+#include <openssl/x509.h>
-# include <openssl/bio.h>
+#include <openssl/lhash.h>
-# include <openssl/x509.h>
+#include <openssl/conf.h>
-# include <openssl/lhash.h>
+#include <openssl/txt_db.h>
-# include <openssl/conf.h>
+#ifndef OPENSSL_NO_ENGINE
-# include <openssl/txt_db.h>
+#include <openssl/engine.h>
-# ifndef OPENSSL_NO_ENGINE
+#endif
-#  include <openssl/engine.h>
+#ifndef OPENSSL_NO_OCSP
-# endif
+#include <openssl/ocsp.h>
-# ifndef OPENSSL_NO_OCSP
+#endif
-#  include <openssl/ocsp.h>
+#include <openssl/ossl_typ.h>
 # endif
 # include <openssl/ossl_typ.h>
 # ifndef OPENSSL_SYS_NETWARE
 #  include <signal.h>
 # endif
-# if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WINCE)
+int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn);
-#  define openssl_fdset(a,b) FD_SET((unsigned int)a, b)
+int app_RAND_write_file(const char *file, BIO *bio_e);
-# else
+/* When `file' is NULL, use defaults.
-#  define openssl_fdset(a,b) FD_SET(a, b)
+ * `bio_e' is for error messages. */
 # endif
 int app_RAND_load_file(const char *file, int dont_warn);
 int app_RAND_write_file(const char *file);
 /*
 * When `file' is NULL, use defaults. `bio_e' is for error messages.
 */
 void app_RAND_allow_write_file(void);
 long app_RAND_load_files(char *file); /* `file' is a list of files to read,
                                       * separated by LIST_SEPARATOR_CHAR
                                       * (see e_os.h).  The string is
                                       * destroyed! */
-extern char *default_config_file;
+#ifndef MONOLITH
-extern BIO *bio_in;
+
-extern BIO *bio_out;
+#define MAIN(a,v)	main(a,v)
 #ifndef NON_MAIN
 CONF *config=NULL;
 BIO *bio_err=NULL;
 #else
 extern CONF *config;
 extern BIO *bio_err;
 BIO *dup_bio_in(int format);
 BIO *dup_bio_out(int format);
 BIO *bio_open_owner(const char *filename, int format, int private);
 BIO *bio_open_default(const char *filename, char mode, int format);
 BIO *bio_open_default_quiet(const char *filename, char mode, int format);
 CONF *app_load_config(const char *filename);
 CONF *app_load_config_quiet(const char *filename);
 int app_load_modules(const CONF *config);
 void unbuffer(FILE *fp);
 void wait_for_async(SSL *s);
 /*
 * Common verification options.
 */
 # define OPT_V_ENUM \
        OPT_V__FIRST=2000, \
        OPT_V_POLICY, OPT_V_PURPOSE, OPT_V_VERIFY_NAME, OPT_V_VERIFY_DEPTH, \
        OPT_V_ATTIME, OPT_V_VERIFY_HOSTNAME, OPT_V_VERIFY_EMAIL, \
        OPT_V_VERIFY_IP, OPT_V_IGNORE_CRITICAL, OPT_V_ISSUER_CHECKS, \
        OPT_V_CRL_CHECK, OPT_V_CRL_CHECK_ALL, OPT_V_POLICY_CHECK, \
        OPT_V_EXPLICIT_POLICY, OPT_V_INHIBIT_ANY, OPT_V_INHIBIT_MAP, \
        OPT_V_X509_STRICT, OPT_V_EXTENDED_CRL, OPT_V_USE_DELTAS, \
        OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST, \
        OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, \
        OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, OPT_V_NO_CHECK_TIME, \
        OPT_V__LAST
 # define OPT_V_OPTIONS \
        { "policy", OPT_V_POLICY, 's' }, \
        { "purpose", OPT_V_PURPOSE, 's' }, \
        { "verify_name", OPT_V_VERIFY_NAME, 's' }, \
        { "verify_depth", OPT_V_VERIFY_DEPTH, 'p' }, \
        { "attime", OPT_V_ATTIME, 'M' }, \
        { "verify_hostname", OPT_V_VERIFY_HOSTNAME, 's' }, \
        { "verify_email", OPT_V_VERIFY_EMAIL, 's' }, \
        { "verify_ip", OPT_V_VERIFY_IP, 's' }, \
        { "ignore_critical", OPT_V_IGNORE_CRITICAL, '-' }, \
        { "issuer_checks", OPT_V_ISSUER_CHECKS, '-' }, \
        { "crl_check", OPT_V_CRL_CHECK, '-', "Check that peer cert has not been revoked" }, \
        { "crl_check_all", OPT_V_CRL_CHECK_ALL, '-', "Also check all certs in the chain" }, \
        { "policy_check", OPT_V_POLICY_CHECK, '-' }, \
        { "explicit_policy", OPT_V_EXPLICIT_POLICY, '-' }, \
        { "inhibit_any", OPT_V_INHIBIT_ANY, '-' }, \
        { "inhibit_map", OPT_V_INHIBIT_MAP, '-' }, \
        { "x509_strict", OPT_V_X509_STRICT, '-' }, \
        { "extended_crl", OPT_V_EXTENDED_CRL, '-' }, \
        { "use_deltas", OPT_V_USE_DELTAS, '-' }, \
        { "policy_print", OPT_V_POLICY_PRINT, '-' }, \
        { "check_ss_sig", OPT_V_CHECK_SS_SIG, '-' }, \
        { "trusted_first", OPT_V_TRUSTED_FIRST, '-', "Use locally-trusted CA's first in building chain" }, \
        { "suiteB_128_only", OPT_V_SUITEB_128_ONLY, '-' }, \
        { "suiteB_128", OPT_V_SUITEB_128, '-' }, \
        { "suiteB_192", OPT_V_SUITEB_192, '-' }, \
        { "partial_chain", OPT_V_PARTIAL_CHAIN, '-' }, \
        { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "Only use the first cert chain found" }, \
        { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "Do not check validity against current time" }
 # define OPT_V_CASES \
        OPT_V__FIRST: case OPT_V__LAST: break; \
        case OPT_V_POLICY: \
        case OPT_V_PURPOSE: \
        case OPT_V_VERIFY_NAME: \
        case OPT_V_VERIFY_DEPTH: \
        case OPT_V_ATTIME: \
        case OPT_V_VERIFY_HOSTNAME: \
        case OPT_V_VERIFY_EMAIL: \
        case OPT_V_VERIFY_IP: \
        case OPT_V_IGNORE_CRITICAL: \
        case OPT_V_ISSUER_CHECKS: \
        case OPT_V_CRL_CHECK: \
        case OPT_V_CRL_CHECK_ALL: \
        case OPT_V_POLICY_CHECK: \
        case OPT_V_EXPLICIT_POLICY: \
        case OPT_V_INHIBIT_ANY: \
        case OPT_V_INHIBIT_MAP: \
        case OPT_V_X509_STRICT: \
        case OPT_V_EXTENDED_CRL: \
        case OPT_V_USE_DELTAS: \
        case OPT_V_POLICY_PRINT: \
        case OPT_V_CHECK_SS_SIG: \
        case OPT_V_TRUSTED_FIRST: \
        case OPT_V_SUITEB_128_ONLY: \
        case OPT_V_SUITEB_128: \
        case OPT_V_SUITEB_192: \
        case OPT_V_PARTIAL_CHAIN: \
        case OPT_V_NO_ALT_CHAINS: \
        case OPT_V_NO_CHECK_TIME
 /*
 * Common "extended"? options.
 */
 # define OPT_X_ENUM \
        OPT_X__FIRST=1000, \
        OPT_X_KEY, OPT_X_CERT, OPT_X_CHAIN, OPT_X_CHAIN_BUILD, \
        OPT_X_CERTFORM, OPT_X_KEYFORM, \
        OPT_X__LAST
 # define OPT_X_OPTIONS \
        { "xkey", OPT_X_KEY, '<' }, \
        { "xcert", OPT_X_CERT, '<' }, \
        { "xchain", OPT_X_CHAIN, '<' }, \
        { "xchain_build", OPT_X_CHAIN_BUILD, '-' }, \
        { "xcertform", OPT_X_CERTFORM, 'F' }, \
        { "xkeyform", OPT_X_KEYFORM, 'F' }
 # define OPT_X_CASES \
        OPT_X__FIRST: case OPT_X__LAST: break; \
        case OPT_X_KEY: \
        case OPT_X_CERT: \
        case OPT_X_CHAIN: \
        case OPT_X_CHAIN_BUILD: \
        case OPT_X_CERTFORM: \
        case OPT_X_KEYFORM
 /*
 * Common SSL options.
 * Any changes here must be coordinated with ../ssl/ssl_conf.c
 */
 # define OPT_S_ENUM \
        OPT_S__FIRST=3000, \
        OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1, OPT_S_NOTLS1_2, \
        OPT_S_BUGS, OPT_S_NOCOMP, OPT_S_ECDHSINGLE, OPT_S_NOTICKET, \
        OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_LEGACYCONN, \
        OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_STRICT, OPT_S_SIGALGS, \
        OPT_S_CLIENTSIGALGS, OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, \
        OPT_S_DHPARAM, OPT_S_DEBUGBROKE, \
        OPT_S__LAST
 # define OPT_S_OPTIONS \
        {"no_ssl3", OPT_S_NOSSL3, '-' }, \
        {"no_tls1", OPT_S_NOTLS1, '-' }, \
        {"no_tls1_1", OPT_S_NOTLS1_1, '-' }, \
        {"no_tls1_2", OPT_S_NOTLS1_2, '-' }, \
        {"bugs", OPT_S_BUGS, '-' }, \
        {"no_comp", OPT_S_NOCOMP, '-', "Don't use SSL/TLS-level compression" }, \
        {"ecdh_single", OPT_S_ECDHSINGLE, '-' }, \
        {"no_ticket", OPT_S_NOTICKET, '-' }, \
        {"serverpref", OPT_S_SERVERPREF, '-' }, \
        {"legacy_renegotiation", OPT_S_LEGACYRENEG, '-' }, \
        {"legacy_server_connect", OPT_S_LEGACYCONN, '-' }, \
        {"no_resumption_on_reneg", OPT_S_ONRESUMP, '-' }, \
        {"no_legacy_server_connect", OPT_S_NOLEGACYCONN, '-' }, \
        {"strict", OPT_S_STRICT, '-' }, \
        {"sigalgs", OPT_S_SIGALGS, 's', \
            "Signature algorithms to support (colon-separated list)" }, \
        {"client_sigalgs", OPT_S_CLIENTSIGALGS, 's', \
            "Signature algorithms to support for client certificate" \
            " authentication (colon-separated list)" }, \
        {"curves", OPT_S_CURVES, 's', \
            "Elliptic curves to advertise (colon-separated list)" }, \
        {"named_curve", OPT_S_NAMEDCURVE, 's', \
            "Elliptic curve used for ECDHE (server-side only)" }, \
        {"cipher", OPT_S_CIPHER, 's', }, \
        {"dhparam", OPT_S_DHPARAM, '<' }, \
        {"debug_broken_protocol", OPT_S_DEBUGBROKE, '-' }
 # define OPT_S_CASES \
        OPT_S__FIRST: case OPT_S__LAST: break; \
        case OPT_S_NOSSL3: \
        case OPT_S_NOTLS1: \
        case OPT_S_NOTLS1_1: \
        case OPT_S_NOTLS1_2: \
        case OPT_S_BUGS: \
        case OPT_S_NOCOMP: \
        case OPT_S_ECDHSINGLE: \
        case OPT_S_NOTICKET: \
        case OPT_S_SERVERPREF: \
        case OPT_S_LEGACYRENEG: \
        case OPT_S_LEGACYCONN: \
        case OPT_S_ONRESUMP: \
        case OPT_S_NOLEGACYCONN: \
        case OPT_S_STRICT: \
        case OPT_S_SIGALGS: \
        case OPT_S_CLIENTSIGALGS: \
        case OPT_S_CURVES: \
        case OPT_S_NAMEDCURVE: \
        case OPT_S_CIPHER: \
        case OPT_S_DHPARAM: \
        case OPT_S_DEBUGBROKE
 /*
 * Option parsing.
 */
 extern const char OPT_HELP_STR[];
 extern const char OPT_MORE_STR[];
 typedef struct options_st {
    const char *name;
    int retval;
    /*
     * value type: - no value (also the value zero), n number, p positive
     * number, u unsigned, s string, < input file, > output file, f der/pem
     * format, F any format identifier.  n and u include zero; p does not.
     */
    int valtype;
    const char *helpstr;
 } OPTIONS;
 /*
 * A string/int pairing; widely use for option value lookup, hence the
 * name OPT_PAIR. But that name is misleading in s_cb.c, so we also use
 * the "generic" name STRINT_PAIR.
 */
 typedef struct string_int_pair_st {
    const char *name;
    int retval;
 } OPT_PAIR, STRINT_PAIR;
 /* Flags to pass into opt_format; see FORMAT_xxx, below. */
 # define OPT_FMT_PEMDER          (1L <<  1)
 # define OPT_FMT_PKCS12          (1L <<  2)
 # define OPT_FMT_SMIME           (1L <<  3)
 # define OPT_FMT_ENGINE          (1L <<  4)
 # define OPT_FMT_MSBLOB          (1L <<  5)
 # define OPT_FMT_NETSCAPE        (1L <<  6)
 # define OPT_FMT_NSS             (1L <<  7)
 # define OPT_FMT_TEXT            (1L <<  8)
 # define OPT_FMT_HTTP            (1L <<  9)
 # define OPT_FMT_PVK             (1L << 10)
 # define OPT_FMT_ANY     ( \
        OPT_FMT_PEMDER | OPT_FMT_PKCS12 | OPT_FMT_SMIME | \
        OPT_FMT_ENGINE | OPT_FMT_MSBLOB | OPT_FMT_NETSCAPE | \
        OPT_FMT_NSS | OPT_FMT_TEXT | OPT_FMT_HTTP | OPT_FMT_PVK)
 char *opt_progname(const char *argv0);
 char *opt_getprog(void);
 char *opt_init(int ac, char **av, const OPTIONS * o);
 int opt_next();
 int opt_format(const char *s, unsigned long flags, int *result);
 int opt_int(const char *arg, int *result);
 int opt_ulong(const char *arg, unsigned long *result);
 int opt_long(const char *arg, long *result);
 #if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L && \
    defined(INTMAX_MAX) && defined(UINTMAX_MAX)
 int opt_imax(const char *arg, intmax_t *result);
 int opt_umax(const char *arg, uintmax_t *result);
 #endif
 int opt_pair(const char *arg, const OPT_PAIR * pairs, int *result);
 int opt_cipher(const char *name, const EVP_CIPHER **cipherp);
 int opt_md(const char *name, const EVP_MD **mdp);
 char *opt_arg(void);
 char *opt_flag(void);
 char *opt_unknown(void);
 char *opt_reset(void);
 char **opt_rest(void);
 int opt_num_rest(void);
 int opt_verify(int i, X509_VERIFY_PARAM *vpm);
 void opt_help(const OPTIONS * list);
 int opt_format_error(const char *s, unsigned long flags);
 int opt_next(void);
-typedef struct args_st {
+#else
    int size;
    int argc;
    char **argv;
 } ARGS;
-# define PW_MIN_LENGTH 4
+#define MAIN(a,v)	PROG(a,v)
-typedef struct pw_cb_data {
+extern CONF *config;
-    const void *password;
+extern char *default_config_file;
-    const char *prompt_info;
+extern BIO *bio_err;
 } PW_CB_DATA;
-int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_data);
+#endif
 #ifndef OPENSSL_SYS_NETWARE
 #include <signal.h>
 #endif
 #ifdef SIGPIPE
 #define do_pipe_sig()	signal(SIGPIPE,SIG_IGN)
 #else
 #define do_pipe_sig()
 #endif
 #ifdef OPENSSL_NO_COMP
 #define zlib_cleanup() 
 #else
 #define zlib_cleanup() COMP_zlib_cleanup()
 #endif
 #if defined(MONOLITH) && !defined(OPENSSL_C)
 #  define apps_startup() \
 		do_pipe_sig()
 #  define apps_shutdown()
 #else
 #  ifndef OPENSSL_NO_ENGINE
 #    define apps_startup() \
 			do { do_pipe_sig(); CRYPTO_malloc_init(); \
 			ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \
 			ENGINE_load_builtin_engines(); setup_ui_method(); } while(0)
 #    define apps_shutdown() \
 			do { CONF_modules_unload(1); destroy_ui_method(); \
 			OBJ_cleanup(); EVP_cleanup(); ENGINE_cleanup(); \
 			CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); \
 			ERR_free_strings(); zlib_cleanup();} while(0)
 #  else
 #    define apps_startup() \
 			do { do_pipe_sig(); CRYPTO_malloc_init(); \
 			ERR_load_crypto_strings(); OpenSSL_add_all_algorithms(); \
 			setup_ui_method(); } while(0)
 #    define apps_shutdown() \
 			do { CONF_modules_unload(1); destroy_ui_method(); \
 			OBJ_cleanup(); EVP_cleanup(); \
 			CRYPTO_cleanup_all_ex_data(); ERR_remove_thread_state(NULL); \
 			ERR_free_strings(); zlib_cleanup(); } while(0)
 #  endif
 #endif
 #ifdef OPENSSL_SYSNAME_WIN32
 #  define openssl_fdset(a,b) FD_SET((unsigned int)a, b)
 #else
 #  define openssl_fdset(a,b) FD_SET(a, b)
 #endif
 typedef struct args_st
 	{
 	char **data;
 	int count;
 	} ARGS;
 #define PW_MIN_LENGTH 4
 typedef struct pw_cb_data
 	{
 	const void *password;
 	const char *prompt_info;
 	} PW_CB_DATA;
 int password_callback(char *buf, int bufsiz, int verify,
 	PW_CB_DATA *cb_data);
 int setup_ui_method(void);
 void destroy_ui_method(void);
-int chopup_args(ARGS *arg, char *buf);
+int should_retry(int i);
-# ifdef HEADER_X509_H
+int args_from_file(char *file, int *argc, char **argv[]);
 int str2fmt(char *s);
 void program_name(char *in,char *out,int size);
 int chopup_args(ARGS *arg,char *buf, int *argc, char **argv[]);
 #ifdef HEADER_X509_H
 int dump_cert_text(BIO *out, X509 *x);
-void print_name(BIO *out, const char *title, X509_NAME *nm,
+void print_name(BIO *out, const char *title, X509_NAME *nm, unsigned long lflags);
-                unsigned long lflags);
+#endif
 # endif
 void print_bignum_var(BIO *, BIGNUM *, const char*, int, unsigned char *);
 void print_array(BIO *, const char *, int, const unsigned char *);
 int set_cert_ex(unsigned long *flags, const char *arg);
 int set_name_ex(unsigned long *flags, const char *arg);
 int set_ext_copy(int *copy_type, const char *arg);
 int copy_extensions(X509 *x, X509_REQ *req, int copy_type);
-int app_passwd(char *arg1, char *arg2, char **pass1, char **pass2);
+int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2);
-int add_oid_section(CONF *conf);
+int add_oid_section(BIO *err, CONF *conf);
-X509 *load_cert(const char *file, int format,
+X509 *load_cert(BIO *err, const char *file, int format,
-                const char *pass, ENGINE *e, const char *cert_descrip);
+	const char *pass, ENGINE *e, const char *cert_descrip);
-X509_CRL *load_crl(const char *infile, int format);
+EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
-int load_cert_crl_http(const char *url, X509 **pcert, X509_CRL **pcrl);
+	const char *pass, ENGINE *e, const char *key_descrip);
-EVP_PKEY *load_key(const char *file, int format, int maybe_stdin,
+EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
-                   const char *pass, ENGINE *e, const char *key_descrip);
+	const char *pass, ENGINE *e, const char *key_descrip);
-EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
+STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
-                      const char *pass, ENGINE *e, const char *key_descrip);
+	const char *pass, ENGINE *e, const char *cert_descrip);
-STACK_OF(X509) *load_certs(const char *file, int format,
+STACK_OF(X509_CRL) *load_crls(BIO *err, const char *file, int format,
-                           const char *pass, ENGINE *e,
+	const char *pass, ENGINE *e, const char *cert_descrip);
-                           const char *cert_descrip);
+X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath);
-STACK_OF(X509_CRL) *load_crls(const char *file, int format,
+#ifndef OPENSSL_NO_ENGINE
-                              const char *pass, ENGINE *e,
+ENGINE *setup_engine(BIO *err, const char *engine, int debug);
-                              const char *cert_descrip);
+#endif
-X509_STORE *setup_verify(char *CAfile, char *CApath,
+
-                         int noCAfile, int noCApath);
+#ifndef OPENSSL_NO_OCSP
-int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile,
+OCSP_RESPONSE *process_responder(BIO *err, OCSP_REQUEST *req,
-                             const char *CApath, int noCAfile, int noCApath);
+			char *host, char *path, char *port, int use_ssl,
-# ifdef OPENSSL_NO_ENGINE
+			STACK_OF(CONF_VALUE) *headers,
-#  define setup_engine(engine, debug) NULL
+			int req_timeout);
-# else
+#endif
-ENGINE *setup_engine(const char *engine, int debug);
+
-# endif
+int load_config(BIO *err, CONF *cnf);
-# ifndef OPENSSL_NO_OCSP
+char *make_config_name(void);
 OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
                                 const char *host, const char *path,
                                 const char *port, int use_ssl,
                                 STACK_OF(CONF_VALUE) *headers,
                                 int req_timeout);
 # endif
 /* Functions defined in ca.c and also used in ocsp.c */
 int unpack_revinfo(ASN1_TIME **prevtm, int *preason, ASN1_OBJECT **phold,
-                   ASN1_GENERALIZEDTIME **pinvtm, const char *str);
+			ASN1_GENERALIZEDTIME **pinvtm, const char *str);
-# define DB_type         0
+#define DB_type         0
-# define DB_exp_date     1
+#define DB_exp_date     1
-# define DB_rev_date     2
+#define DB_rev_date     2
-# define DB_serial       3      /* index - unique */
+#define DB_serial       3       /* index - unique */
-# define DB_file         4
+#define DB_file         4       
-# define DB_name         5      /* index - unique when active and not
+#define DB_name         5       /* index - unique when active and not disabled */
-                                 * disabled */
+#define DB_NUMBER       6
 # define DB_NUMBER       6
-# define DB_TYPE_REV     'R'
+#define DB_TYPE_REV	'R'
-# define DB_TYPE_EXP     'E'
+#define DB_TYPE_EXP	'E'
-# define DB_TYPE_VAL     'V'
+#define DB_TYPE_VAL	'V'
-typedef struct db_attr_st {
+typedef struct db_attr_st
-    int unique_subject;
+	{
-} DB_ATTR;
+	int unique_subject;
-typedef struct ca_db_st {
+	} DB_ATTR;
-    DB_ATTR attributes;
+typedef struct ca_db_st
-    TXT_DB *db;
+	{
-} CA_DB;
+	DB_ATTR attributes;
 	TXT_DB *db;
 	} CA_DB;
 void* app_malloc(int sz, const char *what);
 BIGNUM *load_serial(char *serialfile, int create, ASN1_INTEGER **retai);
-int save_serial(char *serialfile, char *suffix, BIGNUM *serial,
+int save_serial(char *serialfile, char *suffix, BIGNUM *serial, ASN1_INTEGER **retai);
                ASN1_INTEGER **retai);
 int rotate_serial(char *serialfile, char *new_suffix, char *old_suffix);
 int rand_serial(BIGNUM *b, ASN1_INTEGER *ai);
 CA_DB *load_index(char *dbfile, DB_ATTR *dbattr);
 int index_index(CA_DB *db);
 int save_index(const char *dbfile, const char *suffix, CA_DB *db);
-int rotate_index(const char *dbfile, const char *new_suffix,
+int rotate_index(const char *dbfile, const char *new_suffix, const char *old_suffix);
                 const char *old_suffix);
 void free_index(CA_DB *db);
-# define index_name_cmp_noconst(a, b) \
+#define index_name_cmp_noconst(a, b) \
-        index_name_cmp((const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, a), \
+	index_name_cmp((const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, a), \
-        (const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, b))
+	(const OPENSSL_CSTRING *)CHECKED_PTR_OF(OPENSSL_STRING, b))
 int index_name_cmp(const OPENSSL_CSTRING *a, const OPENSSL_CSTRING *b);
 int parse_yesno(const char *str, int def);
-X509_NAME *parse_name(const char *str, long chtype, int multirdn);
+X509_NAME *parse_name(char *str, long chtype, int multirdn);
 int args_verify(char ***pargs, int *pargc,
-                int *badarg, X509_VERIFY_PARAM **pm);
+			int *badarg, BIO *err, X509_VERIFY_PARAM **pm);
-void policies_print(X509_STORE_CTX *ctx);
+void policies_print(BIO *out, X509_STORE_CTX *ctx);
 int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
 int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value);
-int init_gen_str(EVP_PKEY_CTX **pctx,
+int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx,
-                 const char *algname, ENGINE *e, int do_param);
+			const char *algname, ENGINE *e, int do_param);
-int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
+int do_X509_sign(BIO *err, X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
-                 STACK_OF(OPENSSL_STRING) *sigopts);
+			STACK_OF(OPENSSL_STRING) *sigopts);
-int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
+int do_X509_REQ_sign(BIO *err, X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
-                     STACK_OF(OPENSSL_STRING) *sigopts);
+			STACK_OF(OPENSSL_STRING) *sigopts);
-int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
+int do_X509_CRL_sign(BIO *err, X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
-                     STACK_OF(OPENSSL_STRING) *sigopts);
+			STACK_OF(OPENSSL_STRING) *sigopts);
-# ifndef OPENSSL_NO_PSK
+#ifndef OPENSSL_NO_PSK
 extern char *psk_key;
-# endif
+#endif
-# ifndef OPENSSL_NO_JPAKE
+#ifndef OPENSSL_NO_JPAKE
 void jpake_client_auth(BIO *out, BIO *conn, const char *secret);
 void jpake_server_auth(BIO *out, BIO *conn, const char *secret);
-# endif
+#endif
-
+
-unsigned char *next_protos_parse(unsigned short *outlen, const char *in);
+#define FORMAT_UNDEF    0
-
+#define FORMAT_ASN1     1
-void print_cert_checks(BIO *bio, X509 *x,
+#define FORMAT_TEXT     2
-                       const char *checkhost,
+#define FORMAT_PEM      3
-                       const char *checkemail, const char *checkip);
+#define FORMAT_NETSCAPE 4
-
+#define FORMAT_PKCS12   5
-void store_setup_crl_download(X509_STORE *st);
+#define FORMAT_SMIME    6
-
+#define FORMAT_ENGINE   7
-/* See OPT_FMT_xxx, above. */
+#define FORMAT_IISSGC	8	/* XXX this stupid macro helps us to avoid
-/* On some platforms, it's important to distinguish between text and binary
+				 * adding yet another param to load_*key() */
- * files.  On some, there might even be specific file formats for different
+#define FORMAT_PEMRSA	9	/* PEM RSAPubicKey format */
- * contents.  The FORMAT_xxx macros are meant to express an intent with the
+#define FORMAT_ASN1RSA	10	/* DER RSAPubicKey format */
- * file being read or created.
+#define FORMAT_MSBLOB	11	/* MS Key blob format */
- */
+#define FORMAT_PVK	12	/* MS PVK file format */
-# define B_FORMAT_TEXT   0x8000
+
-# define FORMAT_UNDEF    0
+#define EXT_COPY_NONE	0
-# define FORMAT_TEXT    (1 | B_FORMAT_TEXT)     /* Generic text */
+#define EXT_COPY_ADD	1
-# define FORMAT_BINARY   2                      /* Generic binary */
+#define EXT_COPY_ALL	2
-# define FORMAT_BASE64  (3 | B_FORMAT_TEXT)     /* Base64 */
+
-# define FORMAT_ASN1     4                      /* ASN.1/DER */
+#define NETSCAPE_CERT_HDR	"certificate"
-# define FORMAT_PEM     (5 | B_FORMAT_TEXT)
+
-# define FORMAT_PKCS12   6
+#define APP_PASS_LEN	1024
-# define FORMAT_SMIME   (7 | B_FORMAT_TEXT)
+
-# define FORMAT_ENGINE   8                      /* Not really a file format */
+#define SERIAL_RAND_BITS	64
-# define FORMAT_PEMRSA  (9 | B_FORMAT_TEXT)     /* PEM RSAPubicKey format */
+
-# define FORMAT_ASN1RSA  10                     /* DER RSAPubicKey format */
+int app_isdir(const char *);
-# define FORMAT_MSBLOB   11                     /* MS Key blob format */
+int raw_read_stdin(void *,int);
-# define FORMAT_PVK      12                     /* MS PVK file format */
+int raw_write_stdout(const void *,int);
-# define FORMAT_HTTP     13                     /* Download using HTTP */
+
-# define FORMAT_NSS      14                     /* NSS keylog format */
+#define TM_START	0
-
+#define TM_STOP		1
-# define EXT_COPY_NONE   0
+double app_tminterval (int stop,int usertime);
-# define EXT_COPY_ADD    1
+#endif
-# define EXT_COPY_ALL    2
+
-
+#define OPENSSL_NO_SSL_INTERN
-# define NETSCAPE_CERT_HDR       "certificate"
+
-
+#ifndef OPENSSL_NO_NEXTPROTONEG
-# define APP_PASS_LEN    1024
+unsigned char *next_protos_parse(unsigned short *outlen, const char *in);
 # define SERIAL_RAND_BITS        64
 int app_hex(char);
 int app_isdir(const char *);
 int app_access(const char *, int flag);
 int raw_read_stdin(void *, int);
 int raw_write_stdout(const void *, int);
 # define TM_START        0
 # define TM_STOP         1
 double app_tminterval(int stop, int usertime);
 /* this is an accident waiting to happen (-Wshadow is your friend) */
 extern int verify_depth;
 extern int verify_quiet;
 extern int verify_error;
 extern int verify_return_error;
 # include "progs.h"
 #endif
--- a/apps/asn1pars.c
+++ b/apps/asn1pars.c
@@ -1,24 +1,25 @@
 /* apps/asn1pars.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
- *
+ * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
- *
+ * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@@ -33,10 +34,10 @@
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -48,16 +49,15 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
+ * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
-/*
+/* A nice addition from Dr Stephen Henson <steve@openssl.org> to 
- * A nice addition from Dr Stephen Henson <steve@openssl.org> to add the
+ * add the -strparse option which parses nested binary structures
 * -strparse option which parses nested binary structures
 */
 #include <stdio.h>
@@ -69,309 +69,377 @@
 #include <openssl/x509.h>
 #include <openssl/pem.h>
-typedef enum OPTION_choice {
+/* -inform arg	- input format - default PEM (DER or PEM)
-    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+ * -in arg	- input file - default stdin
-    OPT_INFORM, OPT_IN, OPT_OUT, OPT_INDENT, OPT_NOOUT,
+ * -i		- indent the details by depth
-    OPT_OID, OPT_OFFSET, OPT_LENGTH, OPT_DUMP, OPT_DLIMIT,
+ * -offset	- where in the file to start
-    OPT_STRPARSE, OPT_GENSTR, OPT_GENCONF, OPT_STRICTPEM
+ * -length	- how many bytes to use
-} OPTION_CHOICE;
+ * -oid file	- extra oid description file
 */
-OPTIONS asn1parse_options[] = {
+#undef PROG
-    {"help", OPT_HELP, '-', "Display this summary"},
+#define PROG	asn1parse_main
    {"inform", OPT_INFORM, 'F', "input format - one of DER PEM"},
    {"in", OPT_IN, '<', "input file"},
    {"out", OPT_OUT, '>', "output file (output format is always DER)"},
    {"i", OPT_INDENT, 0, "entries"},
    {"noout", OPT_NOOUT, 0, "don't produce any output"},
    {"offset", OPT_OFFSET, 'p', "offset into file"},
    {"length", OPT_LENGTH, 'p', "length of section in file"},
    {"oid", OPT_OID, '<', "file of extra oid definitions"},
    {"dump", OPT_DUMP, 0, "unknown data in hex form"},
    {"dlimit", OPT_DLIMIT, 'p',
     "dump the first arg bytes of unknown data in hex form"},
    {"strparse", OPT_STRPARSE, 's',
     "offset; a series of these can be used to 'dig'"},
    {OPT_MORE_STR, 0, 0, "into multiple ASN1 blob wrappings"},
    {"genstr", OPT_GENSTR, 's', "string to generate ASN1 structure from"},
    {"genconf", OPT_GENCONF, 's', "file to generate ASN1 structure from"},
    {OPT_MORE_STR, 0, 0, "(-inform  will be ignored)"},
    {"strictpem", OPT_STRICTPEM, 0,
     "do not attempt base64 decode outside PEM markers"},
    {NULL}
 };
-static int do_generate(char *genstr, char *genconf, BUF_MEM *buf);
+int MAIN(int, char **);
-int asn1parse_main(int argc, char **argv)
+static int do_generate(BIO *bio, char *genstr, char *genconf, BUF_MEM *buf);
 {
    ASN1_TYPE *at = NULL;
    BIO *in = NULL, *b64 = NULL, *derout = NULL;
    BUF_MEM *buf = NULL;
    STACK_OF(OPENSSL_STRING) *osk = NULL;
    char *genstr = NULL, *genconf = NULL;
    char *infile = NULL, *str = NULL, *oidfile = NULL, *derfile = NULL;
    char *name = NULL, *header = NULL, *prog;
    const unsigned char *ctmpbuf;
    int indent = 0, noout = 0, dump = 0, strictpem = 0, informat = FORMAT_PEM;
    int offset = 0, ret = 1, i, j;
    long num, tmplen;
    unsigned char *tmpbuf;
    unsigned int length = 0;
    OPTION_CHOICE o;
-    prog = opt_init(argc, argv, asn1parse_options);
+int MAIN(int argc, char **argv)
 	{
 	int i,badops=0,offset=0,ret=1,j;
 	unsigned int length=0;
 	long num,tmplen;
 	BIO *in=NULL,*out=NULL,*b64=NULL, *derout = NULL;
 	int informat,indent=0, noout = 0, dump = 0;
 	char *infile=NULL,*str=NULL,*prog,*oidfile=NULL, *derfile=NULL;
 	char *genstr=NULL, *genconf=NULL;
 	unsigned char *tmpbuf;
 	const unsigned char *ctmpbuf;
 	BUF_MEM *buf=NULL;
 	STACK_OF(OPENSSL_STRING) *osk=NULL;
 	ASN1_TYPE *at=NULL;
-    if ((osk = sk_OPENSSL_STRING_new_null()) == NULL) {
+	informat=FORMAT_PEM;
        BIO_printf(bio_err, "%s: Memory allocation failure\n", prog);
        goto end;
    }
-    while ((o = opt_next()) != OPT_EOF) {
+	apps_startup();
        switch (o) {
        case OPT_EOF:
        case OPT_ERR:
 opthelp:
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
        case OPT_HELP:
            opt_help(asn1parse_options);
            ret = 0;
            goto end;
        case OPT_INFORM:
            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
                goto opthelp;
            break;
        case OPT_IN:
            infile = opt_arg();
            break;
        case OPT_OUT:
            derfile = opt_arg();
            break;
        case OPT_INDENT:
            indent = 1;
            break;
        case OPT_NOOUT:
            noout = 1;
            break;
        case OPT_OID:
            oidfile = opt_arg();
            break;
        case OPT_OFFSET:
            offset = strtol(opt_arg(), NULL, 0);
            break;
        case OPT_LENGTH:
            length = atoi(opt_arg());
            break;
        case OPT_DUMP:
            dump = -1;
            break;
        case OPT_DLIMIT:
            dump = atoi(opt_arg());
            break;
        case OPT_STRPARSE:
            sk_OPENSSL_STRING_push(osk, opt_arg());
            break;
        case OPT_GENSTR:
            genstr = opt_arg();
            break;
        case OPT_GENCONF:
            genconf = opt_arg();
            break;
        case OPT_STRICTPEM:
            strictpem = 1;
            informat = FORMAT_PEM;
            break;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
-    if (oidfile != NULL) {
+	if (bio_err == NULL)
-        in = bio_open_default(oidfile, 'r', FORMAT_TEXT);
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
-        if (in == NULL)
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
            goto end;
        OBJ_create_objects(in);
        BIO_free(in);
    }
-    if ((in = bio_open_default(infile, 'r', informat)) == NULL)
+	if (!load_config(bio_err, NULL))
-        goto end;
+		goto end;
-    if (derfile && (derout = bio_open_default(derfile, 'w', FORMAT_ASN1)) == NULL)
+	prog=argv[0];
-        goto end;
+	argc--;
 	argv++;
 	if ((osk=sk_OPENSSL_STRING_new_null()) == NULL)
 		{
 		BIO_printf(bio_err,"Memory allocation failure\n");
 		goto end;
 		}
 	while (argc >= 1)
 		{
 		if 	(strcmp(*argv,"-inform") == 0)
 			{
 			if (--argc < 1) goto bad;
 			informat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-in") == 0)
 			{
 			if (--argc < 1) goto bad;
 			infile= *(++argv);
 			}
 		else if (strcmp(*argv,"-out") == 0)
 			{
 			if (--argc < 1) goto bad;
 			derfile= *(++argv);
 			}
 		else if (strcmp(*argv,"-i") == 0)
 			{
 			indent=1;
 			}
 		else if (strcmp(*argv,"-noout") == 0) noout = 1;
 		else if (strcmp(*argv,"-oid") == 0)
 			{
 			if (--argc < 1) goto bad;
 			oidfile= *(++argv);
 			}
 		else if (strcmp(*argv,"-offset") == 0)
 			{
 			if (--argc < 1) goto bad;
 			offset= atoi(*(++argv));
 			}
 		else if (strcmp(*argv,"-length") == 0)
 			{
 			if (--argc < 1) goto bad;
 			length= atoi(*(++argv));
 			if (length == 0) goto bad;
 			}
 		else if (strcmp(*argv,"-dump") == 0)
 			{
 			dump= -1;
 			}
 		else if (strcmp(*argv,"-dlimit") == 0)
 			{
 			if (--argc < 1) goto bad;
 			dump= atoi(*(++argv));
 			if (dump <= 0) goto bad;
 			}
 		else if (strcmp(*argv,"-strparse") == 0)
 			{
 			if (--argc < 1) goto bad;
 			sk_OPENSSL_STRING_push(osk,*(++argv));
 			}
 		else if (strcmp(*argv,"-genstr") == 0)
 			{
 			if (--argc < 1) goto bad;
 			genstr= *(++argv);
 			}
 		else if (strcmp(*argv,"-genconf") == 0)
 			{
 			if (--argc < 1) goto bad;
 			genconf= *(++argv);
 			}
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
 			badops=1;
 			break;
 			}
 		argc--;
 		argv++;
 		}
-    if (strictpem) {
+	if (badops)
-        if (PEM_read_bio(in, &name, &header, (unsigned char **)&str, &num) !=
+		{
-            1) {
+bad:
-            BIO_printf(bio_err, "Error reading PEM file\n");
+		BIO_printf(bio_err,"%s [options] <infile\n",prog);
-            ERR_print_errors(bio_err);
+		BIO_printf(bio_err,"where options are\n");
-            goto end;
+		BIO_printf(bio_err," -inform arg   input format - one of DER PEM\n");
-        }
+		BIO_printf(bio_err," -in arg       input file\n");
-    } else {
+		BIO_printf(bio_err," -out arg      output file (output format is always DER\n");
 		BIO_printf(bio_err," -noout arg    don't produce any output\n");
 		BIO_printf(bio_err," -offset arg   offset into file\n");
 		BIO_printf(bio_err," -length arg   length of section in file\n");
 		BIO_printf(bio_err," -i            indent entries\n");
 		BIO_printf(bio_err," -dump         dump unknown data in hex form\n");
 		BIO_printf(bio_err," -dlimit arg   dump the first arg bytes of unknown data in hex form\n");
 		BIO_printf(bio_err," -oid file     file of extra oid definitions\n");
 		BIO_printf(bio_err," -strparse offset\n");
 		BIO_printf(bio_err,"               a series of these can be used to 'dig' into multiple\n");
 		BIO_printf(bio_err,"               ASN1 blob wrappings\n");
 		BIO_printf(bio_err," -genstr str   string to generate ASN1 structure from\n");
 		BIO_printf(bio_err," -genconf file file to generate ASN1 structure from\n");
 		goto end;
 		}
-        if ((buf = BUF_MEM_new()) == NULL)
+	ERR_load_crypto_strings();
            goto end;
        if (!BUF_MEM_grow(buf, BUFSIZ * 8))
            goto end;           /* Pre-allocate :-) */
-        if (genstr || genconf) {
+	in=BIO_new(BIO_s_file());
-            num = do_generate(genstr, genconf, buf);
+	out=BIO_new(BIO_s_file());
-            if (num < 0) {
+	if ((in == NULL) || (out == NULL))
-                ERR_print_errors(bio_err);
+		{
-                goto end;
+		ERR_print_errors(bio_err);
-            }
+		goto end;
-        }
+		}
 	BIO_set_fp(out,stdout,BIO_NOCLOSE|BIO_FP_TEXT);
 #ifdef OPENSSL_SYS_VMS
 	{
 	BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 	out = BIO_push(tmpbio, out);
 	}
 #endif
-        else {
+	if (oidfile != NULL)
 		{
 		if (BIO_read_filename(in,oidfile) <= 0)
 			{
 			BIO_printf(bio_err,"problems opening %s\n",oidfile);
 			ERR_print_errors(bio_err);
 			goto end;
 			}
 		OBJ_create_objects(in);
 		}
-            if (informat == FORMAT_PEM) {
+	if (infile == NULL)
-                BIO *tmp;
+		BIO_set_fp(in,stdin,BIO_NOCLOSE);
 	else
 		{
 		if (BIO_read_filename(in,infile) <= 0)
 			{
 			perror(infile);
 			goto end;
 			}
 		}
-                if ((b64 = BIO_new(BIO_f_base64())) == NULL)
+	if (derfile) {
-                    goto end;
+		if(!(derout = BIO_new_file(derfile, "wb"))) {
-                BIO_push(b64, in);
+			BIO_printf(bio_err,"problems opening %s\n",derfile);
-                tmp = in;
+			ERR_print_errors(bio_err);
-                in = b64;
+			goto end;
-                b64 = tmp;
+		}
-            }
+	}
-            num = 0;
+	if ((buf=BUF_MEM_new()) == NULL) goto end;
-            for (;;) {
+	if (!BUF_MEM_grow(buf,BUFSIZ*8)) goto end; /* Pre-allocate :-) */
                if (!BUF_MEM_grow(buf, (int)num + BUFSIZ))
                    goto end;
                i = BIO_read(in, &(buf->data[num]), BUFSIZ);
                if (i <= 0)
                    break;
                num += i;
            }
        }
        str = buf->data;
-    }
+	if (genstr || genconf)
 		{
 		num = do_generate(bio_err, genstr, genconf, buf);
 		if (num < 0)
 			{
 			ERR_print_errors(bio_err);
 			goto end;
 			}
 		}
-    /* If any structs to parse go through in sequence */
+	else
 		{
-    if (sk_OPENSSL_STRING_num(osk)) {
+		if (informat == FORMAT_PEM)
-        tmpbuf = (unsigned char *)str;
+			{
-        tmplen = num;
+			BIO *tmp;
        for (i = 0; i < sk_OPENSSL_STRING_num(osk); i++) {
            ASN1_TYPE *atmp;
            int typ;
            j = atoi(sk_OPENSSL_STRING_value(osk, i));
            if (j == 0) {
                BIO_printf(bio_err, "'%s' is an invalid number\n",
                           sk_OPENSSL_STRING_value(osk, i));
                continue;
            }
            tmpbuf += j;
            tmplen -= j;
            atmp = at;
            ctmpbuf = tmpbuf;
            at = d2i_ASN1_TYPE(NULL, &ctmpbuf, tmplen);
            ASN1_TYPE_free(atmp);
            if (!at) {
                BIO_printf(bio_err, "Error parsing structure\n");
                ERR_print_errors(bio_err);
                goto end;
            }
            typ = ASN1_TYPE_get(at);
            if ((typ == V_ASN1_OBJECT)
                || (typ == V_ASN1_BOOLEAN)
                || (typ == V_ASN1_NULL)) {
                BIO_printf(bio_err, "Can't parse %s type\n", ASN1_tag2str(typ));
                ERR_print_errors(bio_err);
                goto end;
            }
            /* hmm... this is a little evil but it works */
            tmpbuf = at->value.asn1_string->data;
            tmplen = at->value.asn1_string->length;
        }
        str = (char *)tmpbuf;
        num = tmplen;
    }
-    if (offset >= num) {
+			if ((b64=BIO_new(BIO_f_base64())) == NULL)
-        BIO_printf(bio_err, "Error: offset too large\n");
+				goto end;
-        goto end;
+			BIO_push(b64,in);
-    }
+			tmp=in;
 			in=b64;
 			b64=tmp;
 			}
-    num -= offset;
+		num=0;
 		for (;;)
 			{
 			if (!BUF_MEM_grow(buf,(int)num+BUFSIZ)) goto end;
 			i=BIO_read(in,&(buf->data[num]),BUFSIZ);
 			if (i <= 0) break;
 			num+=i;
 			}
 		}
 	str=buf->data;
-    if ((length == 0) || ((long)length > num))
+	/* If any structs to parse go through in sequence */
        length = (unsigned int)num;
    if (derout) {
        if (BIO_write(derout, str + offset, length) != (int)length) {
            BIO_printf(bio_err, "Error writing output\n");
            ERR_print_errors(bio_err);
            goto end;
        }
    }
    if (!noout &&
        !ASN1_parse_dump(bio_out, (unsigned char *)&(str[offset]), length,
                         indent, dump)) {
        ERR_print_errors(bio_err);
        goto end;
    }
    ret = 0;
 end:
    BIO_free(derout);
    BIO_free(in);
    BIO_free(b64);
    if (ret != 0)
        ERR_print_errors(bio_err);
    BUF_MEM_free(buf);
    OPENSSL_free(name);
    OPENSSL_free(header);
    if (strictpem)
        OPENSSL_free(str);
    ASN1_TYPE_free(at);
    sk_OPENSSL_STRING_free(osk);
    OBJ_cleanup();
    return (ret);
 }
-static int do_generate(char *genstr, char *genconf, BUF_MEM *buf)
+	if (sk_OPENSSL_STRING_num(osk))
-{
+		{
-    CONF *cnf = NULL;
+		tmpbuf=(unsigned char *)str;
-    int len;
+		tmplen=num;
-    unsigned char *p;
+		for (i=0; i<sk_OPENSSL_STRING_num(osk); i++)
-    ASN1_TYPE *atyp = NULL;
+			{
 			ASN1_TYPE *atmp;
 			int typ;
 			j=atoi(sk_OPENSSL_STRING_value(osk,i));
 			if (j == 0)
 				{
 				BIO_printf(bio_err,"'%s' is an invalid number\n",sk_OPENSSL_STRING_value(osk,i));
 				continue;
 				}
 			tmpbuf+=j;
 			tmplen-=j;
 			atmp = at;
 			ctmpbuf = tmpbuf;
 			at = d2i_ASN1_TYPE(NULL,&ctmpbuf,tmplen);
 			ASN1_TYPE_free(atmp);
 			if(!at)
 				{
 				BIO_printf(bio_err,"Error parsing structure\n");
 				ERR_print_errors(bio_err);
 				goto end;
 				}
 			typ = ASN1_TYPE_get(at);
 			if ((typ == V_ASN1_OBJECT)
 				|| (typ == V_ASN1_NULL))
 				{
 				BIO_printf(bio_err, "Can't parse %s type\n",
 					typ == V_ASN1_NULL ? "NULL" : "OBJECT");
 				ERR_print_errors(bio_err);
 				goto end;
 				}
 			/* hmm... this is a little evil but it works */
 			tmpbuf=at->value.asn1_string->data;
 			tmplen=at->value.asn1_string->length;
 			}
 		str=(char *)tmpbuf;
 		num=tmplen;
 		}
-    if (genconf) {
+	if (offset >= num)
-        if ((cnf = app_load_config(genconf)) == NULL)
+		{
-            goto err;
+		BIO_printf(bio_err, "Error: offset too large\n");
-        if (!genstr)
+		goto end;
-            genstr = NCONF_get_string(cnf, "default", "asn1");
+		}
        if (!genstr) {
            BIO_printf(bio_err, "Can't find 'asn1' in '%s'\n", genconf);
            goto err;
        }
    }
-    atyp = ASN1_generate_nconf(genstr, cnf);
+	num -= offset;
    NCONF_free(cnf);
    cnf = NULL;
-    if (!atyp)
+	if ((length == 0) || ((long)length > num)) length=(unsigned int)num;
-        return -1;
+	if(derout) {
 		if(BIO_write(derout, str + offset, length) != (int)length) {
 			BIO_printf(bio_err, "Error writing output\n");
 			ERR_print_errors(bio_err);
 			goto end;
 		}
 	}
 	if (!noout &&
 	    !ASN1_parse_dump(out,(unsigned char *)&(str[offset]),length,
 		    indent,dump))
 		{
 		ERR_print_errors(bio_err);
 		goto end;
 		}
 	ret=0;
 end:
 	BIO_free(derout);
 	if (in != NULL) BIO_free(in);
 	if (out != NULL) BIO_free_all(out);
 	if (b64 != NULL) BIO_free(b64);
 	if (ret != 0)
 		ERR_print_errors(bio_err);
 	if (buf != NULL) BUF_MEM_free(buf);
 	if (at != NULL) ASN1_TYPE_free(at);
 	if (osk != NULL) sk_OPENSSL_STRING_free(osk);
 	OBJ_cleanup();
 	apps_shutdown();
 	OPENSSL_EXIT(ret);
 	}
-    len = i2d_ASN1_TYPE(atyp, NULL);
+static int do_generate(BIO *bio, char *genstr, char *genconf, BUF_MEM *buf)
 	{
 	CONF *cnf = NULL;
 	int len;
 	long errline;
 	unsigned char *p;
 	ASN1_TYPE *atyp = NULL;
-    if (len <= 0)
+	if (genconf)
-        goto err;
+		{
 		cnf = NCONF_new(NULL);
 		if (!NCONF_load(cnf, genconf, &errline))
 			goto conferr;
 		if (!genstr)
 			genstr = NCONF_get_string(cnf, "default", "asn1");
 		if (!genstr)
 			{
 			BIO_printf(bio, "Can't find 'asn1' in '%s'\n", genconf);
 			goto err;
 			}
 		}
-    if (!BUF_MEM_grow(buf, len))
+	atyp = ASN1_generate_nconf(genstr, cnf);
-        goto err;
+	NCONF_free(cnf);
 	cnf = NULL;
-    p = (unsigned char *)buf->data;
+	if (!atyp)
 		return -1;
-    i2d_ASN1_TYPE(atyp, &p);
+	len = i2d_ASN1_TYPE(atyp, NULL);
-    ASN1_TYPE_free(atyp);
+	if (len <= 0)
-    return len;
+		goto err;
- err:
+	if (!BUF_MEM_grow(buf,len))
-    NCONF_free(cnf);
+		goto err;
-    ASN1_TYPE_free(atyp);
+
-    return -1;
+	p=(unsigned char *)buf->data;
-}
+
 	i2d_ASN1_TYPE(atyp, &p);
 	ASN1_TYPE_free(atyp);
 	return len;
 	conferr:
 	if (errline > 0)
 		BIO_printf(bio, "Error on line %ld of config file '%s'\n",
 							errline, genconf);
 	else
 		BIO_printf(bio, "Error loading config file '%s'\n", genconf);
 	err:
 	NCONF_free(cnf);
 	ASN1_TYPE_free(atyp);
 	return -1;
 	}
--- a/apps/ca-key.pem
+++ b/apps/ca-key.pem
@@ -1,16 +1,15 @@
-----BEGIN PRIVATE KEY-----
+-----BEGIN RSA PRIVATE KEY-----
-MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBAL4tQNyKy4U2zX6l
+MIICXQIBAAKBgQCju6PLddelT+nIMm07GQwmYa/eZ2JWbsmt2gotSCqM7asFp425
-IZvORB1edmwMwIgSB4cgoFECrG5pixzYxKauZkAwKG9/+L4DB8qXRjfXWcvafcOU
+gxSK4jqhhT62UPpqDBEwvQ+fYkVv3RV0r9ReuZGv12NoS4fXsQgqO17lHA7Od0Kd
-DlYpRROykJ7wGkiqmqbZyrxY8DWjk5ZZQXiSuhYOAJB+Fyfb11JZV6+CvBQX/1g+
+2yNwJjKh44MxPKDt2o8iQMyZE0zlHnEFNpsP4COLTDNC6ljEEu5bk8uPsQIDAQAB
-vhJr39Gmp6oAesoYrj90ecozClmnAgMBAAECgYA3j6sSg+5f9hnldUMzbPjTh8Sb
+AoGAVZmpFZsDZfr0l2S9tLLwpjRWNOlKATQkno6q2WesT0eGLQufTciY+c8ypfU6
-XsJlPrc6UFrmMBzGiUleXSpe9Dbla+x0XvQCN4pwMvAN4nnWp/f0Su5BV/9Y93nb
+hyio8r5iUl/VhhdjhAtKx1mRpiotftHo/eYf8rtsrnprOnWG0bWjLjtIoMbcxGn2
-im5ijGNrfN9i6QrnqGCr+MMute+4E8HR2pCScX0mBLDDf40SmDvMzCaxtd21keyr
+J3bN6LJmbJMjDs0eJ3KnTu646F3nDUw2oGAwmpzKXA1KAP0CQQDRvQhxk2D3Pehs
-9DqHgInQZNEi6NKlkQJBAPCbUTFg6iQ6VTCQ8CsEf5q2xHhuTK23fJ999lvWVxN7
+HvG665u2pB5ipYQngEFlZO7RHJZzJOZEWSLuuMqaF/7pTfA5jiBvWqCgJeCRRInL
-QsvWb9RP9Ng34HVtvB7Pl6P7FyHLQYiDJhhvYR0L0+kCQQDKV/09Kt6Wjf5Omp1I
+21ru4dlPAkEAx9jj7BgKn5TYnMoBSSe0afjsV9oApVpN1Nacb1YDtCwy+scp3++s
-wd3A+tFnipdqnPw+qNHGjevv0hYiEIWQOYbx00zXgaX+WN/pzV9eeNN2XAxlNJ++
+nFxlv98wxIlSdpwMUn+AUWfjiWR7Tu/G/wJBAJ/KjwZIrFVxewP0x2ILYsTRYLzz
-dxcPAkBrzeuPKFFAcjKBVC+H1rgl5gYZv7Hzk+buv02G0H6rZ+sB0c7BXiHiTwbv
+MS4PDsO7FB+I0i7DbBOifXS2oNSpd3I0CNMwrxFnUHzynpbOStVfN3ZL5w0CQQCa
-Fn/XfkP/YR14Ms3mEH0dLaphjU8hAkEAh3Ar/rRiN04mCcEuRFQXtaNtZSv8PA2G
+pwFahxBRhkJKsxhjoFJBX9yl75JoY4Wvm5Tbo9ih6UJaRx3kqfkN14L2BKYcsZgb
-Pf7MI2Y9pdHupLCAZlBLRjTUO2/5hu1AO4QPMPIZQSFN3rRBtMCL+wJAMp/m2hvI
+KY9vmDOYy6iNfjDeWTfJAkBkfPUb8oTJ/nSP5zN6sqGxSY4krc4xLxpRmxoJ8HL2
-TmtbMp/IrKGfma09e3yFiCmoNn7cHLJ7jLvXcacV2XNzpr9YHfBxiZo0g9FqZKvv
+XfhqXkTzbU13RX9JJ/NZ8vQN9Vm2NhxRGJocQkmcdVtJ
-PZoQ5B2XJ7bhTQ==
+-----END RSA PRIVATE KEY-----
 -----END PRIVATE KEY-----
--- a/apps/ca-req.pem
+++ b/apps/ca-req.pem
@@ -1,11 +1,11 @@
 -----BEGIN CERTIFICATE REQUEST-----
-MIIBmzCCAQQCAQAwWzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClF1ZWVuc2xhbmQx
+MIIBmTCCAQICAQAwWzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQx
-GjAYBgNVBAoMEUNyeXB0U29mdCBQdHkgTHRkMRswGQYDVQQDDBJUZXN0IENBICgx
+GjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYDVQQDExJUZXN0IENBICgx
-MDI0IGJpdCkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAL4tQNyKy4U2zX6l
+MDI0IGJpdCkwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAKO7o8t116VP6cgy
-IZvORB1edmwMwIgSB4cgoFECrG5pixzYxKauZkAwKG9/+L4DB8qXRjfXWcvafcOU
+bTsZDCZhr95nYlZuya3aCi1IKoztqwWnjbmDFIriOqGFPrZQ+moMETC9D59iRW/d
-DlYpRROykJ7wGkiqmqbZyrxY8DWjk5ZZQXiSuhYOAJB+Fyfb11JZV6+CvBQX/1g+
+FXSv1F65ka/XY2hLh9exCCo7XuUcDs53Qp3bI3AmMqHjgzE8oO3ajyJAzJkTTOUe
-vhJr39Gmp6oAesoYrj90ecozClmnAgMBAAGgADANBgkqhkiG9w0BAQsFAAOBgQCo
+cQU2mw/gI4tMM0LqWMQS7luTy4+xAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAKlk7
-2jE7J1SNV7kyRm9m8CoPw8xYsuVcVFxPheBymYp8BlO0/rSdYygRjobpYnLVRUPZ
+cxu9gCJN3/iQFyJXQ6YphaiQAT5VBXTx9ftRrQIjA3vxlDzPWGDy+V5Tqa7h8PtR
-pV792wzT1Rp4sXfZWO10lkFY4yi0pH2cdK2RX7qedibV1Xu9vt/yYANFBKVpA4dy
+5Bn00JShII2zf0hjyjKils6x/UkWmjEiwSiFp4hR70iE8XwSNEHY2P6j6nQEIpgW
-PRyTQwi3In1N8hdfddpYR8f5MIUYRe5poFMIJcf8JA==
+kbfgmmUqk7dl2V+ossTJ80B8SBpEhrn81V/cHxA=
 -----END CERTIFICATE REQUEST-----
--- a/apps/ca.c
+++ b/apps/ca.c
--- a/apps/ciphers.c
+++ b/apps/ciphers.c
@@ -1,24 +1,25 @@
 /* apps/ciphers.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
- *
+ * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
- *
+ * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@@ -33,10 +34,10 @@
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -48,7 +49,7 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
+ * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
@@ -58,197 +59,173 @@
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #ifdef OPENSSL_NO_STDIO
 #define APPS_WIN16
 #endif
 #include "apps.h"
 #include <openssl/err.h>
 #include <openssl/ssl.h>
-typedef enum OPTION_choice {
+#undef PROG
-    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+#define PROG	ciphers_main
    OPT_STDNAME,
    OPT_SSL3,
    OPT_TLS1,
    OPT_TLS1_1,
    OPT_TLS1_2,
    OPT_PSK,
    OPT_V, OPT_UPPER_V, OPT_S
 } OPTION_CHOICE;
-OPTIONS ciphers_options[] = {
+static const char *ciphers_usage[]={
-    {"help", OPT_HELP, '-', "Display this summary"},
+"usage: ciphers args\n",
-    {"v", OPT_V, '-', "Verbose listing of the SSL/TLS ciphers"},
+" -v          - verbose mode, a textual listing of the SSL/TLS ciphers in OpenSSL\n",
-    {"V", OPT_UPPER_V, '-', "Even more verbose"},
+" -V          - even more verbose\n",
-    {"s", OPT_S, '-', "Only supported ciphers"},
+" -ssl2       - SSL2 mode\n",
-    {"tls1", OPT_TLS1, '-', "TLS1 mode"},
+" -ssl3       - SSL3 mode\n",
-    {"tls1_1", OPT_TLS1_1, '-', "TLS1.1 mode"},
+" -tls1       - TLS1 mode\n",
-    {"tls1_2", OPT_TLS1_2, '-', "TLS1.2 mode"},
+NULL
 #ifndef OPENSSL_NO_SSL_TRACE
    {"stdname", OPT_STDNAME, '-', "Show standard cipher names"},
 #endif
 #ifndef OPENSSL_NO_SSL3
    {"ssl3", OPT_SSL3, '-', "SSL3 mode"},
 #endif
 #ifndef OPENSSL_NO_PSK
    {"psk", OPT_PSK, '-', "include ciphersuites requiring PSK"},
 #endif
    {NULL}
 };
-#ifndef OPENSSL_NO_PSK
+int MAIN(int, char **);
-static unsigned int dummy_psk(SSL *ssl, const char *hint, char *identity,
+
-                              unsigned int max_identity_len,
+int MAIN(int argc, char **argv)
-                              unsigned char *psk,
+	{
-                              unsigned int max_psk_len)
+	int ret=1,i;
-{
+	int verbose=0,Verbose=0;
-    return 0;
+	const char **pp;
-}
+	const char *p;
 	int badops=0;
 	SSL_CTX *ctx=NULL;
 	SSL *ssl=NULL;
 	char *ciphers=NULL;
 	const SSL_METHOD *meth=NULL;
 	STACK_OF(SSL_CIPHER) *sk;
 	char buf[512];
 	BIO *STDout=NULL;
 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
 	meth=SSLv23_server_method();
 #elif !defined(OPENSSL_NO_SSL3)
 	meth=SSLv3_server_method();
 #elif !defined(OPENSSL_NO_SSL2)
 	meth=SSLv2_server_method();
 #endif
-int ciphers_main(int argc, char **argv)
+	apps_startup();
 {
    SSL_CTX *ctx = NULL;
    SSL *ssl = NULL;
    STACK_OF(SSL_CIPHER) *sk = NULL;
    const SSL_METHOD *meth = TLS_server_method();
    int ret = 1, i, verbose = 0, Verbose = 0, use_supported = 0;
 #ifndef OPENSSL_NO_SSL_TRACE
    int stdname = 0;
 #endif
 #ifndef OPENSSL_NO_PSK
    int psk = 0;
 #endif
    const char *p;
    char *ciphers = NULL, *prog;
    char buf[512];
    OPTION_CHOICE o;
-    prog = opt_init(argc, argv, ciphers_options);
+	if (bio_err == NULL)
-    while ((o = opt_next()) != OPT_EOF) {
+		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
-        switch (o) {
+	STDout=BIO_new_fp(stdout,BIO_NOCLOSE);
-        case OPT_EOF:
+#ifdef OPENSSL_SYS_VMS
-        case OPT_ERR:
+	{
- opthelp:
+	BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+	STDout = BIO_push(tmpbio, STDout);
-            goto end;
+	}
-        case OPT_HELP:
+#endif
-            opt_help(ciphers_options);
+	if (!load_config(bio_err, NULL))
-            ret = 0;
+		goto end;
-            goto end;
+
-        case OPT_V:
+	argc--;
-            verbose = 1;
+	argv++;
-            break;
+	while (argc >= 1)
-        case OPT_UPPER_V:
+		{
-            verbose = Verbose = 1;
+		if (strcmp(*argv,"-v") == 0)
-            break;
+			verbose=1;
-        case OPT_S:
+		else if (strcmp(*argv,"-V") == 0)
-            use_supported = 1;
+			verbose=Verbose=1;
-            break;
+#ifndef OPENSSL_NO_SSL2
-        case OPT_STDNAME:
+		else if (strcmp(*argv,"-ssl2") == 0)
-#ifndef OPENSSL_NO_SSL_TRACE
+			meth=SSLv2_client_method();
            stdname = verbose = 1;
 #endif
            break;
        case OPT_SSL3:
 #ifndef OPENSSL_NO_SSL3
-            meth = SSLv3_client_method();
+		else if (strcmp(*argv,"-ssl3") == 0)
 			meth=SSLv3_client_method();
 #endif
-            break;
+#ifndef OPENSSL_NO_TLS1
-        case OPT_TLS1:
+		else if (strcmp(*argv,"-tls1") == 0)
-            meth = TLSv1_client_method();
+			meth=TLSv1_client_method();
            break;
        case OPT_TLS1_1:
            meth = TLSv1_1_client_method();
            break;
        case OPT_TLS1_2:
            meth = TLSv1_2_client_method();
            break;
        case OPT_PSK:
 #ifndef OPENSSL_NO_PSK
            psk = 1;
 #endif
-            break;
+		else if ((strncmp(*argv,"-h",2) == 0) ||
-        }
+			 (strcmp(*argv,"-?") == 0))
-    }
+			{
-    argv = opt_rest();
+			badops=1;
-    argc = opt_num_rest();
+			break;
 			}
 		else
 			{
 			ciphers= *argv;
 			}
 		argc--;
 		argv++;
 		}
-    if (argc == 1)
+	if (badops)
-        ciphers = *argv;
+		{
-    else if (argc != 0)
+		for (pp=ciphers_usage; (*pp != NULL); pp++)
-        goto opthelp;
+			BIO_printf(bio_err,"%s",*pp);
 		goto end;
 		}
-    ctx = SSL_CTX_new(meth);
+	OpenSSL_add_ssl_algorithms();
    if (ctx == NULL)
        goto err;
 #ifndef OPENSSL_NO_PSK
    if (psk)
        SSL_CTX_set_psk_client_callback(ctx, dummy_psk);
 #endif
    if (ciphers != NULL) {
        if (!SSL_CTX_set_cipher_list(ctx, ciphers)) {
            BIO_printf(bio_err, "Error in cipher list\n");
            goto err;
        }
    }
    ssl = SSL_new(ctx);
    if (ssl == NULL)
        goto err;
-    if (use_supported)
+	ctx=SSL_CTX_new(meth);
-        sk = SSL_get1_supported_ciphers(ssl);
+	if (ctx == NULL) goto err;
-    else
+	if (ciphers != NULL) {
-        sk = SSL_get_ciphers(ssl);
+		if(!SSL_CTX_set_cipher_list(ctx,ciphers)) {
 			BIO_printf(bio_err, "Error in cipher list\n");
 			goto err;
 		}
 	}
 	ssl=SSL_new(ctx);
 	if (ssl == NULL) goto err;
    if (!verbose) {
        for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
            const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i);
            p = SSL_CIPHER_get_name(c);
            if (p == NULL)
                break;
            if (i != 0)
                BIO_printf(bio_out, ":");
            BIO_printf(bio_out, "%s", p);
        }
        BIO_printf(bio_out, "\n");
    } else {
-        for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) {
+	if (!verbose)
-            const SSL_CIPHER *c;
+		{
 		for (i=0; ; i++)
 			{
 			p=SSL_get_cipher_list(ssl,i);
 			if (p == NULL) break;
 			if (i != 0) BIO_printf(STDout,":");
 			BIO_printf(STDout,"%s",p);
 			}
 		BIO_printf(STDout,"\n");
 		}
 	else /* verbose */
 		{
 		sk=SSL_get_ciphers(ssl);
-            c = sk_SSL_CIPHER_value(sk, i);
+		for (i=0; i<sk_SSL_CIPHER_num(sk); i++)
 			{
 			SSL_CIPHER *c;
-            if (Verbose) {
+			c = sk_SSL_CIPHER_value(sk,i);
-                unsigned long id = SSL_CIPHER_get_id(c);
+			
-                int id0 = (int)(id >> 24);
+			if (Verbose)
-                int id1 = (int)((id >> 16) & 0xffL);
+				{
-                int id2 = (int)((id >> 8) & 0xffL);
+				unsigned long id = SSL_CIPHER_get_id(c);
-                int id3 = (int)(id & 0xffL);
+				int id0 = (int)(id >> 24);
 				int id1 = (int)((id >> 16) & 0xffL);
 				int id2 = (int)((id >> 8) & 0xffL);
 				int id3 = (int)(id & 0xffL);
 				if ((id & 0xff000000L) == 0x02000000L)
 					BIO_printf(STDout, "     0x%02X,0x%02X,0x%02X - ", id1, id2, id3); /* SSL2 cipher */
 				else if ((id & 0xff000000L) == 0x03000000L)
 					BIO_printf(STDout, "          0x%02X,0x%02X - ", id2, id3); /* SSL3 cipher */
 				else
 					BIO_printf(STDout, "0x%02X,0x%02X,0x%02X,0x%02X - ", id0, id1, id2, id3); /* whatever */
 				}
-                if ((id & 0xff000000L) == 0x03000000L)
+			BIO_puts(STDout,SSL_CIPHER_description(c,buf,sizeof buf));
-                    BIO_printf(bio_out, "          0x%02X,0x%02X - ", id2, id3); /* SSL3
+			}
-                                                                                  * cipher */
+		}
-                else
+
-                    BIO_printf(bio_out, "0x%02X,0x%02X,0x%02X,0x%02X - ", id0, id1, id2, id3); /* whatever */
+	ret=0;
-            }
+	if (0)
-#ifndef OPENSSL_NO_SSL_TRACE
+		{
-            if (stdname) {
+err:
-                const char *nm = SSL_CIPHER_standard_name(c);
+		SSL_load_error_strings();
-                if (nm == NULL)
+		ERR_print_errors(bio_err);
-                    nm = "UNKNOWN";
+		}
-                BIO_printf(bio_out, "%s - ", nm);
+end:
-            }
+	if (ctx != NULL) SSL_CTX_free(ctx);
-#endif
+	if (ssl != NULL) SSL_free(ssl);
-            BIO_puts(bio_out, SSL_CIPHER_description(c, buf, sizeof buf));
+	if (STDout != NULL) BIO_free_all(STDout);
-        }
+	apps_shutdown();
-    }
+	OPENSSL_EXIT(ret);
 	}
    ret = 0;
    goto end;
 err:
    ERR_print_errors(bio_err);
 end:
    if (use_supported)
        sk_SSL_CIPHER_free(sk);
    SSL_CTX_free(ctx);
    SSL_free(ssl);
    return (ret);
 }
--- a/apps/client.pem
+++ b/apps/client.pem
@@ -1,52 +1,24 @@
-subject= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = Test Client Cert
+issuer= /C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Test CA (1024 bit)
-issuer= C = UK, O = OpenSSL Group, OU = FOR TESTING PURPOSES ONLY, CN = OpenSSL Test Intermediate CA
+subject=/C=AU/ST=Queensland/O=CryptSoft Pty Ltd/CN=Client test cert (512 bit)
 -----BEGIN CERTIFICATE-----
-MIID5zCCAs+gAwIBAgIJALnu1NlVpZ6yMA0GCSqGSIb3DQEBBQUAMHAxCzAJBgNV
+MIIB6TCCAVICAQIwDQYJKoZIhvcNAQEEBQAwWzELMAkGA1UEBhMCQVUxEzARBgNV
-BAYTAlVLMRYwFAYDVQQKDA1PcGVuU1NMIEdyb3VwMSIwIAYDVQQLDBlGT1IgVEVT
+BAgTClF1ZWVuc2xhbmQxGjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRswGQYD
-VElORyBQVVJQT1NFUyBPTkxZMSUwIwYDVQQDDBxPcGVuU1NMIFRlc3QgSW50ZXJt
+VQQDExJUZXN0IENBICgxMDI0IGJpdCkwHhcNOTcwNjA5MTM1NzU2WhcNOTgwNjA5
-ZWRpYXRlIENBMB4XDTExMTIwODE0MDE0OFoXDTIxMTAxNjE0MDE0OFowZDELMAkG
+MTM1NzU2WjBjMQswCQYDVQQGEwJBVTETMBEGA1UECBMKUXVlZW5zbGFuZDEaMBgG
-A1UEBhMCVUsxFjAUBgNVBAoMDU9wZW5TU0wgR3JvdXAxIjAgBgNVBAsMGUZPUiBU
+A1UEChMRQ3J5cHRTb2Z0IFB0eSBMdGQxIzAhBgNVBAMTGkNsaWVudCB0ZXN0IGNl
-RVNUSU5HIFBVUlBPU0VTIE9OTFkxGTAXBgNVBAMMEFRlc3QgQ2xpZW50IENlcnQw
+cnQgKDUxMiBiaXQpMFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALtv55QyzG6i2Plw
-ggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC0ranbHRLcLVqN+0BzcZpY
+Z1pah7++Gv8L5j6Hnyr/uTZE1NLG0ABDDexmq/R4KedLjFEIYjocDui+IXs62NNt
-+yOLqxzDWT1LD9eW1stC4NzXX9/DCtSIVyN7YIHdGLrIPr64IDdXXaMRzgZ2rOKs
+XrT8odkCAwEAATANBgkqhkiG9w0BAQQFAAOBgQBwtMmI7oGUG8nKmftQssATViH5
-lmHCAiFpO/ja99gGCJRxH0xwQatqAULfJVHeUhs7OEGOZc2nWifjqKvGfNTilP7D
+NRRtoEw07DxJp/LfatHdrhqQB73eGdL5WILZJXk46Xz2e9WMSUjVCSYhdKxtflU3
-nwi69ipQFq9oS19FmhwVHk2wg7KZGHI1qDyG04UrfCZMRitvS9+UVhPpIPjuiBi2
+UR2Ajv1Oo0sTNdfz0wDqJNirLNtzyhhsaq8qMTrLwXrCP31VxBiigFSQSUFnZyTE
-x3/FZIpL5gXJvvFK6xHY63oq2asyzBATntBgnP4qJFWWcvRx24wF1PnZabxuVoL2
+9TKwhS4GlwbtCfxSKQ==
 bPnQ/KvONDrw3IdqkKhYNTul7jEcu3OlcZIMw+7DiaKJLAzKb/bBF5gm/pwW6As9
 AgMBAAGjgY8wgYwwDAYDVR0TAQH/BAIwADAOBgNVHQ8BAf8EBAMCBeAwLAYJYIZI
 AYb4QgENBB8WHU9wZW5TU0wgR2VuZXJhdGVkIENlcnRpZmljYXRlMB0GA1UdDgQW
 BBSZHKyLoTh7Mb409Zn/mK1ceSDAjDAfBgNVHSMEGDAWgBQ2w2yI55X+sL3szj49
 hqshgYfa2jANBgkqhkiG9w0BAQUFAAOCAQEAD0mL7PtPYgCEuDyOQSbLpeND5hVS
 curxQdGnrJ6Acrhodb7E9ccATokeb0PLx6HBLQUicxhTZIQ9FbO43YkQcOU6C3BB
 IlwskqmtN6+VmrQzNolHCDzvxNZs9lYL2VbGPGqVRyjZeHpoAlf9cQr8PgDb4d4b
 vUx2KAhHQvV2nkmYvKyXcgnRuHggumF87mkxidriGAEFwH4qfOqetUg64WyxP7P2
 QLipm04SyQa7ONtIApfVXgHcE42Py4/f4arzCzMjKe3VyhGkS7nsT55X/fWgTaRm
 CQPkO+H94P958WTvQDt77bQ+D3IvYaVvfil8n6HJMOJfFT0LJuSUbpSXJg==
 -----END CERTIFICATE-----
 -----BEGIN RSA PRIVATE KEY-----
-MIIEpQIBAAKCAQEAtK2p2x0S3C1ajftAc3GaWPsji6scw1k9Sw/XltbLQuDc11/f
+MIIBOwIBAAJBALtv55QyzG6i2PlwZ1pah7++Gv8L5j6Hnyr/uTZE1NLG0ABDDexm
-wwrUiFcje2CB3Ri6yD6+uCA3V12jEc4GdqzirJZhwgIhaTv42vfYBgiUcR9McEGr
+q/R4KedLjFEIYjocDui+IXs62NNtXrT8odkCAwEAAQJAbwXq0vJ/+uyEvsNgxLko
-agFC3yVR3lIbOzhBjmXNp1on46irxnzU4pT+w58IuvYqUBavaEtfRZocFR5NsIOy
+/V86mGXQ/KrSkeKlL0r4ENxjcyeMAGoKu6J9yMY7+X9+Zm4nxShNfTsf/+Freoe1
-mRhyNag8htOFK3wmTEYrb0vflFYT6SD47ogYtsd/xWSKS+YFyb7xSusR2Ot6Ktmr
+HQIhAPOSm5Q1YI+KIsII2GeVJx1U69+wnd71OasIPakS1L1XAiEAxQAW+J3/JWE0
-MswQE57QYJz+KiRVlnL0cduMBdT52Wm8blaC9mz50PyrzjQ68NyHapCoWDU7pe4x
+ftEYakbhUOKL8tD1OaFZS71/5GdG7E8CIQCefUMmySSvwd6kC0VlATSWbW+d+jp/
-HLtzpXGSDMPuw4miiSwMym/2wReYJv6cFugLPQIDAQABAoIBAAZOyc9MhIwLSU4L
+nWmM1KvqnAo5uQIhALqEADu5U1Wvt8UN8UDGBRPQulHWNycuNV45d3nnskWPAiAw
-p4RgQvM4UVVe8/Id+3XTZ8NsXExJbWxXfIhiqGjaIfL8u4vsgRjcl+v1s/jo2/iT
+ueTyr6WsZ5+SD8g/Hy3xuvF3nPmJRH+rwvVihlcFOg==
 KMab4o4D8gXD7UavQVDjtjb/ta79WL3SjRl2Uc9YjjMkyq6WmDNQeo2NKDdafCTB
 1uzSJtLNipB8Z53ELPuHJhxX9QMHrMnuha49riQgXZ7buP9iQrHJFhImBjSzbxJx
 L+TI6rkyLSf9Wi0Pd3L27Ob3QWNfNRYNSeTE+08eSRChkur5W0RuXAcuAICdQlCl
 LBvWO/LmmvbzCqiDcgy/TliSb6CGGwgiNG7LJZmlkYNj8laGwalNlYZs3UrVv6NO
 Br2loAECgYEA2kvCvPGj0Dg/6g7WhXDvAkEbcaL1tSeCxBbNH+6HS2UWMWvyTtCn
 /bbD519QIdkvayy1QjEf32GV/UjUVmlULMLBcDy0DGjtL3+XpIhLKWDNxN1v1/ai
 1oz23ZJCOgnk6K4qtFtlRS1XtynjA+rBetvYvLP9SKeFrnpzCgaA2r0CgYEA0+KX
 1ACXDTNH5ySX3kMjSS9xdINf+OOw4CvPHFwbtc9aqk2HePlEsBTz5I/W3rKwXva3
 NqZ/bRqVVeZB/hHKFywgdUQk2Uc5z/S7Lw70/w1HubNTXGU06Ngb6zOFAo/o/TwZ
 zTP1BMIKSOB6PAZPS3l+aLO4FRIRotfFhgRHOoECgYEAmiZbqt8cJaJDB/5YYDzC
 mp3tSk6gIb936Q6M5VqkMYp9pIKsxhk0N8aDCnTU+kIK6SzWBpr3/d9Ecmqmfyq7
 5SvWO3KyVf0WWK9KH0abhOm2BKm2HBQvI0DB5u8sUx2/hsvOnjPYDISbZ11t0MtK
 u35Zy89yMYcSsIYJjG/ROCUCgYEAgI2P9G5PNxEP5OtMwOsW84Y3Xat/hPAQFlI+
 HES+AzbFGWJkeT8zL2nm95tVkFP1sggZ7Kxjz3w7cpx7GX0NkbWSE9O+T51pNASV
 tN1sQ3p5M+/a+cnlqgfEGJVvc7iAcXQPa3LEi5h2yPR49QYXAgG6cifn3dDSpmwn
 SUI7PQECgYEApGCIIpSRPLAEHTGmP87RBL1smurhwmy2s/pghkvUkWehtxg0sGHh
 kuaqDWcskogv+QC0sVdytiLSz8G0DwcEcsHK1Fkyb8A+ayiw6jWJDo2m9+IF4Fww
 1Te6jFPYDESnbhq7+TLGgHGhtwcu5cnb4vSuYXGXKupZGzoLOBbv1Zw=
 -----END RSA PRIVATE KEY-----
--- a/apps/cms.c
+++ b/apps/cms.c
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -1,24 +1,25 @@
 /* apps/crl.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
- *
+ * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
- *
+ * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@@ -33,10 +34,10 @@
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -48,7 +49,7 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
+ * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
@@ -65,331 +66,381 @@
 #include <openssl/x509v3.h>
 #include <openssl/pem.h>
-typedef enum OPTION_choice {
+#undef PROG
-    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+#define PROG	crl_main
    OPT_INFORM, OPT_IN, OPT_OUTFORM, OPT_OUT, OPT_KEYFORM, OPT_KEY,
    OPT_ISSUER, OPT_LASTUPDATE, OPT_NEXTUPDATE, OPT_FINGERPRINT,
    OPT_CRLNUMBER, OPT_BADSIG, OPT_GENDELTA, OPT_CAPATH, OPT_CAFILE,
    OPT_NOCAPATH, OPT_NOCAFILE, OPT_VERIFY, OPT_TEXT, OPT_HASH, OPT_HASH_OLD,
    OPT_NOOUT, OPT_NAMEOPT, OPT_MD
 } OPTION_CHOICE;
-OPTIONS crl_options[] = {
+#undef POSTFIX
-    {"help", OPT_HELP, '-', "Display this summary"},
+#define	POSTFIX	".rvk"
-    {"inform", OPT_INFORM, 'F', "Input format; default PEM"},
+
-    {"in", OPT_IN, '<', "Input file - default stdin"},
+static const char *crl_usage[]={
-    {"outform", OPT_OUTFORM, 'F', "Output format - default PEM"},
+"usage: crl args\n",
-    {"out", OPT_OUT, '>', "output file - default stdout"},
+"\n",
-    {"keyform", OPT_KEYFORM, 'F'},
+" -inform arg     - input format - default PEM (DER or PEM)\n",
-    {"key", OPT_KEY, '<'},
+" -outform arg    - output format - default PEM\n",
-    {"issuer", OPT_ISSUER, '-', "Print issuer DN"},
+" -text           - print out a text format version\n",
-    {"lastupdate", OPT_LASTUPDATE, '-', "Set lastUpdate field"},
+" -in arg         - input file - default stdin\n",
-    {"nextupdate", OPT_NEXTUPDATE, '-', "Set nextUpdate field"},
+" -out arg        - output file - default stdout\n",
-    {"noout", OPT_NOOUT, '-', "No CRL output"},
+" -hash           - print hash value\n",
-    {"fingerprint", OPT_FINGERPRINT, '-', "Print the crl fingerprint"},
+" -fingerprint    - print the crl fingerprint\n",
-    {"crlnumber", OPT_CRLNUMBER, '-', "Print CRL number"},
+" -issuer         - print issuer DN\n",
-    {"badsig", OPT_BADSIG, '-'},
+" -lastupdate     - lastUpdate field\n",
-    {"gendelta", OPT_GENDELTA, '<'},
+" -nextupdate     - nextUpdate field\n",
-    {"CApath", OPT_CAPATH, '/', "Verify CRL using certificates in dir"},
+" -crlnumber      - print CRL number\n",
-    {"CAfile", OPT_CAFILE, '<', "Verify CRL using certificates in file name"},
+" -noout          - no CRL output\n",
-    {"no-CAfile", OPT_NOCAFILE, '-',
+" -CAfile  name   - verify CRL using certificates in file \"name\"\n",
-     "Do not load the default certificates file"},
+" -CApath  dir    - verify CRL using certificates in \"dir\"\n",
-    {"no-CApath", OPT_NOCAPATH, '-',
+" -nameopt arg    - various certificate name options\n",
-     "Do not load certificates from the default certificates directory"},
+NULL
    {"verify", OPT_VERIFY, '-'},
    {"text", OPT_TEXT, '-', "Print out a text format version"},
    {"hash", OPT_HASH, '-', "Print hash value"},
    {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
    {"", OPT_MD, '-', "Any supported digest"},
 #ifndef OPENSSL_NO_MD5
    {"hash_old", OPT_HASH_OLD, '-', "Print old-style (MD5) hash value"},
 #endif
    {NULL}
 };
-int crl_main(int argc, char **argv)
+static X509_CRL *load_crl(char *file, int format);
-{
+static BIO *bio_out=NULL;
-    X509_CRL *x = NULL;
+
-    BIO *out = NULL;
+int MAIN(int, char **);
-    X509_STORE *store = NULL;
+
-    X509_STORE_CTX ctx;
+int MAIN(int argc, char **argv)
-    X509_LOOKUP *lookup = NULL;
+	{
-    X509_OBJECT xobj;
+	unsigned long nmflag = 0;
-    EVP_PKEY *pkey;
+	X509_CRL *x=NULL;
-    const EVP_MD *digest = EVP_sha1();
+	char *CAfile = NULL, *CApath = NULL;
-    unsigned long nmflag = 0;
+	int ret=1,i,num,badops=0;
-    char nmflag_set = 0;
+	BIO *out=NULL;
-    char *infile = NULL, *outfile = NULL, *crldiff = NULL, *keyfile = NULL;
+	int informat,outformat;
-    char *CAfile = NULL, *CApath = NULL, *prog;
+	char *infile=NULL,*outfile=NULL;
-    OPTION_CHOICE o;
+	int hash=0,issuer=0,lastupdate=0,nextupdate=0,noout=0,text=0;
-    int hash = 0, issuer = 0, lastupdate = 0, nextupdate = 0, noout = 0;
+	int fingerprint = 0, crlnumber = 0;
-    int informat = FORMAT_PEM, outformat = FORMAT_PEM, keyformat = FORMAT_PEM;
+	const char **pp;
-    int ret = 1, num = 0, badsig = 0, fingerprint = 0, crlnumber = 0;
+	X509_STORE *store = NULL;
-    int text = 0, do_ver = 0, noCAfile = 0, noCApath = 0;
+	X509_STORE_CTX ctx;
-    int i;
+	X509_LOOKUP *lookup = NULL;
-#ifndef OPENSSL_NO_MD5
+	X509_OBJECT xobj;
-    int hash_old = 0;
+	EVP_PKEY *pkey;
 	int do_ver = 0;
 	const EVP_MD *md_alg,*digest=EVP_sha1();
 	apps_startup();
 	if (bio_err == NULL)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	if (!load_config(bio_err, NULL))
 		goto end;
 	if (bio_out == NULL)
 		if ((bio_out=BIO_new(BIO_s_file())) != NULL)
 			{
 			BIO_set_fp(bio_out,stdout,BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 			{
 			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 			bio_out = BIO_push(tmpbio, bio_out);
 			}
 #endif
 			}
-    prog = opt_init(argc, argv, crl_options);
+	informat=FORMAT_PEM;
-    while ((o = opt_next()) != OPT_EOF) {
+	outformat=FORMAT_PEM;
-        switch (o) {
+
-        case OPT_EOF:
+	argc--;
-        case OPT_ERR:
+	argv++;
- opthelp:
+	num=0;
-            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+	while (argc >= 1)
-            goto end;
+		{
-        case OPT_HELP:
+#ifdef undef
-            opt_help(crl_options);
+		if	(strcmp(*argv,"-p") == 0)
-            ret = 0;
+			{
-            goto end;
+			if (--argc < 1) goto bad;
-        case OPT_INFORM:
+			if (!args_from_file(++argv,Nargc,Nargv)) { goto end; }*/
-            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
+			}
                goto opthelp;
            break;
        case OPT_IN:
            infile = opt_arg();
            break;
        case OPT_OUTFORM:
            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
                goto opthelp;
            break;
        case OPT_OUT:
            outfile = opt_arg();
            break;
        case OPT_KEYFORM:
            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyformat))
                goto opthelp;
            break;
        case OPT_KEY:
            keyfile = opt_arg();
            break;
        case OPT_GENDELTA:
            crldiff = opt_arg();
            break;
        case OPT_CAPATH:
            CApath = opt_arg();
            do_ver = 1;
            break;
        case OPT_CAFILE:
            CAfile = opt_arg();
            do_ver = 1;
            break;
        case OPT_NOCAPATH:
            noCApath =  1;
            break;
        case OPT_NOCAFILE:
            noCAfile =  1;
            break;
        case OPT_HASH_OLD:
 #ifndef OPENSSL_NO_MD5
            hash_old = ++num;
 #endif
-            break;
+		if 	(strcmp(*argv,"-inform") == 0)
-        case OPT_VERIFY:
+			{
-            do_ver = 1;
+			if (--argc < 1) goto bad;
-            break;
+			informat=str2fmt(*(++argv));
-        case OPT_TEXT:
+			}
-            text = 1;
+		else if (strcmp(*argv,"-outform") == 0)
-            break;
+			{
-        case OPT_HASH:
+			if (--argc < 1) goto bad;
-            hash = ++num;
+			outformat=str2fmt(*(++argv));
-            break;
+			}
-        case OPT_ISSUER:
+		else if (strcmp(*argv,"-in") == 0)
-            issuer = ++num;
+			{
-            break;
+			if (--argc < 1) goto bad;
-        case OPT_LASTUPDATE:
+			infile= *(++argv);
-            lastupdate = ++num;
+			}
-            break;
+		else if (strcmp(*argv,"-out") == 0)
-        case OPT_NEXTUPDATE:
+			{
-            nextupdate = ++num;
+			if (--argc < 1) goto bad;
-            break;
+			outfile= *(++argv);
-        case OPT_NOOUT:
+			}
-            noout = ++num;
+		else if (strcmp(*argv,"-CApath") == 0)
-            break;
+			{
-        case OPT_FINGERPRINT:
+			if (--argc < 1) goto bad;
-            fingerprint = ++num;
+			CApath = *(++argv);
-            break;
+			do_ver = 1;
-        case OPT_CRLNUMBER:
+			}
-            crlnumber = ++num;
+		else if (strcmp(*argv,"-CAfile") == 0)
-            break;
+			{
-        case OPT_BADSIG:
+			if (--argc < 1) goto bad;
-            badsig = 1;
+			CAfile = *(++argv);
-            break;
+			do_ver = 1;
-        case OPT_NAMEOPT:
+			}
-            nmflag_set = 1;
+		else if (strcmp(*argv,"-verify") == 0)
-            if (!set_name_ex(&nmflag, opt_arg()))
+			do_ver = 1;
-                goto opthelp;
+		else if (strcmp(*argv,"-text") == 0)
-            break;
+			text = 1;
-        case OPT_MD:
+		else if (strcmp(*argv,"-hash") == 0)
-            if (!opt_md(opt_unknown(), &digest))
+			hash= ++num;
-                goto opthelp;
+		else if (strcmp(*argv,"-nameopt") == 0)
-        }
+			{
-    }
+			if (--argc < 1) goto bad;
-    argc = opt_num_rest();
+			if (!set_name_ex(&nmflag, *(++argv))) goto bad;
-    argv = opt_rest();
+			}
 		else if (strcmp(*argv,"-issuer") == 0)
 			issuer= ++num;
 		else if (strcmp(*argv,"-lastupdate") == 0)
 			lastupdate= ++num;
 		else if (strcmp(*argv,"-nextupdate") == 0)
 			nextupdate= ++num;
 		else if (strcmp(*argv,"-noout") == 0)
 			noout= ++num;
 		else if (strcmp(*argv,"-fingerprint") == 0)
 			fingerprint= ++num;
 		else if (strcmp(*argv,"-crlnumber") == 0)
 			crlnumber= ++num;
 		else if ((md_alg=EVP_get_digestbyname(*argv + 1)))
 			{
 			/* ok */
 			digest=md_alg;
 			}
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
 			badops=1;
 			break;
 			}
 		argc--;
 		argv++;
 		}
-    if (!nmflag_set)
+	if (badops)
-        nmflag = XN_FLAG_ONELINE;
+		{
 bad:
 		for (pp=crl_usage; (*pp != NULL); pp++)
 			BIO_printf(bio_err,"%s",*pp);
 		goto end;
 		}
-    x = load_crl(infile, informat);
+	ERR_load_crypto_strings();
-    if (x == NULL)
+	x=load_crl(infile,informat);
-        goto end;
+	if (x == NULL) { goto end; }
-    if (do_ver) {
+	if(do_ver) {
-        if ((store = setup_verify(CAfile, CApath, noCAfile, noCApath)) == NULL)
+		store = X509_STORE_new();
-            goto end;
+		lookup=X509_STORE_add_lookup(store,X509_LOOKUP_file());
-        lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
+		if (lookup == NULL) goto end;
-        if (lookup == NULL)
+		if (!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM))
-            goto end;
+			X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
-        if (!X509_STORE_CTX_init(&ctx, store, NULL, NULL)) {
+			
-            BIO_printf(bio_err, "Error initialising X509 store\n");
+		lookup=X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir());
-            goto end;
+		if (lookup == NULL) goto end;
-        }
+		if (!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM))
 			X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
 		ERR_clear_error();
-        i = X509_STORE_get_by_subject(&ctx, X509_LU_X509,
+		if(!X509_STORE_CTX_init(&ctx, store, NULL, NULL)) {
-                                      X509_CRL_get_issuer(x), &xobj);
+			BIO_printf(bio_err,
-        if (i <= 0) {
+				"Error initialising X509 store\n");
-            BIO_printf(bio_err, "Error getting CRL issuer certificate\n");
+			goto end;
-            goto end;
+		}
        }
        pkey = X509_get0_pubkey(xobj.data.x509);
        X509_OBJECT_free_contents(&xobj);
        if (!pkey) {
            BIO_printf(bio_err, "Error getting CRL issuer public key\n");
            goto end;
        }
        i = X509_CRL_verify(x, pkey);
        if (i < 0)
            goto end;
        if (i == 0)
            BIO_printf(bio_err, "verify failure\n");
        else
            BIO_printf(bio_err, "verify OK\n");
    }
-    if (crldiff) {
+		i = X509_STORE_get_by_subject(&ctx, X509_LU_X509, 
-        X509_CRL *newcrl, *delta;
+					X509_CRL_get_issuer(x), &xobj);
-        if (!keyfile) {
+		if(i <= 0) {
-            BIO_puts(bio_err, "Missing CRL signing key\n");
+			BIO_printf(bio_err,
-            goto end;
+				"Error getting CRL issuer certificate\n");
-        }
+			goto end;
-        newcrl = load_crl(crldiff, informat);
+		}
-        if (!newcrl)
+		pkey = X509_get_pubkey(xobj.data.x509);
-            goto end;
+		X509_OBJECT_free_contents(&xobj);
-        pkey = load_key(keyfile, keyformat, 0, NULL, NULL, "CRL signing key");
+		if(!pkey) {
-        if (!pkey) {
+			BIO_printf(bio_err,
-            X509_CRL_free(newcrl);
+				"Error getting CRL issuer public key\n");
-            goto end;
+			goto end;
-        }
+		}
-        delta = X509_CRL_diff(x, newcrl, pkey, digest, 0);
+		i = X509_CRL_verify(x, pkey);
-        X509_CRL_free(newcrl);
+		EVP_PKEY_free(pkey);
-        EVP_PKEY_free(pkey);
+		if(i < 0) goto end;
-        if (delta) {
+		if(i == 0) BIO_printf(bio_err, "verify failure\n");
-            X509_CRL_free(x);
+		else BIO_printf(bio_err, "verify OK\n");
-            x = delta;
+	}
        } else {
            BIO_puts(bio_err, "Error creating delta CRL\n");
            goto end;
        }
    }
-    if (num) {
+	if (num)
-        for (i = 1; i <= num; i++) {
+		{
-            if (issuer == i) {
+		for (i=1; i<=num; i++)
-                print_name(bio_out, "issuer=", X509_CRL_get_issuer(x),
+			{
-                           nmflag);
+			if (issuer == i)
-            }
+				{
-            if (crlnumber == i) {
+				print_name(bio_out, "issuer=", X509_CRL_get_issuer(x), nmflag);
-                ASN1_INTEGER *crlnum;
+				}
-                crlnum = X509_CRL_get_ext_d2i(x, NID_crl_number, NULL, NULL);
+			if (crlnumber == i)
-                BIO_printf(bio_out, "crlNumber=");
+				{
-                if (crlnum) {
+				ASN1_INTEGER *crlnum;
-                    i2a_ASN1_INTEGER(bio_out, crlnum);
+				crlnum = X509_CRL_get_ext_d2i(x, NID_crl_number,
-                    ASN1_INTEGER_free(crlnum);
+							      NULL, NULL);
-                } else
+				BIO_printf(bio_out,"crlNumber=");
-                    BIO_puts(bio_out, "<NONE>");
+				if (crlnum)
-                BIO_printf(bio_out, "\n");
+					{
-            }
+					i2a_ASN1_INTEGER(bio_out, crlnum);
-            if (hash == i) {
+					ASN1_INTEGER_free(crlnum);
-                BIO_printf(bio_out, "%08lx\n",
+					}
-                           X509_NAME_hash(X509_CRL_get_issuer(x)));
+				else
-            }
+					BIO_puts(bio_out, "<NONE>");
-#ifndef OPENSSL_NO_MD5
+				BIO_printf(bio_out,"\n");
-            if (hash_old == i) {
+				}
-                BIO_printf(bio_out, "%08lx\n",
+			if (hash == i)
-                           X509_NAME_hash_old(X509_CRL_get_issuer(x)));
+				{
-            }
+				BIO_printf(bio_out,"%08lx\n",
 					X509_NAME_hash(X509_CRL_get_issuer(x)));
 				}
 			if (lastupdate == i)
 				{
 				BIO_printf(bio_out,"lastUpdate=");
 				ASN1_TIME_print(bio_out,
 						X509_CRL_get_lastUpdate(x));
 				BIO_printf(bio_out,"\n");
 				}
 			if (nextupdate == i)
 				{
 				BIO_printf(bio_out,"nextUpdate=");
 				if (X509_CRL_get_nextUpdate(x)) 
 					ASN1_TIME_print(bio_out,
 						X509_CRL_get_nextUpdate(x));
 				else
 					BIO_printf(bio_out,"NONE");
 				BIO_printf(bio_out,"\n");
 				}
 			if (fingerprint == i)
 				{
 				int j;
 				unsigned int n;
 				unsigned char md[EVP_MAX_MD_SIZE];
 				if (!X509_CRL_digest(x,digest,md,&n))
 					{
 					BIO_printf(bio_err,"out of memory\n");
 					goto end;
 					}
 				BIO_printf(bio_out,"%s Fingerprint=",
 						OBJ_nid2sn(EVP_MD_type(digest)));
 				for (j=0; j<(int)n; j++)
 					{
 					BIO_printf(bio_out,"%02X%c",md[j],
 						(j+1 == (int)n)
 						?'\n':':');
 					}
 				}
 			}
 		}
 	out=BIO_new(BIO_s_file());
 	if (out == NULL)
 		{
 		ERR_print_errors(bio_err);
 		goto end;
 		}
 	if (outfile == NULL)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
-            if (lastupdate == i) {
+		}
-                BIO_printf(bio_out, "lastUpdate=");
+	else
-                ASN1_TIME_print(bio_out, X509_CRL_get_lastUpdate(x));
+		{
-                BIO_printf(bio_out, "\n");
+		if (BIO_write_filename(out,outfile) <= 0)
-            }
+			{
-            if (nextupdate == i) {
+			perror(outfile);
-                BIO_printf(bio_out, "nextUpdate=");
+			goto end;
-                if (X509_CRL_get_nextUpdate(x))
+			}
-                    ASN1_TIME_print(bio_out, X509_CRL_get_nextUpdate(x));
+		}
                else
                    BIO_printf(bio_out, "NONE");
                BIO_printf(bio_out, "\n");
            }
            if (fingerprint == i) {
                int j;
                unsigned int n;
                unsigned char md[EVP_MAX_MD_SIZE];
-                if (!X509_CRL_digest(x, digest, md, &n)) {
+	if (text) X509_CRL_print(out, x);
                    BIO_printf(bio_err, "out of memory\n");
                    goto end;
                }
                BIO_printf(bio_out, "%s Fingerprint=",
                           OBJ_nid2sn(EVP_MD_type(digest)));
                for (j = 0; j < (int)n; j++) {
                    BIO_printf(bio_out, "%02X%c", md[j], (j + 1 == (int)n)
                               ? '\n' : ':');
                }
            }
        }
    }
    out = bio_open_default(outfile, 'w', outformat);
    if (out == NULL)
        goto end;
-    if (text)
+	if (noout) 
-        X509_CRL_print(out, x);
+		{
 		ret = 0;
 		goto end;
 		}
-    if (noout) {
+	if 	(outformat == FORMAT_ASN1)
-        ret = 0;
+		i=(int)i2d_X509_CRL_bio(out,x);
-        goto end;
+	else if (outformat == FORMAT_PEM)
-    }
+		i=PEM_write_bio_X509_CRL(out,x);
 	else	
 		{
 		BIO_printf(bio_err,"bad output format specified for outfile\n");
 		goto end;
 		}
 	if (!i) { BIO_printf(bio_err,"unable to write CRL\n"); goto end; }
 	ret=0;
 end:
 	BIO_free_all(out);
 	BIO_free_all(bio_out);
 	bio_out=NULL;
 	X509_CRL_free(x);
 	if(store) {
 		X509_STORE_CTX_cleanup(&ctx);
 		X509_STORE_free(store);
 	}
 	apps_shutdown();
 	OPENSSL_EXIT(ret);
 	}
-    if (badsig) {
+static X509_CRL *load_crl(char *infile, int format)
-        ASN1_BIT_STRING *sig;
+	{
-        unsigned char *psig;
+	X509_CRL *x=NULL;
-        X509_CRL_get0_signature(&sig, NULL, x);
+	BIO *in=NULL;
        psig = ASN1_STRING_data(sig);
        psig[ASN1_STRING_length(sig) - 1] ^= 0x1;
    }
-    if (outformat == FORMAT_ASN1)
+	in=BIO_new(BIO_s_file());
-        i = (int)i2d_X509_CRL_bio(out, x);
+	if (in == NULL)
-    else
+		{
-        i = PEM_write_bio_X509_CRL(out, x);
+		ERR_print_errors(bio_err);
-    if (!i) {
+		goto end;
-        BIO_printf(bio_err, "unable to write CRL\n");
+		}
-        goto end;
+
-    }
+	if (infile == NULL)
-    ret = 0;
+		BIO_set_fp(in,stdin,BIO_NOCLOSE);
 	else
 		{
 		if (BIO_read_filename(in,infile) <= 0)
 			{
 			perror(infile);
 			goto end;
 			}
 		}
 	if 	(format == FORMAT_ASN1)
 		x=d2i_X509_CRL_bio(in,NULL);
 	else if (format == FORMAT_PEM)
 		x=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
 	else	{
 		BIO_printf(bio_err,"bad input format specified for input crl\n");
 		goto end;
 		}
 	if (x == NULL)
 		{
 		BIO_printf(bio_err,"unable to load CRL\n");
 		ERR_print_errors(bio_err);
 		goto end;
 		}
 end:
 	BIO_free(in);
 	return(x);
 	}
 end:
    if (ret != 0)
        ERR_print_errors(bio_err);
    BIO_free_all(out);
    X509_CRL_free(x);
    if (store) {
        X509_STORE_CTX_cleanup(&ctx);
        X509_STORE_free(store);
    }
    return (ret);
 }
--- a/apps/crl2p7.c
+++ b/apps/crl2p7.c
@@ -1,24 +1,25 @@
 /* apps/crl2p7.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
- *
+ * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
- *
+ * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@@ -33,10 +34,10 @@
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -48,18 +49,16 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
+ * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
-/*
+/* This was written by Gordon Chaffee <chaffee@plateau.cs.berkeley.edu>
- * This was written by Gordon Chaffee <chaffee@plateau.cs.berkeley.edu> and
+ * and donated 'to the cause' along with lots and lots of other fixes to
- * donated 'to the cause' along with lots and lots of other fixes to the
+ * the library. */
 * library.
 */
 #include <stdio.h>
 #include <string.h>
@@ -73,200 +72,266 @@
 #include <openssl/objects.h>
 static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile);
 #undef PROG
 #define PROG	crl2pkcs7_main
-typedef enum OPTION_choice {
+/* -inform arg	- input format - default PEM (DER or PEM)
-    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+ * -outform arg - output format - default PEM
-    OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_NOCRL, OPT_CERTFILE
+ * -in arg	- input file - default stdin
-} OPTION_CHOICE;
+ * -out arg	- output file - default stdout
 */
-OPTIONS crl2pkcs7_options[] = {
+int MAIN(int, char **);
    {"help", OPT_HELP, '-', "Display this summary"},
    {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
    {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
    {"in", OPT_IN, '<', "Input file"},
    {"out", OPT_OUT, '>', "Output file"},
    {"nocrl", OPT_NOCRL, '-', "No crl to load, just certs from '-certfile'"},
    {"certfile", OPT_CERTFILE, '<',
     "File of chain of certs to a trusted CA; can be repeated"},
    {NULL}
 };
-int crl2pkcs7_main(int argc, char **argv)
+int MAIN(int argc, char **argv)
-{
+	{
-    BIO *in = NULL, *out = NULL;
+	int i,badops=0;
-    PKCS7 *p7 = NULL;
+	BIO *in=NULL,*out=NULL;
-    PKCS7_SIGNED *p7s = NULL;
+	int informat,outformat;
-    STACK_OF(OPENSSL_STRING) *certflst = NULL;
+	char *infile,*outfile,*prog,*certfile;
-    STACK_OF(X509) *cert_stack = NULL;
+	PKCS7 *p7 = NULL;
-    STACK_OF(X509_CRL) *crl_stack = NULL;
+	PKCS7_SIGNED *p7s = NULL;
-    X509_CRL *crl = NULL;
+	X509_CRL *crl=NULL;
-    char *infile = NULL, *outfile = NULL, *prog, *certfile;
+	STACK_OF(OPENSSL_STRING) *certflst=NULL;
-    int i = 0, informat = FORMAT_PEM, outformat = FORMAT_PEM, ret = 1, nocrl =
+	STACK_OF(X509_CRL) *crl_stack=NULL;
-        0;
+	STACK_OF(X509) *cert_stack=NULL;
-    OPTION_CHOICE o;
+	int ret=1,nocrl=0;
-    prog = opt_init(argc, argv, crl2pkcs7_options);
+	apps_startup();
    while ((o = opt_next()) != OPT_EOF) {
        switch (o) {
        case OPT_EOF:
        case OPT_ERR:
 opthelp:
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
        case OPT_HELP:
            opt_help(crl2pkcs7_options);
            ret = 0;
            goto end;
        case OPT_INFORM:
            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
                goto opthelp;
            break;
        case OPT_OUTFORM:
            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
                goto opthelp;
            break;
        case OPT_IN:
            infile = opt_arg();
            break;
        case OPT_OUT:
            outfile = opt_arg();
            break;
        case OPT_NOCRL:
            nocrl = 1;
            break;
        case OPT_CERTFILE:
            if ((certflst == NULL)
                && (certflst = sk_OPENSSL_STRING_new_null()) == NULL)
                goto end;
            if (!sk_OPENSSL_STRING_push(certflst, opt_arg())) {
                sk_OPENSSL_STRING_free(certflst);
                goto end;
            }
            break;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
-    if (!nocrl) {
+	if (bio_err == NULL)
-        in = bio_open_default(infile, 'r', informat);
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
-        if (in == NULL)
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
            goto end;
-        if (informat == FORMAT_ASN1)
+	infile=NULL;
-            crl = d2i_X509_CRL_bio(in, NULL);
+	outfile=NULL;
-        else if (informat == FORMAT_PEM)
+	informat=FORMAT_PEM;
-            crl = PEM_read_bio_X509_CRL(in, NULL, NULL, NULL);
+	outformat=FORMAT_PEM;
        if (crl == NULL) {
            BIO_printf(bio_err, "unable to load CRL\n");
            ERR_print_errors(bio_err);
            goto end;
        }
    }
-    if ((p7 = PKCS7_new()) == NULL)
+	prog=argv[0];
-        goto end;
+	argc--;
-    if ((p7s = PKCS7_SIGNED_new()) == NULL)
+	argv++;
-        goto end;
+	while (argc >= 1)
-    p7->type = OBJ_nid2obj(NID_pkcs7_signed);
+		{
-    p7->d.sign = p7s;
+		if 	(strcmp(*argv,"-inform") == 0)
-    p7s->contents->type = OBJ_nid2obj(NID_pkcs7_data);
+			{
 			if (--argc < 1) goto bad;
 			informat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-outform") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outformat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-in") == 0)
 			{
 			if (--argc < 1) goto bad;
 			infile= *(++argv);
 			}
 		else if (strcmp(*argv,"-nocrl") == 0)
 			{
 			nocrl=1;
 			}
 		else if (strcmp(*argv,"-out") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 		else if (strcmp(*argv,"-certfile") == 0)
 			{
 			if (--argc < 1) goto bad;
 			if(!certflst) certflst = sk_OPENSSL_STRING_new_null();
 			sk_OPENSSL_STRING_push(certflst,*(++argv));
 			}
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
 			badops=1;
 			break;
 			}
 		argc--;
 		argv++;
 		}
-    if (!ASN1_INTEGER_set(p7s->version, 1))
+	if (badops)
-        goto end;
+		{
-    if ((crl_stack = sk_X509_CRL_new_null()) == NULL)
+bad:
-        goto end;
+		BIO_printf(bio_err,"%s [options] <infile >outfile\n",prog);
-    p7s->crl = crl_stack;
+		BIO_printf(bio_err,"where options are\n");
-    if (crl != NULL) {
+		BIO_printf(bio_err," -inform arg    input format - DER or PEM\n");
-        sk_X509_CRL_push(crl_stack, crl);
+		BIO_printf(bio_err," -outform arg   output format - DER or PEM\n");
-        crl = NULL;             /* now part of p7 for OPENSSL_freeing */
+		BIO_printf(bio_err," -in arg        input file\n");
-    }
+		BIO_printf(bio_err," -out arg       output file\n");
 		BIO_printf(bio_err," -certfile arg  certificates file of chain to a trusted CA\n");
 		BIO_printf(bio_err,"                (can be used more than once)\n");
 		BIO_printf(bio_err," -nocrl         no crl to load, just certs from '-certfile'\n");
 		ret = 1;
 		goto end;
 		}
-    if ((cert_stack = sk_X509_new_null()) == NULL)
+	ERR_load_crypto_strings();
        goto end;
    p7s->cert = cert_stack;
-    if (certflst)
+	in=BIO_new(BIO_s_file());
-        for (i = 0; i < sk_OPENSSL_STRING_num(certflst); i++) {
+	out=BIO_new(BIO_s_file());
-            certfile = sk_OPENSSL_STRING_value(certflst, i);
+	if ((in == NULL) || (out == NULL))
-            if (add_certs_from_file(cert_stack, certfile) < 0) {
+		{
-                BIO_printf(bio_err, "error loading certificates\n");
+		ERR_print_errors(bio_err);
-                ERR_print_errors(bio_err);
+		goto end;
-                goto end;
+		}
            }
        }
-    sk_OPENSSL_STRING_free(certflst);
+	if (!nocrl)
 		{
 		if (infile == NULL)
 			BIO_set_fp(in,stdin,BIO_NOCLOSE);
 		else
 			{
 			if (BIO_read_filename(in,infile) <= 0)
 				{
 				perror(infile);
 				goto end;
 				}
 			}
-    out = bio_open_default(outfile, 'w', outformat);
+		if 	(informat == FORMAT_ASN1)
-    if (out == NULL)
+			crl=d2i_X509_CRL_bio(in,NULL);
-        goto end;
+		else if (informat == FORMAT_PEM)
 			crl=PEM_read_bio_X509_CRL(in,NULL,NULL,NULL);
 		else	{
 			BIO_printf(bio_err,"bad input format specified for input crl\n");
 			goto end;
 			}
 		if (crl == NULL)
 			{
 			BIO_printf(bio_err,"unable to load CRL\n");
 			ERR_print_errors(bio_err);
 			goto end;
 			}
 		}
 	if ((p7=PKCS7_new()) == NULL) goto end;
 	if ((p7s=PKCS7_SIGNED_new()) == NULL) goto end;
 	p7->type=OBJ_nid2obj(NID_pkcs7_signed);
 	p7->d.sign=p7s;
 	p7s->contents->type=OBJ_nid2obj(NID_pkcs7_data);
-    if (outformat == FORMAT_ASN1)
+	if (!ASN1_INTEGER_set(p7s->version,1)) goto end;
-        i = i2d_PKCS7_bio(out, p7);
+	if ((crl_stack=sk_X509_CRL_new_null()) == NULL) goto end;
-    else if (outformat == FORMAT_PEM)
+	p7s->crl=crl_stack;
-        i = PEM_write_bio_PKCS7(out, p7);
+	if (crl != NULL)
-    if (!i) {
+		{
-        BIO_printf(bio_err, "unable to write pkcs7 object\n");
+		sk_X509_CRL_push(crl_stack,crl);
-        ERR_print_errors(bio_err);
+		crl=NULL; /* now part of p7 for OPENSSL_freeing */
-        goto end;
+		}
    }
    ret = 0;
 end:
    BIO_free(in);
    BIO_free_all(out);
    PKCS7_free(p7);
    X509_CRL_free(crl);
-    return (ret);
+	if ((cert_stack=sk_X509_new_null()) == NULL) goto end;
-}
+	p7s->cert=cert_stack;
-/*-
+	if(certflst) for(i = 0; i < sk_OPENSSL_STRING_num(certflst); i++) {
 		certfile = sk_OPENSSL_STRING_value(certflst, i);
 		if (add_certs_from_file(cert_stack,certfile) < 0)
 			{
 			BIO_printf(bio_err, "error loading certificates\n");
 			ERR_print_errors(bio_err);
 			goto end;
 			}
 	}
 	sk_OPENSSL_STRING_free(certflst);
 	if (outfile == NULL)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
 			{
 			perror(outfile);
 			goto end;
 			}
 		}
 	if 	(outformat == FORMAT_ASN1)
 		i=i2d_PKCS7_bio(out,p7);
 	else if (outformat == FORMAT_PEM)
 		i=PEM_write_bio_PKCS7(out,p7);
 	else	{
 		BIO_printf(bio_err,"bad output format specified for outfile\n");
 		goto end;
 		}
 	if (!i)
 		{
 		BIO_printf(bio_err,"unable to write pkcs7 object\n");
 		ERR_print_errors(bio_err);
 		goto end;
 		}
 	ret=0;
 end:
 	if (in != NULL) BIO_free(in);
 	if (out != NULL) BIO_free_all(out);
 	if (p7 != NULL) PKCS7_free(p7);
 	if (crl != NULL) X509_CRL_free(crl);
 	apps_shutdown();
 	OPENSSL_EXIT(ret);
 	}
 /*
 *----------------------------------------------------------------------
 * int add_certs_from_file
 *
- *      Read a list of certificates to be checked from a file.
+ *	Read a list of certificates to be checked from a file.
 *
 * Results:
- *      number of certs added if successful, -1 if not.
+ *	number of certs added if successful, -1 if not.
 *----------------------------------------------------------------------
 */
 static int add_certs_from_file(STACK_OF(X509) *stack, char *certfile)
-{
+	{
-    BIO *in = NULL;
+	BIO *in=NULL;
-    int count = 0;
+	int count=0;
-    int ret = -1;
+	int ret= -1;
-    STACK_OF(X509_INFO) *sk = NULL;
+	STACK_OF(X509_INFO) *sk=NULL;
-    X509_INFO *xi;
+	X509_INFO *xi;
-    in = BIO_new_file(certfile, "r");
+	in=BIO_new(BIO_s_file());
-    if (in == NULL) {
+	if ((in == NULL) || (BIO_read_filename(in,certfile) <= 0))
-        BIO_printf(bio_err, "error opening the file, %s\n", certfile);
+		{
-        goto end;
+		BIO_printf(bio_err,"error opening the file, %s\n",certfile);
-    }
+		goto end;
 		}
-    /* This loads from a file, a stack of x509/crl/pkey sets */
+	/* This loads from a file, a stack of x509/crl/pkey sets */
-    sk = PEM_X509_INFO_read_bio(in, NULL, NULL, NULL);
+	sk=PEM_X509_INFO_read_bio(in,NULL,NULL,NULL);
-    if (sk == NULL) {
+	if (sk == NULL) {
-        BIO_printf(bio_err, "error reading the file, %s\n", certfile);
+		BIO_printf(bio_err,"error reading the file, %s\n",certfile);
-        goto end;
+		goto end;
-    }
+	}
-    /* scan over it and pull out the CRL's */
+	/* scan over it and pull out the CRL's */
-    while (sk_X509_INFO_num(sk)) {
+	while (sk_X509_INFO_num(sk))
-        xi = sk_X509_INFO_shift(sk);
+		{
-        if (xi->x509 != NULL) {
+		xi=sk_X509_INFO_shift(sk);
-            sk_X509_push(stack, xi->x509);
+		if (xi->x509 != NULL)
-            xi->x509 = NULL;
+			{
-            count++;
+			sk_X509_push(stack,xi->x509);
-        }
+			xi->x509=NULL;
-        X509_INFO_free(xi);
+			count++;
-    }
+			}
 		X509_INFO_free(xi);
 		}
 	ret=count;
 end:
 	/* never need to OPENSSL_free x */
 	if (in != NULL) BIO_free(in);
 	if (sk != NULL) sk_X509_INFO_free(sk);
 	return(ret);
 	}
    ret = count;
 end:
    /* never need to OPENSSL_free x */
    BIO_free(in);
    sk_X509_INFO_free(sk);
    return (ret);
 }
--- a/apps/dgst.c
+++ b/apps/dgst.c
--- a/apps/dh.c
+++ b/apps/dh.c
@@ -0,0 +1,355 @@
 /* apps/dh.c */
 /* obsoleted by dhparam.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
 #include <openssl/opensslconf.h>	/* for OPENSSL_NO_DH */
 #ifndef OPENSSL_NO_DH
 #include <stdio.h>
 #include <stdlib.h>
 #include <time.h>
 #include <string.h>
 #include "apps.h"
 #include <openssl/bio.h>
 #include <openssl/err.h>
 #include <openssl/bn.h>
 #include <openssl/dh.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #undef PROG
 #define PROG	dh_main
 /* -inform arg	- input format - default PEM (DER or PEM)
 * -outform arg - output format - default PEM
 * -in arg	- input file - default stdin
 * -out arg	- output file - default stdout
 * -check	- check the parameters are ok
 * -noout
 * -text
 * -C
 */
 int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	DH *dh=NULL;
 	int i,badops=0,text=0;
 	BIO *in=NULL,*out=NULL;
 	int informat,outformat,check=0,noout=0,C=0,ret=1;
 	char *infile,*outfile,*prog;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine;
 #endif
 	apps_startup();
 	if (bio_err == NULL)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	if (!load_config(bio_err, NULL))
 		goto end;
 #ifndef OPENSSL_NO_ENGINE
 	engine=NULL;
 #endif
 	infile=NULL;
 	outfile=NULL;
 	informat=FORMAT_PEM;
 	outformat=FORMAT_PEM;
 	prog=argv[0];
 	argc--;
 	argv++;
 	while (argc >= 1)
 		{
 		if 	(strcmp(*argv,"-inform") == 0)
 			{
 			if (--argc < 1) goto bad;
 			informat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-outform") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outformat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-in") == 0)
 			{
 			if (--argc < 1) goto bad;
 			infile= *(++argv);
 			}
 		else if (strcmp(*argv,"-out") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 #endif
 		else if (strcmp(*argv,"-check") == 0)
 			check=1;
 		else if (strcmp(*argv,"-text") == 0)
 			text=1;
 		else if (strcmp(*argv,"-C") == 0)
 			C=1;
 		else if (strcmp(*argv,"-noout") == 0)
 			noout=1;
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
 			badops=1;
 			break;
 			}
 		argc--;
 		argv++;
 		}
 	if (badops)
 		{
 bad:
 		BIO_printf(bio_err,"%s [options] <infile >outfile\n",prog);
 		BIO_printf(bio_err,"where options are\n");
 		BIO_printf(bio_err," -inform arg   input format - one of DER PEM\n");
 		BIO_printf(bio_err," -outform arg  output format - one of DER PEM\n");
 		BIO_printf(bio_err," -in arg       input file\n");
 		BIO_printf(bio_err," -out arg      output file\n");
 		BIO_printf(bio_err," -check        check the DH parameters\n");
 		BIO_printf(bio_err," -text         print a text form of the DH parameters\n");
 		BIO_printf(bio_err," -C            Output C code\n");
 		BIO_printf(bio_err," -noout        no output\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
 #endif
 		goto end;
 		}
 	ERR_load_crypto_strings();
 #ifndef OPENSSL_NO_ENGINE
        setup_engine(bio_err, engine, 0);
 #endif
 	in=BIO_new(BIO_s_file());
 	out=BIO_new(BIO_s_file());
 	if ((in == NULL) || (out == NULL))
 		{
 		ERR_print_errors(bio_err);
 		goto end;
 		}
 	if (infile == NULL)
 		BIO_set_fp(in,stdin,BIO_NOCLOSE);
 	else
 		{
 		if (BIO_read_filename(in,infile) <= 0)
 			{
 			perror(infile);
 			goto end;
 			}
 		}
 	if (outfile == NULL)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
 			{
 			perror(outfile);
 			goto end;
 			}
 		}
 	if	(informat == FORMAT_ASN1)
 		dh=d2i_DHparams_bio(in,NULL);
 	else if (informat == FORMAT_PEM)
 		dh=PEM_read_bio_DHparams(in,NULL,NULL,NULL);
 	else
 		{
 		BIO_printf(bio_err,"bad input format specified\n");
 		goto end;
 		}
 	if (dh == NULL)
 		{
 		BIO_printf(bio_err,"unable to load DH parameters\n");
 		ERR_print_errors(bio_err);
 		goto end;
 		}
 	if (text)
 		{
 		DHparams_print(out,dh);
 #ifdef undef
 		printf("p=");
 		BN_print(stdout,dh->p);
 		printf("\ng=");
 		BN_print(stdout,dh->g);
 		printf("\n");
 		if (dh->length != 0)
 			printf("recommended private length=%ld\n",dh->length);
 #endif
 		}
 	if (check)
 		{
 		if (!DH_check(dh,&i))
 			{
 			ERR_print_errors(bio_err);
 			goto end;
 			}
 		if (i & DH_CHECK_P_NOT_PRIME)
 			printf("p value is not prime\n");
 		if (i & DH_CHECK_P_NOT_SAFE_PRIME)
 			printf("p value is not a safe prime\n");
 		if (i & DH_UNABLE_TO_CHECK_GENERATOR)
 			printf("unable to check the generator value\n");
 		if (i & DH_NOT_SUITABLE_GENERATOR)
 			printf("the g value is not a generator\n");
 		if (i == 0)
 			printf("DH parameters appear to be ok.\n");
 		}
 	if (C)
 		{
 		unsigned char *data;
 		int len,l,bits;
 		len=BN_num_bytes(dh->p);
 		bits=BN_num_bits(dh->p);
 		data=(unsigned char *)OPENSSL_malloc(len);
 		if (data == NULL)
 			{
 			perror("OPENSSL_malloc");
 			goto end;
 			}
 		l=BN_bn2bin(dh->p,data);
 		printf("static unsigned char dh%d_p[]={",bits);
 		for (i=0; i<l; i++)
 			{
 			if ((i%12) == 0) printf("\n\t");
 			printf("0x%02X,",data[i]);
 			}
 		printf("\n\t};\n");
 		l=BN_bn2bin(dh->g,data);
 		printf("static unsigned char dh%d_g[]={",bits);
 		for (i=0; i<l; i++)
 			{
 			if ((i%12) == 0) printf("\n\t");
 			printf("0x%02X,",data[i]);
 			}
 		printf("\n\t};\n\n");
 		printf("DH *get_dh%d()\n\t{\n",bits);
 		printf("\tDH *dh;\n\n");
 		printf("\tif ((dh=DH_new()) == NULL) return(NULL);\n");
 		printf("\tdh->p=BN_bin2bn(dh%d_p,sizeof(dh%d_p),NULL);\n",
 			bits,bits);
 		printf("\tdh->g=BN_bin2bn(dh%d_g,sizeof(dh%d_g),NULL);\n",
 			bits,bits);
 		printf("\tif ((dh->p == NULL) || (dh->g == NULL))\n");
 		printf("\t\treturn(NULL);\n");
 		printf("\treturn(dh);\n\t}\n");
 		OPENSSL_free(data);
 		}
 	if (!noout)
 		{
 		if 	(outformat == FORMAT_ASN1)
 			i=i2d_DHparams_bio(out,dh);
 		else if (outformat == FORMAT_PEM)
 			i=PEM_write_bio_DHparams(out,dh);
 		else	{
 			BIO_printf(bio_err,"bad output format specified for outfile\n");
 			goto end;
 			}
 		if (!i)
 			{
 			BIO_printf(bio_err,"unable to write DH parameters\n");
 			ERR_print_errors(bio_err);
 			goto end;
 			}
 		}
 	ret=0;
 end:
 	if (in != NULL) BIO_free(in);
 	if (out != NULL) BIO_free_all(out);
 	if (dh != NULL) DH_free(dh);
 	apps_shutdown();
 	OPENSSL_EXIT(ret);
 	}
 #else /* !OPENSSL_NO_DH */
 # if PEDANTIC
 static void *dummy=&dummy;
 # endif
 #endif
--- a/apps/dh512.pem
+++ b/apps/dh512.pem
@@ -0,0 +1,9 @@
 -----BEGIN DH PARAMETERS-----
 MEYCQQD1Kv884bEpQBgRjXyEpwpy1obEAxnIByl6ypUM2Zafq9AKUJsCRtMIPWak
 XUGfnHy9iUsiGSa6q6Jew1XpKgVfAgEC
 -----END DH PARAMETERS-----
 These are the 512 bit DH parameters from "Assigned Number for SKIP Protocols"
 (http://www.skip-vpn.org/spec/numbers.html).
 See there for how they were generated.
 Note that g is not a generator, but this is not a problem since p is a safe prime.
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -1,24 +1,25 @@
 /* apps/dhparam.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
- *
+ * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
- *
+ * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@@ -33,10 +34,10 @@
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -48,7 +49,7 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
+ * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
@@ -62,7 +63,7 @@
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
+ *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
@@ -108,346 +109,452 @@
 *
 */
-#include <openssl/opensslconf.h> /* for OPENSSL_NO_DH */
+#include <openssl/opensslconf.h>	/* for OPENSSL_NO_DH */
 #ifndef OPENSSL_NO_DH
-# include <stdio.h>
+#include <stdio.h>
-# include <stdlib.h>
+#include <stdlib.h>
-# include <time.h>
+#include <time.h>
-# include <string.h>
+#include <string.h>
-# include "apps.h"
+#include "apps.h"
-# include <openssl/bio.h>
+#include <openssl/bio.h>
-# include <openssl/err.h>
+#include <openssl/err.h>
-# include <openssl/bn.h>
+#include <openssl/bn.h>
-# include <openssl/dh.h>
+#include <openssl/dh.h>
-# include <openssl/x509.h>
+#include <openssl/x509.h>
-# include <openssl/pem.h>
+#include <openssl/pem.h>
-# ifndef OPENSSL_NO_DSA
+#ifndef OPENSSL_NO_DSA
-#  include <openssl/dsa.h>
+#include <openssl/dsa.h>
-# endif
+#endif
-# define DEFBITS 2048
+#undef PROG
 #define PROG	dhparam_main
-static int dh_cb(int p, int n, BN_GENCB *cb);
+#define DEFBITS	512
-typedef enum OPTION_choice {
+/* -inform arg	- input format - default PEM (DER or PEM)
-    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+ * -outform arg - output format - default PEM
-    OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT,
+ * -in arg	- input file - default stdin
-    OPT_ENGINE, OPT_CHECK, OPT_TEXT, OPT_NOOUT,
+ * -out arg	- output file - default stdout
-    OPT_RAND, OPT_DSAPARAM, OPT_C, OPT_2, OPT_5
+ * -dsaparam  - read or generate DSA parameters, convert to DH
-} OPTION_CHOICE;
+ * -check	- check the parameters are ok
 * -noout
 * -text
 * -C
 */
-OPTIONS dhparam_options[] = {
+static int MS_CALLBACK dh_cb(int p, int n, BN_GENCB *cb);
    {OPT_HELP_STR, 1, '-', "Usage: %s [flags] [numbits]\n"},
    {OPT_HELP_STR, 1, '-', "Valid options are:\n"},
    {"help", OPT_HELP, '-', "Display this summary"},
    {"in", OPT_IN, '<', "Input file"},
    {"inform", OPT_INFORM, 'F', "Input format, DER or PEM"},
    {"outform", OPT_OUTFORM, 'F', "Output format, DER or PEM"},
    {"out", OPT_OUT, '>', "Output file"},
    {"check", OPT_CHECK, '-', "Check the DH parameters"},
    {"text", OPT_TEXT, '-', "Print a text form of the DH parameters"},
    {"noout", OPT_NOOUT, '-'},
    {"rand", OPT_RAND, 's',
     "Load the file(s) into the random number generator"},
    {"C", OPT_C, '-', "Print C code"},
    {"2", OPT_2, '-', "Generate parameters using 2 as the generator value"},
    {"5", OPT_5, '-', "Generate parameters using 5 as the generator value"},
 # ifndef OPENSSL_NO_DSA
    {"dsaparam", OPT_DSAPARAM, '-',
     "Read or generate DSA parameters, convert to DH"},
 # endif
 # ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
 # endif
    {NULL}
 };
-int dhparam_main(int argc, char **argv)
+int MAIN(int, char **);
 {
    BIO *in = NULL, *out = NULL;
    DH *dh = NULL;
    char *infile = NULL, *outfile = NULL, *prog, *inrand = NULL;
    int dsaparam = 0, i, text = 0, C = 0, ret = 1, num = 0, g = 0;
    int informat = FORMAT_PEM, outformat = FORMAT_PEM, check = 0, noout = 0;
    OPTION_CHOICE o;
-    prog = opt_init(argc, argv, dhparam_options);
+int MAIN(int argc, char **argv)
-    while ((o = opt_next()) != OPT_EOF) {
+	{
-        switch (o) {
+	DH *dh=NULL;
-        case OPT_EOF:
+	int i,badops=0,text=0;
-        case OPT_ERR:
+#ifndef OPENSSL_NO_DSA
- opthelp:
+	int dsaparam=0;
-            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+#endif
-            goto end;
+	BIO *in=NULL,*out=NULL;
-        case OPT_HELP:
+	int informat,outformat,check=0,noout=0,C=0,ret=1;
-            opt_help(dhparam_options);
+	char *infile,*outfile,*prog;
-            ret = 0;
+	char *inrand=NULL;
-            goto end;
+#ifndef OPENSSL_NO_ENGINE
-        case OPT_INFORM:
+	char *engine=NULL;
-            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
+#endif
-                goto opthelp;
+	int num = 0, g = 0;
            break;
        case OPT_OUTFORM:
            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
                goto opthelp;
            break;
        case OPT_IN:
            infile = opt_arg();
            break;
        case OPT_OUT:
            outfile = opt_arg();
            break;
        case OPT_ENGINE:
            (void)setup_engine(opt_arg(), 0);
            break;
        case OPT_CHECK:
            check = 1;
            break;
        case OPT_TEXT:
            text = 1;
            break;
        case OPT_DSAPARAM:
            dsaparam = 1;
            break;
        case OPT_C:
            C = 1;
            break;
        case OPT_2:
            g = 2;
            break;
        case OPT_5:
            g = 5;
            break;
        case OPT_NOOUT:
            noout = 1;
            break;
        case OPT_RAND:
            inrand = opt_arg();
            break;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
-    if (argv[0] && (!opt_int(argv[0], &num) || num <= 0))
+	apps_startup();
        goto end;
-    if (g && !num)
+	if (bio_err == NULL)
-        num = DEFBITS;
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
-# ifndef OPENSSL_NO_DSA
+	if (!load_config(bio_err, NULL))
-    if (dsaparam && g) {
+		goto end;
        BIO_printf(bio_err,
                   "generator may not be chosen for DSA parameters\n");
        goto end;
    }
 # endif
    /* DH parameters */
    if (num && !g)
        g = 2;
-    if (num) {
+	infile=NULL;
 	outfile=NULL;
 	informat=FORMAT_PEM;
 	outformat=FORMAT_PEM;
-        BN_GENCB *cb;
+	prog=argv[0];
-        cb = BN_GENCB_new();
+	argc--;
-        if (cb == NULL) {
+	argv++;
-            ERR_print_errors(bio_err);
+	while (argc >= 1)
-            goto end;
+		{
-        }
+		if 	(strcmp(*argv,"-inform") == 0)
 			{
 			if (--argc < 1) goto bad;
 			informat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-outform") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outformat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-in") == 0)
 			{
 			if (--argc < 1) goto bad;
 			infile= *(++argv);
 			}
 		else if (strcmp(*argv,"-out") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 #endif
 		else if (strcmp(*argv,"-check") == 0)
 			check=1;
 		else if (strcmp(*argv,"-text") == 0)
 			text=1;
 #ifndef OPENSSL_NO_DSA
 		else if (strcmp(*argv,"-dsaparam") == 0)
 			dsaparam=1;
 #endif
 		else if (strcmp(*argv,"-C") == 0)
 			C=1;
 		else if (strcmp(*argv,"-noout") == 0)
 			noout=1;
 		else if (strcmp(*argv,"-2") == 0)
 			g=2;
 		else if (strcmp(*argv,"-5") == 0)
 			g=5;
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) goto bad;
 			inrand= *(++argv);
 			}
 		else if (((sscanf(*argv,"%d",&num) == 0) || (num <= 0)))
 			goto bad;
 		argv++;
 		argc--;
 		}
-        BN_GENCB_set(cb, dh_cb, bio_err);
+	if (badops)
-        if (!app_RAND_load_file(NULL, 1) && inrand == NULL) {
+		{
-            BIO_printf(bio_err,
+bad:
-                       "warning, not much extra random data, consider using the -rand option\n");
+		BIO_printf(bio_err,"%s [options] [numbits]\n",prog);
-        }
+		BIO_printf(bio_err,"where options are\n");
-        if (inrand != NULL)
+		BIO_printf(bio_err," -inform arg   input format - one of DER PEM\n");
-            BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
+		BIO_printf(bio_err," -outform arg  output format - one of DER PEM\n");
-                       app_RAND_load_files(inrand));
+		BIO_printf(bio_err," -in arg       input file\n");
 		BIO_printf(bio_err," -out arg      output file\n");
 #ifndef OPENSSL_NO_DSA
 		BIO_printf(bio_err," -dsaparam     read or generate DSA parameters, convert to DH\n");
 #endif
 		BIO_printf(bio_err," -check        check the DH parameters\n");
 		BIO_printf(bio_err," -text         print a text form of the DH parameters\n");
 		BIO_printf(bio_err," -C            Output C code\n");
 		BIO_printf(bio_err," -2            generate parameters using  2 as the generator value\n");
 		BIO_printf(bio_err," -5            generate parameters using  5 as the generator value\n");
 		BIO_printf(bio_err," numbits       number of bits in to generate (default 512)\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
 #endif
 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,"               - load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,"               the random number generator\n");
 		BIO_printf(bio_err," -noout        no output\n");
 		goto end;
 		}
-# ifndef OPENSSL_NO_DSA
+	ERR_load_crypto_strings();
        if (dsaparam) {
            DSA *dsa = DSA_new();
-            BIO_printf(bio_err,
+#ifndef OPENSSL_NO_ENGINE
-                       "Generating DSA parameters, %d bit long prime\n", num);
+        setup_engine(bio_err, engine, 0);
-            if (dsa == NULL
+#endif
                || !DSA_generate_parameters_ex(dsa, num, NULL, 0, NULL, NULL,
                                               cb)) {
                DSA_free(dsa);
                BN_GENCB_free(cb);
                ERR_print_errors(bio_err);
                goto end;
            }
-            dh = DSA_dup_DH(dsa);
+	if (g && !num)
-            DSA_free(dsa);
+		num = DEFBITS;
            if (dh == NULL) {
                BN_GENCB_free(cb);
                ERR_print_errors(bio_err);
                goto end;
            }
        } else
 # endif
        {
            dh = DH_new();
            BIO_printf(bio_err,
                       "Generating DH parameters, %d bit long safe prime, generator %d\n",
                       num, g);
            BIO_printf(bio_err, "This is going to take a long time\n");
            if (dh == NULL || !DH_generate_parameters_ex(dh, num, g, cb)) {
                BN_GENCB_free(cb);
                ERR_print_errors(bio_err);
                goto end;
            }
        }
-        BN_GENCB_free(cb);
+#ifndef OPENSSL_NO_DSA
-        app_RAND_write_file(NULL);
+	if (dsaparam)
-    } else {
+		{
 		if (g)
 			{
 			BIO_printf(bio_err, "generator may not be chosen for DSA parameters\n");
 			goto end;
 			}
 		}
 	else
 #endif
 		{
 		/* DH parameters */
 		if (num && !g)
 			g = 2;
 		}
-        in = bio_open_default(infile, 'r', informat);
+	if(num) {
        if (in == NULL)
            goto end;
-# ifndef OPENSSL_NO_DSA
+		BN_GENCB cb;
-        if (dsaparam) {
+		BN_GENCB_set(&cb, dh_cb, bio_err);
-            DSA *dsa;
+		if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL)
 			{
 			BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
 			}
 		if (inrand != NULL)
 			BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
 				app_RAND_load_files(inrand));
-            if (informat == FORMAT_ASN1)
+#ifndef OPENSSL_NO_DSA
-                dsa = d2i_DSAparams_bio(in, NULL);
+		if (dsaparam)
-            else                /* informat == FORMAT_PEM */
+			{
-                dsa = PEM_read_bio_DSAparams(in, NULL, NULL, NULL);
+			DSA *dsa = DSA_new();
 			BIO_printf(bio_err,"Generating DSA parameters, %d bit long prime\n",num);
 			if(!dsa || !DSA_generate_parameters_ex(dsa, num,
 						NULL, 0, NULL, NULL, &cb))
 				{
 				if(dsa) DSA_free(dsa);
 				ERR_print_errors(bio_err);
 				goto end;
 				}
-            if (dsa == NULL) {
+			dh = DSA_dup_DH(dsa);
-                BIO_printf(bio_err, "unable to load DSA parameters\n");
+			DSA_free(dsa);
-                ERR_print_errors(bio_err);
+			if (dh == NULL)
-                goto end;
+				{
-            }
+				ERR_print_errors(bio_err);
 				goto end;
 				}
 			}
 		else
 #endif
 			{
 			dh = DH_new();
 			BIO_printf(bio_err,"Generating DH parameters, %d bit long safe prime, generator %d\n",num,g);
 			BIO_printf(bio_err,"This is going to take a long time\n");
 			if(!dh || !DH_generate_parameters_ex(dh, num, g, &cb))
 				{
 				if(dh) DH_free(dh);
 				ERR_print_errors(bio_err);
 				goto end;
 				}
 			}
-            dh = DSA_dup_DH(dsa);
+		app_RAND_write_file(NULL, bio_err);
-            DSA_free(dsa);
+	} else {
            if (dh == NULL) {
                ERR_print_errors(bio_err);
                goto end;
            }
        } else
 # endif
        {
            if (informat == FORMAT_ASN1)
                dh = d2i_DHparams_bio(in, NULL);
            else                /* informat == FORMAT_PEM */
                dh = PEM_read_bio_DHparams(in, NULL, NULL, NULL);
-            if (dh == NULL) {
+		in=BIO_new(BIO_s_file());
-                BIO_printf(bio_err, "unable to load DH parameters\n");
+		if (in == NULL)
-                ERR_print_errors(bio_err);
+			{
-                goto end;
+			ERR_print_errors(bio_err);
-            }
+			goto end;
-        }
+			}
 		if (infile == NULL)
 			BIO_set_fp(in,stdin,BIO_NOCLOSE);
 		else
 			{
 			if (BIO_read_filename(in,infile) <= 0)
 				{
 				perror(infile);
 				goto end;
 				}
 			}
-        /* dh != NULL */
+		if	(informat != FORMAT_ASN1 && informat != FORMAT_PEM)
-    }
+			{
 			BIO_printf(bio_err,"bad input format specified\n");
 			goto end;
 			}
-    out = bio_open_default(outfile, 'w', outformat);
+#ifndef OPENSSL_NO_DSA
-    if (out == NULL)
+		if (dsaparam)
-        goto end;
+			{
 			DSA *dsa;
 			if (informat == FORMAT_ASN1)
 				dsa=d2i_DSAparams_bio(in,NULL);
 			else /* informat == FORMAT_PEM */
 				dsa=PEM_read_bio_DSAparams(in,NULL,NULL,NULL);
 			if (dsa == NULL)
 				{
 				BIO_printf(bio_err,"unable to load DSA parameters\n");
 				ERR_print_errors(bio_err);
 				goto end;
 				}
 			dh = DSA_dup_DH(dsa);
 			DSA_free(dsa);
 			if (dh == NULL)
 				{
 				ERR_print_errors(bio_err);
 				goto end;
 				}
 			}
 		else
 #endif
 			{
 			if (informat == FORMAT_ASN1)
 				dh=d2i_DHparams_bio(in,NULL);
 			else /* informat == FORMAT_PEM */
 				dh=PEM_read_bio_DHparams(in,NULL,NULL,NULL);
 			if (dh == NULL)
 				{
 				BIO_printf(bio_err,"unable to load DH parameters\n");
 				ERR_print_errors(bio_err);
 				goto end;
 				}
 			}
 		/* dh != NULL */
 	}
 	out=BIO_new(BIO_s_file());
 	if (out == NULL)
 		{
 		ERR_print_errors(bio_err);
 		goto end;
 		}
 	if (outfile == NULL)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
 			{
 			perror(outfile);
 			goto end;
 			}
 		}
    if (text) {
        DHparams_print(out, dh);
    }
-    if (check) {
+	if (text)
-        if (!DH_check(dh, &i)) {
+		{
-            ERR_print_errors(bio_err);
+		DHparams_print(out,dh);
-            goto end;
+		}
-        }
+	
-        if (i & DH_CHECK_P_NOT_PRIME)
+	if (check)
-            printf("p value is not prime\n");
+		{
-        if (i & DH_CHECK_P_NOT_SAFE_PRIME)
+		if (!DH_check(dh,&i))
-            printf("p value is not a safe prime\n");
+			{
-        if (i & DH_UNABLE_TO_CHECK_GENERATOR)
+			ERR_print_errors(bio_err);
-            printf("unable to check the generator value\n");
+			goto end;
-        if (i & DH_NOT_SUITABLE_GENERATOR)
+			}
-            printf("the g value is not a generator\n");
+		if (i & DH_CHECK_P_NOT_PRIME)
-        if (i == 0)
+			printf("p value is not prime\n");
-            printf("DH parameters appear to be ok.\n");
+		if (i & DH_CHECK_P_NOT_SAFE_PRIME)
-    }
+			printf("p value is not a safe prime\n");
-    if (C) {
+		if (i & DH_UNABLE_TO_CHECK_GENERATOR)
-        unsigned char *data;
+			printf("unable to check the generator value\n");
-        int len, bits;
+		if (i & DH_NOT_SUITABLE_GENERATOR)
 			printf("the g value is not a generator\n");
 		if (i == 0)
 			printf("DH parameters appear to be ok.\n");
 		}
 	if (C)
 		{
 		unsigned char *data;
 		int len,l,bits;
-        len = BN_num_bytes(dh->p);
+		len=BN_num_bytes(dh->p);
-        bits = BN_num_bits(dh->p);
+		bits=BN_num_bits(dh->p);
-        data = app_malloc(len, "print a BN");
+		data=(unsigned char *)OPENSSL_malloc(len);
-        BIO_printf(out, "#ifndef HEADER_DH_H\n"
+		if (data == NULL)
-                        "# include <openssl/dh.h>\n"
+			{
-                        "#endif\n"
+			perror("OPENSSL_malloc");
-                        "\n");
+			goto end;
-        BIO_printf(out, "DH *get_dh%d()\n{\n", bits);
+			}
-        print_bignum_var(out, dh->p, "dhp", bits, data);
+		printf("#ifndef HEADER_DH_H\n"
-        print_bignum_var(out, dh->g, "dhg", bits, data);
+		       "#include <openssl/dh.h>\n"
-        BIO_printf(out, "    DH *dh = DN_new();\n"
+		       "#endif\n");
-                        "\n"
+		printf("DH *get_dh%d()\n\t{\n",bits);
                        "    if (dh == NULL)\n"
                        "        return NULL;\n");
        BIO_printf(out, "    dh->p = BN_bin2bn(dhp_%d, sizeof (dhp_%d), NULL);\n",
               bits, bits);
        BIO_printf(out, "    dh->g = BN_bin2bn(dhg_%d, sizeof (dhg_%d), NULL);\n",
               bits, bits);
        BIO_printf(out, "    if (!dh->p || !dh->g) {\n"
                        "        DH_free(dh);\n"
                        "        return NULL;\n"
                        "    }\n");
        if (dh->length)
            BIO_printf(out,
                        "    dh->length = %ld;\n", dh->length);
        BIO_printf(out, "    return dh;\n}\n");
        OPENSSL_free(data);
    }
-    if (!noout) {
+		l=BN_bn2bin(dh->p,data);
-        if (outformat == FORMAT_ASN1)
+		printf("\tstatic unsigned char dh%d_p[]={",bits);
-            i = i2d_DHparams_bio(out, dh);
+		for (i=0; i<l; i++)
-        else if (dh->q)
+			{
-            i = PEM_write_bio_DHxparams(out, dh);
+			if ((i%12) == 0) printf("\n\t\t");
-        else
+			printf("0x%02X,",data[i]);
-            i = PEM_write_bio_DHparams(out, dh);
+			}
-        if (!i) {
+		printf("\n\t\t};\n");
            BIO_printf(bio_err, "unable to write DH parameters\n");
            ERR_print_errors(bio_err);
            goto end;
        }
    }
    ret = 0;
 end:
    BIO_free(in);
    BIO_free_all(out);
    DH_free(dh);
    return (ret);
 }
-static int dh_cb(int p, int n, BN_GENCB *cb)
+		l=BN_bn2bin(dh->g,data);
-{
+		printf("\tstatic unsigned char dh%d_g[]={",bits);
-    char c = '*';
+		for (i=0; i<l; i++)
 			{
 			if ((i%12) == 0) printf("\n\t\t");
 			printf("0x%02X,",data[i]);
 			}
 		printf("\n\t\t};\n");
-    if (p == 0)
+		printf("\tDH *dh;\n\n");
-        c = '.';
+		printf("\tif ((dh=DH_new()) == NULL) return(NULL);\n");
-    if (p == 1)
+		printf("\tdh->p=BN_bin2bn(dh%d_p,sizeof(dh%d_p),NULL);\n",
-        c = '+';
+			bits,bits);
-    if (p == 2)
+		printf("\tdh->g=BN_bin2bn(dh%d_g,sizeof(dh%d_g),NULL);\n",
-        c = '*';
+			bits,bits);
-    if (p == 3)
+		printf("\tif ((dh->p == NULL) || (dh->g == NULL))\n");
-        c = '\n';
+		printf("\t\t{ DH_free(dh); return(NULL); }\n");
-    BIO_write(BN_GENCB_get_arg(cb), &c, 1);
+		if (dh->length)
-    (void)BIO_flush(BN_GENCB_get_arg(cb));
+			printf("\tdh->length = %ld;\n", dh->length);
-    return 1;
+		printf("\treturn(dh);\n\t}\n");
-}
+		OPENSSL_free(data);
 		}
-#else                           /* !OPENSSL_NO_DH */
+
 	if (!noout)
 		{
 		if 	(outformat == FORMAT_ASN1)
 			i=i2d_DHparams_bio(out,dh);
 		else if (outformat == FORMAT_PEM)
 			i=PEM_write_bio_DHparams(out,dh);
 		else	{
 			BIO_printf(bio_err,"bad output format specified for outfile\n");
 			goto end;
 			}
 		if (!i)
 			{
 			BIO_printf(bio_err,"unable to write DH parameters\n");
 			ERR_print_errors(bio_err);
 			goto end;
 			}
 		}
 	ret=0;
 end:
 	if (in != NULL) BIO_free(in);
 	if (out != NULL) BIO_free_all(out);
 	if (dh != NULL) DH_free(dh);
 	apps_shutdown();
 	OPENSSL_EXIT(ret);
 	}
 /* dh_cb is identical to dsa_cb in apps/dsaparam.c */
 static int MS_CALLBACK dh_cb(int p, int n, BN_GENCB *cb)
 	{
 	char c='*';
 	if (p == 0) c='.';
 	if (p == 1) c='+';
 	if (p == 2) c='*';
 	if (p == 3) c='\n';
 	BIO_write(cb->arg,&c,1);
 	(void)BIO_flush(cb->arg);
 #ifdef LINT
 	p=n;
 #endif
 	return 1;
 	}
 #else /* !OPENSSL_NO_DH */
 # if PEDANTIC
-static void *dummy = &dummy;
+static void *dummy=&dummy;
 # endif
 #endif
--- a/apps/dsa-ca.pem
+++ b/apps/dsa-ca.pem
@@ -11,37 +11,30 @@ tOFDITEAl+YZZariXOD7tdOSOl9RLMPC6+daHKS9e68u3enxhqnDGQIUB78dhW77
 J6zsFbSEHaQGUmfSeoM=
 -----END DSA PRIVATE KEY-----
 -----BEGIN CERTIFICATE REQUEST-----
-MIICVjCCAhMCAQAwUjELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
+MIICUjCCAhECAQAwUjELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx
-ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDELMAkGA1UEAwwCQ0Ew
+ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDELMAkGA1UEAxMCQ0Ew
-ggG2MIIBKwYHKoZIzjgEATCCAR4CgYEApz9uhb9Bail98J9HGTCQmgkd2mozHsU9
+ggG0MIIBKQYFKw4DAgwwggEeAoGBAKc/boW/QWopffCfRxkwkJoJHdpqMx7FPYaW
-hpazFeBTLo/gWYJzkD51MZlHelL7heTZpns4m2iKhJuHxh61foZLU1tZz3FlGYhu
+sxXgUy6P4FmCc5A+dTGZR3pS+4Xk2aZ7OJtoioSbh8YetX6GS1NbWc9xZRmIbs5m
-zmaua4g2++wo3MLXpbvlLDkmS9qacBiVN5UQViP2Fe26BF7eOU/9t0MftaRlb82A
+rmuINvvsKNzC16W75Sw5JkvamnAYlTeVEFYj9hXtugRe3jlP/bdDH7WkZW/NgBHk
-EeRwlVtQzUkCFQD3BzHt+mwGA9WFihysnGXnUGZlbwKBgE3fTAOmkYr1GW9QRiWZ
+cJVbUM1JAhUA9wcx7fpsBgPVhYocrJxl51BmZW8CgYBN30wDppGK9RlvUEYlmeVo
-5WhvMONp4eWzXZi7KIZI/N6ZBD9fiAyccyQNIF25Kpo/GJYn5GKHwXt0YlP8YSeo
+bzDjaeHls12YuyiGSPzemQQ/X4gMnHMkDSBduSqaPxiWJ+Rih8F7dGJT/GEnqHqR
-epEJnbbxTZxUD1gG7kl0B85VfiPOFvbK3FphAX7JcbVN9tw0KYdo9l4gk7Pb9eQJ
+CZ228U2cVA9YBu5JdAfOVX4jzhb2ytxaYQF+yXG1TfbcNCmHaPZeIJOz2/XkCWxB
-bEEXlZLrAbVzpWp+2DLtDgK4A4GEAAKBgBqmWXqKrP1etkWWTYYJVwH4qKHFacfs
+F5WS6wG1c6Vqftgy7Q4CuAOBhAACgYAapll6iqz9XrZFlk2GCVcB+KihxWnH7IuH
-i4e9IvD1hSslqFwEeZum+3j3iUXiALnDdY8z69cmh9u6yTgahAQSxA0wNpqHibj2
+vSLw9YUrJahcBHmbpvt494lF4gC5w3WPM+vXJofbusk4GoQEEsQNMDaah4m49uUq
-5SoDKU5UUkkle6KtUn6j7RO04UMhMQCX5hllquJc4Pu105I6X1Esw8Lr51ocpL17
+AylOVFJJJXuirVJ+o+0TtOFDITEAl+YZZariXOD7tdOSOl9RLMPC6+daHKS9e68u
-ry7d6fGGqcMZoAAwCwYJYIZIAWUDBAMCAzAAMC0CFCp7rUwGJNtxK6Aqo6k6US+S
+3enxhqnDGaAAMAkGBSsOAwIbBQADMAAwLQIVAJGVuFsG/0DBuSZ0jF7ypdU0/G0v
-KP8sAhUAyfSi8Zs3QAvkJoFG0IMRaq8M03I=
+AhQfeF5BoMMDbX/kidUVpQ6gadPlZA==
 -----END CERTIFICATE REQUEST-----
 -----BEGIN CERTIFICATE-----
-MIIDMDCCAuygAwIBAgIBAjALBglghkgBZQMEAwIwUzELMAkGA1UEBhMCQVUxEzAR
+MIIBrjCCAWwCAQswCQYFKw4DAhsFADBTMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
-BgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5
+U29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQww
-IEx0ZDEMMAoGA1UEAwwDUENBMCAXDTE2MDExMzIxNDE0OVoYDzMwMTUwNTE2MjE0
+CgYDVQQDEwNQQ0EwHhcNOTcwNjE1MDIxNDI5WhcNOTcwNzE1MDIxNDI5WjBSMQsw
-MTQ5WjBSMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UE
+CQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJu
-CgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQswCQYDVQQDDAJDQTCCAbYwggEr
+ZXQgV2lkZ2l0cyBQdHkgTHRkMQswCQYDVQQDEwJDQTCBkjAJBgUrDgMCDAUAA4GE
-BgcqhkjOOAQBMIIBHgKBgQCnP26Fv0FqKX3wn0cZMJCaCR3aajMexT2GlrMV4FMu
+AAKBgBqmWXqKrP1etkWWTYYJVwH4qKHFacfsi4e9IvD1hSslqFwEeZum+3j3iUXi
-j+BZgnOQPnUxmUd6UvuF5NmmezibaIqEm4fGHrV+hktTW1nPcWUZiG7OZq5riDb7
+ALnDdY8z69cmh9u6yTgahAQSxA0wNpqHibj25SoDKU5UUkkle6KtUn6j7RO04UMh
-7Cjcwtelu+UsOSZL2ppwGJU3lRBWI/YV7boEXt45T/23Qx+1pGVvzYAR5HCVW1DN
+MQCX5hllquJc4Pu105I6X1Esw8Lr51ocpL17ry7d6fGGqcMZMAkGBSsOAwIbBQAD
-SQIVAPcHMe36bAYD1YWKHKycZedQZmVvAoGATd9MA6aRivUZb1BGJZnlaG8w42nh
+MQAwLgIVAJ4wtQsANPxHo7Q4IQZYsL12SKdbAhUAjJ9n38zxT+iai2164xS+LIfa
-5bNdmLsohkj83pkEP1+IDJxzJA0gXbkqmj8YlifkYofBe3RiU/xhJ6h6kQmdtvFN
+C1Q=
 nFQPWAbuSXQHzlV+I84W9srcWmEBfslxtU323DQph2j2XiCTs9v15AlsQReVkusB
 tXOlan7YMu0OArgDgYQAAoGAGqZZeoqs/V62RZZNhglXAfioocVpx+yLh70i8PWF
 KyWoXAR5m6b7ePeJReIAucN1jzPr1yaH27rJOBqEBBLEDTA2moeJuPblKgMpTlRS
 SSV7oq1SfqPtE7ThQyExAJfmGWWq4lzg+7XTkjpfUSzDwuvnWhykvXuvLt3p8Yap
 wxmjUDBOMB0GA1UdDgQWBBTMZcORcBEVlqO/CD4pf4V6N1NM1zAfBgNVHSMEGDAW
 gBTGjwJ33uvjSa20RNrMKWoGptOLdDAMBgNVHRMEBTADAQH/MAsGCWCGSAFlAwQD
 AgMxADAuAhUA4V6MrHufG8R79E+AtVO02olPxK8CFQDkZyo/TWpavsUBRDJbCeD9
 jgjIkA==
 -----END CERTIFICATE-----
--- a/apps/dsa-pca.pem
+++ b/apps/dsa-pca.pem
@@ -11,37 +11,36 @@ umz6tl+iUcNe5EoxdsYV1IXSddjOi08LOLsZq7AQlNnKvbtlmMDULpqkZJD0bO7A
 6TicfImU7UFRn9h00j0lJQ==
 -----END DSA PRIVATE KEY-----
 -----BEGIN CERTIFICATE REQUEST-----
-MIICWDCCAhUCAQAwUzELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUx
+MIICVTCCAhMCAQAwUzELMAkGA1UEBhMCQVUxEzARBgNVBAgTClNvbWUtU3RhdGUx
-ITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEMMAoGA1UEAwwDUENB
+ITAfBgNVBAoTGEludGVybmV0IFdpZGdpdHMgUHR5IEx0ZDEMMAoGA1UEAxMDUENB
-MIIBtzCCASsGByqGSM44BAEwggEeAoGBAKc/boW/QWopffCfRxkwkJoJHdpqMx7F
+MIIBtTCCASkGBSsOAwIMMIIBHgKBgQCnP26Fv0FqKX3wn0cZMJCaCR3aajMexT2G
-PYaWsxXgUy6P4FmCc5A+dTGZR3pS+4Xk2aZ7OJtoioSbh8YetX6GS1NbWc9xZRmI
+lrMV4FMuj+BZgnOQPnUxmUd6UvuF5NmmezibaIqEm4fGHrV+hktTW1nPcWUZiG7O
-bs5mrmuINvvsKNzC16W75Sw5JkvamnAYlTeVEFYj9hXtugRe3jlP/bdDH7WkZW/N
+Zq5riDb77Cjcwtelu+UsOSZL2ppwGJU3lRBWI/YV7boEXt45T/23Qx+1pGVvzYAR
-gBHkcJVbUM1JAhUA9wcx7fpsBgPVhYocrJxl51BmZW8CgYBN30wDppGK9RlvUEYl
+5HCVW1DNSQIVAPcHMe36bAYD1YWKHKycZedQZmVvAoGATd9MA6aRivUZb1BGJZnl
-meVobzDjaeHls12YuyiGSPzemQQ/X4gMnHMkDSBduSqaPxiWJ+Rih8F7dGJT/GEn
+aG8w42nh5bNdmLsohkj83pkEP1+IDJxzJA0gXbkqmj8YlifkYofBe3RiU/xhJ6h6
-qHqRCZ228U2cVA9YBu5JdAfOVX4jzhb2ytxaYQF+yXG1TfbcNCmHaPZeIJOz2/Xk
+kQmdtvFNnFQPWAbuSXQHzlV+I84W9srcWmEBfslxtU323DQph2j2XiCTs9v15Als
-CWxBF5WS6wG1c6Vqftgy7Q4CuAOBhQACgYEApu25HkB1b4gKMIV7aLGNSIknMzYg
+QReVkusBtXOlan7YMu0OArgDgYUAAoGBAKbtuR5AdW+ICjCFe2ixjUiJJzM2IKwe
-rB7o1kQxeDf34dDVRM9OZ8tkumz6tl+iUcNe5EoxdsYV1IXSddjOi08LOLsZq7AQ
+6NZEMXg39+HQ1UTPTmfLZLps+rZfolHDXuRKMXbGFdSF0nXYzotPCzi7GauwEJTZ
-lNnKvbtlmMDULpqkZJD0bO7A29nisJfKy1URqABLw5DgfcPh1ZLXtmDfUgJvmjgT
+yr27ZZjA1C6apGSQ9GzuwNvZ4rCXystVEagAS8OQ4H3D4dWS17Zg31ICb5o4E5r0
-mvTPT2j9TPjq7RWgADALBglghkgBZQMEAwIDMAAwLQIVAPA6/jxCT1D2HgzE4iZR
+z09o/Uz46u0VoAAwCQYFKw4DAhsFAAMxADAuAhUArRubTxsbIXy3AhtjQ943AbNB
-AEup/C7YAhRPLTQvQnAiS5FRrA+8SwBLvDAsaw==
+nSICFQCu+g1iW3jwF+gOcbroD4S/ZcvB3w==
 -----END CERTIFICATE REQUEST-----
 -----BEGIN CERTIFICATE-----
-MIIDMDCCAu6gAwIBAgIBATALBglghkgBZQMEAwIwUzELMAkGA1UEBhMCQVUxEzAR
+MIIC0zCCApECAQAwCQYFKw4DAhsFADBTMQswCQYDVQQGEwJBVTETMBEGA1UECBMK
-BgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0IFdpZGdpdHMgUHR5
+U29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQww
-IEx0ZDEMMAoGA1UEAwwDUENBMCAXDTE2MDExMzIxNDE0OVoYDzMwMTUwNTE2MjE0
+CgYDVQQDEwNQQ0EwHhcNOTcwNjE0MjI1NDQ1WhcNOTcwNzE0MjI1NDQ1WjBTMQsw
-MTQ5WjBTMQswCQYDVQQGEwJBVTETMBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UE
+CQYDVQQGEwJBVTETMBEGA1UECBMKU29tZS1TdGF0ZTEhMB8GA1UEChMYSW50ZXJu
-CgwYSW50ZXJuZXQgV2lkZ2l0cyBQdHkgTHRkMQwwCgYDVQQDDANQQ0EwggG3MIIB
+ZXQgV2lkZ2l0cyBQdHkgTHRkMQwwCgYDVQQDEwNQQ0EwggG1MIIBKQYFKw4DAgww
-KwYHKoZIzjgEATCCAR4CgYEApz9uhb9Bail98J9HGTCQmgkd2mozHsU9hpazFeBT
+ggEeAoGBAKc/boW/QWopffCfRxkwkJoJHdpqMx7FPYaWsxXgUy6P4FmCc5A+dTGZ
-Lo/gWYJzkD51MZlHelL7heTZpns4m2iKhJuHxh61foZLU1tZz3FlGYhuzmaua4g2
+R3pS+4Xk2aZ7OJtoioSbh8YetX6GS1NbWc9xZRmIbs5mrmuINvvsKNzC16W75Sw5
-++wo3MLXpbvlLDkmS9qacBiVN5UQViP2Fe26BF7eOU/9t0MftaRlb82AEeRwlVtQ
+JkvamnAYlTeVEFYj9hXtugRe3jlP/bdDH7WkZW/NgBHkcJVbUM1JAhUA9wcx7fps
-zUkCFQD3BzHt+mwGA9WFihysnGXnUGZlbwKBgE3fTAOmkYr1GW9QRiWZ5WhvMONp
+BgPVhYocrJxl51BmZW8CgYBN30wDppGK9RlvUEYlmeVobzDjaeHls12YuyiGSPze
-4eWzXZi7KIZI/N6ZBD9fiAyccyQNIF25Kpo/GJYn5GKHwXt0YlP8YSeoepEJnbbx
+mQQ/X4gMnHMkDSBduSqaPxiWJ+Rih8F7dGJT/GEnqHqRCZ228U2cVA9YBu5JdAfO
-TZxUD1gG7kl0B85VfiPOFvbK3FphAX7JcbVN9tw0KYdo9l4gk7Pb9eQJbEEXlZLr
+VX4jzhb2ytxaYQF+yXG1TfbcNCmHaPZeIJOz2/XkCWxBF5WS6wG1c6Vqftgy7Q4C
-AbVzpWp+2DLtDgK4A4GFAAKBgQCm7bkeQHVviAowhXtosY1IiSczNiCsHujWRDF4
+uAOBhQACgYEApu25HkB1b4gKMIV7aLGNSIknMzYgrB7o1kQxeDf34dDVRM9OZ8tk
-N/fh0NVEz05ny2S6bPq2X6JRw17kSjF2xhXUhdJ12M6LTws4uxmrsBCU2cq9u2WY
+umz6tl+iUcNe5EoxdsYV1IXSddjOi08LOLsZq7AQlNnKvbtlmMDULpqkZJD0bO7A
-wNQumqRkkPRs7sDb2eKwl8rLVRGoAEvDkOB9w+HVkte2YN9SAm+aOBOa9M9PaP1M
+29nisJfKy1URqABLw5DgfcPh1ZLXtmDfUgJvmjgTmvTPT2j9TPjq7RUwCQYFKw4D
-+OrtFaNQME4wHQYDVR0OBBYEFMaPAnfe6+NJrbRE2swpagam04t0MB8GA1UdIwQY
+AhsFAAMxADAuAhUAvtv6AkMolix1Jvy3UnVEIUqdCUICFQC+jq8P49mwrY9oJ24n
-MBaAFMaPAnfe6+NJrbRE2swpagam04t0MAwGA1UdEwQFMAMBAf8wCwYJYIZIAWUD
+5rKUjNBhSg==
 BAMCAy8AMCwCFFhdz4fzQo9BBF20U1CHldYTi/D7AhQydDnDMj21y+U1UhDZJrvh
 lnt88g==
 -----END CERTIFICATE-----
--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -1,24 +1,25 @@
 /* apps/dsa.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
- *
+ * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
- *
+ * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@@ -33,10 +34,10 @@
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -48,262 +49,328 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
+ * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
-#include <openssl/opensslconf.h> /* for OPENSSL_NO_DSA */
+#include <openssl/opensslconf.h>	/* for OPENSSL_NO_DSA */
 #ifndef OPENSSL_NO_DSA
-# include <stdio.h>
+#include <stdio.h>
-# include <stdlib.h>
+#include <stdlib.h>
-# include <string.h>
+#include <string.h>
-# include <time.h>
+#include <time.h>
-# include "apps.h"
+#include "apps.h"
-# include <openssl/bio.h>
+#include <openssl/bio.h>
-# include <openssl/err.h>
+#include <openssl/err.h>
-# include <openssl/dsa.h>
+#include <openssl/dsa.h>
-# include <openssl/evp.h>
+#include <openssl/evp.h>
-# include <openssl/x509.h>
+#include <openssl/x509.h>
-# include <openssl/pem.h>
+#include <openssl/pem.h>
-# include <openssl/bn.h>
+#include <openssl/bn.h>
-typedef enum OPTION_choice {
+#undef PROG
-    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+#define PROG	dsa_main
    OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT,
    OPT_ENGINE, OPT_PVK_STRONG, OPT_PVK_WEAK,
    OPT_PVK_NONE, OPT_NOOUT, OPT_TEXT, OPT_MODULUS, OPT_PUBIN,
    OPT_PUBOUT, OPT_CIPHER, OPT_PASSIN, OPT_PASSOUT
 } OPTION_CHOICE;
-OPTIONS dsa_options[] = {
+/* -inform arg	- input format - default PEM (one of DER, NET or PEM)
-    {"help", OPT_HELP, '-', "Display this summary"},
+ * -outform arg - output format - default PEM
-    {"inform", OPT_INFORM, 'F', "Input format, DER PEM PVK"},
+ * -in arg	- input file - default stdin
-    {"outform", OPT_OUTFORM, 'F', "Output format, DER PEM PVK"},
+ * -out arg	- output file - default stdout
-    {"in", OPT_IN, '<', "Input file"},
+ * -des		- encrypt output if PEM format with DES in cbc mode
-    {"out", OPT_OUT, '>', "Output file"},
+ * -des3	- encrypt output if PEM format
-    {"noout", OPT_NOOUT, '-', "Don't print key out"},
+ * -idea	- encrypt output if PEM format
-    {"text", OPT_TEXT, '-', "Print the key in text"},
+ * -aes128	- encrypt output if PEM format
-    {"modulus", OPT_MODULUS, '-', "Print the DSA public value"},
+ * -aes192	- encrypt output if PEM format
-    {"pubin", OPT_PUBIN, '-'},
+ * -aes256	- encrypt output if PEM format
-    {"pubout", OPT_PUBOUT, '-'},
+ * -camellia128 - encrypt output if PEM format
-    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
+ * -camellia192 - encrypt output if PEM format
-    {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
+ * -camellia256 - encrypt output if PEM format
-    {"", OPT_CIPHER, '-', "Any supported cipher"},
+ * -seed        - encrypt output if PEM format
-# ifndef OPENSSL_NO_RC4
+ * -text	- print a text version
-    {"pvk-strong", OPT_PVK_STRONG, '-'},
+ * -modulus	- print the DSA public key
-    {"pvk-weak", OPT_PVK_WEAK, '-'},
+ */
    {"pvk-none", OPT_PVK_NONE, '-'},
 # endif
 # ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
 # endif
    {NULL}
 };
-int dsa_main(int argc, char **argv)
+int MAIN(int, char **);
 {
    BIO *out = NULL;
    DSA *dsa = NULL;
    ENGINE *e = NULL;
    const EVP_CIPHER *enc = NULL;
    char *infile = NULL, *outfile = NULL, *prog;
    char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
    OPTION_CHOICE o;
    int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0;
    int i, modulus = 0, pubin = 0, pubout = 0, pvk_encr = 2, ret = 1;
    int private = 0;
-    prog = opt_init(argc, argv, dsa_options);
+int MAIN(int argc, char **argv)
-    while ((o = opt_next()) != OPT_EOF) {
+	{
-        switch (o) {
+	ENGINE *e = NULL;
-        case OPT_EOF:
+	int ret=1;
-        case OPT_ERR:
+	DSA *dsa=NULL;
- opthelp:
+	int i,badops=0;
-            ret = 0;
+	const EVP_CIPHER *enc=NULL;
-            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+	BIO *in=NULL,*out=NULL;
-            goto end;
+	int informat,outformat,text=0,noout=0;
-        case OPT_HELP:
+	int pubin = 0, pubout = 0;
-            opt_help(dsa_options);
+	char *infile,*outfile,*prog;
-            ret = 0;
+#ifndef OPENSSL_NO_ENGINE
-            goto end;
+	char *engine;
        case OPT_INFORM:
            if (!opt_format
                (opt_arg(), OPT_FMT_PEMDER | OPT_FMT_PVK, &informat))
                goto opthelp;
            break;
        case OPT_IN:
            infile = opt_arg();
            break;
        case OPT_OUTFORM:
            if (!opt_format
                (opt_arg(), OPT_FMT_PEMDER | OPT_FMT_PVK, &outformat))
                goto opthelp;
            break;
        case OPT_OUT:
            outfile = opt_arg();
            break;
        case OPT_ENGINE:
            e = setup_engine(opt_arg(), 0);
            break;
        case OPT_PASSIN:
            passinarg = opt_arg();
            break;
        case OPT_PASSOUT:
            passoutarg = opt_arg();
            break;
 #ifndef OPENSSL_NO_RC4
        case OPT_PVK_STRONG:
            pvk_encr = 2;
            break;
        case OPT_PVK_WEAK:
            pvk_encr = 1;
            break;
        case OPT_PVK_NONE:
            pvk_encr = 0;
            break;
 #else
        case OPT_PVK_STRONG:
        case OPT_PVK_WEAK:
        case OPT_PVK_NONE:
            break;
 #endif
-        case OPT_NOOUT:
+	char *passargin = NULL, *passargout = NULL;
-            noout = 1;
+	char *passin = NULL, *passout = NULL;
-            break;
+	int modulus=0;
        case OPT_TEXT:
            text = 1;
            break;
        case OPT_MODULUS:
            modulus = 1;
            break;
        case OPT_PUBIN:
            pubin = 1;
            break;
        case OPT_PUBOUT:
            pubout = 1;
            break;
        case OPT_CIPHER:
            if (!opt_cipher(opt_unknown(), &enc))
                goto end;
            break;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
    private = pubin || pubout ? 0 : 1;
    if (text && !pubin)
        private = 1;
-    if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
+	int pvk_encr = 2;
        BIO_printf(bio_err, "Error getting passwords\n");
        goto end;
    }
-    BIO_printf(bio_err, "read DSA key\n");
+	apps_startup();
    {
        EVP_PKEY *pkey;
-        if (pubin)
+	if (bio_err == NULL)
-            pkey = load_pubkey(infile, informat, 1, passin, e, "Public Key");
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
-        else
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
            pkey = load_key(infile, informat, 1, passin, e, "Private Key");
-        if (pkey) {
+	if (!load_config(bio_err, NULL))
-            dsa = EVP_PKEY_get1_DSA(pkey);
+		goto end;
            EVP_PKEY_free(pkey);
        }
    }
    if (dsa == NULL) {
        BIO_printf(bio_err, "unable to load Key\n");
        ERR_print_errors(bio_err);
        goto end;
    }
-    out = bio_open_owner(outfile, outformat, private);
+#ifndef OPENSSL_NO_ENGINE
-    if (out == NULL)
+	engine=NULL;
-        goto end;
+#endif
 	infile=NULL;
 	outfile=NULL;
 	informat=FORMAT_PEM;
 	outformat=FORMAT_PEM;
-    if (text) {
+	prog=argv[0];
-        assert(pubin || private);
+	argc--;
-        if (!DSA_print(out, dsa, 0)) {
+	argv++;
-            perror(outfile);
+	while (argc >= 1)
-            ERR_print_errors(bio_err);
+		{
-            goto end;
+		if 	(strcmp(*argv,"-inform") == 0)
-        }
+			{
-    }
+			if (--argc < 1) goto bad;
 			informat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-outform") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outformat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-in") == 0)
 			{
 			if (--argc < 1) goto bad;
 			infile= *(++argv);
 			}
 		else if (strcmp(*argv,"-out") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 		else if (strcmp(*argv,"-passin") == 0)
 			{
 			if (--argc < 1) goto bad;
 			passargin= *(++argv);
 			}
 		else if (strcmp(*argv,"-passout") == 0)
 			{
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 #endif
 		else if (strcmp(*argv,"-pvk-strong") == 0)
 			pvk_encr=2;
 		else if (strcmp(*argv,"-pvk-weak") == 0)
 			pvk_encr=1;
 		else if (strcmp(*argv,"-pvk-none") == 0)
 			pvk_encr=0;
 		else if (strcmp(*argv,"-noout") == 0)
 			noout=1;
 		else if (strcmp(*argv,"-text") == 0)
 			text=1;
 		else if (strcmp(*argv,"-modulus") == 0)
 			modulus=1;
 		else if (strcmp(*argv,"-pubin") == 0)
 			pubin=1;
 		else if (strcmp(*argv,"-pubout") == 0)
 			pubout=1;
 		else if ((enc=EVP_get_cipherbyname(&(argv[0][1]))) == NULL)
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
 			badops=1;
 			break;
 			}
 		argc--;
 		argv++;
 		}
-    if (modulus) {
+	if (badops)
-        BIO_printf(out, "Public Key=");
+		{
-        BN_print(out, dsa->pub_key);
+bad:
-        BIO_printf(out, "\n");
+		BIO_printf(bio_err,"%s [options] <infile >outfile\n",prog);
-    }
+		BIO_printf(bio_err,"where options are\n");
 		BIO_printf(bio_err," -inform arg     input format - DER or PEM\n");
 		BIO_printf(bio_err," -outform arg    output format - DER or PEM\n");
 		BIO_printf(bio_err," -in arg         input file\n");
 		BIO_printf(bio_err," -passin arg     input file pass phrase source\n");
 		BIO_printf(bio_err," -out arg        output file\n");
 		BIO_printf(bio_err," -passout arg    output file pass phrase source\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
 #endif
 		BIO_printf(bio_err," -des            encrypt PEM output with cbc des\n");
 		BIO_printf(bio_err," -des3           encrypt PEM output with ede cbc des using 168 bit key\n");
 #ifndef OPENSSL_NO_IDEA
 		BIO_printf(bio_err," -idea           encrypt PEM output with cbc idea\n");
 #endif
 #ifndef OPENSSL_NO_AES
 		BIO_printf(bio_err," -aes128, -aes192, -aes256\n");
 		BIO_printf(bio_err,"                 encrypt PEM output with cbc aes\n");
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
 		BIO_printf(bio_err," -camellia128, -camellia192, -camellia256\n");
 		BIO_printf(bio_err,"                 encrypt PEM output with cbc camellia\n");
 #endif
 #ifndef OPENSSL_NO_SEED
 		BIO_printf(bio_err," -seed           encrypt PEM output with cbc seed\n");
 #endif
 		BIO_printf(bio_err," -text           print the key in text\n");
 		BIO_printf(bio_err," -noout          don't print key out\n");
 		BIO_printf(bio_err," -modulus        print the DSA public value\n");
 		goto end;
 		}
-    if (noout) {
+	ERR_load_crypto_strings();
-        ret = 0;
+
-        goto end;
+#ifndef OPENSSL_NO_ENGINE
-    }
+        e = setup_engine(bio_err, engine, 0);
-    BIO_printf(bio_err, "writing DSA key\n");
+#endif
-    if (outformat == FORMAT_ASN1) {
+
-        if (pubin || pubout)
+	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
-            i = i2d_DSA_PUBKEY_bio(out, dsa);
+		BIO_printf(bio_err, "Error getting passwords\n");
-        else {
+		goto end;
-            assert(private);
+	}
-            i = i2d_DSAPrivateKey_bio(out, dsa);
+
-        }
+	in=BIO_new(BIO_s_file());
-    } else if (outformat == FORMAT_PEM) {
+	out=BIO_new(BIO_s_file());
-        if (pubin || pubout)
+	if ((in == NULL) || (out == NULL))
-            i = PEM_write_bio_DSA_PUBKEY(out, dsa);
+		{
-        else {
+		ERR_print_errors(bio_err);
-            assert(private);
+		goto end;
-            i = PEM_write_bio_DSAPrivateKey(out, dsa, enc,
+		}
-                                            NULL, 0, NULL, passout);
+
-        }
+	if (infile == NULL)
-# if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_RC4)
+		BIO_set_fp(in,stdin,BIO_NOCLOSE);
-    } else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
+	else
-        EVP_PKEY *pk;
+		{
-        pk = EVP_PKEY_new();
+		if (BIO_read_filename(in,infile) <= 0)
-        EVP_PKEY_set1_DSA(pk, dsa);
+			{
-        if (outformat == FORMAT_PVK) {
+			perror(infile);
-            if (pubin) {
+			goto end;
-                BIO_printf(bio_err, "PVK form impossible with public key input\n");
+			}
-                EVP_PKEY_free(pk);
+		}
-                goto end;
+
-            }
+	BIO_printf(bio_err,"read DSA key\n");
-            assert(private);
+
-            i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);
+		{
-        }
+		EVP_PKEY	*pkey;
-        else if (pubin || pubout)
+
-            i = i2b_PublicKey_bio(out, pk);
+		if (pubin)
-        else {
+			pkey = load_pubkey(bio_err, infile, informat, 1,
-            assert(private);
+				passin, e, "Public Key");
-            i = i2b_PrivateKey_bio(out, pk);
+		else
-        }
+			pkey = load_key(bio_err, infile, informat, 1,
-        EVP_PKEY_free(pk);
+				passin, e, "Private Key");
-# endif
+
-    } else {
+		if (pkey)
-        BIO_printf(bio_err, "bad output format specified for outfile\n");
+			{
-        goto end;
+			dsa = EVP_PKEY_get1_DSA(pkey);
-    }
+			EVP_PKEY_free(pkey);
-    if (i <= 0) {
+			}
-        BIO_printf(bio_err, "unable to write private key\n");
+		}
-        ERR_print_errors(bio_err);
+	if (dsa == NULL)
-        goto end;
+		{
-    }
+		BIO_printf(bio_err,"unable to load Key\n");
-    ret = 0;
+		ERR_print_errors(bio_err);
- end:
+		goto end;
-    BIO_free_all(out);
+		}
-    DSA_free(dsa);
+
-    OPENSSL_free(passin);
+	if (outfile == NULL)
-    OPENSSL_free(passout);
+		{
-    return (ret);
+		BIO_set_fp(out,stdout,BIO_NOCLOSE);
-}
+#ifdef OPENSSL_SYS_VMS
-#else                           /* !OPENSSL_NO_DSA */
+		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
 			{
 			perror(outfile);
 			goto end;
 			}
 		}
 	if (text) 
 		if (!DSA_print(out,dsa,0))
 			{
 			perror(outfile);
 			ERR_print_errors(bio_err);
 			goto end;
 			}
 	if (modulus)
 		{
 		fprintf(stdout,"Public Key=");
 		BN_print(out,dsa->pub_key);
 		fprintf(stdout,"\n");
 		}
 	if (noout) goto end;
 	BIO_printf(bio_err,"writing DSA key\n");
 	if 	(outformat == FORMAT_ASN1) {
 		if(pubin || pubout) i=i2d_DSA_PUBKEY_bio(out,dsa);
 		else i=i2d_DSAPrivateKey_bio(out,dsa);
 	} else if (outformat == FORMAT_PEM) {
 		if(pubin || pubout)
 			i=PEM_write_bio_DSA_PUBKEY(out,dsa);
 		else i=PEM_write_bio_DSAPrivateKey(out,dsa,enc,
 							NULL,0,NULL, passout);
 #if !defined(OPENSSL_NO_RSA) && !defined(OPENSSL_NO_RC4)
 	} else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
 		EVP_PKEY *pk;
 		pk = EVP_PKEY_new();
 		EVP_PKEY_set1_DSA(pk, dsa);
 		if (outformat == FORMAT_PVK)
 			i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);
 		else if (pubin || pubout)
 			i = i2b_PublicKey_bio(out, pk);
 		else
 			i = i2b_PrivateKey_bio(out, pk);
 		EVP_PKEY_free(pk);
 #endif
 	} else {
 		BIO_printf(bio_err,"bad output format specified for outfile\n");
 		goto end;
 		}
 	if (i <= 0)
 		{
 		BIO_printf(bio_err,"unable to write private key\n");
 		ERR_print_errors(bio_err);
 		}
 	else
 		ret=0;
 end:
 	if(in != NULL) BIO_free(in);
 	if(out != NULL) BIO_free_all(out);
 	if(dsa != NULL) DSA_free(dsa);
 	if(passin) OPENSSL_free(passin);
 	if(passout) OPENSSL_free(passout);
 	apps_shutdown();
 	OPENSSL_EXIT(ret);
 	}
 #else /* !OPENSSL_NO_DSA */
 # if PEDANTIC
-static void *dummy = &dummy;
+static void *dummy=&dummy;
 # endif
 #endif
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -1,24 +1,25 @@
 /* apps/dsaparam.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
- *
+ * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
- *
+ * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@@ -33,10 +34,10 @@
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -48,309 +49,445 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
+ * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
-#include <openssl/opensslconf.h> /* for OPENSSL_NO_DSA */
+#include <openssl/opensslconf.h>	/* for OPENSSL_NO_DSA */
 /* Until the key-gen callbacks are modified to use newer prototypes, we allow
 * deprecated functions for openssl-internal code */
 #ifdef OPENSSL_NO_DEPRECATED
 #undef OPENSSL_NO_DEPRECATED
 #endif
 #ifndef OPENSSL_NO_DSA
-# include <stdio.h>
+#include <assert.h>
-# include <stdlib.h>
+#include <stdio.h>
-# include <time.h>
+#include <stdlib.h>
-# include <string.h>
+#include <time.h>
-# include "apps.h"
+#include <string.h>
-# include <openssl/bio.h>
+#include "apps.h"
-# include <openssl/err.h>
+#include <openssl/bio.h>
-# include <openssl/bn.h>
+#include <openssl/err.h>
-# include <openssl/dsa.h>
+#include <openssl/bn.h>
-# include <openssl/x509.h>
+#include <openssl/dsa.h>
-# include <openssl/pem.h>
+#include <openssl/x509.h>
 #include <openssl/pem.h>
-# ifdef GENCB_TEST
+#undef PROG
 #define PROG	dsaparam_main
 /* -inform arg	- input format - default PEM (DER or PEM)
 * -outform arg - output format - default PEM
 * -in arg	- input file - default stdin
 * -out arg	- output file - default stdout
 * -noout
 * -text
 * -C
 * -noout
 * -genkey
 *  #ifdef GENCB_TEST
 * -timebomb n  - interrupt keygen after <n> seconds
 *  #endif
 */
 #ifdef GENCB_TEST
 static int stop_keygen_flag = 0;
 static void timebomb_sigalarm(int foo)
-{
+	{
-    stop_keygen_flag = 1;
+	stop_keygen_flag = 1;
-}
+	}
-# endif
+#endif
-static int dsa_cb(int p, int n, BN_GENCB *cb);
+static int MS_CALLBACK dsa_cb(int p, int n, BN_GENCB *cb);
-typedef enum OPTION_choice {
+int MAIN(int, char **);
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_TEXT, OPT_C,
    OPT_NOOUT, OPT_GENKEY, OPT_RAND, OPT_ENGINE,
    OPT_TIMEBOMB
 } OPTION_CHOICE;
-OPTIONS dsaparam_options[] = {
+int MAIN(int argc, char **argv)
-    {"help", OPT_HELP, '-', "Display this summary"},
+	{
-    {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
+	DSA *dsa=NULL;
-    {"in", OPT_IN, '<', "Input file"},
+	int i,badops=0,text=0;
-    {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
+	BIO *in=NULL,*out=NULL;
-    {"out", OPT_OUT, '>', "Output file"},
+	int informat,outformat,noout=0,C=0,ret=1;
-    {"text", OPT_TEXT, '-', "Print as text"},
+	char *infile,*outfile,*prog,*inrand=NULL;
-    {"C", OPT_C, '-', "Output C code"},
+	int numbits= -1,num,genkey=0;
-    {"noout", OPT_NOOUT, '-', "No output"},
+	int need_rand=0;
-    {"genkey", OPT_GENKEY, '-', "Generate a DSA key"},
+	int non_fips_allow = 0;
-    {"rand", OPT_RAND, 's', "Files to use for random number input"},
+#ifndef OPENSSL_NO_ENGINE
-# ifdef GENCB_TEST
+	char *engine=NULL;
-    {"timebomb", OPT_TIMEBOMB, 'p', "Interrupt keygen after 'pnum' seconds"},
+#endif
-# endif
+#ifdef GENCB_TEST
-# ifndef OPENSSL_NO_ENGINE
+	int timebomb=0;
-    {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
+#endif
 # endif
    {NULL}
 };
-int dsaparam_main(int argc, char **argv)
+	apps_startup();
 {
    DSA *dsa = NULL;
    BIO *in = NULL, *out = NULL;
    BN_GENCB *cb = NULL;
    int numbits = -1, num = 0, genkey = 0, need_rand = 0;
    int informat = FORMAT_PEM, outformat = FORMAT_PEM, noout = 0, C = 0;
    int ret = 1, i, text = 0, private = 0;
 # ifdef GENCB_TEST
    int timebomb = 0;
 # endif
    char *infile = NULL, *outfile = NULL, *prog, *inrand = NULL;
    OPTION_CHOICE o;
-    prog = opt_init(argc, argv, dsaparam_options);
+	if (bio_err == NULL)
-    while ((o = opt_next()) != OPT_EOF) {
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
-        switch (o) {
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
        case OPT_EOF:
        case OPT_ERR:
 opthelp:
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
        case OPT_HELP:
            opt_help(dsaparam_options);
            ret = 0;
            goto end;
        case OPT_INFORM:
            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
                goto opthelp;
            break;
        case OPT_IN:
            infile = opt_arg();
            break;
        case OPT_OUTFORM:
            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
                goto opthelp;
            break;
        case OPT_OUT:
            outfile = opt_arg();
            break;
        case OPT_ENGINE:
            (void)setup_engine(opt_arg(), 0);
            break;
        case OPT_TIMEBOMB:
 # ifdef GENCB_TEST
            timebomb = atoi(opt_arg());
            break;
 # endif
        case OPT_TEXT:
            text = 1;
            break;
        case OPT_C:
            C = 1;
            break;
        case OPT_GENKEY:
            genkey = need_rand = 1;
            break;
        case OPT_RAND:
            inrand = opt_arg();
            need_rand = 1;
            break;
        case OPT_NOOUT:
            noout = 1;
            break;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
-    if (argc == 1) {
+	if (!load_config(bio_err, NULL))
-        if (!opt_int(argv[0], &num) || num < 0)
+		goto end;
            goto end;
        /* generate a key */
        numbits = num;
        need_rand = 1;
    }
    private = genkey ? 1 : 0;
-    in = bio_open_default(infile, 'r', informat);
+	infile=NULL;
-    if (in == NULL)
+	outfile=NULL;
-        goto end;
+	informat=FORMAT_PEM;
-    out = bio_open_owner(outfile, outformat, private);
+	outformat=FORMAT_PEM;
    if (out == NULL)
        goto end;
-    if (need_rand) {
+	prog=argv[0];
-        app_RAND_load_file(NULL, (inrand != NULL));
+	argc--;
-        if (inrand != NULL)
+	argv++;
-            BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
+	while (argc >= 1)
-                       app_RAND_load_files(inrand));
+		{
-    }
+		if 	(strcmp(*argv,"-inform") == 0)
 			{
 			if (--argc < 1) goto bad;
 			informat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-outform") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outformat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-in") == 0)
 			{
 			if (--argc < 1) goto bad;
 			infile= *(++argv);
 			}
 		else if (strcmp(*argv,"-out") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if(strcmp(*argv, "-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine = *(++argv);
 			}
 #endif
 #ifdef GENCB_TEST
 		else if(strcmp(*argv, "-timebomb") == 0)
 			{
 			if (--argc < 1) goto bad;
 			timebomb = atoi(*(++argv));
 			}
 #endif
 		else if (strcmp(*argv,"-text") == 0)
 			text=1;
 		else if (strcmp(*argv,"-C") == 0)
 			C=1;
 		else if (strcmp(*argv,"-genkey") == 0)
 			{
 			genkey=1;
 			need_rand=1;
 			}
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) goto bad;
 			inrand= *(++argv);
 			need_rand=1;
 			}
 		else if (strcmp(*argv,"-noout") == 0)
 			noout=1;
 		else if (strcmp(*argv,"-non-fips-allow") == 0)
 			non_fips_allow = 1;
 		else if (sscanf(*argv,"%d",&num) == 1)
 			{
 			/* generate a key */
 			numbits=num;
 			need_rand=1;
 			}
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
 			badops=1;
 			break;
 			}
 		argc--;
 		argv++;
 		}
-    if (numbits > 0) {
+	if (badops)
-        cb = BN_GENCB_new();
+		{
-        if (cb == NULL) {
+bad:
-            BIO_printf(bio_err, "Error allocating BN_GENCB object\n");
+		BIO_printf(bio_err,"%s [options] [bits] <infile >outfile\n",prog);
-            goto end;
+		BIO_printf(bio_err,"where options are\n");
-        }
+		BIO_printf(bio_err," -inform arg   input format - DER or PEM\n");
-        BN_GENCB_set(cb, dsa_cb, bio_err);
+		BIO_printf(bio_err," -outform arg  output format - DER or PEM\n");
-        assert(need_rand);
+		BIO_printf(bio_err," -in arg       input file\n");
-        dsa = DSA_new();
+		BIO_printf(bio_err," -out arg      output file\n");
-        if (dsa == NULL) {
+		BIO_printf(bio_err," -text         print as text\n");
-            BIO_printf(bio_err, "Error allocating DSA object\n");
+		BIO_printf(bio_err," -C            Output C code\n");
-            goto end;
+		BIO_printf(bio_err," -noout        no output\n");
-        }
+		BIO_printf(bio_err," -genkey       generate a DSA key\n");
-        BIO_printf(bio_err, "Generating DSA parameters, %d bit long prime\n",
+		BIO_printf(bio_err," -rand         files to use for random number input\n");
-                   num);
+#ifndef OPENSSL_NO_ENGINE
-        BIO_printf(bio_err, "This could take some time\n");
+		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
-# ifdef GENCB_TEST
+#endif
-        if (timebomb > 0) {
+#ifdef GENCB_TEST
-            struct sigaction act;
+		BIO_printf(bio_err," -timebomb n   interrupt keygen after <n> seconds\n");
-            act.sa_handler = timebomb_sigalarm;
+#endif
-            act.sa_flags = 0;
+		BIO_printf(bio_err," number        number of bits to use for generating private key\n");
-            BIO_printf(bio_err,
+		goto end;
-                       "(though I'll stop it if not done within %d secs)\n",
+		}
                       timebomb);
            if (sigaction(SIGALRM, &act, NULL) != 0) {
                BIO_printf(bio_err, "Error, couldn't set SIGALRM handler\n");
                goto end;
            }
            alarm(timebomb);
        }
 # endif
        if (!DSA_generate_parameters_ex(dsa, num, NULL, 0, NULL, NULL, cb)) {
 # ifdef GENCB_TEST
            if (stop_keygen_flag) {
                BIO_printf(bio_err, "DSA key generation time-stopped\n");
                /* This is an asked-for behaviour! */
                ret = 0;
                goto end;
            }
 # endif
            ERR_print_errors(bio_err);
            BIO_printf(bio_err, "Error, DSA key generation failed\n");
            goto end;
        }
    } else if (informat == FORMAT_ASN1)
        dsa = d2i_DSAparams_bio(in, NULL);
    else
        dsa = PEM_read_bio_DSAparams(in, NULL, NULL, NULL);
    if (dsa == NULL) {
        BIO_printf(bio_err, "unable to load DSA parameters\n");
        ERR_print_errors(bio_err);
        goto end;
    }
-    if (text) {
+	ERR_load_crypto_strings();
        DSAparams_print(out, dsa);
    }
-    if (C) {
+	in=BIO_new(BIO_s_file());
-        int len = BN_num_bytes(dsa->p);
+	out=BIO_new(BIO_s_file());
-        int bits_p = BN_num_bits(dsa->p);
+	if ((in == NULL) || (out == NULL))
-        unsigned char *data = app_malloc(len + 20, "BN space");
+		{
 		ERR_print_errors(bio_err);
 		goto end;
 		}
-        BIO_printf(bio_out, "DSA *get_dsa%d()\n{\n", bits_p);
+	if (infile == NULL)
-        print_bignum_var(bio_out, dsa->p, "dsap", len, data);
+		BIO_set_fp(in,stdin,BIO_NOCLOSE);
-        print_bignum_var(bio_out, dsa->q, "dsaq", len, data);
+	else
-        print_bignum_var(bio_out, dsa->g, "dsag", len, data);
+		{
-        BIO_printf(bio_out, "    DSA *dsa = DSA_new();\n"
+		if (BIO_read_filename(in,infile) <= 0)
-                            "\n");
+			{
-        BIO_printf(bio_out, "    if (dsa == NULL)\n"
+			perror(infile);
-                            "        return NULL;\n");
+			goto end;
-        BIO_printf(bio_out, "    dsa->p = BN_bin2bn(dsap_%d, sizeof (dsap_%d), NULL);\n",
+			}
-               bits_p, bits_p);
+		}
-        BIO_printf(bio_out, "    dsa->q = BN_bin2bn(dsaq_%d, sizeof (dsaq_%d), NULL);\n",
+	if (outfile == NULL)
-               bits_p, bits_p);
+		{
-        BIO_printf(bio_out, "    dsa->g = BN_bin2bn(dsag_%d, sizeof (dsag_%d), NULL);\n",
+		BIO_set_fp(out,stdout,BIO_NOCLOSE);
-               bits_p, bits_p);
+#ifdef OPENSSL_SYS_VMS
-        BIO_printf(bio_out, "    if (!dsa->p || !dsa->q || !dsa->g) {\n"
+		{
-                            "        DSA_free(dsa);\n"
+		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-                            "        return NULL;\n"
+		out = BIO_push(tmpbio, out);
-                            "    }\n"
+		}
-                            "    return(dsa);\n}\n");
+#endif
-    }
+		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
 			{
 			perror(outfile);
 			goto end;
 			}
 		}
-    if (!noout) {
+#ifndef OPENSSL_NO_ENGINE
-        if (outformat == FORMAT_ASN1)
+        setup_engine(bio_err, engine, 0);
-            i = i2d_DSAparams_bio(out, dsa);
+#endif
        else
            i = PEM_write_bio_DSAparams(out, dsa);
        if (!i) {
            BIO_printf(bio_err, "unable to write DSA parameters\n");
            ERR_print_errors(bio_err);
            goto end;
        }
    }
    if (genkey) {
        DSA *dsakey;
-        assert(need_rand);
+	if (need_rand)
-        if ((dsakey = DSAparams_dup(dsa)) == NULL)
+		{
-            goto end;
+		app_RAND_load_file(NULL, bio_err, (inrand != NULL));
-        if (!DSA_generate_key(dsakey)) {
+		if (inrand != NULL)
-            ERR_print_errors(bio_err);
+			BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
-            DSA_free(dsakey);
+				app_RAND_load_files(inrand));
-            goto end;
+		}
        }
        assert(private);
        if (outformat == FORMAT_ASN1)
            i = i2d_DSAPrivateKey_bio(out, dsakey);
        else
            i = PEM_write_bio_DSAPrivateKey(out, dsakey, NULL, NULL, 0, NULL,
                                            NULL);
        DSA_free(dsakey);
    }
    if (need_rand)
        app_RAND_write_file(NULL);
    ret = 0;
 end:
    BN_GENCB_free(cb);
    BIO_free(in);
    BIO_free_all(out);
    DSA_free(dsa);
    return (ret);
 }
-static int dsa_cb(int p, int n, BN_GENCB *cb)
+	if (numbits > 0)
-{
+		{
-    char c = '*';
+		BN_GENCB cb;
 		BN_GENCB_set(&cb, dsa_cb, bio_err);
 		assert(need_rand);
 		dsa = DSA_new();
 		if(!dsa)
 			{
 			BIO_printf(bio_err,"Error allocating DSA object\n");
 			goto end;
 			}
 		if (non_fips_allow)
 			dsa->flags |= DSA_FLAG_NON_FIPS_ALLOW;
 		BIO_printf(bio_err,"Generating DSA parameters, %d bit long prime\n",num);
 	        BIO_printf(bio_err,"This could take some time\n");
 #ifdef GENCB_TEST
 		if(timebomb > 0)
 	{
 		struct sigaction act;
 		act.sa_handler = timebomb_sigalarm;
 		act.sa_flags = 0;
 		BIO_printf(bio_err,"(though I'll stop it if not done within %d secs)\n",
 				timebomb);
 		if(sigaction(SIGALRM, &act, NULL) != 0)
 			{
 			BIO_printf(bio_err,"Error, couldn't set SIGALRM handler\n");
 			goto end;
 			}
 		alarm(timebomb);
 	}
 #endif
 	        if(!DSA_generate_parameters_ex(dsa,num,NULL,0,NULL,NULL, &cb))
 			{
 #ifdef GENCB_TEST
 			if(stop_keygen_flag)
 				{
 				BIO_printf(bio_err,"DSA key generation time-stopped\n");
 				/* This is an asked-for behaviour! */
 				ret = 0;
 				goto end;
 				}
 #endif
 			ERR_print_errors(bio_err);
 			BIO_printf(bio_err,"Error, DSA key generation failed\n");
 			goto end;
 			}
 		}
 	else if	(informat == FORMAT_ASN1)
 		dsa=d2i_DSAparams_bio(in,NULL);
 	else if (informat == FORMAT_PEM)
 		dsa=PEM_read_bio_DSAparams(in,NULL,NULL,NULL);
 	else
 		{
 		BIO_printf(bio_err,"bad input format specified\n");
 		goto end;
 		}
 	if (dsa == NULL)
 		{
 		BIO_printf(bio_err,"unable to load DSA parameters\n");
 		ERR_print_errors(bio_err);
 		goto end;
 		}
-    if (p == 0)
+	if (text)
-        c = '.';
+		{
-    if (p == 1)
+		DSAparams_print(out,dsa);
-        c = '+';
+		}
-    if (p == 2)
+	
-        c = '*';
+	if (C)
-    if (p == 3)
+		{
-        c = '\n';
+		unsigned char *data;
-    BIO_write(BN_GENCB_get_arg(cb), &c, 1);
+		int l,len,bits_p;
-    (void)BIO_flush(BN_GENCB_get_arg(cb));
+
-# ifdef GENCB_TEST
+		len=BN_num_bytes(dsa->p);
-    if (stop_keygen_flag)
+		bits_p=BN_num_bits(dsa->p);
-        return 0;
+		data=(unsigned char *)OPENSSL_malloc(len+20);
-# endif
+		if (data == NULL)
-    return 1;
+			{
-}
+			perror("OPENSSL_malloc");
-#else                           /* !OPENSSL_NO_DSA */
+			goto end;
 			}
 		l=BN_bn2bin(dsa->p,data);
 		printf("static unsigned char dsa%d_p[]={",bits_p);
 		for (i=0; i<l; i++)
 			{
 			if ((i%12) == 0) printf("\n\t");
 			printf("0x%02X,",data[i]);
 			}
 		printf("\n\t};\n");
 		l=BN_bn2bin(dsa->q,data);
 		printf("static unsigned char dsa%d_q[]={",bits_p);
 		for (i=0; i<l; i++)
 			{
 			if ((i%12) == 0) printf("\n\t");
 			printf("0x%02X,",data[i]);
 			}
 		printf("\n\t};\n");
 		l=BN_bn2bin(dsa->g,data);
 		printf("static unsigned char dsa%d_g[]={",bits_p);
 		for (i=0; i<l; i++)
 			{
 			if ((i%12) == 0) printf("\n\t");
 			printf("0x%02X,",data[i]);
 			}
 		printf("\n\t};\n\n");
 		printf("DSA *get_dsa%d()\n\t{\n",bits_p);
 		printf("\tDSA *dsa;\n\n");
 		printf("\tif ((dsa=DSA_new()) == NULL) return(NULL);\n");
 		printf("\tdsa->p=BN_bin2bn(dsa%d_p,sizeof(dsa%d_p),NULL);\n",
 			bits_p,bits_p);
 		printf("\tdsa->q=BN_bin2bn(dsa%d_q,sizeof(dsa%d_q),NULL);\n",
 			bits_p,bits_p);
 		printf("\tdsa->g=BN_bin2bn(dsa%d_g,sizeof(dsa%d_g),NULL);\n",
 			bits_p,bits_p);
 		printf("\tif ((dsa->p == NULL) || (dsa->q == NULL) || (dsa->g == NULL))\n");
 		printf("\t\t{ DSA_free(dsa); return(NULL); }\n");
 		printf("\treturn(dsa);\n\t}\n");
 		}
 	if (!noout)
 		{
 		if 	(outformat == FORMAT_ASN1)
 			i=i2d_DSAparams_bio(out,dsa);
 		else if (outformat == FORMAT_PEM)
 			i=PEM_write_bio_DSAparams(out,dsa);
 		else	{
 			BIO_printf(bio_err,"bad output format specified for outfile\n");
 			goto end;
 			}
 		if (!i)
 			{
 			BIO_printf(bio_err,"unable to write DSA parameters\n");
 			ERR_print_errors(bio_err);
 			goto end;
 			}
 		}
 	if (genkey)
 		{
 		DSA *dsakey;
 		assert(need_rand);
 		if ((dsakey=DSAparams_dup(dsa)) == NULL) goto end;
 		if (non_fips_allow)
 			dsakey->flags |= DSA_FLAG_NON_FIPS_ALLOW;
 		if (!DSA_generate_key(dsakey))
 			{
 			ERR_print_errors(bio_err);
 			DSA_free(dsakey);
 			goto end;
 			}
 		if 	(outformat == FORMAT_ASN1)
 			i=i2d_DSAPrivateKey_bio(out,dsakey);
 		else if (outformat == FORMAT_PEM)
 			i=PEM_write_bio_DSAPrivateKey(out,dsakey,NULL,NULL,0,NULL,NULL);
 		else	{
 			BIO_printf(bio_err,"bad output format specified for outfile\n");
 			DSA_free(dsakey);
 			goto end;
 			}
 		DSA_free(dsakey);
 		}
 	if (need_rand)
 		app_RAND_write_file(NULL, bio_err);
 	ret=0;
 end:
 	if (in != NULL) BIO_free(in);
 	if (out != NULL) BIO_free_all(out);
 	if (dsa != NULL) DSA_free(dsa);
 	apps_shutdown();
 	OPENSSL_EXIT(ret);
 	}
 static int MS_CALLBACK dsa_cb(int p, int n, BN_GENCB *cb)
 	{
 	char c='*';
 	if (p == 0) c='.';
 	if (p == 1) c='+';
 	if (p == 2) c='*';
 	if (p == 3) c='\n';
 	BIO_write(cb->arg,&c,1);
 	(void)BIO_flush(cb->arg);
 #ifdef LINT
 	p=n;
 #endif
 #ifdef GENCB_TEST
 	if(stop_keygen_flag)
 		return 0;
 #endif
 	return 1;
 	}
 #else /* !OPENSSL_NO_DSA */
 # if PEDANTIC
-static void *dummy = &dummy;
+static void *dummy=&dummy;
 # endif
 #endif
--- a/apps/ec.c
+++ b/apps/ec.c
@@ -1,3 +1,4 @@
 /* apps/ec.c */
 /*
 * Written by Nils Larsch for the OpenSSL project.
 */
@@ -9,7 +10,7 @@
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
+ *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
@@ -57,238 +58,349 @@
 #include <openssl/opensslconf.h>
 #ifndef OPENSSL_NO_EC
-# include <stdio.h>
+#include <stdio.h>
-# include <stdlib.h>
+#include <stdlib.h>
-# include <string.h>
+#include <string.h>
-# include "apps.h"
+#include "apps.h"
-# include <openssl/bio.h>
+#include <openssl/bio.h>
-# include <openssl/err.h>
+#include <openssl/err.h>
-# include <openssl/evp.h>
+#include <openssl/evp.h>
-# include <openssl/pem.h>
+#include <openssl/pem.h>
-static OPT_PAIR conv_forms[] = {
+#undef PROG
-    {"compressed", POINT_CONVERSION_COMPRESSED},
+#define PROG	ec_main
    {"uncompressed", POINT_CONVERSION_UNCOMPRESSED},
    {"hybrid", POINT_CONVERSION_HYBRID},
    {NULL}
 };
-static OPT_PAIR param_enc[] = {
+/* -inform arg    - input format - default PEM (one of DER, NET or PEM)
-    {"named_curve", OPENSSL_EC_NAMED_CURVE},
+ * -outform arg   - output format - default PEM
-    {"explicit", 0},
+ * -in arg        - input file - default stdin
-    {NULL}
+ * -out arg       - output file - default stdout
-};
+ * -des           - encrypt output if PEM format with DES in cbc mode
 * -text          - print a text version
 * -param_out     - print the elliptic curve parameters
 * -conv_form arg - specifies the point encoding form
 * -param_enc arg - specifies the parameter encoding
 */
-typedef enum OPTION_choice {
+int MAIN(int, char **);
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT,
    OPT_NOOUT, OPT_TEXT, OPT_PARAM_OUT, OPT_PUBIN, OPT_PUBOUT,
    OPT_PASSIN, OPT_PASSOUT, OPT_PARAM_ENC, OPT_CONV_FORM, OPT_CIPHER
 } OPTION_CHOICE;
-OPTIONS ec_options[] = {
+int MAIN(int argc, char **argv)
    {"help", OPT_HELP, '-', "Display this summary"},
    {"in", OPT_IN, '<', "Input file"},
    {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
    {"out", OPT_OUT, '>', "Output file"},
    {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
    {"noout", OPT_NOOUT, '-', "Don't print key out"},
    {"text", OPT_TEXT, '-', "Print the key"},
    {"param_out", OPT_PARAM_OUT, '-', "Print the elliptic curve parameters"},
    {"pubin", OPT_PUBIN, '-'},
    {"pubout", OPT_PUBOUT, '-'},
    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
    {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
    {"param_enc", OPT_PARAM_ENC, 's',
     "Specifies the way the ec parameters are encoded"},
    {"conv_form", OPT_CONV_FORM, 's', "Specifies the point conversion form "},
    {"", OPT_CIPHER, '-', "Any supported cipher"},
 # ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 # endif
    {NULL}
 };
 int ec_main(int argc, char **argv)
 {
-    BIO *in = NULL, *out = NULL;
+	int 	ret = 1;
-    EC_KEY *eckey = NULL;
+	EC_KEY 	*eckey = NULL;
-    const EC_GROUP *group;
+	const EC_GROUP *group;
-    const EVP_CIPHER *enc = NULL;
+	int 	i, badops = 0;
-    point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED;
+	const EVP_CIPHER *enc = NULL;
-    char *infile = NULL, *outfile = NULL, *prog;
+	BIO 	*in = NULL, *out = NULL;
-    char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
+	int 	informat, outformat, text=0, noout=0;
-    OPTION_CHOICE o;
+	int  	pubin = 0, pubout = 0, param_out = 0;
-    int asn1_flag = OPENSSL_EC_NAMED_CURVE, new_form = 0, new_asn1_flag = 0;
+	char 	*infile, *outfile, *prog, *engine;
-    int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0;
+	char 	*passargin = NULL, *passargout = NULL;
-    int pubin = 0, pubout = 0, param_out = 0, i, ret = 1, private = 0;
+	char 	*passin = NULL, *passout = NULL;
 	point_conversion_form_t form = POINT_CONVERSION_UNCOMPRESSED;
 	int	new_form = 0;
 	int	asn1_flag = OPENSSL_EC_NAMED_CURVE;
 	int 	new_asn1_flag = 0;
-    prog = opt_init(argc, argv, ec_options);
+	apps_startup();
    while ((o = opt_next()) != OPT_EOF) {
        switch (o) {
        case OPT_EOF:
        case OPT_ERR:
 opthelp:
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
        case OPT_HELP:
            opt_help(ec_options);
            ret = 0;
            goto end;
        case OPT_INFORM:
            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
                goto opthelp;
            break;
        case OPT_IN:
            infile = opt_arg();
            break;
        case OPT_OUTFORM:
            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
                goto opthelp;
            break;
        case OPT_OUT:
            outfile = opt_arg();
            break;
        case OPT_NOOUT:
            noout = 1;
            break;
        case OPT_TEXT:
            text = 1;
            break;
        case OPT_PARAM_OUT:
            param_out = 1;
            break;
        case OPT_PUBIN:
            pubin = 1;
            break;
        case OPT_PUBOUT:
            pubout = 1;
            break;
        case OPT_PASSIN:
            passinarg = opt_arg();
            break;
        case OPT_PASSOUT:
            passoutarg = opt_arg();
            break;
        case OPT_ENGINE:
            (void)setup_engine(opt_arg(), 0);
            break;
        case OPT_CIPHER:
            if (!opt_cipher(opt_unknown(), &enc))
                goto opthelp;
            break;
        case OPT_CONV_FORM:
            if (!opt_pair(opt_arg(), conv_forms, &i))
                goto opthelp;
            new_form = 1;
            form = i;
            break;
        case OPT_PARAM_ENC:
            if (!opt_pair(opt_arg(), param_enc, &i))
                goto opthelp;
            new_asn1_flag = 1;
            asn1_flag = i;
            break;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
    private = param_out || pubin || pubout ? 0 : 1;
    if (text && !pubin)
        private = 1;
-    if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
+	if (bio_err == NULL)
-        BIO_printf(bio_err, "Error getting passwords\n");
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
-        goto end;
+			BIO_set_fp(bio_err, stderr, BIO_NOCLOSE|BIO_FP_TEXT);
    }
-    in = bio_open_default(infile, 'r', informat);
+	if (!load_config(bio_err, NULL))
-    if (in == NULL)
+		goto end;
        goto end;
-    BIO_printf(bio_err, "read EC key\n");
+	engine = NULL;
-    if (informat == FORMAT_ASN1) {
+	infile = NULL;
-        if (pubin)
+	outfile = NULL;
-            eckey = d2i_EC_PUBKEY_bio(in, NULL);
+	informat = FORMAT_PEM;
-        else
+	outformat = FORMAT_PEM;
            eckey = d2i_ECPrivateKey_bio(in, NULL);
    } else {
        if (pubin)
            eckey = PEM_read_bio_EC_PUBKEY(in, NULL, NULL, NULL);
        else
            eckey = PEM_read_bio_ECPrivateKey(in, NULL, NULL, passin);
    }
    if (eckey == NULL) {
        BIO_printf(bio_err, "unable to load Key\n");
        ERR_print_errors(bio_err);
        goto end;
    }
-    out = bio_open_owner(outfile, outformat, private);
+	prog = argv[0];
-    if (out == NULL)
+	argc--;
-        goto end;
+	argv++;
 	while (argc >= 1)
 		{
 		if (strcmp(*argv,"-inform") == 0)
 			{
 			if (--argc < 1) goto bad;
 			informat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-outform") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outformat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-in") == 0)
 			{
 			if (--argc < 1) goto bad;
 			infile= *(++argv);
 			}
 		else if (strcmp(*argv,"-out") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 		else if (strcmp(*argv,"-passin") == 0)
 			{
 			if (--argc < 1) goto bad;
 			passargin= *(++argv);
 			}
 		else if (strcmp(*argv,"-passout") == 0)
 			{
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 			}
 		else if (strcmp(*argv, "-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 		else if (strcmp(*argv, "-noout") == 0)
 			noout = 1;
 		else if (strcmp(*argv, "-text") == 0)
 			text = 1;
 		else if (strcmp(*argv, "-conv_form") == 0)
 			{
 			if (--argc < 1)
 				goto bad;
 			++argv;
 			new_form = 1;
 			if (strcmp(*argv, "compressed") == 0)
 				form = POINT_CONVERSION_COMPRESSED;
 			else if (strcmp(*argv, "uncompressed") == 0)
 				form = POINT_CONVERSION_UNCOMPRESSED;
 			else if (strcmp(*argv, "hybrid") == 0)
 				form = POINT_CONVERSION_HYBRID;
 			else
 				goto bad;
 			}
 		else if (strcmp(*argv, "-param_enc") == 0)
 			{
 			if (--argc < 1)
 				goto bad;
 			++argv;
 			new_asn1_flag = 1;
 			if (strcmp(*argv, "named_curve") == 0)
 				asn1_flag = OPENSSL_EC_NAMED_CURVE;
 			else if (strcmp(*argv, "explicit") == 0)
 				asn1_flag = 0;
 			else
 				goto bad;
 			}
 		else if (strcmp(*argv, "-param_out") == 0)
 			param_out = 1;
 		else if (strcmp(*argv, "-pubin") == 0)
 			pubin=1;
 		else if (strcmp(*argv, "-pubout") == 0)
 			pubout=1;
 		else if ((enc=EVP_get_cipherbyname(&(argv[0][1]))) == NULL)
 			{
 			BIO_printf(bio_err, "unknown option %s\n", *argv);
 			badops=1;
 			break;
 			}
 		argc--;
 		argv++;
 		}
-    group = EC_KEY_get0_group(eckey);
+	if (badops)
 		{
 bad:
 		BIO_printf(bio_err, "%s [options] <infile >outfile\n", prog);
 		BIO_printf(bio_err, "where options are\n");
 		BIO_printf(bio_err, " -inform arg     input format - "
 				"DER or PEM\n");
 		BIO_printf(bio_err, " -outform arg    output format - "
 				"DER or PEM\n");
 		BIO_printf(bio_err, " -in arg         input file\n");
 		BIO_printf(bio_err, " -passin arg     input file pass "
 				"phrase source\n");
 		BIO_printf(bio_err, " -out arg        output file\n");
 		BIO_printf(bio_err, " -passout arg    output file pass "
 				"phrase source\n");
 		BIO_printf(bio_err, " -engine e       use engine e, "
 				"possibly a hardware device.\n");
 		BIO_printf(bio_err, " -des            encrypt PEM output, "
 				"instead of 'des' every other \n"
 				"                 cipher "
 				"supported by OpenSSL can be used\n");
 		BIO_printf(bio_err, " -text           print the key\n");
 		BIO_printf(bio_err, " -noout          don't print key out\n");
 		BIO_printf(bio_err, " -param_out      print the elliptic "
 				"curve parameters\n");
 		BIO_printf(bio_err, " -conv_form arg  specifies the "
 				"point conversion form \n");
 		BIO_printf(bio_err, "                 possible values:"
 				" compressed\n");
 		BIO_printf(bio_err, "                                 "
 				" uncompressed (default)\n");
 		BIO_printf(bio_err, "                                  "
 				" hybrid\n");
 		BIO_printf(bio_err, " -param_enc arg  specifies the way"
 				" the ec parameters are encoded\n");
 		BIO_printf(bio_err, "                 in the asn1 der "
 				"encoding\n");
 		BIO_printf(bio_err, "                 possible values:"
 				" named_curve (default)\n");
 		BIO_printf(bio_err,"                                  "
 				"explicit\n");
 		goto end;
 		}
-    if (new_form)
+	ERR_load_crypto_strings();
        EC_KEY_set_conv_form(eckey, form);
-    if (new_asn1_flag)
+#ifndef OPENSSL_NO_ENGINE
-        EC_KEY_set_asn1_flag(eckey, asn1_flag);
+        setup_engine(bio_err, engine, 0);
 #endif
-    if (text) {
+	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) 
-        assert(pubin || private);
+		{
-        if (!EC_KEY_print(out, eckey, 0)) {
+		BIO_printf(bio_err, "Error getting passwords\n");
-            perror(outfile);
+		goto end;
-            ERR_print_errors(bio_err);
+		}
            goto end;
        }
    }
-    if (noout) {
+	in = BIO_new(BIO_s_file());
-        ret = 0;
+	out = BIO_new(BIO_s_file());
-        goto end;
+	if ((in == NULL) || (out == NULL))
-    }
+		{
 		ERR_print_errors(bio_err);
 		goto end;
 		}
-    BIO_printf(bio_err, "writing EC key\n");
+	if (infile == NULL)
-    if (outformat == FORMAT_ASN1) {
+		BIO_set_fp(in, stdin, BIO_NOCLOSE);
-        if (param_out)
+	else
-            i = i2d_ECPKParameters_bio(out, group);
+		{
-        else if (pubin || pubout)
+		if (BIO_read_filename(in, infile) <= 0)
-            i = i2d_EC_PUBKEY_bio(out, eckey);
+			{
-        else {
+			perror(infile);
-            assert(private);
+			goto end;
-            i = i2d_ECPrivateKey_bio(out, eckey);
+			}
-        }
+		}
    } else {
        if (param_out)
            i = PEM_write_bio_ECPKParameters(out, group);
        else if (pubin || pubout)
            i = PEM_write_bio_EC_PUBKEY(out, eckey);
        else {
            assert(private);
            i = PEM_write_bio_ECPrivateKey(out, eckey, enc,
                                           NULL, 0, NULL, passout);
        }
    }
-    if (!i) {
+	BIO_printf(bio_err, "read EC key\n");
-        BIO_printf(bio_err, "unable to write private key\n");
+	if (informat == FORMAT_ASN1) 
-        ERR_print_errors(bio_err);
+		{
-    } else
+		if (pubin) 
-        ret = 0;
+			eckey = d2i_EC_PUBKEY_bio(in, NULL);
- end:
+		else 
-    BIO_free(in);
+			eckey = d2i_ECPrivateKey_bio(in, NULL);
-    BIO_free_all(out);
+		} 
-    EC_KEY_free(eckey);
+	else if (informat == FORMAT_PEM) 
-    OPENSSL_free(passin);
+		{
-    OPENSSL_free(passout);
+		if (pubin) 
-    return (ret);
+			eckey = PEM_read_bio_EC_PUBKEY(in, NULL, NULL, 
 				NULL);
 		else 
 			eckey = PEM_read_bio_ECPrivateKey(in, NULL, NULL,
 				passin);
 		} 
 	else
 		{
 		BIO_printf(bio_err, "bad input format specified for key\n");
 		goto end;
 		}
 	if (eckey == NULL)
 		{
 		BIO_printf(bio_err,"unable to load Key\n");
 		ERR_print_errors(bio_err);
 		goto end;
 		}
 	if (outfile == NULL)
 		{
 		BIO_set_fp(out, stdout, BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 			{
 			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 			out = BIO_push(tmpbio, out);
 			}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out, outfile) <= 0)
 			{
 			perror(outfile);
 			goto end;
 			}
 		}
 	group = EC_KEY_get0_group(eckey);
 	if (new_form)
 		EC_KEY_set_conv_form(eckey, form);
 	if (new_asn1_flag)
 		EC_KEY_set_asn1_flag(eckey, asn1_flag);
 	if (text) 
 		if (!EC_KEY_print(out, eckey, 0))
 			{
 			perror(outfile);
 			ERR_print_errors(bio_err);
 			goto end;
 			}
 	if (noout) 
 		{
 		ret = 0;
 		goto end;
 		}
 	BIO_printf(bio_err, "writing EC key\n");
 	if (outformat == FORMAT_ASN1) 
 		{
 		if (param_out)
 			i = i2d_ECPKParameters_bio(out, group);
 		else if (pubin || pubout) 
 			i = i2d_EC_PUBKEY_bio(out, eckey);
 		else 
 			i = i2d_ECPrivateKey_bio(out, eckey);
 		} 
 	else if (outformat == FORMAT_PEM) 
 		{
 		if (param_out)
 			i = PEM_write_bio_ECPKParameters(out, group);
 		else if (pubin || pubout)
 			i = PEM_write_bio_EC_PUBKEY(out, eckey);
 		else 
 			i = PEM_write_bio_ECPrivateKey(out, eckey, enc,
 						NULL, 0, NULL, passout);
 		} 
 	else 
 		{
 		BIO_printf(bio_err, "bad output format specified for "
 			"outfile\n");
 		goto end;
 		}
 	if (!i)
 		{
 		BIO_printf(bio_err, "unable to write private key\n");
 		ERR_print_errors(bio_err);
 		}
 	else
 		ret=0;
 end:
 	if (in)
 		BIO_free(in);
 	if (out)
 		BIO_free_all(out);
 	if (eckey)
 		EC_KEY_free(eckey);
 	if (passin)
 		OPENSSL_free(passin);
 	if (passout)
 		OPENSSL_free(passout);
 	apps_shutdown();
 	OPENSSL_EXIT(ret);
 }
-#else                           /* !OPENSSL_NO_EC */
+#else /* !OPENSSL_NO_EC */
 # if PEDANTIC
-static void *dummy = &dummy;
+static void *dummy=&dummy;
 # endif
 #endif
--- a/apps/ecparam.c
+++ b/apps/ecparam.c
--- a/apps/enc.c
+++ b/apps/enc.c
--- a/apps/engine.c
+++ b/apps/engine.c
@@ -1,6 +1,6 @@
-/*
+/* apps/engine.c -*- mode: C; c-file-style: "eay" -*- */
- * Written by Richard Levitte <richard@levitte.org> for the OpenSSL project
+/* Written by Richard Levitte <richard@levitte.org> for the OpenSSL
- * 2000.
+ * project 2000.
 */
 /* ====================================================================
 * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
@@ -10,7 +10,7 @@
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
+ *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
@@ -56,417 +56,494 @@
 *
 */
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #ifdef OPENSSL_NO_STDIO
 #define APPS_WIN16
 #endif
 #include "apps.h"
 #include <openssl/err.h>
 #ifndef OPENSSL_NO_ENGINE
-# include <openssl/engine.h>
+#include <openssl/engine.h>
-# include <openssl/ssl.h>
+#include <openssl/ssl.h>
-typedef enum OPTION_choice {
+#undef PROG
-    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+#define PROG	engine_main
    OPT_C, OPT_T, OPT_TT, OPT_PRE, OPT_POST,
    OPT_V = 100, OPT_VV, OPT_VVV, OPT_VVVV
 } OPTION_CHOICE;
-OPTIONS engine_options[] = {
+static const char *engine_usage[]={
-    {"help", OPT_HELP, '-', "Display this summary"},
+"usage: engine opts [engine ...]\n",
-    {"vvvv", OPT_VVVV, '-', "Also show internal input flags"},
+" -v[v[v[v]]] - verbose mode, for each engine, list its 'control commands'\n",
-    {"vvv", OPT_VVV, '-', "Also add the input flags for each command"},
+"               -vv will additionally display each command's description\n",
-    {"vv", OPT_VV, '-', "Also display each command's description"},
+"               -vvv will also add the input flags for each command\n",
-    {"v", OPT_V, '-', "For each engine, list its 'control commands'"},
+"               -vvvv will also show internal input flags\n",
-    {"c", OPT_C, '-', "List the capabilities of each engine"},
+" -c          - for each engine, also list the capabilities\n",
-    {"t", OPT_T, '-', "Check that each engine is available"},
+" -t[t]       - for each engine, check that they are really available\n",
-    {"tt", OPT_TT, '-', "Display error trace for unavailable engines"},
+"               -tt will display error trace for unavailable engines\n",
-    {"pre", OPT_PRE, 's', "Run command against the ENGINE before loading it"},
+" -pre <cmd>  - runs command 'cmd' against the ENGINE before any attempts\n",
-    {"post", OPT_POST, 's', "Run command against the ENGINE after loading it"},
+"               to load it (if -t is used)\n",
-    {OPT_MORE_STR, OPT_EOF, 1,
+" -post <cmd> - runs command 'cmd' against the ENGINE after loading it\n",
-     "Commands are like \"SO_PATH:/lib/libdriver.so\""},
+"               (only used if -t is also provided)\n",
-    {NULL}
+" NB: -pre and -post will be applied to all ENGINEs supplied on the command\n",
 " line, or all supported ENGINEs if none are specified.\n",
 " Eg. '-pre \"SO_PATH:/lib/libdriver.so\"' calls command \"SO_PATH\" with\n",
 " argument \"/lib/libdriver.so\".\n",
 NULL
 };
 static void identity(char *ptr)
-{
+	{
-    return;
+	return;
-}
+	}
 static int append_buf(char **buf, const char *s, int *size, int step)
-{
+	{
-    if (*buf == NULL) {
+	int l = strlen(s);
        *size = step;
        *buf = app_malloc(*size, "engine buffer");
        **buf = '\0';
    }
-    if (strlen(*buf) + strlen(s) >= (unsigned int)*size) {
+	if (*buf == NULL)
-        *size += step;
+		{
-        *buf = OPENSSL_realloc(*buf, *size);
+		*size = step;
-    }
+		*buf = OPENSSL_malloc(*size);
 		if (*buf == NULL)
 			return 0;
 		**buf = '\0';
 		}
-    if (*buf == NULL)
+	if (**buf != '\0')
-        return 0;
+		l += 2;		/* ", " */
-    if (**buf != '\0')
+	if (strlen(*buf) + strlen(s) >= (unsigned int)*size)
-        OPENSSL_strlcat(*buf, ", ", *size);
+		{
-    OPENSSL_strlcat(*buf, s, *size);
+		*size += step;
 		*buf = OPENSSL_realloc(*buf, *size);
 		}
-    return 1;
+	if (*buf == NULL)
-}
+		return 0;
-static int util_flags(BIO *out, unsigned int flags, const char *indent)
+	if (**buf != '\0')
-{
+		BUF_strlcat(*buf, ", ", *size);
-    int started = 0, err = 0;
+	BUF_strlcat(*buf, s, *size);
    /* Indent before displaying input flags */
    BIO_printf(out, "%s%s(input flags): ", indent, indent);
    if (flags == 0) {
        BIO_printf(out, "<no flags>\n");
        return 1;
    }
    /*
     * If the object is internal, mark it in a way that shows instead of
     * having it part of all the other flags, even if it really is.
     */
    if (flags & ENGINE_CMD_FLAG_INTERNAL) {
        BIO_printf(out, "[Internal] ");
    }
-    if (flags & ENGINE_CMD_FLAG_NUMERIC) {
+	return 1;
-        BIO_printf(out, "NUMERIC");
+	}
        started = 1;
    }
    /*
     * Now we check that no combinations of the mutually exclusive NUMERIC,
     * STRING, and NO_INPUT flags have been used. Future flags that can be
     * OR'd together with these would need to added after these to preserve
     * the testing logic.
     */
    if (flags & ENGINE_CMD_FLAG_STRING) {
        if (started) {
            BIO_printf(out, "|");
            err = 1;
        }
        BIO_printf(out, "STRING");
        started = 1;
    }
    if (flags & ENGINE_CMD_FLAG_NO_INPUT) {
        if (started) {
            BIO_printf(out, "|");
            err = 1;
        }
        BIO_printf(out, "NO_INPUT");
        started = 1;
    }
    /* Check for unknown flags */
    flags = flags & ~ENGINE_CMD_FLAG_NUMERIC &
        ~ENGINE_CMD_FLAG_STRING &
        ~ENGINE_CMD_FLAG_NO_INPUT & ~ENGINE_CMD_FLAG_INTERNAL;
    if (flags) {
        if (started)
            BIO_printf(out, "|");
        BIO_printf(out, "<0x%04X>", flags);
    }
    if (err)
        BIO_printf(out, "  <illegal flags!>");
    BIO_printf(out, "\n");
    return 1;
 }
-static int util_verbose(ENGINE *e, int verbose, BIO *out, const char *indent)
+static int util_flags(BIO *bio_out, unsigned int flags, const char *indent)
-{
+	{
-    static const int line_wrap = 78;
+	int started = 0, err = 0;
-    int num;
+	/* Indent before displaying input flags */
-    int ret = 0;
+	BIO_printf(bio_out, "%s%s(input flags): ", indent, indent);
-    char *name = NULL;
+	if(flags == 0)
-    char *desc = NULL;
+		{
-    int flags;
+		BIO_printf(bio_out, "<no flags>\n");
-    int xpos = 0;
+		return 1;
-    STACK_OF(OPENSSL_STRING) *cmds = NULL;
+		}
-    if (!ENGINE_ctrl(e, ENGINE_CTRL_HAS_CTRL_FUNCTION, 0, NULL, NULL) ||
+        /* If the object is internal, mark it in a way that shows instead of
-        ((num = ENGINE_ctrl(e, ENGINE_CTRL_GET_FIRST_CMD_TYPE,
+         * having it part of all the other flags, even if it really is. */
-                            0, NULL, NULL)) <= 0)) {
+	if(flags & ENGINE_CMD_FLAG_INTERNAL)
-        return 1;
+		{
-    }
+		BIO_printf(bio_out, "[Internal] ");
 		}
-    cmds = sk_OPENSSL_STRING_new_null();
+	if(flags & ENGINE_CMD_FLAG_NUMERIC)
-    if (!cmds)
+		{
-        goto err;
+		BIO_printf(bio_out, "NUMERIC");
 		started = 1;
 		}
 	/* Now we check that no combinations of the mutually exclusive NUMERIC,
 	 * STRING, and NO_INPUT flags have been used. Future flags that can be
 	 * OR'd together with these would need to added after these to preserve
 	 * the testing logic. */
 	if(flags & ENGINE_CMD_FLAG_STRING)
 		{
 		if(started)
 			{
 			BIO_printf(bio_out, "|");
 			err = 1;
 			}
 		BIO_printf(bio_out, "STRING");
 		started = 1;
 		}
 	if(flags & ENGINE_CMD_FLAG_NO_INPUT)
 		{
 		if(started)
 			{
 			BIO_printf(bio_out, "|");
 			err = 1;
 			}
 		BIO_printf(bio_out, "NO_INPUT");
 		started = 1;
 		}
 	/* Check for unknown flags */
 	flags = flags & ~ENGINE_CMD_FLAG_NUMERIC &
 			~ENGINE_CMD_FLAG_STRING &
 			~ENGINE_CMD_FLAG_NO_INPUT &
 			~ENGINE_CMD_FLAG_INTERNAL;
 	if(flags)
 		{
 		if(started) BIO_printf(bio_out, "|");
 		BIO_printf(bio_out, "<0x%04X>", flags);
 		}
 	if(err)
 		BIO_printf(bio_out, "  <illegal flags!>");
 	BIO_printf(bio_out, "\n");
 	return 1;
 	}
-    do {
+static int util_verbose(ENGINE *e, int verbose, BIO *bio_out, const char *indent)
-        int len;
+	{
-        /* Get the command input flags */
+	static const int line_wrap = 78;
-        if ((flags = ENGINE_ctrl(e, ENGINE_CTRL_GET_CMD_FLAGS, num,
+	int num;
-                                 NULL, NULL)) < 0)
+	int ret = 0;
-            goto err;
+	char *name = NULL;
-        if (!(flags & ENGINE_CMD_FLAG_INTERNAL) || verbose >= 4) {
+	char *desc = NULL;
-            /* Get the command name */
+	int flags;
-            if ((len = ENGINE_ctrl(e, ENGINE_CTRL_GET_NAME_LEN_FROM_CMD, num,
+	int xpos = 0;
-                                   NULL, NULL)) <= 0)
+	STACK_OF(OPENSSL_STRING) *cmds = NULL;
-                goto err;
+	if(!ENGINE_ctrl(e, ENGINE_CTRL_HAS_CTRL_FUNCTION, 0, NULL, NULL) ||
-            name = app_malloc(len + 1, "name buffer");
+			((num = ENGINE_ctrl(e, ENGINE_CTRL_GET_FIRST_CMD_TYPE,
-            if (ENGINE_ctrl(e, ENGINE_CTRL_GET_NAME_FROM_CMD, num, name,
+					0, NULL, NULL)) <= 0))
-                            NULL) <= 0)
+		{
-                goto err;
+#if 0
-            /* Get the command description */
+		BIO_printf(bio_out, "%s<no control commands>\n", indent);
-            if ((len = ENGINE_ctrl(e, ENGINE_CTRL_GET_DESC_LEN_FROM_CMD, num,
+#endif
-                                   NULL, NULL)) < 0)
+		return 1;
-                goto err;
+		}
-            if (len > 0) {
+
-                desc = app_malloc(len + 1, "description buffer");
+	cmds = sk_OPENSSL_STRING_new_null();
-                if (ENGINE_ctrl(e, ENGINE_CTRL_GET_DESC_FROM_CMD, num, desc,
+
 	if(!cmds)
 		goto err;
 	do {
 		int len;
 		/* Get the command input flags */
 		if((flags = ENGINE_ctrl(e, ENGINE_CTRL_GET_CMD_FLAGS, num,
 					NULL, NULL)) < 0)
 			goto err;
                if (!(flags & ENGINE_CMD_FLAG_INTERNAL) || verbose >= 4)
                        {
                        /* Get the command name */
                        if((len = ENGINE_ctrl(e, ENGINE_CTRL_GET_NAME_LEN_FROM_CMD, num,
                                NULL, NULL)) <= 0)
                                goto err;
                        if((name = OPENSSL_malloc(len + 1)) == NULL)
                                goto err;
                        if(ENGINE_ctrl(e, ENGINE_CTRL_GET_NAME_FROM_CMD, num, name,
                                NULL) <= 0)
-                    goto err;
+                                goto err;
-            }
+                        /* Get the command description */
-            /* Now decide on the output */
+                        if((len = ENGINE_ctrl(e, ENGINE_CTRL_GET_DESC_LEN_FROM_CMD, num,
-            if (xpos == 0)
+                                NULL, NULL)) < 0)
-                /* Do an indent */
+                                goto err;
-                xpos = BIO_puts(out, indent);
+                        if(len > 0)
-            else
+                                {
-                /* Otherwise prepend a ", " */
+                                if((desc = OPENSSL_malloc(len + 1)) == NULL)
-                xpos += BIO_printf(out, ", ");
+                                        goto err;
-            if (verbose == 1) {
+                                if(ENGINE_ctrl(e, ENGINE_CTRL_GET_DESC_FROM_CMD, num, desc,
-                /*
+                                        NULL) <= 0)
-                 * We're just listing names, comma-delimited
+                                        goto err;
-                 */
+                                }
-                if ((xpos > (int)strlen(indent)) &&
+                        /* Now decide on the output */
-                    (xpos + (int)strlen(name) > line_wrap)) {
+                        if(xpos == 0)
-                    BIO_printf(out, "\n");
+                                /* Do an indent */
-                    xpos = BIO_puts(out, indent);
+                                xpos = BIO_puts(bio_out, indent);
-                }
+                        else
-                xpos += BIO_printf(out, "%s", name);
+                                /* Otherwise prepend a ", " */
-            } else {
+                                xpos += BIO_printf(bio_out, ", ");
-                /* We're listing names plus descriptions */
+                        if(verbose == 1)
-                BIO_printf(out, "%s: %s\n", name,
+                                {
-                           (desc == NULL) ? "<no description>" : desc);
+                                /* We're just listing names, comma-delimited */
-                /* ... and sometimes input flags */
+                                if((xpos > (int)strlen(indent)) &&
-                if ((verbose >= 3) && !util_flags(out, flags, indent))
+					(xpos + (int)strlen(name) > line_wrap))
-                    goto err;
+                                        {
-                xpos = 0;
+                                        BIO_printf(bio_out, "\n");
-            }
+                                        xpos = BIO_puts(bio_out, indent);
-        }
+                                        }
-        OPENSSL_free(name);
+                                xpos += BIO_printf(bio_out, "%s", name);
-        name = NULL;
+                                }
-        OPENSSL_free(desc);
+                        else
-        desc = NULL;
+                                {
-        /* Move to the next command */
+                                /* We're listing names plus descriptions */
-        num = ENGINE_ctrl(e, ENGINE_CTRL_GET_NEXT_CMD_TYPE, num, NULL, NULL);
+                                BIO_printf(bio_out, "%s: %s\n", name,
-    } while (num > 0);
+                                        (desc == NULL) ? "<no description>" : desc);
-    if (xpos > 0)
+                                /* ... and sometimes input flags */
-        BIO_printf(out, "\n");
+                                if((verbose >= 3) && !util_flags(bio_out, flags,
-    ret = 1;
+                                        indent))
- err:
+                                        goto err;
-    sk_OPENSSL_STRING_pop_free(cmds, identity);
+                                xpos = 0;
-    OPENSSL_free(name);
+                                }
-    OPENSSL_free(desc);
+                        }
-    return ret;
+		OPENSSL_free(name); name = NULL;
-}
+		if(desc) { OPENSSL_free(desc); desc = NULL; }
 		/* Move to the next command */
 		num = ENGINE_ctrl(e, ENGINE_CTRL_GET_NEXT_CMD_TYPE,
 					num, NULL, NULL);
 		} while(num > 0);
 	if(xpos > 0)
 		BIO_printf(bio_out, "\n");
 	ret = 1;
 err:
 	if(cmds) sk_OPENSSL_STRING_pop_free(cmds, identity);
 	if(name) OPENSSL_free(name);
 	if(desc) OPENSSL_free(desc);
 	return ret;
 	}
 static void util_do_cmds(ENGINE *e, STACK_OF(OPENSSL_STRING) *cmds,
-                         BIO *out, const char *indent)
+			BIO *bio_out, const char *indent)
-{
+	{
-    int loop, res, num = sk_OPENSSL_STRING_num(cmds);
+	int loop, res, num = sk_OPENSSL_STRING_num(cmds);
-    if (num < 0) {
+	if(num < 0)
-        BIO_printf(out, "[Error]: internal stack error\n");
+		{
-        return;
+		BIO_printf(bio_out, "[Error]: internal stack error\n");
-    }
+		return;
-    for (loop = 0; loop < num; loop++) {
+		}
-        char buf[256];
+	for(loop = 0; loop < num; loop++)
-        const char *cmd, *arg;
+		{
-        cmd = sk_OPENSSL_STRING_value(cmds, loop);
+		char buf[256];
-        res = 1;                /* assume success */
+		const char *cmd, *arg;
-        /* Check if this command has no ":arg" */
+		cmd = sk_OPENSSL_STRING_value(cmds, loop);
-        if ((arg = strstr(cmd, ":")) == NULL) {
+		res = 1; /* assume success */
-            if (!ENGINE_ctrl_cmd_string(e, cmd, NULL, 0))
+		/* Check if this command has no ":arg" */
-                res = 0;
+		if((arg = strstr(cmd, ":")) == NULL)
-        } else {
+			{
-            if ((int)(arg - cmd) > 254) {
+			if(!ENGINE_ctrl_cmd_string(e, cmd, NULL, 0))
-                BIO_printf(out, "[Error]: command name too long\n");
+				res = 0;
-                return;
+			}
-            }
+		else
-            memcpy(buf, cmd, (int)(arg - cmd));
+			{
-            buf[arg - cmd] = '\0';
+			if((int)(arg - cmd) > 254)
-            arg++;              /* Move past the ":" */
+				{
-            /* Call the command with the argument */
+				BIO_printf(bio_out,"[Error]: command name too long\n");
-            if (!ENGINE_ctrl_cmd_string(e, buf, arg, 0))
+				return;
-                res = 0;
+				}
-        }
+			memcpy(buf, cmd, (int)(arg - cmd));
-        if (res)
+			buf[arg-cmd] = '\0';
-            BIO_printf(out, "[Success]: %s\n", cmd);
+			arg++; /* Move past the ":" */
-        else {
+			/* Call the command with the argument */
-            BIO_printf(out, "[Failure]: %s\n", cmd);
+			if(!ENGINE_ctrl_cmd_string(e, buf, arg, 0))
-            ERR_print_errors(out);
+				res = 0;
-        }
+			}
-    }
+		if(res)
-}
+			BIO_printf(bio_out, "[Success]: %s\n", cmd);
 		else
 			{
 			BIO_printf(bio_out, "[Failure]: %s\n", cmd);
 			ERR_print_errors(bio_out);
 			}
 		}
 	}
-int engine_main(int argc, char **argv)
+int MAIN(int, char **);
 {
    int ret = 1, i;
    int verbose = 0, list_cap = 0, test_avail = 0, test_avail_noise = 0;
    ENGINE *e;
    STACK_OF(OPENSSL_STRING) *engines = sk_OPENSSL_STRING_new_null();
    STACK_OF(OPENSSL_STRING) *pre_cmds = sk_OPENSSL_STRING_new_null();
    STACK_OF(OPENSSL_STRING) *post_cmds = sk_OPENSSL_STRING_new_null();
    BIO *out;
    const char *indent = "     ";
    OPTION_CHOICE o;
    char *prog;
-    out = dup_bio_out(FORMAT_TEXT);
+int MAIN(int argc, char **argv)
-    prog = opt_init(argc, argv, engine_options);
+	{
-    if (!engines || !pre_cmds || !post_cmds)
+	int ret=1,i;
-        goto end;
+	const char **pp;
-    while ((o = opt_next()) != OPT_EOF) {
+	int verbose=0, list_cap=0, test_avail=0, test_avail_noise = 0;
-        switch (o) {
+	ENGINE *e;
-        case OPT_EOF:
+	STACK_OF(OPENSSL_STRING) *engines = sk_OPENSSL_STRING_new_null();
-        case OPT_ERR:
+	STACK_OF(OPENSSL_STRING) *pre_cmds = sk_OPENSSL_STRING_new_null();
-            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+	STACK_OF(OPENSSL_STRING) *post_cmds = sk_OPENSSL_STRING_new_null();
-            goto end;
+	int badops=1;
-        case OPT_HELP:
+	BIO *bio_out=NULL;
-            opt_help(engine_options);
+	const char *indent = "     ";
            ret = 0;
            goto end;
        case OPT_VVVV:
        case OPT_VVV:
        case OPT_VV:
        case OPT_V:
            /* Convert to an integer from one to four. */
            i = (int)(o - OPT_V) + 1;
            if (verbose < i)
                verbose = i;
            break;
        case OPT_C:
            list_cap = 1;
            break;
        case OPT_TT:
            test_avail_noise++;
        case OPT_T:
            test_avail++;
            break;
        case OPT_PRE:
            sk_OPENSSL_STRING_push(pre_cmds, opt_arg());
            break;
        case OPT_POST:
            sk_OPENSSL_STRING_push(post_cmds, opt_arg());
            break;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
    for ( ; *argv; argv++)
        sk_OPENSSL_STRING_push(engines, *argv);
-    if (sk_OPENSSL_STRING_num(engines) == 0) {
+	apps_startup();
-        for (e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e)) {
+	SSL_load_error_strings();
            sk_OPENSSL_STRING_push(engines, (char *)ENGINE_get_id(e));
        }
    }
-    for (i = 0; i < sk_OPENSSL_STRING_num(engines); i++) {
+	if (bio_err == NULL)
-        const char *id = sk_OPENSSL_STRING_value(engines, i);
+		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
        if ((e = ENGINE_by_id(id)) != NULL) {
            const char *name = ENGINE_get_name(e);
            /*
             * Do "id" first, then "name". Easier to auto-parse.
             */
            BIO_printf(out, "(%s) %s\n", id, name);
            util_do_cmds(e, pre_cmds, out, indent);
            if (strcmp(ENGINE_get_id(e), id) != 0) {
                BIO_printf(out, "Loaded: (%s) %s\n",
                           ENGINE_get_id(e), ENGINE_get_name(e));
            }
            if (list_cap) {
                int cap_size = 256;
                char *cap_buf = NULL;
                int k, n;
                const int *nids;
                ENGINE_CIPHERS_PTR fn_c;
                ENGINE_DIGESTS_PTR fn_d;
                ENGINE_PKEY_METHS_PTR fn_pk;
-                if (ENGINE_get_RSA(e) != NULL
+	if (!load_config(bio_err, NULL))
-                    && !append_buf(&cap_buf, "RSA", &cap_size, 256))
+		goto end;
-                    goto end;
+	bio_out=BIO_new_fp(stdout,BIO_NOCLOSE);
-                if (ENGINE_get_DSA(e) != NULL
+#ifdef OPENSSL_SYS_VMS
-                    && !append_buf(&cap_buf, "DSA", &cap_size, 256))
+	{
-                    goto end;
+	BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-                if (ENGINE_get_DH(e) != NULL
+	bio_out = BIO_push(tmpbio, bio_out);
-                    && !append_buf(&cap_buf, "DH", &cap_size, 256))
+	}
-                    goto end;
+#endif
                if (ENGINE_get_RAND(e) != NULL
                    && !append_buf(&cap_buf, "RAND", &cap_size, 256))
                    goto end;
-                fn_c = ENGINE_get_ciphers(e);
+	argc--;
-                if (!fn_c)
+	argv++;
-                    goto skip_ciphers;
+	while (argc >= 1)
-                n = fn_c(e, NULL, &nids, 0);
+		{
-                for (k = 0; k < n; ++k)
+		if (strncmp(*argv,"-v",2) == 0)
-                    if (!append_buf(&cap_buf,
+			{
-                                    OBJ_nid2sn(nids[k]), &cap_size, 256))
+			if(strspn(*argv + 1, "v") < strlen(*argv + 1))
-                        goto end;
+				goto skip_arg_loop;
 			if((verbose=strlen(*argv + 1)) > 4)
 				goto skip_arg_loop;
 			}
 		else if (strcmp(*argv,"-c") == 0)
 			list_cap=1;
 		else if (strncmp(*argv,"-t",2) == 0)
 			{
 			test_avail=1;
 			if(strspn(*argv + 1, "t") < strlen(*argv + 1))
 				goto skip_arg_loop;
 			if((test_avail_noise = strlen(*argv + 1) - 1) > 1)
 				goto skip_arg_loop;
 			}
 		else if (strcmp(*argv,"-pre") == 0)
 			{
 			argc--; argv++;
 			if (argc == 0)
 				goto skip_arg_loop;
 			sk_OPENSSL_STRING_push(pre_cmds,*argv);
 			}
 		else if (strcmp(*argv,"-post") == 0)
 			{
 			argc--; argv++;
 			if (argc == 0)
 				goto skip_arg_loop;
 			sk_OPENSSL_STRING_push(post_cmds,*argv);
 			}
 		else if ((strncmp(*argv,"-h",2) == 0) ||
 				(strcmp(*argv,"-?") == 0))
 			goto skip_arg_loop;
 		else
 			sk_OPENSSL_STRING_push(engines,*argv);
 		argc--;
 		argv++;
 		}
 	/* Looks like everything went OK */
 	badops = 0;
 skip_arg_loop:
- skip_ciphers:
+	if (badops)
-                fn_d = ENGINE_get_digests(e);
+		{
-                if (!fn_d)
+		for (pp=engine_usage; (*pp != NULL); pp++)
-                    goto skip_digests;
+			BIO_printf(bio_err,"%s",*pp);
-                n = fn_d(e, NULL, &nids, 0);
+		goto end;
-                for (k = 0; k < n; ++k)
+		}
                    if (!append_buf(&cap_buf,
                                    OBJ_nid2sn(nids[k]), &cap_size, 256))
                        goto end;
- skip_digests:
+	if (sk_OPENSSL_STRING_num(engines) == 0)
-                fn_pk = ENGINE_get_pkey_meths(e);
+		{
-                if (!fn_pk)
+		for(e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e))
-                    goto skip_pmeths;
+			{
-                n = fn_pk(e, NULL, &nids, 0);
+			sk_OPENSSL_STRING_push(engines,(char *)ENGINE_get_id(e));
-                for (k = 0; k < n; ++k)
+			}
-                    if (!append_buf(&cap_buf,
+		}
                                    OBJ_nid2sn(nids[k]), &cap_size, 256))
                        goto end;
 skip_pmeths:
                if (cap_buf && (*cap_buf != '\0'))
                    BIO_printf(out, " [%s]\n", cap_buf);
-                OPENSSL_free(cap_buf);
+	for (i=0; i<sk_OPENSSL_STRING_num(engines); i++)
-            }
+		{
-            if (test_avail) {
+		const char *id = sk_OPENSSL_STRING_value(engines,i);
-                BIO_printf(out, "%s", indent);
+		if ((e = ENGINE_by_id(id)) != NULL)
-                if (ENGINE_init(e)) {
+			{
-                    BIO_printf(out, "[ available ]\n");
+			const char *name = ENGINE_get_name(e);
-                    util_do_cmds(e, post_cmds, out, indent);
+			/* Do "id" first, then "name". Easier to auto-parse. */
-                    ENGINE_finish(e);
+			BIO_printf(bio_out, "(%s) %s\n", id, name);
-                } else {
+			util_do_cmds(e, pre_cmds, bio_out, indent);
-                    BIO_printf(out, "[ unavailable ]\n");
+			if (strcmp(ENGINE_get_id(e), id) != 0)
-                    if (test_avail_noise)
+				{
-                        ERR_print_errors_fp(stdout);
+				BIO_printf(bio_out, "Loaded: (%s) %s\n",
-                    ERR_clear_error();
+					ENGINE_get_id(e), ENGINE_get_name(e));
-                }
+				}
-            }
+			if (list_cap)
-            if ((verbose > 0) && !util_verbose(e, verbose, out, indent))
+				{
-                goto end;
+				int cap_size = 256;
-            ENGINE_free(e);
+				char *cap_buf = NULL;
-        } else
+				int k,n;
-            ERR_print_errors(bio_err);
+				const int *nids;
-    }
+				ENGINE_CIPHERS_PTR fn_c;
 				ENGINE_DIGESTS_PTR fn_d;
 				ENGINE_PKEY_METHS_PTR fn_pk;
-    ret = 0;
+				if (ENGINE_get_RSA(e) != NULL
- end:
+					&& !append_buf(&cap_buf, "RSA",
 						&cap_size, 256))
 					goto end;
 				if (ENGINE_get_DSA(e) != NULL
 					&& !append_buf(&cap_buf, "DSA",
 						&cap_size, 256))
 					goto end;
 				if (ENGINE_get_DH(e) != NULL
 					&& !append_buf(&cap_buf, "DH",
 						&cap_size, 256))
 					goto end;
 				if (ENGINE_get_RAND(e) != NULL
 					&& !append_buf(&cap_buf, "RAND",
 						&cap_size, 256))
 					goto end;
-    ERR_print_errors(bio_err);
+				fn_c = ENGINE_get_ciphers(e);
-    sk_OPENSSL_STRING_pop_free(engines, identity);
+				if(!fn_c) goto skip_ciphers;
-    sk_OPENSSL_STRING_pop_free(pre_cmds, identity);
+				n = fn_c(e, NULL, &nids, 0);
-    sk_OPENSSL_STRING_pop_free(post_cmds, identity);
+				for(k=0 ; k < n ; ++k)
-    BIO_free_all(out);
+					if(!append_buf(&cap_buf,
-    return (ret);
+						       OBJ_nid2sn(nids[k]),
-}
+						       &cap_size, 256))
 						goto end;
 skip_ciphers:
 				fn_d = ENGINE_get_digests(e);
 				if(!fn_d) goto skip_digests;
 				n = fn_d(e, NULL, &nids, 0);
 				for(k=0 ; k < n ; ++k)
 					if(!append_buf(&cap_buf,
 						       OBJ_nid2sn(nids[k]),
 						       &cap_size, 256))
 						goto end;
 skip_digests:
 				fn_pk = ENGINE_get_pkey_meths(e);
 				if(!fn_pk) goto skip_pmeths;
 				n = fn_pk(e, NULL, &nids, 0);
 				for(k=0 ; k < n ; ++k)
 					if(!append_buf(&cap_buf,
 						       OBJ_nid2sn(nids[k]),
 						       &cap_size, 256))
 						goto end;
 skip_pmeths:
 				if (cap_buf && (*cap_buf != '\0'))
 					BIO_printf(bio_out, " [%s]\n", cap_buf);
 				OPENSSL_free(cap_buf);
 				}
 			if(test_avail)
 				{
 				BIO_printf(bio_out, "%s", indent);
 				if (ENGINE_init(e))
 					{
 					BIO_printf(bio_out, "[ available ]\n");
 					util_do_cmds(e, post_cmds, bio_out, indent);
 					ENGINE_finish(e);
 					}
 				else
 					{
 					BIO_printf(bio_out, "[ unavailable ]\n");
 					if(test_avail_noise)
 						ERR_print_errors_fp(stdout);
 					ERR_clear_error();
 					}
 				}
 			if((verbose > 0) && !util_verbose(e, verbose, bio_out, indent))
 				goto end;
 			ENGINE_free(e);
 			}
 		else
 			ERR_print_errors(bio_err);
 		}
 	ret=0;
 end:
 	ERR_print_errors(bio_err);
 	sk_OPENSSL_STRING_pop_free(engines, identity);
 	sk_OPENSSL_STRING_pop_free(pre_cmds, identity);
 	sk_OPENSSL_STRING_pop_free(post_cmds, identity);
 	if (bio_out != NULL) BIO_free_all(bio_out);
 	apps_shutdown();
 	OPENSSL_EXIT(ret);
 	}
 #else
 # if PEDANTIC
-static void *dummy = &dummy;
+static void *dummy=&dummy;
 # endif
 #endif
--- a/apps/errstr.c
+++ b/apps/errstr.c
@@ -1,24 +1,25 @@
 /* apps/errstr.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
- *
+ * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
- *
+ * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@@ -33,10 +34,10 @@
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -48,7 +49,7 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
+ * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
@@ -64,60 +65,64 @@
 #include <openssl/err.h>
 #include <openssl/ssl.h>
-typedef enum OPTION_choice {
+#undef PROG
-    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+#define PROG	errstr_main
    OPT_STATS
 } OPTION_CHOICE;
-OPTIONS errstr_options[] = {
+int MAIN(int, char **);
    {OPT_HELP_STR, 1, '-', "Usage: %s [options] errnum...\n"},
    {OPT_HELP_STR, 1, '-', "  errnum  Error number\n"},
    {"help", OPT_HELP, '-', "Display this summary"},
    {"stats", OPT_STATS, '-',
     "Print internal hashtable statistics (long!)"},
    {NULL}
 };
-int errstr_main(int argc, char **argv)
+int MAIN(int argc, char **argv)
-{
+	{
-    OPTION_CHOICE o;
+	int i,ret=0;
-    char buf[256], *prog;
+	char buf[256];
-    int ret = 1;
+	unsigned long l;
    unsigned long l;
-    prog = opt_init(argc, argv, errstr_options);
+	apps_startup();
    while ((o = opt_next()) != OPT_EOF) {
        switch (o) {
        case OPT_EOF:
        case OPT_ERR:
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
        case OPT_HELP:
            opt_help(errstr_options);
            ret = 0;
            goto end;
        case OPT_STATS:
            lh_ERR_STRING_DATA_node_stats_bio(ERR_get_string_table(),
                                              bio_out);
            lh_ERR_STRING_DATA_stats_bio(ERR_get_string_table(), bio_out);
            lh_ERR_STRING_DATA_node_usage_stats_bio(ERR_get_string_table(),
                                                    bio_out);
            ret = 0;
            goto end;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
-    ret = 0;
+	if (bio_err == NULL)
-    for (argv = opt_rest(); *argv; argv++) {
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
-        if (!opt_ulong(*argv, &l))
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
-            ret++;
+
-        else {
+	SSL_load_error_strings();
-            ERR_error_string_n(l, buf, sizeof buf);
+
-            BIO_printf(bio_out, "%s\n", buf);
+	if ((argc > 1) && (strcmp(argv[1],"-stats") == 0))
-        }
+		{
-    }
+		BIO *out=NULL;
- end:
+
-    return (ret);
+		out=BIO_new(BIO_s_file());
-}
+		if ((out != NULL) && BIO_set_fp(out,stdout,BIO_NOCLOSE))
 			{
 #ifdef OPENSSL_SYS_VMS
 			{
 			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 			out = BIO_push(tmpbio, out);
 			}
 #endif
 			lh_ERR_STRING_DATA_node_stats_bio(
 						  ERR_get_string_table(), out);
 			lh_ERR_STRING_DATA_stats_bio(ERR_get_string_table(),
 						     out);
 			lh_ERR_STRING_DATA_node_usage_stats_bio(
 						    ERR_get_string_table(),out);
 			}
 		if (out != NULL) BIO_free_all(out);
 		argc--;
 		argv++;
 		}
 	for (i=1; i<argc; i++)
 		{
 		if (sscanf(argv[i],"%lx",&l))
 			{
 			ERR_error_string_n(l, buf, sizeof buf);
 			printf("%s\n",buf);
 			}
 		else
 			{
 			printf("%s: bad error code\n",argv[i]);
 			printf("usage: errstr [-stats] <errno> ...\n");
 			ret++;
 			}
 		}
 	apps_shutdown();
 	OPENSSL_EXIT(ret);
 	}
--- a/apps/gendh.c
+++ b/apps/gendh.c
@@ -0,0 +1,241 @@
 /* apps/gendh.c */
 /* obsoleted by dhparam.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
 * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
 * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *    "This product includes cryptographic software written by
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
 * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
 * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
 #include <openssl/opensslconf.h>
 /* Until the key-gen callbacks are modified to use newer prototypes, we allow
 * deprecated functions for openssl-internal code */
 #ifdef OPENSSL_NO_DEPRECATED
 #undef OPENSSL_NO_DEPRECATED
 #endif
 #ifndef OPENSSL_NO_DH
 #include <stdio.h>
 #include <string.h>
 #include <sys/types.h>
 #include <sys/stat.h>
 #include "apps.h"
 #include <openssl/bio.h>
 #include <openssl/rand.h>
 #include <openssl/err.h>
 #include <openssl/bn.h>
 #include <openssl/dh.h>
 #include <openssl/x509.h>
 #include <openssl/pem.h>
 #define DEFBITS	512
 #undef PROG
 #define PROG gendh_main
 static int MS_CALLBACK dh_cb(int p, int n, BN_GENCB *cb);
 int MAIN(int, char **);
 int MAIN(int argc, char **argv)
 	{
 	BN_GENCB cb;
 	DH *dh=NULL;
 	int ret=1,num=DEFBITS;
 	int g=2;
 	char *outfile=NULL;
 	char *inrand=NULL;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
 	BIO *out=NULL;
 	apps_startup();
 	BN_GENCB_set(&cb, dh_cb, bio_err);
 	if (bio_err == NULL)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
 	if (!load_config(bio_err, NULL))
 		goto end;
 	argv++;
 	argc--;
 	for (;;)
 		{
 		if (argc <= 0) break;
 		if (strcmp(*argv,"-out") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 		else if (strcmp(*argv,"-2") == 0)
 			g=2;
 	/*	else if (strcmp(*argv,"-3") == 0)
 			g=3; */
 		else if (strcmp(*argv,"-5") == 0)
 			g=5;
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 #endif
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) goto bad;
 			inrand= *(++argv);
 			}
 		else
 			break;
 		argv++;
 		argc--;
 		}
 	if ((argc >= 1) && ((sscanf(*argv,"%d",&num) == 0) || (num < 0)))
 		{
 bad:
 		BIO_printf(bio_err,"usage: gendh [args] [numbits]\n");
 		BIO_printf(bio_err," -out file - output the key to 'file\n");
 		BIO_printf(bio_err," -2        - use 2 as the generator value\n");
 	/*	BIO_printf(bio_err," -3        - use 3 as the generator value\n"); */
 		BIO_printf(bio_err," -5        - use 5 as the generator value\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e - use engine e, possibly a hardware device.\n");
 #endif
 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,"           - load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,"             the random number generator\n");
 		goto end;
 		}
 #ifndef OPENSSL_NO_ENGINE
        setup_engine(bio_err, engine, 0);
 #endif
 	out=BIO_new(BIO_s_file());
 	if (out == NULL)
 		{
 		ERR_print_errors(bio_err);
 		goto end;
 		}
 	if (outfile == NULL)
 		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
 			{
 			perror(outfile);
 			goto end;
 			}
 		}
 	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL)
 		{
 		BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
 		}
 	if (inrand != NULL)
 		BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
 			app_RAND_load_files(inrand));
 	BIO_printf(bio_err,"Generating DH parameters, %d bit long safe prime, generator %d\n",num,g);
 	BIO_printf(bio_err,"This is going to take a long time\n");
 	if(((dh = DH_new()) == NULL) || !DH_generate_parameters_ex(dh, num, g, &cb))
 		goto end;
 	app_RAND_write_file(NULL, bio_err);
 	if (!PEM_write_bio_DHparams(out,dh))
 		goto end;
 	ret=0;
 end:
 	if (ret != 0)
 		ERR_print_errors(bio_err);
 	if (out != NULL) BIO_free_all(out);
 	if (dh != NULL) DH_free(dh);
 	apps_shutdown();
 	OPENSSL_EXIT(ret);
 	}
 static int MS_CALLBACK dh_cb(int p, int n, BN_GENCB *cb)
 	{
 	char c='*';
 	if (p == 0) c='.';
 	if (p == 1) c='+';
 	if (p == 2) c='*';
 	if (p == 3) c='\n';
 	BIO_write(cb->arg,&c,1);
 	(void)BIO_flush(cb->arg);
 #ifdef LINT
 	p=n;
 #endif
 	return 1;
 	}
 #else /* !OPENSSL_NO_DH */
 # if PEDANTIC
 static void *dummy=&dummy;
 # endif
 #endif
--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -1,24 +1,25 @@
 /* apps/gendsa.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
- *
+ * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
- *
+ * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@@ -33,10 +34,10 @@
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -48,147 +49,237 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
+ * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
-#include <openssl/opensslconf.h> /* for OPENSSL_NO_DSA */
+#include <openssl/opensslconf.h>	/* for OPENSSL_NO_DSA */
 #ifndef OPENSSL_NO_DSA
-# include <stdio.h>
+#include <stdio.h>
-# include <string.h>
+#include <string.h>
-# include <sys/types.h>
+#include <sys/types.h>
-# include <sys/stat.h>
+#include <sys/stat.h>
-# include "apps.h"
+#include "apps.h"
-# include <openssl/bio.h>
+#include <openssl/bio.h>
-# include <openssl/err.h>
+#include <openssl/err.h>
-# include <openssl/bn.h>
+#include <openssl/bn.h>
-# include <openssl/dsa.h>
+#include <openssl/dsa.h>
-# include <openssl/x509.h>
+#include <openssl/x509.h>
-# include <openssl/pem.h>
+#include <openssl/pem.h>
-typedef enum OPTION_choice {
+#define DEFBITS	512
-    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+#undef PROG
-    OPT_OUT, OPT_PASSOUT, OPT_ENGINE, OPT_RAND, OPT_CIPHER
+#define PROG gendsa_main
 } OPTION_CHOICE;
-OPTIONS gendsa_options[] = {
+int MAIN(int, char **);
    {OPT_HELP_STR, 1, '-', "Usage: %s [args] dsaparam-file\n"},
    {OPT_HELP_STR, 1, '-', "Valid options are:\n"},
    {"help", OPT_HELP, '-', "Display this summary"},
    {"out", OPT_OUT, '>', "Output the key to the specified file"},
    {"passout", OPT_PASSOUT, 's'},
    {"rand", OPT_RAND, 's',
     "Load the file(s) into the random number generator"},
    {"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
 # ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 # endif
    {NULL}
 };
-int gendsa_main(int argc, char **argv)
+int MAIN(int argc, char **argv)
-{
+	{
-    BIO *out = NULL, *in = NULL;
+	DSA *dsa=NULL;
-    DSA *dsa = NULL;
+	int ret=1;
-    const EVP_CIPHER *enc = NULL;
+	char *outfile=NULL;
-    char *inrand = NULL, *dsaparams = NULL;
+	char *inrand=NULL,*dsaparams=NULL;
-    char *outfile = NULL, *passoutarg = NULL, *passout = NULL, *prog;
+	char *passargout = NULL, *passout = NULL;
-    OPTION_CHOICE o;
+	BIO *out=NULL,*in=NULL;
-    int ret = 1, private = 0;
+	const EVP_CIPHER *enc=NULL;
 #ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
-    prog = opt_init(argc, argv, gendsa_options);
+	apps_startup();
    while ((o = opt_next()) != OPT_EOF) {
        switch (o) {
        case OPT_EOF:
        case OPT_ERR:
 opthelp:
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
        case OPT_HELP:
            ret = 0;
            opt_help(gendsa_options);
            goto end;
        case OPT_OUT:
            outfile = opt_arg();
            break;
        case OPT_PASSOUT:
            passoutarg = opt_arg();
            break;
        case OPT_ENGINE:
            (void)setup_engine(opt_arg(), 0);
            break;
        case OPT_RAND:
            inrand = opt_arg();
            break;
        case OPT_CIPHER:
            if (!opt_cipher(opt_unknown(), &enc))
                goto end;
            break;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
    private = 1;
-    if (argc != 1)
+	if (bio_err == NULL)
-        goto opthelp;
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
-    dsaparams = *argv;
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
-    if (!app_passwd(NULL, passoutarg, NULL, &passout)) {
+	if (!load_config(bio_err, NULL))
-        BIO_printf(bio_err, "Error getting password\n");
+		goto end;
        goto end;
    }
-    in = bio_open_default(dsaparams, 'r', FORMAT_PEM);
+	argv++;
-    if (in == NULL)
+	argc--;
-        goto end2;
+	for (;;)
 		{
 		if (argc <= 0) break;
 		if (strcmp(*argv,"-out") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 		else if (strcmp(*argv,"-passout") == 0)
 			{
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 #endif
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) goto bad;
 			inrand= *(++argv);
 			}
 		else if (strcmp(*argv,"-") == 0)
 			goto bad;
 #ifndef OPENSSL_NO_DES
 		else if (strcmp(*argv,"-des") == 0)
 			enc=EVP_des_cbc();
 		else if (strcmp(*argv,"-des3") == 0)
 			enc=EVP_des_ede3_cbc();
 #endif
 #ifndef OPENSSL_NO_IDEA
 		else if (strcmp(*argv,"-idea") == 0)
 			enc=EVP_idea_cbc();
 #endif
 #ifndef OPENSSL_NO_SEED
 		else if (strcmp(*argv,"-seed") == 0)
 			enc=EVP_seed_cbc();
 #endif
 #ifndef OPENSSL_NO_AES
 		else if (strcmp(*argv,"-aes128") == 0)
 			enc=EVP_aes_128_cbc();
 		else if (strcmp(*argv,"-aes192") == 0)
 			enc=EVP_aes_192_cbc();
 		else if (strcmp(*argv,"-aes256") == 0)
 			enc=EVP_aes_256_cbc();
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
 		else if (strcmp(*argv,"-camellia128") == 0)
 			enc=EVP_camellia_128_cbc();
 		else if (strcmp(*argv,"-camellia192") == 0)
 			enc=EVP_camellia_192_cbc();
 		else if (strcmp(*argv,"-camellia256") == 0)
 			enc=EVP_camellia_256_cbc();
 #endif
 		else if (**argv != '-' && dsaparams == NULL)
 			{
 			dsaparams = *argv;
 			}
 		else
 			goto bad;
 		argv++;
 		argc--;
 		}
-    if ((dsa = PEM_read_bio_DSAparams(in, NULL, NULL, NULL)) == NULL) {
+	if (dsaparams == NULL)
-        BIO_printf(bio_err, "unable to load DSA parameter file\n");
+		{
-        goto end;
+bad:
-    }
+		BIO_printf(bio_err,"usage: gendsa [args] dsaparam-file\n");
-    BIO_free(in);
+		BIO_printf(bio_err," -out file - output the key to 'file'\n");
-    in = NULL;
+#ifndef OPENSSL_NO_DES
 		BIO_printf(bio_err," -des      - encrypt the generated key with DES in cbc mode\n");
 		BIO_printf(bio_err," -des3     - encrypt the generated key with DES in ede cbc mode (168 bit key)\n");
 #endif
 #ifndef OPENSSL_NO_IDEA
 		BIO_printf(bio_err," -idea     - encrypt the generated key with IDEA in cbc mode\n");
 #endif
 #ifndef OPENSSL_NO_SEED
 		BIO_printf(bio_err," -seed\n");
 		BIO_printf(bio_err,"                 encrypt PEM output with cbc seed\n");
 #endif
 #ifndef OPENSSL_NO_AES
 		BIO_printf(bio_err," -aes128, -aes192, -aes256\n");
 		BIO_printf(bio_err,"                 encrypt PEM output with cbc aes\n");
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
 		BIO_printf(bio_err," -camellia128, -camellia192, -camellia256\n");
 		BIO_printf(bio_err,"                 encrypt PEM output with cbc camellia\n");
 #endif
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e - use engine e, possibly a hardware device.\n");
 #endif
 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,"           - load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,"             the random number generator\n");
 		BIO_printf(bio_err," dsaparam-file\n");
 		BIO_printf(bio_err,"           - a DSA parameter file as generated by the dsaparam command\n");
 		goto end;
 		}
-    out = bio_open_owner(outfile, FORMAT_PEM, private);
+#ifndef OPENSSL_NO_ENGINE
-    if (out == NULL)
+        setup_engine(bio_err, engine, 0);
-        goto end2;
+#endif
-    if (!app_RAND_load_file(NULL, 1) && inrand == NULL) {
+	if(!app_passwd(bio_err, NULL, passargout, NULL, &passout)) {
-        BIO_printf(bio_err,
+		BIO_printf(bio_err, "Error getting password\n");
-                   "warning, not much extra random data, consider using the -rand option\n");
+		goto end;
-    }
+	}
    if (inrand != NULL)
        BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
                   app_RAND_load_files(inrand));
    BIO_printf(bio_err, "Generating DSA key, %d bits\n", BN_num_bits(dsa->p));
    if (!DSA_generate_key(dsa))
        goto end;
-    app_RAND_write_file(NULL);
+	in=BIO_new(BIO_s_file());
 	if (!(BIO_read_filename(in,dsaparams)))
 		{
 		perror(dsaparams);
 		goto end;
 		}
-    assert(private);
+	if ((dsa=PEM_read_bio_DSAparams(in,NULL,NULL,NULL)) == NULL)
-    if (!PEM_write_bio_DSAPrivateKey(out, dsa, enc, NULL, 0, NULL, passout))
+		{
-        goto end;
+		BIO_printf(bio_err,"unable to load DSA parameter file\n");
-    ret = 0;
+		goto end;
- end:
+		}
-    if (ret != 0)
+	BIO_free(in);
-        ERR_print_errors(bio_err);
+	in = NULL;
- end2:
+		
-    BIO_free(in);
+	out=BIO_new(BIO_s_file());
-    BIO_free_all(out);
+	if (out == NULL) goto end;
-    DSA_free(dsa);
+
-    OPENSSL_free(passout);
+	if (outfile == NULL)
-    return (ret);
+		{
-}
+		BIO_set_fp(out,stdout,BIO_NOCLOSE);
-#else                           /* !OPENSSL_NO_DSA */
+#ifdef OPENSSL_SYS_VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
 			{
 			perror(outfile);
 			goto end;
 			}
 		}
 	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL)
 		{
 		BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
 		}
 	if (inrand != NULL)
 		BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
 			app_RAND_load_files(inrand));
 	BIO_printf(bio_err,"Generating DSA key, %d bits\n",
 							BN_num_bits(dsa->p));
 	if (!DSA_generate_key(dsa)) goto end;
 	app_RAND_write_file(NULL, bio_err);
 	if (!PEM_write_bio_DSAPrivateKey(out,dsa,enc,NULL,0,NULL, passout))
 		goto end;
 	ret=0;
 end:
 	if (ret != 0)
 		ERR_print_errors(bio_err);
 	if (in != NULL) BIO_free(in);
 	if (out != NULL) BIO_free_all(out);
 	if (dsa != NULL) DSA_free(dsa);
 	if(passout) OPENSSL_free(passout);
 	apps_shutdown();
 	OPENSSL_EXIT(ret);
 	}
 #else /* !OPENSSL_NO_DSA */
 # if PEDANTIC
-static void *dummy = &dummy;
+static void *dummy=&dummy;
 # endif
 #endif
--- a/apps/genpkey.c
+++ b/apps/genpkey.c
@@ -1,6 +1,6 @@
-/*
+/* apps/genpkey.c */
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * 2006
+ * project 2006
 */
 /* ====================================================================
 * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
@@ -10,7 +10,7 @@
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
+ *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
@@ -62,300 +62,379 @@
 #include <openssl/err.h>
 #include <openssl/evp.h>
 #ifndef OPENSSL_NO_ENGINE
-# include <openssl/engine.h>
+#include <openssl/engine.h>
 #endif
-static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e);
+static int init_keygen_file(BIO *err, EVP_PKEY_CTX **pctx,
 				const char *file, ENGINE *e);
 static int genpkey_cb(EVP_PKEY_CTX *ctx);
-typedef enum OPTION_choice {
+#define PROG genpkey_main
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_ENGINE, OPT_OUTFORM, OPT_OUT, OPT_PASS, OPT_PARAMFILE,
    OPT_ALGORITHM, OPT_PKEYOPT, OPT_GENPARAM, OPT_TEXT, OPT_CIPHER
 } OPTION_CHOICE;
-OPTIONS genpkey_options[] = {
+int MAIN(int, char **);
-    {"help", OPT_HELP, '-', "Display this summary"},
+
-    {"out", OPT_OUT, '>', "Output file"},
+int MAIN(int argc, char **argv)
-    {"outform", OPT_OUTFORM, 'F', "output format (DER or PEM)"},
+	{
-    {"pass", OPT_PASS, 's', "Output file pass phrase source"},
+	ENGINE *e = NULL;
-    {"paramfile", OPT_PARAMFILE, '<', "Parameters file"},
+	char **args, *outfile = NULL;
-    {"algorithm", OPT_ALGORITHM, 's', "The public key algorithm"},
+	char *passarg = NULL;
-    {"pkeyopt", OPT_PKEYOPT, 's',
+	BIO *in = NULL, *out = NULL;
-     "Set the public key algorithm option as opt:value"},
+	const EVP_CIPHER *cipher = NULL;
-    {"genparam", OPT_GENPARAM, '-', "Generate parameters, not key"},
+	int outformat;
-    {"text", OPT_TEXT, '-', "Print the in text"},
+	int text = 0;
-    {"", OPT_CIPHER, '-', "Cipher to use to encrypt the key"},
+	EVP_PKEY *pkey=NULL;
 	EVP_PKEY_CTX *ctx = NULL;
 	char *pass = NULL;
 	int badarg = 0;
 	int ret = 1, rv;
 	int do_param = 0;
 	if (bio_err == NULL)
 		bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
 	if (!load_config(bio_err, NULL))
 		goto end;
 	outformat=FORMAT_PEM;
 	ERR_load_crypto_strings();
 	OpenSSL_add_all_algorithms();
 	args = argv + 1;
 	while (!badarg && *args && *args[0] == '-')
 		{
 		if (!strcmp(*args,"-outform"))
 			{
 			if (args[1])
 				{
 				args++;
 				outformat=str2fmt(*args);
 				}
 			else badarg = 1;
 			}
 		else if (!strcmp(*args,"-pass"))
 			{
 			if (!args[1]) goto bad;
 			passarg= *(++args);
 			}
 #ifndef OPENSSL_NO_ENGINE
-    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+		else if (strcmp(*args,"-engine") == 0)
 			{
 			if (!args[1])
 				goto bad;
        		e = setup_engine(bio_err, *(++args), 0);
 			}
 #endif
-    /* This is deliberately last. */
+		else if (!strcmp (*args, "-paramfile"))
-    {OPT_HELP_STR, 1, 1,
+			{
-     "Order of options may be important!  See the documentation.\n"},
+			if (!args[1])
-    {NULL}
+				goto bad;
-};
+			args++;
 			if (do_param == 1)
 				goto bad;
 			if (!init_keygen_file(bio_err, &ctx, *args, e))
 				goto end;
 			}
 		else if (!strcmp (*args, "-out"))
 			{
 			if (args[1])
 				{
 				args++;
 				outfile = *args;
 				}
 			else badarg = 1;
 			}
 		else if (strcmp(*args,"-algorithm") == 0)
 			{
 			if (!args[1])
 				goto bad;
 			if (!init_gen_str(bio_err, &ctx, *(++args),e, do_param))
 				goto end;
 			}
 		else if (strcmp(*args,"-pkeyopt") == 0)
 			{
 			if (!args[1])
 				goto bad;
 			if (!ctx)
 				{
 				BIO_puts(bio_err, "No keytype specified\n");
 				goto bad;
 				}
 			else if (pkey_ctrl_string(ctx, *(++args)) <= 0)
 				{
 				BIO_puts(bio_err, "parameter setting error\n");
 				ERR_print_errors(bio_err);
 				goto end;
 				}
 			}
 		else if (strcmp(*args,"-genparam") == 0)
 			{
 			if (ctx)
 				goto bad;
 			do_param = 1;
 			}
 		else if (strcmp(*args,"-text") == 0)
 			text=1;
 		else
 			{
 			cipher = EVP_get_cipherbyname(*args + 1);
 			if (!cipher)
 				{
 				BIO_printf(bio_err, "Unknown cipher %s\n",
 								*args + 1);
 				badarg = 1;
 				}
 			if (do_param == 1)
 				badarg = 1;
 			}
 		args++;
 		}
-int genpkey_main(int argc, char **argv)
+	if (!ctx)
-{
+		badarg = 1;
    BIO *in = NULL, *out = NULL;
    ENGINE *e = NULL;
    EVP_PKEY *pkey = NULL;
    EVP_PKEY_CTX *ctx = NULL;
    char *outfile = NULL, *passarg = NULL, *pass = NULL, *prog;
    const EVP_CIPHER *cipher = NULL;
    OPTION_CHOICE o;
    int outformat = FORMAT_PEM, text = 0, ret = 1, rv, do_param = 0;
    int private = 0;
-    prog = opt_init(argc, argv, genpkey_options);
+	if (badarg)
-    while ((o = opt_next()) != OPT_EOF) {
+		{
-        switch (o) {
+		bad:
-        case OPT_EOF:
+		BIO_printf(bio_err, "Usage: genpkey [options]\n");
-        case OPT_ERR:
+		BIO_printf(bio_err, "where options may be\n");
- opthelp:
+		BIO_printf(bio_err, "-out file          output file\n");
-            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+		BIO_printf(bio_err, "-outform X         output format (DER or PEM)\n");
-            goto end;
+		BIO_printf(bio_err, "-pass arg          output file pass phrase source\n");
-        case OPT_HELP:
+		BIO_printf(bio_err, "-<cipher>          use cipher <cipher> to encrypt the key\n");
-            ret = 0;
+#ifndef OPENSSL_NO_ENGINE
-            opt_help(genpkey_options);
+		BIO_printf(bio_err, "-engine e          use engine e, possibly a hardware device.\n");
-            goto end;
+#endif
-        case OPT_OUTFORM:
+		BIO_printf(bio_err, "-paramfile file    parameters file\n");
-            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
+		BIO_printf(bio_err, "-algorithm alg     the public key algorithm\n");
-                goto opthelp;
+		BIO_printf(bio_err, "-pkeyopt opt:value set the public key algorithm option <opt>\n"
-            break;
+				            "                   to value <value>\n");
-        case OPT_OUT:
+		BIO_printf(bio_err, "-genparam          generate parameters, not key\n");
-            outfile = opt_arg();
+		BIO_printf(bio_err, "-text              print the in text\n");
-            break;
+		BIO_printf(bio_err, "NB: options order may be important!  See the manual page.\n");
-        case OPT_PASS:
+		goto end;
-            passarg = opt_arg();
+		}
            break;
        case OPT_ENGINE:
            e = setup_engine(opt_arg(), 0);
            break;
        case OPT_PARAMFILE:
            if (do_param == 1)
                goto opthelp;
            if (!init_keygen_file(&ctx, opt_arg(), e))
                goto end;
            break;
        case OPT_ALGORITHM:
            if (!init_gen_str(&ctx, opt_arg(), e, do_param))
                goto end;
            break;
        case OPT_PKEYOPT:
            if (ctx == NULL) {
                BIO_printf(bio_err, "%s: No keytype specified.\n", prog);
                goto opthelp;
            }
            if (pkey_ctrl_string(ctx, opt_arg()) <= 0) {
                BIO_printf(bio_err,
                           "%s: Error setting %s parameter:\n",
                           prog, opt_arg());
                ERR_print_errors(bio_err);
                goto end;
            }
            break;
        case OPT_GENPARAM:
            if (ctx != NULL)
                goto opthelp;
            do_param = 1;
            break;
        case OPT_TEXT:
            text = 1;
            break;
        case OPT_CIPHER:
            if (!opt_cipher(opt_unknown(), &cipher)
                || do_param == 1)
                goto opthelp;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
    private = do_param ? 0 : 1;
-    if (ctx == NULL)
+	if (!app_passwd(bio_err, passarg, NULL, &pass, NULL))
-        goto opthelp;
+		{
 		BIO_puts(bio_err, "Error getting password\n");
 		goto end;
 		}
-    if (!app_passwd(passarg, NULL, &pass, NULL)) {
+	if (outfile)
-        BIO_puts(bio_err, "Error getting password\n");
+		{
-        goto end;
+		if (!(out = BIO_new_file (outfile, "wb")))
-    }
+			{
 			BIO_printf(bio_err,
 				 "Can't open output file %s\n", outfile);
 			goto end;
 			}
 		}
 	else
 		{
 		out = BIO_new_fp (stdout, BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 			{
 			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 			out = BIO_push(tmpbio, out);
 			}
 #endif
 		}
-    out = bio_open_owner(outfile, outformat, private);
+	EVP_PKEY_CTX_set_cb(ctx, genpkey_cb);
-    if (out == NULL)
+	EVP_PKEY_CTX_set_app_data(ctx, bio_err);
        goto end;
-    EVP_PKEY_CTX_set_cb(ctx, genpkey_cb);
+	if (do_param)
-    EVP_PKEY_CTX_set_app_data(ctx, bio_err);
+		{
 		if (EVP_PKEY_paramgen(ctx, &pkey) <= 0)
 			{
 			BIO_puts(bio_err, "Error generating parameters\n");
 			ERR_print_errors(bio_err);
 			goto end;
 			}
 		}
 	else
 		{
 		if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
 			{
 			BIO_puts(bio_err, "Error generating key\n");
 			ERR_print_errors(bio_err);
 			goto end;
 			}
 		}
-    if (do_param) {
+	if (do_param)
-        if (EVP_PKEY_paramgen(ctx, &pkey) <= 0) {
+		rv = PEM_write_bio_Parameters(out, pkey);
-            BIO_puts(bio_err, "Error generating parameters\n");
+	else if (outformat == FORMAT_PEM) 
-            ERR_print_errors(bio_err);
+		rv = PEM_write_bio_PrivateKey(out, pkey, cipher, NULL, 0,
-            goto end;
+								NULL, pass);
-        }
+	else if (outformat == FORMAT_ASN1)
-    } else {
+		rv = i2d_PrivateKey_bio(out, pkey);
-        if (EVP_PKEY_keygen(ctx, &pkey) <= 0) {
+	else
-            BIO_puts(bio_err, "Error generating key\n");
+		{
-            ERR_print_errors(bio_err);
+		BIO_printf(bio_err, "Bad format specified for key\n");
-            goto end;
+		goto end;
-        }
+		}
    }
-    if (do_param)
+	if (rv <= 0)
-        rv = PEM_write_bio_Parameters(out, pkey);
+		{
-    else if (outformat == FORMAT_PEM) {
+		BIO_puts(bio_err, "Error writing key\n");
-        assert(private);
+		ERR_print_errors(bio_err);
-        rv = PEM_write_bio_PrivateKey(out, pkey, cipher, NULL, 0, NULL, pass);
+		}
    } else if (outformat == FORMAT_ASN1) {
        assert(private);
        rv = i2d_PrivateKey_bio(out, pkey);
    } else {
        BIO_printf(bio_err, "Bad format specified for key\n");
        goto end;
    }
-    if (rv <= 0) {
+	if (text)
-        BIO_puts(bio_err, "Error writing key\n");
+		{
-        ERR_print_errors(bio_err);
+		if (do_param)
-    }
+			rv = EVP_PKEY_print_params(out, pkey, 0, NULL);
 		else
 			rv = EVP_PKEY_print_private(out, pkey, 0, NULL);
-    if (text) {
+		if (rv <= 0)
-        if (do_param)
+			{
-            rv = EVP_PKEY_print_params(out, pkey, 0, NULL);
+			BIO_puts(bio_err, "Error printing key\n");
-        else
+			ERR_print_errors(bio_err);
-            rv = EVP_PKEY_print_private(out, pkey, 0, NULL);
+			}
 		}
-        if (rv <= 0) {
+	ret = 0;
            BIO_puts(bio_err, "Error printing key\n");
            ERR_print_errors(bio_err);
        }
    }
-    ret = 0;
+	end:
 	if (pkey)
 		EVP_PKEY_free(pkey);
 	if (ctx)
 		EVP_PKEY_CTX_free(ctx);
 	if (out)
 		BIO_free_all(out);
 	BIO_free(in);
 	if (pass)
 		OPENSSL_free(pass);
- end:
+	return ret;
-    EVP_PKEY_free(pkey);
+	}
    EVP_PKEY_CTX_free(ctx);
    BIO_free_all(out);
    BIO_free(in);
    OPENSSL_free(pass);
-    return ret;
+static int init_keygen_file(BIO *err, EVP_PKEY_CTX **pctx,
-}
+				const char *file, ENGINE *e)
 	{
 	BIO *pbio;
 	EVP_PKEY *pkey = NULL;
 	EVP_PKEY_CTX *ctx = NULL;
 	if (*pctx)
 		{
 		BIO_puts(err, "Parameters already set!\n");
 		return 0;
 		}
-static int init_keygen_file(EVP_PKEY_CTX **pctx, const char *file, ENGINE *e)
+	pbio = BIO_new_file(file, "r");
-{
+	if (!pbio)
-    BIO *pbio;
+		{
-    EVP_PKEY *pkey = NULL;
+		BIO_printf(err, "Can't open parameter file %s\n", file);
-    EVP_PKEY_CTX *ctx = NULL;
+		return 0;
-    if (*pctx) {
+		}
        BIO_puts(bio_err, "Parameters already set!\n");
        return 0;
    }
-    pbio = BIO_new_file(file, "r");
+	pkey = PEM_read_bio_Parameters(pbio, NULL);
-    if (!pbio) {
+	BIO_free(pbio);
        BIO_printf(bio_err, "Can't open parameter file %s\n", file);
        return 0;
    }
-    pkey = PEM_read_bio_Parameters(pbio, NULL);
+	if (!pkey)
-    BIO_free(pbio);
+		{
 		BIO_printf(bio_err, "Error reading parameter file %s\n", file);
 		return 0;
 		}
-    if (!pkey) {
+	ctx = EVP_PKEY_CTX_new(pkey, e);
-        BIO_printf(bio_err, "Error reading parameter file %s\n", file);
+	if (!ctx)
-        return 0;
+		goto err;
-    }
+	if (EVP_PKEY_keygen_init(ctx) <= 0)
 		goto err;
 	EVP_PKEY_free(pkey);
 	*pctx = ctx;
 	return 1;
-    ctx = EVP_PKEY_CTX_new(pkey, e);
+	err:
-    if (ctx == NULL)
+	BIO_puts(err, "Error initializing context\n");
-        goto err;
+	ERR_print_errors(err);
-    if (EVP_PKEY_keygen_init(ctx) <= 0)
+	if (ctx)
-        goto err;
+		EVP_PKEY_CTX_free(ctx);
-    EVP_PKEY_free(pkey);
+	if (pkey)
-    *pctx = ctx;
+		EVP_PKEY_free(pkey);
-    return 1;
+	return 0;
- err:
+	}
    BIO_puts(bio_err, "Error initializing context\n");
    ERR_print_errors(bio_err);
    EVP_PKEY_CTX_free(ctx);
    EVP_PKEY_free(pkey);
    return 0;
-}
+int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx,
 			const char *algname, ENGINE *e, int do_param)
 	{
 	EVP_PKEY_CTX *ctx = NULL;
 	const EVP_PKEY_ASN1_METHOD *ameth;
 	ENGINE *tmpeng = NULL;
 	int pkey_id;
-int init_gen_str(EVP_PKEY_CTX **pctx,
+	if (*pctx)
-                 const char *algname, ENGINE *e, int do_param)
+		{
-{
+		BIO_puts(err, "Algorithm already set!\n");
-    EVP_PKEY_CTX *ctx = NULL;
+		return 0;
-    const EVP_PKEY_ASN1_METHOD *ameth;
+		}
    ENGINE *tmpeng = NULL;
    int pkey_id;
-    if (*pctx) {
+	ameth = EVP_PKEY_asn1_find_str(&tmpeng, algname, -1);
        BIO_puts(bio_err, "Algorithm already set!\n");
        return 0;
    }
    ameth = EVP_PKEY_asn1_find_str(&tmpeng, algname, -1);
 #ifndef OPENSSL_NO_ENGINE
-    if (!ameth && e)
+	if (!ameth && e)
-        ameth = ENGINE_get_pkey_asn1_meth_str(e, algname, -1);
+		ameth = ENGINE_get_pkey_asn1_meth_str(e, algname, -1);
 #endif
-    if (!ameth) {
+	if (!ameth)
-        BIO_printf(bio_err, "Algorithm %s not found\n", algname);
+		{
-        return 0;
+		BIO_printf(bio_err, "Algorithm %s not found\n", algname);
-    }
+		return 0;
 		}
-    ERR_clear_error();
+	ERR_clear_error();
-    EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth);
+	EVP_PKEY_asn1_get0_info(&pkey_id, NULL, NULL, NULL, NULL, ameth);
 #ifndef OPENSSL_NO_ENGINE
-    if (tmpeng)
+	if (tmpeng)
-        ENGINE_finish(tmpeng);
+		ENGINE_finish(tmpeng);
 #endif
-    ctx = EVP_PKEY_CTX_new_id(pkey_id, e);
+	ctx = EVP_PKEY_CTX_new_id(pkey_id, e);
-    if (!ctx)
+	if (!ctx)
-        goto err;
+		goto err;
-    if (do_param) {
+	if (do_param)
-        if (EVP_PKEY_paramgen_init(ctx) <= 0)
+		{
-            goto err;
+		if (EVP_PKEY_paramgen_init(ctx) <= 0)
-    } else {
+			goto err;
-        if (EVP_PKEY_keygen_init(ctx) <= 0)
+		}
-            goto err;
+	else
-    }
+		{
 		if (EVP_PKEY_keygen_init(ctx) <= 0)
 			goto err;
 		}
-    *pctx = ctx;
+	*pctx = ctx;
-    return 1;
+	return 1;
- err:
+	err:
-    BIO_printf(bio_err, "Error initializing %s context\n", algname);
+	BIO_printf(err, "Error initializing %s context\n", algname);
-    ERR_print_errors(bio_err);
+	ERR_print_errors(err);
-    EVP_PKEY_CTX_free(ctx);
+	if (ctx)
-    return 0;
+		EVP_PKEY_CTX_free(ctx);
 	return 0;
-}
+	}
 static int genpkey_cb(EVP_PKEY_CTX *ctx)
-{
+	{
-    char c = '*';
+	char c='*';
-    BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
+	BIO *b = EVP_PKEY_CTX_get_app_data(ctx);
-    int p;
+	int p;
-    p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
+	p = EVP_PKEY_CTX_get_keygen_info(ctx, 0);
-    if (p == 0)
+	if (p == 0) c='.';
-        c = '.';
+	if (p == 1) c='+';
-    if (p == 1)
+	if (p == 2) c='*';
-        c = '+';
+	if (p == 3) c='\n';
-    if (p == 2)
+	BIO_write(b,&c,1);
-        c = '*';
+	(void)BIO_flush(b);
-    if (p == 3)
+#ifdef LINT
-        c = '\n';
+	p=n;
-    BIO_write(b, &c, 1);
+#endif
-    (void)BIO_flush(b);
+	return 1;
-    return 1;
+	}
 }
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -1,24 +1,25 @@
 /* apps/genrsa.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
- *
+ * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
- *
+ * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@@ -33,10 +34,10 @@
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -48,7 +49,7 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
+ * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
@@ -56,186 +57,285 @@
 */
 #include <openssl/opensslconf.h>
 /* Until the key-gen callbacks are modified to use newer prototypes, we allow
 * deprecated functions for openssl-internal code */
 #ifdef OPENSSL_NO_DEPRECATED
 #undef OPENSSL_NO_DEPRECATED
 #endif
 #ifndef OPENSSL_NO_RSA
-# include <stdio.h>
+#include <stdio.h>
-# include <string.h>
+#include <string.h>
-# include <sys/types.h>
+#include <sys/types.h>
-# include <sys/stat.h>
+#include <sys/stat.h>
-# include "apps.h"
+#include "apps.h"
-# include <openssl/bio.h>
+#include <openssl/bio.h>
-# include <openssl/err.h>
+#include <openssl/err.h>
-# include <openssl/bn.h>
+#include <openssl/bn.h>
-# include <openssl/rsa.h>
+#include <openssl/rsa.h>
-# include <openssl/evp.h>
+#include <openssl/evp.h>
-# include <openssl/x509.h>
+#include <openssl/x509.h>
-# include <openssl/pem.h>
+#include <openssl/pem.h>
-# include <openssl/rand.h>
+#include <openssl/rand.h>
-# define DEFBITS 2048
+#define DEFBITS	512
 #undef PROG
 #define PROG genrsa_main
-static int genrsa_cb(int p, int n, BN_GENCB *cb);
+static int MS_CALLBACK genrsa_cb(int p, int n, BN_GENCB *cb);
-typedef enum OPTION_choice {
+int MAIN(int, char **);
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_3, OPT_F4, OPT_ENGINE,
    OPT_OUT, OPT_RAND, OPT_PASSOUT, OPT_CIPHER
 } OPTION_CHOICE;
-OPTIONS genrsa_options[] = {
+int MAIN(int argc, char **argv)
-    {"help", OPT_HELP, '-', "Display this summary"},
+	{
-    {"3", OPT_3, '-', "Use 3 for the E value"},
+	BN_GENCB cb;
-    {"F4", OPT_F4, '-', "Use F4 (0x10001) for the E value"},
+#ifndef OPENSSL_NO_ENGINE
-    {"f4", OPT_F4, '-', "Use F4 (0x10001) for the E value"},
+	ENGINE *e = NULL;
-    {"out", OPT_OUT, 's', "Output the key to specified file"},
+#endif
-    {"rand", OPT_RAND, 's',
+	int ret=1;
-     "Load the file(s) into the random number generator"},
+	int non_fips_allow = 0;
-    {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
+	int i,num=DEFBITS;
-    {"", OPT_CIPHER, '-', "Encrypt the output with any supported cipher"},
+	long l;
-# ifndef OPENSSL_NO_ENGINE
+	const EVP_CIPHER *enc=NULL;
-    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+	unsigned long f4=RSA_F4;
-# endif
+	char *outfile=NULL;
-    {NULL}
+	char *passargout = NULL, *passout = NULL;
-};
+#ifndef OPENSSL_NO_ENGINE
 	char *engine=NULL;
 #endif
 	char *inrand=NULL;
 	BIO *out=NULL;
 	BIGNUM *bn = BN_new();
 	RSA *rsa = NULL;
-int genrsa_main(int argc, char **argv)
+	if(!bn) goto err;
 {
    BN_GENCB *cb = BN_GENCB_new();
    PW_CB_DATA cb_data;
    ENGINE *e = NULL;
    BIGNUM *bn = BN_new();
    BIO *out = NULL;
    RSA *rsa = NULL;
    const EVP_CIPHER *enc = NULL;
    int ret = 1, num = DEFBITS, private = 0;
    unsigned long f4 = RSA_F4;
    char *outfile = NULL, *passoutarg = NULL, *passout = NULL;
    char *inrand = NULL, *prog, *hexe, *dece;
    OPTION_CHOICE o;
-    if (bn == NULL || cb == NULL)
+	apps_startup();
-        goto end;
+	BN_GENCB_set(&cb, genrsa_cb, bio_err);
-    BN_GENCB_set(cb, genrsa_cb, bio_err);
+	if (bio_err == NULL)
 		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
-    prog = opt_init(argc, argv, genrsa_options);
+	if (!load_config(bio_err, NULL))
-    while ((o = opt_next()) != OPT_EOF) {
+		goto err;
-        switch (o) {
+	if ((out=BIO_new(BIO_s_file())) == NULL)
-        case OPT_EOF:
+		{
-        case OPT_ERR:
+		BIO_printf(bio_err,"unable to create BIO for output\n");
-            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+		goto err;
-            goto end;
+		}
        case OPT_HELP:
            ret = 0;
            opt_help(genrsa_options);
            goto end;
        case OPT_3:
            f4 = 3;
            break;
        case OPT_F4:
            f4 = RSA_F4;
            break;
        case OPT_OUT:
            outfile = opt_arg();
            break;
        case OPT_ENGINE:
            e = setup_engine(opt_arg(), 0);
            break;
        case OPT_RAND:
            inrand = opt_arg();
            break;
        case OPT_PASSOUT:
            passoutarg = opt_arg();
            break;
        case OPT_CIPHER:
            if (!opt_cipher(opt_unknown(), &enc))
                goto end;
            break;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
    private = 1;
-    if (argv[0] && (!opt_int(argv[0], &num) || num <= 0))
+	argv++;
-        goto end;
+	argc--;
 	for (;;)
 		{
 		if (argc <= 0) break;
 		if (strcmp(*argv,"-out") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 		else if (strcmp(*argv,"-3") == 0)
 			f4=3;
 		else if (strcmp(*argv,"-F4") == 0 || strcmp(*argv,"-f4") == 0)
 			f4=RSA_F4;
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 #endif
 		else if (strcmp(*argv,"-rand") == 0)
 			{
 			if (--argc < 1) goto bad;
 			inrand= *(++argv);
 			}
 #ifndef OPENSSL_NO_DES
 		else if (strcmp(*argv,"-des") == 0)
 			enc=EVP_des_cbc();
 		else if (strcmp(*argv,"-des3") == 0)
 			enc=EVP_des_ede3_cbc();
 #endif
 #ifndef OPENSSL_NO_IDEA
 		else if (strcmp(*argv,"-idea") == 0)
 			enc=EVP_idea_cbc();
 #endif
 #ifndef OPENSSL_NO_SEED
 		else if (strcmp(*argv,"-seed") == 0)
 			enc=EVP_seed_cbc();
 #endif
 #ifndef OPENSSL_NO_AES
 		else if (strcmp(*argv,"-aes128") == 0)
 			enc=EVP_aes_128_cbc();
 		else if (strcmp(*argv,"-aes192") == 0)
 			enc=EVP_aes_192_cbc();
 		else if (strcmp(*argv,"-aes256") == 0)
 			enc=EVP_aes_256_cbc();
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
 		else if (strcmp(*argv,"-camellia128") == 0)
 			enc=EVP_camellia_128_cbc();
 		else if (strcmp(*argv,"-camellia192") == 0)
 			enc=EVP_camellia_192_cbc();
 		else if (strcmp(*argv,"-camellia256") == 0)
 			enc=EVP_camellia_256_cbc();
 #endif
 		else if (strcmp(*argv,"-passout") == 0)
 			{
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 			}
 		else if (strcmp(*argv,"-non-fips-allow") == 0)
 			non_fips_allow = 1;
 		else
 			break;
 		argv++;
 		argc--;
 		}
 	if ((argc >= 1) && ((sscanf(*argv,"%d",&num) == 0) || (num < 0)))
 		{
 bad:
 		BIO_printf(bio_err,"usage: genrsa [args] [numbits]\n");
 		BIO_printf(bio_err," -des            encrypt the generated key with DES in cbc mode\n");
 		BIO_printf(bio_err," -des3           encrypt the generated key with DES in ede cbc mode (168 bit key)\n");
 #ifndef OPENSSL_NO_IDEA
 		BIO_printf(bio_err," -idea           encrypt the generated key with IDEA in cbc mode\n");
 #endif
 #ifndef OPENSSL_NO_SEED
 		BIO_printf(bio_err," -seed\n");
 		BIO_printf(bio_err,"                 encrypt PEM output with cbc seed\n");
 #endif
 #ifndef OPENSSL_NO_AES
 		BIO_printf(bio_err," -aes128, -aes192, -aes256\n");
 		BIO_printf(bio_err,"                 encrypt PEM output with cbc aes\n");
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
 		BIO_printf(bio_err," -camellia128, -camellia192, -camellia256\n");
 		BIO_printf(bio_err,"                 encrypt PEM output with cbc camellia\n");
 #endif
 		BIO_printf(bio_err," -out file       output the key to 'file\n");
 		BIO_printf(bio_err," -passout arg    output file pass phrase source\n");
 		BIO_printf(bio_err," -f4             use F4 (0x10001) for the E value\n");
 		BIO_printf(bio_err," -3              use 3 for the E value\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
 #endif
 		BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err,"                 load the file (or the files in the directory) into\n");
 		BIO_printf(bio_err,"                 the random number generator\n");
 		goto err;
 		}
 	ERR_load_crypto_strings();
-    if (!app_passwd(NULL, passoutarg, NULL, &passout)) {
+	if(!app_passwd(bio_err, NULL, passargout, NULL, &passout)) {
-        BIO_printf(bio_err, "Error getting password\n");
+		BIO_printf(bio_err, "Error getting password\n");
-        goto end;
+		goto err;
-    }
+	}
-    out = bio_open_owner(outfile, FORMAT_PEM, private);
+#ifndef OPENSSL_NO_ENGINE
-    if (out == NULL)
+        e = setup_engine(bio_err, engine, 0);
-        goto end;
+#endif
-    if (!app_RAND_load_file(NULL, 1) && inrand == NULL
+	if (outfile == NULL)
-        && !RAND_status()) {
+		{
-        BIO_printf(bio_err,
+		BIO_set_fp(out,stdout,BIO_NOCLOSE);
-                   "warning, not much extra random data, consider using the -rand option\n");
+#ifdef OPENSSL_SYS_VMS
-    }
+		{
-    if (inrand != NULL)
+		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-        BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
+		out = BIO_push(tmpbio, out);
-                   app_RAND_load_files(inrand));
+		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
 			{
 			perror(outfile);
 			goto err;
 			}
 		}
-    BIO_printf(bio_err, "Generating RSA private key, %d bit long modulus\n",
+	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
-               num);
+		&& !RAND_status())
-    rsa = e ? RSA_new_method(e) : RSA_new();
+		{
-    if (rsa == NULL)
+		BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
-        goto end;
+		}
 	if (inrand != NULL)
 		BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
 			app_RAND_load_files(inrand));
-    if (!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, cb))
+	BIO_printf(bio_err,"Generating RSA private key, %d bit long modulus\n",
-        goto end;
+		num);
 #ifdef OPENSSL_NO_ENGINE
 	rsa = RSA_new();
 #else
 	rsa = RSA_new_method(e);
 #endif
 	if (!rsa)
 		goto err;
-    app_RAND_write_file(NULL);
+	if (non_fips_allow)
 		rsa->flags |= RSA_FLAG_NON_FIPS_ALLOW;
-    hexe = BN_bn2hex(rsa->e);
+	if(!BN_set_word(bn, f4) || !RSA_generate_key_ex(rsa, num, bn, &cb))
-    dece = BN_bn2dec(rsa->e);
+		goto err;
-    if (hexe && dece) {
+		
-        BIO_printf(bio_err, "e is %s (0x%s)\n", dece, hexe);
+	app_RAND_write_file(NULL, bio_err);
    }
    OPENSSL_free(hexe);
    OPENSSL_free(dece);
    cb_data.password = passout;
    cb_data.prompt_info = outfile;
    assert(private);
    if (!PEM_write_bio_RSAPrivateKey(out, rsa, enc, NULL, 0,
                                     (pem_password_cb *)password_callback,
                                     &cb_data))
        goto end;
-    ret = 0;
+	/* We need to do the following for when the base number size is <
- end:
+	 * long, esp windows 3.1 :-(. */
-    BN_free(bn);
+	l=0L;
-    BN_GENCB_free(cb);
+	for (i=0; i<rsa->e->top; i++)
-    RSA_free(rsa);
+		{
-    BIO_free_all(out);
+#ifndef SIXTY_FOUR_BIT
-    OPENSSL_free(passout);
+		l<<=BN_BITS4;
-    if (ret != 0)
+		l<<=BN_BITS4;
-        ERR_print_errors(bio_err);
+#endif
-    return (ret);
+		l+=rsa->e->d[i];
-}
+		}
 	BIO_printf(bio_err,"e is %ld (0x%lX)\n",l,l);
 	{
 	PW_CB_DATA cb_data;
 	cb_data.password = passout;
 	cb_data.prompt_info = outfile;
 	if (!PEM_write_bio_RSAPrivateKey(out,rsa,enc,NULL,0,
 		(pem_password_cb *)password_callback,&cb_data))
 		goto err;
 	}
-static int genrsa_cb(int p, int n, BN_GENCB *cb)
+	ret=0;
-{
+err:
-    char c = '*';
+	if (bn) BN_free(bn);
 	if (rsa) RSA_free(rsa);
 	if (out) BIO_free_all(out);
 	if(passout) OPENSSL_free(passout);
 	if (ret != 0)
 		ERR_print_errors(bio_err);
 	apps_shutdown();
 	OPENSSL_EXIT(ret);
 	}
-    if (p == 0)
+static int MS_CALLBACK genrsa_cb(int p, int n, BN_GENCB *cb)
-        c = '.';
+	{
-    if (p == 1)
+	char c='*';
-        c = '+';
+
-    if (p == 2)
+	if (p == 0) c='.';
-        c = '*';
+	if (p == 1) c='+';
-    if (p == 3)
+	if (p == 2) c='*';
-        c = '\n';
+	if (p == 3) c='\n';
-    BIO_write(BN_GENCB_get_arg(cb), &c, 1);
+	BIO_write(cb->arg,&c,1);
-    (void)BIO_flush(BN_GENCB_get_arg(cb));
+	(void)BIO_flush(cb->arg);
-    return 1;
+#ifdef LINT
-}
+	p=n;
-#else                           /* !OPENSSL_NO_RSA */
+#endif
 	return 1;
 	}
 #else /* !OPENSSL_NO_RSA */
 # if PEDANTIC
-static void *dummy = &dummy;
+static void *dummy=&dummy;
 # endif
 #endif
--- a/apps/makeapps.com
+++ b/apps/makeapps.com
@@ -178,7 +178,7 @@ $! NOTE: Some might think this list ugly.  However, it's made this way to
 $! reflect the E_OBJ variable in Makefile as closely as possible, thereby
 $! making it fairly easy to verify that the lists are the same.
 $!
-$ LIB_OPENSSL = "VERIFY,ASN1PARS,REQ,DGST,DHPARAM,ENC,PASSWD,ERRSTR,"+-
+$ LIB_OPENSSL = "VERIFY,ASN1PARS,REQ,DGST,DH,DHPARAM,ENC,PASSWD,GENDH,ERRSTR,"+-
 	     	"CA,PKCS7,CRL2P7,CRL,"+-
 	      	"RSA,RSAUTL,DSA,DSAPARAM,EC,ECPARAM,"+-
 	      	"X509,GENRSA,GENDSA,GENPKEY,S_SERVER,S_CLIENT,SPEED,"+-
--- a/apps/nseq.c
+++ b/apps/nseq.c
@@ -1,6 +1,6 @@
-/*
+/* nseq.c */
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * 1999.
+ * project 1999.
 */
 /* ====================================================================
 * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
@@ -10,7 +10,7 @@
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
+ *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
@@ -62,99 +62,106 @@
 #include <openssl/pem.h>
 #include <openssl/err.h>
-typedef enum OPTION_choice {
+#undef PROG
-    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+#define PROG nseq_main
    OPT_TOSEQ, OPT_IN, OPT_OUT
 } OPTION_CHOICE;
-OPTIONS nseq_options[] = {
+int MAIN(int, char **);
    {"help", OPT_HELP, '-', "Display this summary"},
    {"toseq", OPT_TOSEQ, '-', "Output NS Sequence file"},
    {"in", OPT_IN, '<', "Input file"},
    {"out", OPT_OUT, '>', "Output file"},
    {NULL}
 };
-int nseq_main(int argc, char **argv)
+int MAIN(int argc, char **argv)
 {
-    BIO *in = NULL, *out = NULL;
+	char **args, *infile = NULL, *outfile = NULL;
-    X509 *x509 = NULL;
+	BIO *in = NULL, *out = NULL;
-    NETSCAPE_CERT_SEQUENCE *seq = NULL;
+	int toseq = 0;
-    OPTION_CHOICE o;
+	X509 *x509 = NULL;
-    int toseq = 0, ret = 1, i;
+	NETSCAPE_CERT_SEQUENCE *seq = NULL;
-    char *infile = NULL, *outfile = NULL, *prog;
+	int i, ret = 1;
 	int badarg = 0;
 	if (bio_err == NULL) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
 	ERR_load_crypto_strings();
 	args = argv + 1;
 	while (!badarg && *args && *args[0] == '-') {
 		if (!strcmp (*args, "-toseq")) toseq = 1;
 		else if (!strcmp (*args, "-in")) {
 			if (args[1]) {
 				args++;
 				infile = *args;
 			} else badarg = 1;
 		} else if (!strcmp (*args, "-out")) {
 			if (args[1]) {
 				args++;
 				outfile = *args;
 			} else badarg = 1;
 		} else badarg = 1;
 		args++;
 	}
-    prog = opt_init(argc, argv, nseq_options);
+	if (badarg) {
-    while ((o = opt_next()) != OPT_EOF) {
+		BIO_printf (bio_err, "Netscape certificate sequence utility\n");
-        switch (o) {
+		BIO_printf (bio_err, "Usage nseq [options]\n");
-        case OPT_EOF:
+		BIO_printf (bio_err, "where options are\n");
-        case OPT_ERR:
+		BIO_printf (bio_err, "-in file  input file\n");
-            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+		BIO_printf (bio_err, "-out file output file\n");
-            goto end;
+		BIO_printf (bio_err, "-toseq    output NS Sequence file\n");
-        case OPT_HELP:
+		OPENSSL_EXIT(1);
-            ret = 0;
+	}
            opt_help(nseq_options);
            goto end;
        case OPT_TOSEQ:
            toseq = 1;
            break;
        case OPT_IN:
            infile = opt_arg();
            break;
        case OPT_OUT:
            outfile = opt_arg();
            break;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
-    in = bio_open_default(infile, 'r', FORMAT_PEM);
+	if (infile) {
-    if (in == NULL)
+		if (!(in = BIO_new_file (infile, "r"))) {
-        goto end;
+			BIO_printf (bio_err,
-    out = bio_open_default(outfile, 'w', FORMAT_PEM);
+				 "Can't open input file %s\n", infile);
-    if (out == NULL)
+			goto end;
-        goto end;
+		}
 	} else in = BIO_new_fp(stdin, BIO_NOCLOSE);
-    if (toseq) {
+	if (outfile) {
-        seq = NETSCAPE_CERT_SEQUENCE_new();
+		if (!(out = BIO_new_file (outfile, "w"))) {
-        if (seq == NULL)
+			BIO_printf (bio_err,
-            goto end;
+				 "Can't open output file %s\n", outfile);
-        seq->certs = sk_X509_new_null();
+			goto end;
-        if (seq->certs == NULL)
+		}
-            goto end;
+	} else {
-        while ((x509 = PEM_read_bio_X509(in, NULL, NULL, NULL)))
+		out = BIO_new_fp(stdout, BIO_NOCLOSE);
-            sk_X509_push(seq->certs, x509);
+#ifdef OPENSSL_SYS_VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 	}
 	if (toseq) {
 		seq = NETSCAPE_CERT_SEQUENCE_new();
 		seq->certs = sk_X509_new_null();
 		while((x509 = PEM_read_bio_X509(in, NULL, NULL, NULL))) 
 		    sk_X509_push(seq->certs,x509);
-        if (!sk_X509_num(seq->certs)) {
+		if(!sk_X509_num(seq->certs))
-            BIO_printf(bio_err, "%s: Error reading certs file %s\n",
+		{
-                       prog, infile);
+			BIO_printf (bio_err, "Error reading certs file %s\n", infile);
-            ERR_print_errors(bio_err);
+			ERR_print_errors(bio_err);
-            goto end;
+			goto end;
-        }
+		}
-        PEM_write_bio_NETSCAPE_CERT_SEQUENCE(out, seq);
+		PEM_write_bio_NETSCAPE_CERT_SEQUENCE(out, seq);
-        ret = 0;
+		ret = 0;
-        goto end;
+		goto end;
-    }
+	}
-    seq = PEM_read_bio_NETSCAPE_CERT_SEQUENCE(in, NULL, NULL, NULL);
+	if (!(seq = PEM_read_bio_NETSCAPE_CERT_SEQUENCE(in, NULL, NULL, NULL))) {
-    if (seq == NULL) {
+		BIO_printf (bio_err, "Error reading sequence file %s\n", infile);
-        BIO_printf(bio_err, "%s: Error reading sequence file %s\n",
+		ERR_print_errors(bio_err);
-                   prog, infile);
+		goto end;
-        ERR_print_errors(bio_err);
+	}
        goto end;
    }
-    for (i = 0; i < sk_X509_num(seq->certs); i++) {
+	for(i = 0; i < sk_X509_num(seq->certs); i++) {
-        x509 = sk_X509_value(seq->certs, i);
+		x509 = sk_X509_value(seq->certs, i);
-        dump_cert_text(out, x509);
+		dump_cert_text(out, x509);
-        PEM_write_bio_X509(out, x509);
+		PEM_write_bio_X509(out, x509);
-    }
+	}
-    ret = 0;
+	ret = 0;
- end:
+end:
-    BIO_free(in);
+	BIO_free(in);
-    BIO_free_all(out);
+	BIO_free_all(out);
-    NETSCAPE_CERT_SEQUENCE_free(seq);
+	NETSCAPE_CERT_SEQUENCE_free(seq);
-    return (ret);
+	OPENSSL_EXIT(ret);
 }
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
--- a/apps/oid.cnf
+++ b/apps/oid.cnf
@@ -0,0 +1,6 @@
 2.99999.1       SET.ex1         SET x509v3 extension 1
 2.99999.2       SET.ex2         SET x509v3 extension 2
 2.99999.3       SET.ex3         SET x509v3 extension 3
 2.99999.4       SET.ex4         SET x509v3 extension 4
 2.99999.5       SET.ex5         SET x509v3 extension 5
 2.99999.6       SET.ex6         SET x509v3 extension 6
--- a/apps/openssl-vms.cnf
+++ b/apps/openssl-vms.cnf
@@ -44,7 +44,7 @@ certs		= $dir.certs]		# Where the issued certs are kept
 crl_dir		= $dir.crl]		# Where the issued crl are kept
 database	= $dir]index.txt	# database index file.
 #unique_subject	= no			# Set to 'no' to allow creation of
-					# several certs with same subject.
+					# several ctificates with same subject.
 new_certs_dir	= $dir.newcerts]		# default place for new certs.
 certificate	= $dir]cacert.pem 	# The CA certificate
@@ -55,7 +55,7 @@ crl		= $dir]crl.pem 		# The current CRL
 private_key	= $dir.private]cakey.pem# The private key
 RANDFILE	= $dir.private].rand	# private random number file
-x509_extensions	= usr_cert		# The extensions to add to the cert
+x509_extensions	= usr_cert		# The extentions to add to the cert
 # Comment out the following two lines for the "traditional"
 # (and highly broken) format.
@@ -103,11 +103,11 @@ emailAddress		= optional
 ####################################################################
 [ req ]
-default_bits		= 2048
+default_bits		= 1024
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
-x509_extensions	= v3_ca	# The extensions to add to the self signed cert
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
 # Passwords for private keys if not present they will be prompted for
 # input_password = secret
@@ -145,7 +145,7 @@ localityName			= Locality Name (eg, city)
 organizationalUnitName		= Organizational Unit Name (eg, section)
 #organizationalUnitName_default	=
-commonName			= Common Name (e.g. server FQDN or YOUR name)
+commonName			= Common Name (eg, YOUR name)
 commonName_max			= 64
 emailAddress			= Email Address
@@ -335,12 +335,11 @@ signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
 certs		= $dir.cacert.pem]	# Certificate chain to include in reply
 					# (optional)
 signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
 signer_digest  = sha256			# Signing digest to use. (Optional)
 default_policy	= tsa_policy1		# Policy if request did not specify it
 					# (optional)
 other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
-digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
+digests		= md5, sha1		# Acceptable message digests (mandatory)
 accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
 clock_precision_digits  = 0	# number of digits after dot. (optional)
 ordering		= yes	# Is ordering defined for timestamps?
--- a/apps/openssl.c
+++ b/apps/openssl.c
--- a/apps/openssl.cnf
+++ b/apps/openssl.cnf
@@ -44,7 +44,7 @@ certs		= $dir/certs		# Where the issued certs are kept
 crl_dir		= $dir/crl		# Where the issued crl are kept
 database	= $dir/index.txt	# database index file.
 #unique_subject	= no			# Set to 'no' to allow creation of
-					# several certs with same subject.
+					# several ctificates with same subject.
 new_certs_dir	= $dir/newcerts		# default place for new certs.
 certificate	= $dir/cacert.pem 	# The CA certificate
@@ -55,7 +55,7 @@ crl		= $dir/crl.pem 		# The current CRL
 private_key	= $dir/private/cakey.pem# The private key
 RANDFILE	= $dir/private/.rand	# private random number file
-x509_extensions	= usr_cert		# The extensions to add to the cert
+x509_extensions	= usr_cert		# The extentions to add to the cert
 # Comment out the following two lines for the "traditional"
 # (and highly broken) format.
@@ -103,11 +103,11 @@ emailAddress		= optional
 ####################################################################
 [ req ]
-default_bits		= 2048
+default_bits		= 1024
 default_keyfile 	= privkey.pem
 distinguished_name	= req_distinguished_name
 attributes		= req_attributes
-x509_extensions	= v3_ca	# The extensions to add to the self signed cert
+x509_extensions	= v3_ca	# The extentions to add to the self signed cert
 # Passwords for private keys if not present they will be prompted for
 # input_password = secret
@@ -145,7 +145,7 @@ localityName			= Locality Name (eg, city)
 organizationalUnitName		= Organizational Unit Name (eg, section)
 #organizationalUnitName_default	=
-commonName			= Common Name (e.g. server FQDN or YOUR name)
+commonName			= Common Name (eg, YOUR name)
 commonName_max			= 64
 emailAddress			= Email Address
@@ -335,11 +335,11 @@ signer_cert	= $dir/tsacert.pem 	# The TSA signing certificate
 certs		= $dir/cacert.pem	# Certificate chain to include in reply
 					# (optional)
 signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
-signer_digest  = sha256			# Signing digest to use. (Optional)
+
 default_policy	= tsa_policy1		# Policy if request did not specify it
 					# (optional)
 other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
-digests     = sha1, sha256, sha384, sha512  # Acceptable message digests (mandatory)
+digests		= md5, sha1		# Acceptable message digests (mandatory)
 accuracy	= secs:1, millisecs:500, microsecs:100	# (optional)
 clock_precision_digits  = 0	# number of digits after dot. (optional)
 ordering		= yes	# Is ordering defined for timestamps?
--- a/apps/opt.c
+++ b/apps/opt.c
@@ -1,990 +0,0 @@
 /* ====================================================================
 * Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 */
 /* #define COMPILE_STANDALONE_TEST_DRIVER  */
 #include "apps.h"
 #include <string.h>
 #if !defined(OPENSSL_SYS_MSDOS)
 # include OPENSSL_UNISTD
 #endif
 #include <stdlib.h>
 #include <errno.h>
 #include <ctype.h>
 #include <limits.h>
 #include <openssl/bio.h>
 #define MAX_OPT_HELP_WIDTH 30
 const char OPT_HELP_STR[] = "--";
 const char OPT_MORE_STR[] = "---";
 /* Our state */
 static char **argv;
 static int argc;
 static int opt_index;
 static char *arg;
 static char *flag;
 static char *dunno;
 static const OPTIONS *unknown;
 static const OPTIONS *opts;
 static char prog[40];
 #if !defined(__STDC_VERSION__) || __STDC_VERSION__ < 199901L || \
    !defined(INTMAX_MAX) && !defined(UINTMAX_MAX)
 #define opt_imax opt_long
 #define opt_umax opt_ulong
 #endif
 /*
 * Return the simple name of the program; removing various platform gunk.
 */
 #if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_NETWARE)
 char *opt_progname(const char *argv0)
 {
    size_t i, n;
    const char *p;
    char *q;
    /* find the last '/', '\' or ':' */
    for (p = argv0 + strlen(argv0); --p > argv0;)
        if (*p == '/' || *p == '\\' || *p == ':') {
            p++;
            break;
        }
    /* Strip off trailing nonsense. */
    n = strlen(p);
    if (n > 4 &&
        (strcmp(&p[n - 4], ".exe") == 0 || strcmp(&p[n - 4], ".EXE") == 0))
        n -= 4;
 #if defined(OPENSSL_SYS_NETWARE)
    if (n > 4 &&
        (strcmp(&p[n - 4], ".nlm") == 0 || strcmp(&p[n - 4], ".NLM") == 0))
        n -= 4;
 #endif
    /* Copy over the name, in lowercase. */
    if (n > sizeof prog - 1)
        n = sizeof prog - 1;
    for (q = prog, i = 0; i < n; i++, p++)
        *q++ = isupper(*p) ? tolower(*p) : *p;
    *q = '\0';
    return prog;
 }
 #elif defined(OPENSSL_SYS_VMS)
 char *opt_progname(const char *argv0)
 {
    const char *p, *q;
    /* Find last special charcter sys:[foo.bar]openssl */
    for (p = argv0 + strlen(argv0); --p > argv0;)
        if (*p == ':' || *p == ']' || *p == '>') {
            p++;
            break;
        }
    q = strrchr(p, '.');
    strncpy(prog, p, sizeof prog - 1);
    prog[sizeof prog - 1] = '\0';
    if (q != NULL && q - p < sizeof prog)
        prog[q - p] = '\0';
    return prog;
 }
 #else
 char *opt_progname(const char *argv0)
 {
    const char *p;
    /* Could use strchr, but this is like the ones above. */
    for (p = argv0 + strlen(argv0); --p > argv0;)
        if (*p == '/') {
            p++;
            break;
        }
    strncpy(prog, p, sizeof prog - 1);
    prog[sizeof prog - 1] = '\0';
    return prog;
 }
 #endif
 char *opt_getprog(void)
 {
    return prog;
 }
 /* Set up the arg parsing. */
 char *opt_init(int ac, char **av, const OPTIONS *o)
 {
    /* Store state. */
    argc = ac;
    argv = av;
    opt_index = 1;
    opts = o;
    opt_progname(av[0]);
    unknown = NULL;
    for (; o->name; ++o) {
        const OPTIONS *next;
 #ifndef NDEBUG
        int duplicated, i;
 #endif
        if (o->name == OPT_HELP_STR || o->name == OPT_MORE_STR)
            continue;
 #ifndef NDEBUG
        i = o->valtype;
        /* Make sure options are legit. */
        assert(o->name[0] != '-');
        assert(o->retval > 0);
        switch (i) {
        case   0: case '-': case '/': case '<': case '>': case 'F': case 'M':
        case 'L': case 'U': case 'f': case 'n': case 'p': case 's': case 'u':
            break;
        default:
            assert(0);
        }
        /* Make sure there are no duplicates. */
        for (next = o + 1; next->name; ++next) {
            /*
             * Some compilers inline strcmp and the assert string is too long.
             */
            duplicated = strcmp(o->name, next->name) == 0;
            assert(!duplicated);
        }
 #endif
        if (o->name[0] == '\0') {
            assert(unknown == NULL);
            unknown = o;
            assert(unknown->valtype == 0 || unknown->valtype == '-');
        }
    }
    return prog;
 }
 static OPT_PAIR formats[] = {
    {"PEM/DER", OPT_FMT_PEMDER},
    {"pkcs12", OPT_FMT_PKCS12},
    {"smime", OPT_FMT_SMIME},
    {"engine", OPT_FMT_ENGINE},
    {"msblob", OPT_FMT_MSBLOB},
    {"netscape", OPT_FMT_NETSCAPE},
    {"nss", OPT_FMT_NSS},
    {"text", OPT_FMT_TEXT},
    {"http", OPT_FMT_HTTP},
    {"pvk", OPT_FMT_PVK},
    {NULL}
 };
 /* Print an error message about a failed format parse. */
 int opt_format_error(const char *s, unsigned long flags)
 {
    OPT_PAIR *ap;
    if (flags == OPT_FMT_PEMDER)
        BIO_printf(bio_err, "%s: Bad format \"%s\"; must be pem or der\n",
                   prog, s);
    else {
        BIO_printf(bio_err, "%s: Bad format \"%s\"; must be one of:\n",
                   prog, s);
        for (ap = formats; ap->name; ap++)
            if (flags & ap->retval)
                BIO_printf(bio_err, "   %s\n", ap->name);
    }
    return 0;
 }
 /* Parse a format string, put it into *result; return 0 on failure, else 1. */
 int opt_format(const char *s, unsigned long flags, int *result)
 {
    switch (*s) {
    default:
        return 0;
    case 'D':
    case 'd':
        if ((flags & OPT_FMT_PEMDER) == 0)
            return opt_format_error(s, flags);
        *result = FORMAT_ASN1;
        break;
    case 'T':
    case 't':
        if ((flags & OPT_FMT_TEXT) == 0)
            return opt_format_error(s, flags);
        *result = FORMAT_TEXT;
        break;
    case 'N':
    case 'n':
        if ((flags & OPT_FMT_NSS) == 0)
            return opt_format_error(s, flags);
        if (strcmp(s, "NSS") != 0 && strcmp(s, "nss") != 0)
            return opt_format_error(s, flags);
        *result = FORMAT_NSS;
        break;
    case 'S':
    case 's':
        if ((flags & OPT_FMT_SMIME) == 0)
            return opt_format_error(s, flags);
        *result = FORMAT_SMIME;
        break;
    case 'M':
    case 'm':
        if ((flags & OPT_FMT_MSBLOB) == 0)
            return opt_format_error(s, flags);
        *result = FORMAT_MSBLOB;
        break;
    case 'E':
    case 'e':
        if ((flags & OPT_FMT_ENGINE) == 0)
            return opt_format_error(s, flags);
        *result = FORMAT_ENGINE;
        break;
    case 'H':
    case 'h':
        if ((flags & OPT_FMT_HTTP) == 0)
            return opt_format_error(s, flags);
        *result = FORMAT_HTTP;
        break;
    case '1':
        if ((flags & OPT_FMT_PKCS12) == 0)
            return opt_format_error(s, flags);
        *result = FORMAT_PKCS12;
        break;
    case 'P':
    case 'p':
        if (s[1] == '\0' || strcmp(s, "PEM") == 0 || strcmp(s, "pem") == 0) {
            if ((flags & OPT_FMT_PEMDER) == 0)
                return opt_format_error(s, flags);
            *result = FORMAT_PEM;
        } else if (strcmp(s, "PVK") == 0 || strcmp(s, "pvk") == 0) {
            if ((flags & OPT_FMT_PVK) == 0)
                return opt_format_error(s, flags);
            *result = FORMAT_PVK;
        } else if (strcmp(s, "P12") == 0 || strcmp(s, "p12") == 0
                   || strcmp(s, "PKCS12") == 0 || strcmp(s, "pkcs12") == 0) {
            if ((flags & OPT_FMT_PKCS12) == 0)
                return opt_format_error(s, flags);
            *result = FORMAT_PKCS12;
        } else
            return 0;
        break;
    }
    return 1;
 }
 /* Parse a cipher name, put it in *EVP_CIPHER; return 0 on failure, else 1. */
 int opt_cipher(const char *name, const EVP_CIPHER **cipherp)
 {
    *cipherp = EVP_get_cipherbyname(name);
    if (*cipherp)
        return 1;
    BIO_printf(bio_err, "%s: Unknown cipher %s\n", prog, name);
    return 0;
 }
 /*
 * Parse message digest name, put it in *EVP_MD; return 0 on failure, else 1.
 */
 int opt_md(const char *name, const EVP_MD **mdp)
 {
    *mdp = EVP_get_digestbyname(name);
    if (*mdp)
        return 1;
    BIO_printf(bio_err, "%s: Unknown digest %s\n", prog, name);
    return 0;
 }
 /* Look through a list of name/value pairs. */
 int opt_pair(const char *name, const OPT_PAIR* pairs, int *result)
 {
    const OPT_PAIR *pp;
    for (pp = pairs; pp->name; pp++)
        if (strcmp(pp->name, name) == 0) {
            *result = pp->retval;
            return 1;
        }
    BIO_printf(bio_err, "%s: Value must be one of:\n", prog);
    for (pp = pairs; pp->name; pp++)
        BIO_printf(bio_err, "\t%s\n", pp->name);
    return 0;
 }
 /* Parse an int, put it into *result; return 0 on failure, else 1. */
 int opt_int(const char *value, int *result)
 {
    long l;
    if (!opt_long(value, &l))
        return 0;
    *result = (int)l;
    if (*result != l) {
        BIO_printf(bio_err, "%s: Value \"%s\" outside integer range\n",
                   prog, value);
        return 0;
    }
    return 1;
 }
 /* Parse a long, put it into *result; return 0 on failure, else 1. */
 int opt_long(const char *value, long *result)
 {
    int oerrno = errno;
    long l;
    char *endp;
    l = strtol(value, &endp, 0);
    if (*endp
            || endp == value
            || ((l == LONG_MAX || l == LONG_MIN) && errno == ERANGE)
            || (l == 0 && errno != 0)) {
        BIO_printf(bio_err, "%s: Can't parse \"%s\" as a number\n",
                   prog, value);
        errno = oerrno;
        return 0;
    }
    *result = l;
    errno = oerrno;
    return 1;
 }
 #if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L && \
    defined(INTMAX_MAX) && defined(UINTMAX_MAX)
 /* Parse an intmax_t, put it into *result; return 0 on failure, else 1. */
 int opt_imax(const char *value, intmax_t *result)
 {
    int oerrno = errno;
    intmax_t m;
    char *endp;
    m = strtoimax(value, &endp, 0);
    if (*endp
            || endp == value
            || ((m == INTMAX_MAX || m == INTMAX_MIN) && errno == ERANGE)
            || (m == 0 && errno != 0)) {
        BIO_printf(bio_err, "%s: Can't parse \"%s\" as a number\n",
                   prog, value);
        errno = oerrno;
        return 0;
    }
    *result = m;
    errno = oerrno;
    return 1;
 }
 /* Parse a uintmax_t, put it into *result; return 0 on failure, else 1. */
 int opt_umax(const char *value, uintmax_t *result)
 {
    int oerrno = errno;
    uintmax_t m;
    char *endp;
    m = strtoumax(value, &endp, 0);
    if (*endp
            || endp == value
            || (m == UINTMAX_MAX && errno == ERANGE)
            || (m == 0 && errno != 0)) {
        BIO_printf(bio_err, "%s: Can't parse \"%s\" as a number\n",
                   prog, value);
        errno = oerrno;
        return 0;
    }
    *result = m;
    errno = oerrno;
    return 1;
 }
 #endif
 /*
 * Parse an unsigned long, put it into *result; return 0 on failure, else 1.
 */
 int opt_ulong(const char *value, unsigned long *result)
 {
    int oerrno = errno;
    char *endptr;
    unsigned long l;
    l = strtoul(value, &endptr, 0);
    if (*endptr
            || endptr == value
            || ((l == ULONG_MAX) && errno == ERANGE)
            || (l == 0 && errno != 0)) {
        BIO_printf(bio_err, "%s: Can't parse \"%s\" as an unsigned number\n",
                   prog, value);
        errno = oerrno;
        return 0;
    }
    *result = l;
    errno = oerrno;
    return 1;
 }
 /*
 * We pass opt as an int but cast it to "enum range" so that all the
 * items in the OPT_V_ENUM enumeration are caught; this makes -Wswitch
 * in gcc do the right thing.
 */
 enum range { OPT_V_ENUM };
 int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
 {
    int i;
    ossl_intmax_t t = 0;
    ASN1_OBJECT *otmp;
    X509_PURPOSE *xptmp;
    const X509_VERIFY_PARAM *vtmp;
    assert(vpm != NULL);
    assert(opt > OPT_V__FIRST);
    assert(opt < OPT_V__LAST);
    switch ((enum range)opt) {
    case OPT_V__FIRST:
    case OPT_V__LAST:
        return 0;
    case OPT_V_POLICY:
        otmp = OBJ_txt2obj(opt_arg(), 0);
        if (otmp == NULL) {
            BIO_printf(bio_err, "%s: Invalid Policy %s\n", prog, opt_arg());
            return 0;
        }
        X509_VERIFY_PARAM_add0_policy(vpm, otmp);
        break;
    case OPT_V_PURPOSE:
        i = X509_PURPOSE_get_by_sname(opt_arg());
        if (i < 0) {
            BIO_printf(bio_err, "%s: Invalid purpose %s\n", prog, opt_arg());
            return 0;
        }
        xptmp = X509_PURPOSE_get0(i);
        i = X509_PURPOSE_get_id(xptmp);
        X509_VERIFY_PARAM_set_purpose(vpm, i);
        break;
    case OPT_V_VERIFY_NAME:
        vtmp = X509_VERIFY_PARAM_lookup(opt_arg());
        if (vtmp == NULL) {
            BIO_printf(bio_err, "%s: Invalid verify name %s\n",
                       prog, opt_arg());
            return 0;
        }
        X509_VERIFY_PARAM_set1(vpm, vtmp);
        break;
    case OPT_V_VERIFY_DEPTH:
        i = atoi(opt_arg());
        if (i >= 0)
            X509_VERIFY_PARAM_set_depth(vpm, i);
        break;
    case OPT_V_ATTIME:
        if (!opt_imax(opt_arg(), &t))
            return 0;
        if (t != (time_t)t) {
            BIO_printf(bio_err, "%s: epoch time out of range %s\n",
                       prog, opt_arg());
            return 0;
        }
        X509_VERIFY_PARAM_set_time(vpm, (time_t)t);
        break;
    case OPT_V_VERIFY_HOSTNAME:
        if (!X509_VERIFY_PARAM_set1_host(vpm, opt_arg(), 0))
            return 0;
        break;
    case OPT_V_VERIFY_EMAIL:
        if (!X509_VERIFY_PARAM_set1_email(vpm, opt_arg(), 0))
            return 0;
        break;
    case OPT_V_VERIFY_IP:
        if (!X509_VERIFY_PARAM_set1_ip_asc(vpm, opt_arg()))
            return 0;
        break;
    case OPT_V_IGNORE_CRITICAL:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_IGNORE_CRITICAL);
        break;
    case OPT_V_ISSUER_CHECKS:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CB_ISSUER_CHECK);
        break;
    case OPT_V_CRL_CHECK:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CRL_CHECK);
        break;
    case OPT_V_CRL_CHECK_ALL:
        X509_VERIFY_PARAM_set_flags(vpm,
                                    X509_V_FLAG_CRL_CHECK |
                                    X509_V_FLAG_CRL_CHECK_ALL);
        break;
    case OPT_V_POLICY_CHECK:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_POLICY_CHECK);
        break;
    case OPT_V_EXPLICIT_POLICY:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_EXPLICIT_POLICY);
        break;
    case OPT_V_INHIBIT_ANY:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_INHIBIT_ANY);
        break;
    case OPT_V_INHIBIT_MAP:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_INHIBIT_MAP);
        break;
    case OPT_V_X509_STRICT:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_X509_STRICT);
        break;
    case OPT_V_EXTENDED_CRL:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_EXTENDED_CRL_SUPPORT);
        break;
    case OPT_V_USE_DELTAS:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_USE_DELTAS);
        break;
    case OPT_V_POLICY_PRINT:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NOTIFY_POLICY);
        break;
    case OPT_V_CHECK_SS_SIG:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CHECK_SS_SIGNATURE);
        break;
    case OPT_V_TRUSTED_FIRST:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_TRUSTED_FIRST);
        break;
    case OPT_V_SUITEB_128_ONLY:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_SUITEB_128_LOS_ONLY);
        break;
    case OPT_V_SUITEB_128:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_SUITEB_128_LOS);
        break;
    case OPT_V_SUITEB_192:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_SUITEB_192_LOS);
        break;
    case OPT_V_PARTIAL_CHAIN:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_PARTIAL_CHAIN);
        break;
    case OPT_V_NO_ALT_CHAINS:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_ALT_CHAINS);
 	break;
    case OPT_V_NO_CHECK_TIME:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_NO_CHECK_TIME);
 	break;
    }
    return 1;
 }
 /*
 * Parse the next flag (and value if specified), return 0 if done, -1 on
 * error, otherwise the flag's retval.
 */
 int opt_next(void)
 {
    char *p;
    const OPTIONS *o;
    int ival;
    long lval;
    unsigned long ulval;
    ossl_intmax_t imval;
    ossl_uintmax_t umval;
    /* Look at current arg; at end of the list? */
    arg = NULL;
    p = argv[opt_index];
    if (p == NULL)
        return 0;
    /* If word doesn't start with a -, we're done. */
    if (*p != '-')
        return 0;
    /* Hit "--" ? We're done. */
    opt_index++;
    if (strcmp(p, "--") == 0)
        return 0;
    /* Allow -nnn and --nnn */
    if (*++p == '-')
        p++;
    flag = p - 1;
    /* If we have --flag=foo, snip it off */
    if ((arg = strchr(p, '=')) != NULL)
        *arg++ = '\0';
    for (o = opts; o->name; ++o) {
        /* If not this option, move on to the next one. */
        if (strcmp(p, o->name) != 0)
            continue;
        /* If it doesn't take a value, make sure none was given. */
        if (o->valtype == 0 || o->valtype == '-') {
            if (arg) {
                BIO_printf(bio_err,
                           "%s: Option -%s does not take a value\n", prog, p);
                return -1;
            }
            return o->retval;
        }
        /* Want a value; get the next param if =foo not used. */
        if (arg == NULL) {
            if (argv[opt_index] == NULL) {
                BIO_printf(bio_err,
                           "%s: Option -%s needs a value\n", prog, o->name);
                return -1;
            }
            arg = argv[opt_index++];
        }
        /* Syntax-check value. */
        switch (o->valtype) {
        default:
        case 's':
            /* Just a string. */
            break;
        case '/':
            if (app_isdir(arg) >= 0)
                break;
            BIO_printf(bio_err, "%s: Not a directory: %s\n", prog, arg);
            return -1;
        case '<':
            /* Input file. */
            if (strcmp(arg, "-") == 0 || app_access(arg, R_OK) >= 0)
                break;
            BIO_printf(bio_err,
                       "%s: Cannot open input file %s, %s\n",
                       prog, arg, strerror(errno));
            return -1;
        case '>':
            /* Output file. */
            if (strcmp(arg, "-") == 0 || app_access(arg, W_OK) >= 0 || errno == ENOENT)
                break;
            BIO_printf(bio_err,
                       "%s: Cannot open output file %s, %s\n",
                       prog, arg, strerror(errno));
            return -1;
        case 'p':
        case 'n':
            if (!opt_int(arg, &ival)
                    || (o->valtype == 'p' && ival <= 0)) {
                BIO_printf(bio_err,
                           "%s: Non-positive number \"%s\" for -%s\n",
                           prog, arg, o->name);
                return -1;
            }
            break;
        case 'M':
            if (!opt_imax(arg, &imval)) {
                BIO_printf(bio_err,
                           "%s: Invalid number \"%s\" for -%s\n",
                           prog, arg, o->name);
                return -1;
            }
            break;
        case 'U':
            if (!opt_umax(arg, &umval)) {
                BIO_printf(bio_err,
                           "%s: Invalid number \"%s\" for -%s\n",
                           prog, arg, o->name);
                return -1;
            }
            break;
        case 'L':
            if (!opt_long(arg, &lval)) {
                BIO_printf(bio_err,
                           "%s: Invalid number \"%s\" for -%s\n",
                           prog, arg, o->name);
                return -1;
            }
            break;
        case 'u':
            if (!opt_ulong(arg, &ulval)) {
                BIO_printf(bio_err,
                           "%s: Invalid number \"%s\" for -%s\n",
                           prog, arg, o->name);
                return -1;
            }
            break;
        case 'f':
        case 'F':
            if (opt_format(arg,
                           o->valtype == 'F' ? OPT_FMT_PEMDER
                           : OPT_FMT_ANY, &ival))
                break;
            BIO_printf(bio_err,
                       "%s: Invalid format \"%s\" for -%s\n",
                       prog, arg, o->name);
            return -1;
        }
        /* Return the flag value. */
        return o->retval;
    }
    if (unknown != NULL) {
        dunno = p;
        return unknown->retval;
    }
    BIO_printf(bio_err, "%s: Option unknown option -%s\n", prog, p);
    return -1;
 }
 /* Return the most recent flag parameter. */
 char *opt_arg(void)
 {
    return arg;
 }
 /* Return the most recent flag. */
 char *opt_flag(void)
 {
    return flag;
 }
 /* Return the unknown option. */
 char *opt_unknown(void)
 {
    return dunno;
 }
 /* Return the rest of the arguments after parsing flags. */
 char **opt_rest(void)
 {
    return &argv[opt_index];
 }
 /* How many items in remaining args? */
 int opt_num_rest(void)
 {
    int i = 0;
    char **pp;
    for (pp = opt_rest(); *pp; pp++, i++)
        continue;
    return i;
 }
 /* Return a string describing the parameter type. */
 static const char *valtype2param(const OPTIONS *o)
 {
    switch (o->valtype) {
    case '-':
        return "";
    case 's':
        return "val";
    case '/':
        return "dir";
    case '<':
        return "infile";
    case '>':
        return "outfile";
    case 'p':
        return "pnum";
    case 'n':
        return "num";
    case 'u':
        return "unum";
    case 'F':
        return "der/pem";
    case 'f':
        return "format";
    }
    return "parm";
 }
 void opt_help(const OPTIONS *list)
 {
    const OPTIONS *o;
    int i;
    int standard_prolog;
    int width = 5;
    char start[80 + 1];
    char *p;
    const char *help;
    /* Starts with its own help message? */
    standard_prolog = list[0].name != OPT_HELP_STR;
    /* Find the widest help. */
    for (o = list; o->name; o++) {
        if (o->name == OPT_MORE_STR)
            continue;
        i = 2 + (int)strlen(o->name);
        if (o->valtype != '-')
            i += 1 + strlen(valtype2param(o));
        if (i < MAX_OPT_HELP_WIDTH && i > width)
            width = i;
        assert(i < (int)sizeof start);
    }
    if (standard_prolog)
        BIO_printf(bio_err, "Usage: %s [options]\nValid options are:\n",
                   prog);
    /* Now let's print. */
    for (o = list; o->name; o++) {
        help = o->helpstr ? o->helpstr : "(No additional info)";
        if (o->name == OPT_HELP_STR) {
            BIO_printf(bio_err, help, prog);
            continue;
        }
        /* Pad out prefix */
        memset(start, ' ', sizeof(start) - 1);
        start[sizeof start - 1] = '\0';
        if (o->name == OPT_MORE_STR) {
            /* Continuation of previous line; padd and print. */
            start[width] = '\0';
            BIO_printf(bio_err, "%s  %s\n", start, help);
            continue;
        }
        /* Build up the "-flag [param]" part. */
        p = start;
        *p++ = ' ';
        *p++ = '-';
        if (o->name[0])
            p += strlen(strcpy(p, o->name));
        else
            *p++ = '*';
        if (o->valtype != '-') {
            *p++ = ' ';
            p += strlen(strcpy(p, valtype2param(o)));
        }
        *p = ' ';
        if ((int)(p - start) >= MAX_OPT_HELP_WIDTH) {
            *p = '\0';
            BIO_printf(bio_err, "%s\n", start);
            memset(start, ' ', sizeof(start));
        }
        start[width] = '\0';
        BIO_printf(bio_err, "%s  %s\n", start, help);
    }
 }
 #ifdef COMPILE_STANDALONE_TEST_DRIVER
 # include <sys/stat.h>
 typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_IN, OPT_INFORM, OPT_OUT, OPT_COUNT, OPT_U, OPT_FLAG,
    OPT_STR, OPT_NOTUSED
 } OPTION_CHOICE;
 static OPTIONS options[] = {
    {OPT_HELP_STR, 1, '-', "Usage: %s flags\n"},
    {OPT_HELP_STR, 1, '-', "Valid options are:\n"},
    {"help", OPT_HELP, '-', "Display this summary"},
    {"in", OPT_IN, '<', "input file"},
    {OPT_MORE_STR, 1, '-', "more detail about input"},
    {"inform", OPT_INFORM, 'f', "input file format; defaults to pem"},
    {"out", OPT_OUT, '>', "output file"},
    {"count", OPT_COUNT, 'p', "a counter greater than zero"},
    {"u", OPT_U, 'u', "an unsigned number"},
    {"flag", OPT_FLAG, 0, "just some flag"},
    {"str", OPT_STR, 's', "the magic word"},
    {"areallyverylongoption", OPT_HELP, '-', "long way for help"},
    {NULL}
 };
 BIO *bio_err;
 int app_isdir(const char *name)
 {
    struct stat sb;
    return name != NULL && stat(name, &sb) >= 0 && S_ISDIR(sb.st_mode);
 }
 int main(int ac, char **av)
 {
    OPTION_CHOICE o;
    char **rest;
    char *prog;
    bio_err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT);
    prog = opt_init(ac, av, options);
    while ((o = opt_next()) != OPT_EOF) {
        switch (c) {
        case OPT_NOTUSED:
        case OPT_EOF:
        case OPT_ERR:
            printf("%s: Usage error; try -help.\n", prog);
            return 1;
        case OPT_HELP:
            opt_help(options);
            return 0;
        case OPT_IN:
            printf("in %s\n", opt_arg());
            break;
        case OPT_INFORM:
            printf("inform %s\n", opt_arg());
            break;
        case OPT_OUT:
            printf("out %s\n", opt_arg());
            break;
        case OPT_COUNT:
            printf("count %s\n", opt_arg());
            break;
        case OPT_U:
            printf("u %s\n", opt_arg());
            break;
        case OPT_FLAG:
            printf("flag\n");
            break;
        case OPT_STR:
            printf("str %s\n", opt_arg());
            break;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
    printf("args = %d\n", argc);
    if (argc)
        while (*argv)
            printf("  %s\n", *argv++);
    return 0;
 }
 #endif
--- a/apps/passwd.c
+++ b/apps/passwd.c
@@ -1,51 +1,4 @@
-/* ====================================================================
+/* apps/passwd.c */
 * Copyright (c) 2000-2015 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 */
 #if defined OPENSSL_NO_MD5 || defined CHARSET_EBCDIC
 # define NO_MD5CRYPT_1
@@ -53,450 +6,507 @@
 #if !defined(OPENSSL_NO_DES) || !defined(NO_MD5CRYPT_1)
-# include <string.h>
+#include <assert.h>
 #include <string.h>
-# include "apps.h"
+#include "apps.h"
-# include <openssl/bio.h>
+#include <openssl/bio.h>
-# include <openssl/err.h>
+#include <openssl/err.h>
-# include <openssl/evp.h>
+#include <openssl/evp.h>
-# include <openssl/rand.h>
+#include <openssl/rand.h>
-# ifndef OPENSSL_NO_DES
+#ifndef OPENSSL_NO_DES
-#  include <openssl/des.h>
+# include <openssl/des.h>
-# endif
+#endif
-# ifndef NO_MD5CRYPT_1
+#ifndef NO_MD5CRYPT_1
-#  include <openssl/md5.h>
+# include <openssl/md5.h>
-# endif
+#endif
-static unsigned const char cov_2char[64] = {
+
-    /* from crypto/des/fcrypt.c */
+#undef PROG
-    0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, 0x35,
+#define PROG passwd_main
-    0x36, 0x37, 0x38, 0x39, 0x41, 0x42, 0x43, 0x44,
+
-    0x45, 0x46, 0x47, 0x48, 0x49, 0x4A, 0x4B, 0x4C,
+
-    0x4D, 0x4E, 0x4F, 0x50, 0x51, 0x52, 0x53, 0x54,
+static unsigned const char cov_2char[64]={
-    0x55, 0x56, 0x57, 0x58, 0x59, 0x5A, 0x61, 0x62,
+	/* from crypto/des/fcrypt.c */
-    0x63, 0x64, 0x65, 0x66, 0x67, 0x68, 0x69, 0x6A,
+	0x2E,0x2F,0x30,0x31,0x32,0x33,0x34,0x35,
-    0x6B, 0x6C, 0x6D, 0x6E, 0x6F, 0x70, 0x71, 0x72,
+	0x36,0x37,0x38,0x39,0x41,0x42,0x43,0x44,
-    0x73, 0x74, 0x75, 0x76, 0x77, 0x78, 0x79, 0x7A
+	0x45,0x46,0x47,0x48,0x49,0x4A,0x4B,0x4C,
 	0x4D,0x4E,0x4F,0x50,0x51,0x52,0x53,0x54,
 	0x55,0x56,0x57,0x58,0x59,0x5A,0x61,0x62,
 	0x63,0x64,0x65,0x66,0x67,0x68,0x69,0x6A,
 	0x6B,0x6C,0x6D,0x6E,0x6F,0x70,0x71,0x72,
 	0x73,0x74,0x75,0x76,0x77,0x78,0x79,0x7A
 };
 static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
-                     char *passwd, BIO *out, int quiet, int table,
+	char *passwd, BIO *out, int quiet, int table, int reverse,
-                     int reverse, size_t pw_maxlen, int usecrypt, int use1,
+	size_t pw_maxlen, int usecrypt, int use1, int useapr1);
                     int useapr1);
-typedef enum OPTION_choice {
+/* -crypt        - standard Unix password algorithm (default)
-    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+ * -1            - MD5-based password algorithm
-    OPT_IN,
+ * -apr1         - MD5-based password algorithm, Apache variant
-    OPT_NOVERIFY, OPT_QUIET, OPT_TABLE, OPT_REVERSE, OPT_APR1,
+ * -salt string  - salt
-    OPT_1, OPT_CRYPT, OPT_SALT, OPT_STDIN
+ * -in file      - read passwords from file
-} OPTION_CHOICE;
+ * -stdin        - read passwords from stdin
 * -noverify     - never verify when reading password from terminal
 * -quiet        - no warnings
 * -table        - format output as table
 * -reverse      - switch table columns
 */
-OPTIONS passwd_options[] = {
+int MAIN(int, char **);
    {"help", OPT_HELP, '-', "Display this summary"},
    {"in", OPT_IN, '<', "Pead passwords from file"},
    {"noverify", OPT_NOVERIFY, '-',
     "Never verify when reading password from terminal"},
    {"quiet", OPT_QUIET, '-', "No warnings"},
    {"table", OPT_TABLE, '-', "Format output as table"},
    {"reverse", OPT_REVERSE, '-', "Switch table columns"},
    {"salt", OPT_SALT, 's', "Use provided salt"},
    {"stdin", OPT_STDIN, '-', "Read passwords from stdin"},
 # ifndef NO_MD5CRYPT_1
    {"apr1", OPT_APR1, '-', "MD5-based password algorithm, Apache variant"},
    {"1", OPT_1, '-', "MD5-based password algorithm"},
 # endif
 # ifndef OPENSSL_NO_DES
    {"crypt", OPT_CRYPT, '-', "Standard Unix password algorithm (default)"},
 # endif
    {NULL}
 };
-int passwd_main(int argc, char **argv)
+int MAIN(int argc, char **argv)
-{
+	{
-    BIO *in = NULL;
+	int ret = 1;
-    char *infile = NULL, *salt = NULL, *passwd = NULL, **passwds = NULL;
+	char *infile = NULL;
-    char *salt_malloc = NULL, *passwd_malloc = NULL, *prog;
+	int in_stdin = 0;
-    OPTION_CHOICE o;
+	int in_noverify = 0;
-    int in_stdin = 0, in_noverify = 0, pw_source_defined = 0;
+	char *salt = NULL, *passwd = NULL, **passwds = NULL;
-    int passed_salt = 0, quiet = 0, table = 0, reverse = 0;
+	char *salt_malloc = NULL, *passwd_malloc = NULL;
-    int ret = 1, usecrypt = 0, use1 = 0, useapr1 = 0;
+	size_t passwd_malloc_size = 0;
-    size_t passwd_malloc_size = 0, pw_maxlen = 256;
+	int pw_source_defined = 0;
 	BIO *in = NULL, *out = NULL;
 	int i, badopt, opt_done;
 	int passed_salt = 0, quiet = 0, table = 0, reverse = 0;
 	int usecrypt = 0, use1 = 0, useapr1 = 0;
 	size_t pw_maxlen = 0;
-    prog = opt_init(argc, argv, passwd_options);
+	apps_startup();
    while ((o = opt_next()) != OPT_EOF) {
        switch (o) {
        case OPT_EOF:
        case OPT_ERR:
 opthelp:
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
        case OPT_HELP:
            opt_help(passwd_options);
            ret = 0;
            goto end;
        case OPT_IN:
            if (pw_source_defined)
                goto opthelp;
            infile = opt_arg();
            pw_source_defined = 1;
            break;
        case OPT_NOVERIFY:
            in_noverify = 1;
            break;
        case OPT_QUIET:
            quiet = 1;
            break;
        case OPT_TABLE:
            table = 1;
            break;
        case OPT_REVERSE:
            reverse = 1;
            break;
        case OPT_1:
            use1 = 1;
            break;
        case OPT_APR1:
            useapr1 = 1;
            break;
        case OPT_CRYPT:
            usecrypt = 1;
            break;
        case OPT_SALT:
            passed_salt = 1;
            salt = opt_arg();
            break;
        case OPT_STDIN:
            if (pw_source_defined)
                goto opthelp;
            in_stdin = 1;
            break;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
-    if (*argv) {
+	if (bio_err == NULL)
-        if (pw_source_defined)
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
-            goto opthelp;
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
        pw_source_defined = 1;
        passwds = argv;
    }
-    if (!usecrypt && !use1 && !useapr1) {
+	if (!load_config(bio_err, NULL))
-        /* use default */
+		goto err;
-        usecrypt = 1;
+	out = BIO_new(BIO_s_file());
-    }
+	if (out == NULL)
-    if (usecrypt + use1 + useapr1 > 1) {
+		goto err;
-        /* conflict */
+	BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
-        goto opthelp;
+#ifdef OPENSSL_SYS_VMS
-    }
+	{
 	BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 	out = BIO_push(tmpbio, out);
 	}
 #endif
-# ifdef OPENSSL_NO_DES
+	badopt = 0, opt_done = 0;
-    if (usecrypt)
+	i = 0;
-        goto opthelp;
+	while (!badopt && !opt_done && argv[++i] != NULL)
-# endif
+		{
-# ifdef NO_MD5CRYPT_1
+		if (strcmp(argv[i], "-crypt") == 0)
-    if (use1 || useapr1)
+			usecrypt = 1;
-        goto opthelp;
+		else if (strcmp(argv[i], "-1") == 0)
-# endif
+			use1 = 1;
 		else if (strcmp(argv[i], "-apr1") == 0)
 			useapr1 = 1;
 		else if (strcmp(argv[i], "-salt") == 0)
 			{
 			if ((argv[i+1] != NULL) && (salt == NULL))
 				{
 				passed_salt = 1;
 				salt = argv[++i];
 				}
 			else
 				badopt = 1;
 			}
 		else if (strcmp(argv[i], "-in") == 0)
 			{
 			if ((argv[i+1] != NULL) && !pw_source_defined)
 				{
 				pw_source_defined = 1;
 				infile = argv[++i];
 				}
 			else
 				badopt = 1;
 			}
 		else if (strcmp(argv[i], "-stdin") == 0)
 			{
 			if (!pw_source_defined)
 				{
 				pw_source_defined = 1;
 				in_stdin = 1;
 				}
 			else
 				badopt = 1;
 			}
 		else if (strcmp(argv[i], "-noverify") == 0)
 			in_noverify = 1;
 		else if (strcmp(argv[i], "-quiet") == 0)
 			quiet = 1;
 		else if (strcmp(argv[i], "-table") == 0)
 			table = 1;
 		else if (strcmp(argv[i], "-reverse") == 0)
 			reverse = 1;
 		else if (argv[i][0] == '-')
 			badopt = 1;
 		else if (!pw_source_defined)
 			/* non-option arguments, use as passwords */
 			{
 			pw_source_defined = 1;
 			passwds = &argv[i];
 			opt_done = 1;
 			}
 		else
 			badopt = 1;
 		}
-    if (infile && in_stdin) {
+	if (!usecrypt && !use1 && !useapr1) /* use default */
-        BIO_printf(bio_err, "%s: Can't combine -in and -stdin\n", prog);
+		usecrypt = 1;
-        goto end;
+	if (usecrypt + use1 + useapr1 > 1) /* conflict */
-    }
+		badopt = 1;
-    in = bio_open_default(infile, 'r', FORMAT_TEXT);
+	/* reject unsupported algorithms */
-    if (in == NULL)
+#ifdef OPENSSL_NO_DES
-        goto end;
+	if (usecrypt) badopt = 1;
 #endif
 #ifdef NO_MD5CRYPT_1
 	if (use1 || useapr1) badopt = 1;
 #endif
-    if (usecrypt)
+	if (badopt) 
-        pw_maxlen = 8;
+		{
-    else if (use1 || useapr1)
+		BIO_printf(bio_err, "Usage: passwd [options] [passwords]\n");
-        pw_maxlen = 256;        /* arbitrary limit, should be enough for most
+		BIO_printf(bio_err, "where options are\n");
-                                 * passwords */
+#ifndef OPENSSL_NO_DES
 		BIO_printf(bio_err, "-crypt             standard Unix password algorithm (default)\n");
 #endif
 #ifndef NO_MD5CRYPT_1
 		BIO_printf(bio_err, "-1                 MD5-based password algorithm\n");
 		BIO_printf(bio_err, "-apr1              MD5-based password algorithm, Apache variant\n");
 #endif
 		BIO_printf(bio_err, "-salt string       use provided salt\n");
 		BIO_printf(bio_err, "-in file           read passwords from file\n");
 		BIO_printf(bio_err, "-stdin             read passwords from stdin\n");
 		BIO_printf(bio_err, "-noverify          never verify when reading password from terminal\n");
 		BIO_printf(bio_err, "-quiet             no warnings\n");
 		BIO_printf(bio_err, "-table             format output as table\n");
 		BIO_printf(bio_err, "-reverse           switch table columns\n");
 		goto err;
 		}
-    if (passwds == NULL) {
+	if ((infile != NULL) || in_stdin)
-        /* no passwords on the command line */
+		{
 		in = BIO_new(BIO_s_file());
 		if (in == NULL)
 			goto err;
 		if (infile != NULL)
 			{
 			assert(in_stdin == 0);
 			if (BIO_read_filename(in, infile) <= 0)
 				goto err;
 			}
 		else
 			{
 			assert(in_stdin);
 			BIO_set_fp(in, stdin, BIO_NOCLOSE);
 			}
 		}
 	if (usecrypt)
 		pw_maxlen = 8;
 	else if (use1 || useapr1)
 		pw_maxlen = 256; /* arbitrary limit, should be enough for most passwords */
-        passwd_malloc_size = pw_maxlen + 2;
+	if (passwds == NULL)
-        /* longer than necessary so that we can warn about truncation */
+		{
-        passwd = passwd_malloc =
+		/* no passwords on the command line */
            app_malloc(passwd_malloc_size, "password buffer");
    }
-    if ((in == NULL) && (passwds == NULL)) {
+		passwd_malloc_size = pw_maxlen + 2;
-        /* build a null-terminated list */
+		/* longer than necessary so that we can warn about truncation */
-        static char *passwds_static[2] = { NULL, NULL };
+		passwd = passwd_malloc = OPENSSL_malloc(passwd_malloc_size);
 		if (passwd_malloc == NULL)
 			goto err;
 		}
-        passwds = passwds_static;
+	if ((in == NULL) && (passwds == NULL))
-        if (in == NULL)
+		{
-            if (EVP_read_pw_string
+		/* build a null-terminated list */
-                (passwd_malloc, passwd_malloc_size, "Password: ",
+		static char *passwds_static[2] = {NULL, NULL};
-                 !(passed_salt || in_noverify)) != 0)
+		
-                goto end;
+		passwds = passwds_static;
-        passwds[0] = passwd_malloc;
+		if (in == NULL)
-    }
+			if (EVP_read_pw_string(passwd_malloc, passwd_malloc_size, "Password: ", !(passed_salt || in_noverify)) != 0)
 				goto err;
 		passwds[0] = passwd_malloc;
 		}
-    if (in == NULL) {
+	if (in == NULL)
-        assert(passwds != NULL);
+		{
-        assert(*passwds != NULL);
+		assert(passwds != NULL);
 		assert(*passwds != NULL);
 		do /* loop over list of passwords */
 			{
 			passwd = *passwds++;
 			if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, out,
 				quiet, table, reverse, pw_maxlen, usecrypt, use1, useapr1))
 				goto err;
 			}
 		while (*passwds != NULL);
 		}
 	else
 		/* in != NULL */
 		{
 		int done;
-        do {                    /* loop over list of passwords */
+		assert (passwd != NULL);
-            passwd = *passwds++;
+		do
-            if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, bio_out,
+			{
-                           quiet, table, reverse, pw_maxlen, usecrypt, use1,
+			int r = BIO_gets(in, passwd, pw_maxlen + 1);
-                           useapr1))
+			if (r > 0)
-                goto end;
+				{
-        }
+				char *c = (strchr(passwd, '\n')) ;
-        while (*passwds != NULL);
+				if (c != NULL)
-    } else
+					*c = 0; /* truncate at newline */
-        /* in != NULL */
+				else
-    {
+					{
-        int done;
+					/* ignore rest of line */
 					char trash[BUFSIZ];
 					do
 						r = BIO_gets(in, trash, sizeof trash);
 					while ((r > 0) && (!strchr(trash, '\n')));
 					}
 				if (!do_passwd(passed_salt, &salt, &salt_malloc, passwd, out,
 					quiet, table, reverse, pw_maxlen, usecrypt, use1, useapr1))
 					goto err;
 				}
 			done = (r <= 0);
 			}
 		while (!done);
 		}
 	ret = 0;
-        assert(passwd != NULL);
+err:
-        do {
+	ERR_print_errors(bio_err);
-            int r = BIO_gets(in, passwd, pw_maxlen + 1);
+	if (salt_malloc)
-            if (r > 0) {
+		OPENSSL_free(salt_malloc);
-                char *c = (strchr(passwd, '\n'));
+	if (passwd_malloc)
-                if (c != NULL)
+		OPENSSL_free(passwd_malloc);
-                    *c = 0;     /* truncate at newline */
+	if (in)
-                else {
+		BIO_free(in);
-                    /* ignore rest of line */
+	if (out)
-                    char trash[BUFSIZ];
+		BIO_free_all(out);
-                    do
+	apps_shutdown();
-                        r = BIO_gets(in, trash, sizeof trash);
+	OPENSSL_EXIT(ret);
-                    while ((r > 0) && (!strchr(trash, '\n')));
+	}
                }
                if (!do_passwd
                    (passed_salt, &salt, &salt_malloc, passwd, bio_out, quiet,
                     table, reverse, pw_maxlen, usecrypt, use1, useapr1))
                    goto end;
            }
            done = (r <= 0);
        }
        while (!done);
    }
    ret = 0;
- end:
+#ifndef NO_MD5CRYPT_1
-    ERR_print_errors(bio_err);
+/* MD5-based password algorithm (should probably be available as a library
-    OPENSSL_free(salt_malloc);
+ * function; then the static buffer would not be acceptable).
-    OPENSSL_free(passwd_malloc);
+ * For magic string "1", this should be compatible to the MD5-based BSD
-    BIO_free(in);
+ * password algorithm.
-    return (ret);
+ * For 'magic' string "apr1", this is compatible to the MD5-based Apache
-}
+ * password algorithm.
-
+ * (Apparently, the Apache password algorithm is identical except that the
-# ifndef NO_MD5CRYPT_1
+ * 'magic' string was changed -- the laziest application of the NIH principle
-/*
+ * I've ever encountered.)
 * MD5-based password algorithm (should probably be available as a library
 * function; then the static buffer would not be acceptable). For magic
 * string "1", this should be compatible to the MD5-based BSD password
 * algorithm. For 'magic' string "apr1", this is compatible to the MD5-based
 * Apache password algorithm. (Apparently, the Apache password algorithm is
 * identical except that the 'magic' string was changed -- the laziest
 * application of the NIH principle I've ever encountered.)
 */
 static char *md5crypt(const char *passwd, const char *magic, const char *salt)
-{
+	{
-    /* "$apr1$..salt..$.......md5hash..........\0" */
+	static char out_buf[6 + 9 + 24 + 2]; /* "$apr1$..salt..$.......md5hash..........\0" */
-    static char out_buf[6 + 9 + 24 + 2];
+	unsigned char buf[MD5_DIGEST_LENGTH];
-    unsigned char buf[MD5_DIGEST_LENGTH];
+	char *salt_out;
-    char *salt_out;
+	int n;
-    int n;
+	unsigned int i;
-    unsigned int i;
+	EVP_MD_CTX md,md2;
-    EVP_MD_CTX *md, *md2;
+	size_t passwd_len, salt_len;
    size_t passwd_len, salt_len;
-    passwd_len = strlen(passwd);
+	passwd_len = strlen(passwd);
-    out_buf[0] = '$';
+	out_buf[0] = '$';
-    out_buf[1] = 0;
+	out_buf[1] = 0;
-    assert(strlen(magic) <= 4); /* "1" or "apr1" */
+	assert(strlen(magic) <= 4); /* "1" or "apr1" */
-    OPENSSL_strlcat(out_buf, magic, sizeof out_buf);
+	strncat(out_buf, magic, 4);
-    OPENSSL_strlcat(out_buf, "$", sizeof out_buf);
+	strncat(out_buf, "$", 1);
-    OPENSSL_strlcat(out_buf, salt, sizeof out_buf);
+	strncat(out_buf, salt, 8);
-    assert(strlen(out_buf) <= 6 + 8); /* "$apr1$..salt.." */
+	assert(strlen(out_buf) <= 6 + 8); /* "$apr1$..salt.." */
-    salt_out = out_buf + 2 + strlen(magic);
+	salt_out = out_buf + 2 + strlen(magic);
-    salt_len = strlen(salt_out);
+	salt_len = strlen(salt_out);
-    assert(salt_len <= 8);
+	assert(salt_len <= 8);
 	EVP_MD_CTX_init(&md);
 	EVP_DigestInit_ex(&md,EVP_md5(), NULL);
 	EVP_DigestUpdate(&md, passwd, passwd_len);
 	EVP_DigestUpdate(&md, "$", 1);
 	EVP_DigestUpdate(&md, magic, strlen(magic));
 	EVP_DigestUpdate(&md, "$", 1);
 	EVP_DigestUpdate(&md, salt_out, salt_len);
 	EVP_MD_CTX_init(&md2);
 	EVP_DigestInit_ex(&md2,EVP_md5(), NULL);
 	EVP_DigestUpdate(&md2, passwd, passwd_len);
 	EVP_DigestUpdate(&md2, salt_out, salt_len);
 	EVP_DigestUpdate(&md2, passwd, passwd_len);
 	EVP_DigestFinal_ex(&md2, buf, NULL);
-    md = EVP_MD_CTX_new();
+	for (i = passwd_len; i > sizeof buf; i -= sizeof buf)
-    if (md == NULL)
+		EVP_DigestUpdate(&md, buf, sizeof buf);
-        return NULL;
+	EVP_DigestUpdate(&md, buf, i);
-    EVP_DigestInit_ex(md, EVP_md5(), NULL);
+	
-    EVP_DigestUpdate(md, passwd, passwd_len);
+	n = passwd_len;
-    EVP_DigestUpdate(md, "$", 1);
+	while (n)
-    EVP_DigestUpdate(md, magic, strlen(magic));
+		{
-    EVP_DigestUpdate(md, "$", 1);
+		EVP_DigestUpdate(&md, (n & 1) ? "\0" : passwd, 1);
-    EVP_DigestUpdate(md, salt_out, salt_len);
+		n >>= 1;
 		}
 	EVP_DigestFinal_ex(&md, buf, NULL);
-    md2 = EVP_MD_CTX_new();
+	for (i = 0; i < 1000; i++)
-    if (md2 == NULL)
+		{
-        return NULL;
+		EVP_DigestInit_ex(&md2,EVP_md5(), NULL);
-    EVP_DigestInit_ex(md2, EVP_md5(), NULL);
+		EVP_DigestUpdate(&md2, (i & 1) ? (unsigned const char *) passwd : buf,
-    EVP_DigestUpdate(md2, passwd, passwd_len);
+		                       (i & 1) ? passwd_len : sizeof buf);
-    EVP_DigestUpdate(md2, salt_out, salt_len);
+		if (i % 3)
-    EVP_DigestUpdate(md2, passwd, passwd_len);
+			EVP_DigestUpdate(&md2, salt_out, salt_len);
-    EVP_DigestFinal_ex(md2, buf, NULL);
+		if (i % 7)
 			EVP_DigestUpdate(&md2, passwd, passwd_len);
 		EVP_DigestUpdate(&md2, (i & 1) ? buf : (unsigned const char *) passwd,
 		                       (i & 1) ? sizeof buf : passwd_len);
 		EVP_DigestFinal_ex(&md2, buf, NULL);
 		}
 	EVP_MD_CTX_cleanup(&md2);
 	 {
 		/* transform buf into output string */
 		unsigned char buf_perm[sizeof buf];
 		int dest, source;
 		char *output;
-    for (i = passwd_len; i > sizeof buf; i -= sizeof buf)
+		/* silly output permutation */
-        EVP_DigestUpdate(md, buf, sizeof buf);
+		for (dest = 0, source = 0; dest < 14; dest++, source = (source + 6) % 17)
-    EVP_DigestUpdate(md, buf, i);
+			buf_perm[dest] = buf[source];
 		buf_perm[14] = buf[5];
 		buf_perm[15] = buf[11];
 #ifndef PEDANTIC /* Unfortunately, this generates a "no effect" warning */
 		assert(16 == sizeof buf_perm);
 #endif
 		output = salt_out + salt_len;
 		assert(output == out_buf + strlen(out_buf));
 		*output++ = '$';
-    n = passwd_len;
+		for (i = 0; i < 15; i += 3)
-    while (n) {
+			{
-        EVP_DigestUpdate(md, (n & 1) ? "\0" : passwd, 1);
+			*output++ = cov_2char[buf_perm[i+2] & 0x3f];
-        n >>= 1;
+			*output++ = cov_2char[((buf_perm[i+1] & 0xf) << 2) |
-    }
+				                  (buf_perm[i+2] >> 6)];
-    EVP_DigestFinal_ex(md, buf, NULL);
+			*output++ = cov_2char[((buf_perm[i] & 3) << 4) |
 				                  (buf_perm[i+1] >> 4)];
 			*output++ = cov_2char[buf_perm[i] >> 2];
 			}
 		assert(i == 15);
 		*output++ = cov_2char[buf_perm[i] & 0x3f];
 		*output++ = cov_2char[buf_perm[i] >> 6];
 		*output = 0;
 		assert(strlen(out_buf) < sizeof(out_buf));
 	 }
 	EVP_MD_CTX_cleanup(&md);
-    for (i = 0; i < 1000; i++) {
+	return out_buf;
-        EVP_DigestInit_ex(md2, EVP_md5(), NULL);
+	}
-        EVP_DigestUpdate(md2, (i & 1) ? (unsigned const char *)passwd : buf,
+#endif
                         (i & 1) ? passwd_len : sizeof buf);
        if (i % 3)
            EVP_DigestUpdate(md2, salt_out, salt_len);
        if (i % 7)
            EVP_DigestUpdate(md2, passwd, passwd_len);
        EVP_DigestUpdate(md2, (i & 1) ? buf : (unsigned const char *)passwd,
                         (i & 1) ? sizeof buf : passwd_len);
        EVP_DigestFinal_ex(md2, buf, NULL);
    }
    EVP_MD_CTX_free(md2);
    EVP_MD_CTX_free(md);
    {
        /* transform buf into output string */
        unsigned char buf_perm[sizeof buf];
        int dest, source;
        char *output;
        /* silly output permutation */
        for (dest = 0, source = 0; dest < 14;
             dest++, source = (source + 6) % 17)
            buf_perm[dest] = buf[source];
        buf_perm[14] = buf[5];
        buf_perm[15] = buf[11];
 #  ifndef PEDANTIC              /* Unfortunately, this generates a "no
                                 * effect" warning */
        assert(16 == sizeof buf_perm);
 #  endif
        output = salt_out + salt_len;
        assert(output == out_buf + strlen(out_buf));
        *output++ = '$';
        for (i = 0; i < 15; i += 3) {
            *output++ = cov_2char[buf_perm[i + 2] & 0x3f];
            *output++ = cov_2char[((buf_perm[i + 1] & 0xf) << 2) |
                                  (buf_perm[i + 2] >> 6)];
            *output++ = cov_2char[((buf_perm[i] & 3) << 4) |
                                  (buf_perm[i + 1] >> 4)];
            *output++ = cov_2char[buf_perm[i] >> 2];
        }
        assert(i == 15);
        *output++ = cov_2char[buf_perm[i] & 0x3f];
        *output++ = cov_2char[buf_perm[i] >> 6];
        *output = 0;
        assert(strlen(out_buf) < sizeof(out_buf));
    }
    return out_buf;
 }
 # endif
 static int do_passwd(int passed_salt, char **salt_p, char **salt_malloc_p,
-                     char *passwd, BIO *out, int quiet, int table,
+	char *passwd, BIO *out,	int quiet, int table, int reverse,
-                     int reverse, size_t pw_maxlen, int usecrypt, int use1,
+	size_t pw_maxlen, int usecrypt, int use1, int useapr1)
-                     int useapr1)
+	{
-{
+	char *hash = NULL;
    char *hash = NULL;
-    assert(salt_p != NULL);
+	assert(salt_p != NULL);
-    assert(salt_malloc_p != NULL);
+	assert(salt_malloc_p != NULL);
-    /* first make sure we have a salt */
+	/* first make sure we have a salt */
-    if (!passed_salt) {
+	if (!passed_salt)
-# ifndef OPENSSL_NO_DES
+		{
-        if (usecrypt) {
+#ifndef OPENSSL_NO_DES
-            if (*salt_malloc_p == NULL) {
+		if (usecrypt)
-                *salt_p = *salt_malloc_p = app_malloc(3, "salt buffer");
+			{
-            }
+			if (*salt_malloc_p == NULL)
-            if (RAND_bytes((unsigned char *)*salt_p, 2) <= 0)
+				{
-                goto end;
+				*salt_p = *salt_malloc_p = OPENSSL_malloc(3);
-            (*salt_p)[0] = cov_2char[(*salt_p)[0] & 0x3f]; /* 6 bits */
+				if (*salt_malloc_p == NULL)
-            (*salt_p)[1] = cov_2char[(*salt_p)[1] & 0x3f]; /* 6 bits */
+					goto err;
-            (*salt_p)[2] = 0;
+				}
-#  ifdef CHARSET_EBCDIC
+			if (RAND_pseudo_bytes((unsigned char *)*salt_p, 2) < 0)
-            ascii2ebcdic(*salt_p, *salt_p, 2); /* des_crypt will convert back
+				goto err;
-                                                * to ASCII */
+			(*salt_p)[0] = cov_2char[(*salt_p)[0] & 0x3f]; /* 6 bits */
-#  endif
+			(*salt_p)[1] = cov_2char[(*salt_p)[1] & 0x3f]; /* 6 bits */
-        }
+			(*salt_p)[2] = 0;
-# endif                         /* !OPENSSL_NO_DES */
+#ifdef CHARSET_EBCDIC
 			ascii2ebcdic(*salt_p, *salt_p, 2); /* des_crypt will convert
 			                                    * back to ASCII */
 #endif
 			}
 #endif /* !OPENSSL_NO_DES */
-# ifndef NO_MD5CRYPT_1
+#ifndef NO_MD5CRYPT_1
-        if (use1 || useapr1) {
+		if (use1 || useapr1)
-            int i;
+			{
 			int i;
 			if (*salt_malloc_p == NULL)
 				{
 				*salt_p = *salt_malloc_p = OPENSSL_malloc(9);
 				if (*salt_malloc_p == NULL)
 					goto err;
 				}
 			if (RAND_pseudo_bytes((unsigned char *)*salt_p, 8) < 0)
 				goto err;
 			for (i = 0; i < 8; i++)
 				(*salt_p)[i] = cov_2char[(*salt_p)[i] & 0x3f]; /* 6 bits */
 			(*salt_p)[8] = 0;
 			}
 #endif /* !NO_MD5CRYPT_1 */
 		}
 	assert(*salt_p != NULL);
 	/* truncate password if necessary */
 	if ((strlen(passwd) > pw_maxlen))
 		{
 		if (!quiet)
 			/* XXX: really we should know how to print a size_t, not cast it */
 			BIO_printf(bio_err, "Warning: truncating password to %u characters\n", (unsigned)pw_maxlen);
 		passwd[pw_maxlen] = 0;
 		}
 	assert(strlen(passwd) <= pw_maxlen);
 	/* now compute password hash */
 #ifndef OPENSSL_NO_DES
 	if (usecrypt)
 		hash = DES_crypt(passwd, *salt_p);
 #endif
 #ifndef NO_MD5CRYPT_1
 	if (use1 || useapr1)
 		hash = md5crypt(passwd, (use1 ? "1" : "apr1"), *salt_p);
 #endif
 	assert(hash != NULL);
-            if (*salt_malloc_p == NULL) {
+	if (table && !reverse)
-                *salt_p = *salt_malloc_p = app_malloc(9, "salt buffer");
+		BIO_printf(out, "%s\t%s\n", passwd, hash);
-            }
+	else if (table && reverse)
-            if (RAND_bytes((unsigned char *)*salt_p, 8) <= 0)
+		BIO_printf(out, "%s\t%s\n", hash, passwd);
-                goto end;
+	else
-
+		BIO_printf(out, "%s\n", hash);
-            for (i = 0; i < 8; i++)
+	return 1;
-                (*salt_p)[i] = cov_2char[(*salt_p)[i] & 0x3f]; /* 6 bits */
+	
-            (*salt_p)[8] = 0;
+err:
-        }
+	return 0;
-# endif                         /* !NO_MD5CRYPT_1 */
+	}
    }
    assert(*salt_p != NULL);
    /* truncate password if necessary */
    if ((strlen(passwd) > pw_maxlen)) {
        if (!quiet)
            /*
             * XXX: really we should know how to print a size_t, not cast it
             */
            BIO_printf(bio_err,
                       "Warning: truncating password to %u characters\n",
                       (unsigned)pw_maxlen);
        passwd[pw_maxlen] = 0;
    }
    assert(strlen(passwd) <= pw_maxlen);
    /* now compute password hash */
 # ifndef OPENSSL_NO_DES
    if (usecrypt)
        hash = DES_crypt(passwd, *salt_p);
 # endif
 # ifndef NO_MD5CRYPT_1
    if (use1 || useapr1)
        hash = md5crypt(passwd, (use1 ? "1" : "apr1"), *salt_p);
 # endif
    assert(hash != NULL);
    if (table && !reverse)
        BIO_printf(out, "%s\t%s\n", passwd, hash);
    else if (table && reverse)
        BIO_printf(out, "%s\t%s\n", hash, passwd);
    else
        BIO_printf(out, "%s\n", hash);
    return 0;
 end:
    return 1;
 }
 #else
-int passwd_main(int argc, char **argv)
+int MAIN(int argc, char **argv)
-{
+	{
-    BIO_printf(bio_err, "Program not available.\n");
+	fputs("Program not available.\n", stderr)
-    return (1);
+	OPENSSL_EXIT(1);
-}
+	}
 #endif
--- a/apps/pca-key.pem
+++ b/apps/pca-key.pem
@@ -1,16 +1,15 @@
-----BEGIN PRIVATE KEY-----
+-----BEGIN RSA PRIVATE KEY-----
-MIICdgIBADANBgkqhkiG9w0BAQEFAASCAmAwggJcAgEAAoGBALYYjjtpLs/lfkPF
+MIICXAIBAAKBgQCdoWk/3+WcMlfjIrkg40ketmnQaEogQe1LLcuOJV6rKfUSAsPg
-xAFZ4V3He5mZFbsEakK9bA2fQaryreRwyfhbXbDJHyBV+c4xI5fbmmVd2t/us4k4
+wgsabJ/wn8TxA1yy3eKJbFl3OiUXMRsp22Jp85PmemiDzyUIStwk72qhp1imbANZ
-rMhGsBtL89SqCEHhPJpLFywiQVmJTAjANYrWkZK5uR/++YmZyzuLfPHLButuK6cF
+vlmlCFKiQrjUyuDfu4TABmn+kkt3vR1YBEOGt+IFye1UBVSATVdRJ2UVhwIDAQAB
-GKXw3NNToxjYooMf0mad2rPX3cKTAgMBAAECgYBvrJ+Nz/Pli9jjt2V9bqHH4Y7r
+AoGAba4fTtuap5l7/8ZsbE7Z1O32KJY4ZcOZukLOLUUhXxXduT+FTgGWujc0/rgc
-o/avuwVv6Ltbn0+mhy4d6w3yQhYzVSTBr/iDe59YglUt1WFl8/4nKZrNOIzHJlav
+z9qYCLlNZHOouMYTgtSfYvuMuLZ11VIt0GYH+nRioLShE59Yy+zCRyC+gPigS1kz
-Sw4hd3fYBHxbT+DgZMQ9ikjHECWRdDffrnlTLsSJAcxnpMJBPe3dKCRDMUrqWUvB
+xvo14AsOIPYV14Tk/SsHyq6E0eTk7VzaIE197giiINUERPECQQDSKmtPTh/lRKw7
-IIKaxyqmXJms5Y/wAQJBAPFL9NMKJcWBftMKXCasxsV0ZGjgqHGZODYjtGFN9jJO
+HSZSM0I1mFWn/1zqrAbontRQY5w98QWIOe5qmzYyFbPXYT3d9BzlsMyhgiRNoBbD
-6AbZrxfCcapTWG4RCC2o/EDEMN8aArEhfdrYY3lhXGsCQQDBMRzFevkD7SYXTw5G
+yvohSHXJAkEAwAHx6ezAZeWWzD5yXD36nyjpkVCw7Tk7TSmOceLJMWt1QcrCfqlS
-NA/gJOAsFMYbt7tebcCRsHT7t3ymVfO2QwK7ZF0f/SYvi7cMAPraHvO7s3kFdGTB
+xA5jjpQ6Z8suU5DdtWAryM2sAir1WisYzwJAd6Zcx56jvAQ3xcPXsE6scBTVFzrj
-kDx5AkAHBICASsFCdzurA5gef9PgFjx9WFtNwnkCChPK6KuKVwUkfdw7wqnvnDDs
+7FqZ6E+cclPzfLQ+QQsyOBE7bpI6e/FJppY26XGZXo3YGzV8IGXrt40oOQJALETG
-Mo6cVVfQwmPxeR4u7JxuavCprQ01AkEAp5ZGAh1J9Jj9CQ1AMbAp8WOrvzGKJTM9
+h86EFXo3qGOFbmsDy4pdP5nBERCu8X1xUCSfintiD4c2DInxgS5oGclnJeMcjTvL
-641Dll4/LLif/d7j2kDJFuvaSMyeGnKVqGkVMq/U+QeYPR4Z5TuM6QJAWK05qFed
+QjQoJCX3UJCi/OUO1QJBAKgcDHWjMvt+l1pjJBsSEZ0HX9AAIIVx0RQmbFGS+F2Q
-wYgTZyVN0MY53ZOMAIWwjz0cr24TvDfmsZqIvguGL616GKQZKdKDZQyQHg+dCzqJ
+hhu5l77WnnZOQ9vvhV5u7NPCUF9nhU3jh60qWWO8mkc=
-HgIoacuFDKz5CA==
+-----END RSA PRIVATE KEY-----
 -----END PRIVATE KEY-----
--- a/apps/pca-req.pem
+++ b/apps/pca-req.pem
@@ -1,11 +1,11 @@
 -----BEGIN CERTIFICATE REQUEST-----
-MIIBnDCCAQUCAQAwXDELMAkGA1UEBhMCQVUxEzARBgNVBAgMClF1ZWVuc2xhbmQx
+MIIBmjCCAQMCAQAwXDELMAkGA1UEBhMCQVUxEzARBgNVBAgTClF1ZWVuc2xhbmQx
-GjAYBgNVBAoMEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYDVQQDDBNUZXN0IFBDQSAo
+GjAYBgNVBAoTEUNyeXB0U29mdCBQdHkgTHRkMRwwGgYDVQQDExNUZXN0IFBDQSAo
-MTAyNCBiaXQpMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQC2GI47aS7P5X5D
+MTAyNCBiaXQpMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCdoWk/3+WcMlfj
-xcQBWeFdx3uZmRW7BGpCvWwNn0Gq8q3kcMn4W12wyR8gVfnOMSOX25plXdrf7rOJ
+Irkg40ketmnQaEogQe1LLcuOJV6rKfUSAsPgwgsabJ/wn8TxA1yy3eKJbFl3OiUX
-OKzIRrAbS/PUqghB4TyaSxcsIkFZiUwIwDWK1pGSubkf/vmJmcs7i3zxywbrbiun
+MRsp22Jp85PmemiDzyUIStwk72qhp1imbANZvlmlCFKiQrjUyuDfu4TABmn+kkt3
-BRil8NzTU6MY2KKDH9Jmndqz193CkwIDAQABoAAwDQYJKoZIhvcNAQELBQADgYEA
+vR1YBEOGt+IFye1UBVSATVdRJ2UVhwIDAQABMA0GCSqGSIb3DQEBBAUAA4GBAEzz
-eJdCB0nHnFK0hek4biAxX0GuJXkknuUy46NKEhv3GBwt4gtO29bfkbQTGOsBBKNs
+IG8NnfpnPTQSCN5zJhOfy6p9AcDyQzuJirYv1HR/qoYWalPh/U2uiK0lAim7qMcv
-KptlnkItscOXY+0lSva9K3XlwD9do7k2IZFtXJVayZVw1GcKybIY0l7B6kcSxG7T
+wOlK3I7A8B7/4dLqvIqgtUj9b1WT8zIrnwdvJI4osLI2BY+c1pVlp174DHLMol1L
-f3CsO+ifdrsJKtyoZNs96lBMrtXyGybt3mgQNdZauQU=
+Cl1e3N5BTm7lCitTYjuUhsw6hiA8IcdNKDo6sktV
 -----END CERTIFICATE REQUEST-----
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
--- a/apps/pkcs7.c
+++ b/apps/pkcs7.c
@@ -1,24 +1,25 @@
 /* apps/pkcs7.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
- *
+ * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
- *
+ * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@@ -33,10 +34,10 @@
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -48,60 +49,12 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
+ * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
 /* ====================================================================
 * Copyright (c) 1999-2015 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 */
 #include <stdio.h>
 #include <stdlib.h>
@@ -115,172 +68,253 @@
 #include <openssl/pkcs7.h>
 #include <openssl/pem.h>
-typedef enum OPTION_choice {
+#undef PROG
-    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+#define PROG	pkcs7_main
    OPT_INFORM, OPT_OUTFORM, OPT_IN, OPT_OUT, OPT_NOOUT,
    OPT_TEXT, OPT_PRINT, OPT_PRINT_CERTS, OPT_ENGINE
 } OPTION_CHOICE;
-OPTIONS pkcs7_options[] = {
+/* -inform arg	- input format - default PEM (DER or PEM)
-    {"help", OPT_HELP, '-', "Display this summary"},
+ * -outform arg - output format - default PEM
-    {"inform", OPT_INFORM, 'F', "Input format - DER or PEM"},
+ * -in arg	- input file - default stdin
-    {"in", OPT_IN, '<', "Input file"},
+ * -out arg	- output file - default stdout
-    {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
+ * -print_certs
-    {"out", OPT_OUT, '>', "Output file"},
+ */
-    {"noout", OPT_NOOUT, '-', "Don't output encoded data"},
+
-    {"text", OPT_TEXT, '-', "Print full details of certificates"},
+int MAIN(int, char **);
-    {"print", OPT_PRINT, '-'},
+
-    {"print_certs", OPT_PRINT_CERTS, '-',
+int MAIN(int argc, char **argv)
-     "Print_certs  print any certs or crl in the input"},
+	{
 	PKCS7 *p7=NULL;
 	int i,badops=0;
 	BIO *in=NULL,*out=NULL;
 	int informat,outformat;
 	char *infile,*outfile,*prog;
 	int print_certs=0,text=0,noout=0,p7_print=0;
 	int ret=1;
 #ifndef OPENSSL_NO_ENGINE
-    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+	char *engine=NULL;
 #endif
    {NULL}
 };
-int pkcs7_main(int argc, char **argv)
+	apps_startup();
 {
    PKCS7 *p7 = NULL;
    BIO *in = NULL, *out = NULL;
    int informat = FORMAT_PEM, outformat = FORMAT_PEM;
    char *infile = NULL, *outfile = NULL, *prog;
    int i, print_certs = 0, text = 0, noout = 0, p7_print = 0, ret = 1;
    OPTION_CHOICE o;
-    prog = opt_init(argc, argv, pkcs7_options);
+	if (bio_err == NULL)
-    while ((o = opt_next()) != OPT_EOF) {
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
-        switch (o) {
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
        case OPT_EOF:
        case OPT_ERR:
 opthelp:
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
        case OPT_HELP:
            opt_help(pkcs7_options);
            ret = 0;
            goto end;
        case OPT_INFORM:
            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
                goto opthelp;
            break;
        case OPT_OUTFORM:
            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
                goto opthelp;
            break;
        case OPT_IN:
            infile = opt_arg();
            break;
        case OPT_OUT:
            outfile = opt_arg();
            break;
        case OPT_NOOUT:
            noout = 1;
            break;
        case OPT_TEXT:
            text = 1;
            break;
        case OPT_PRINT:
            p7_print = 1;
            break;
        case OPT_PRINT_CERTS:
            print_certs = 1;
            break;
        case OPT_ENGINE:
            (void)setup_engine(opt_arg(), 0);
            break;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
-    in = bio_open_default(infile, 'r', informat);
+	if (!load_config(bio_err, NULL))
-    if (in == NULL)
+		goto end;
        goto end;
-    if (informat == FORMAT_ASN1)
+	infile=NULL;
-        p7 = d2i_PKCS7_bio(in, NULL);
+	outfile=NULL;
-    else
+	informat=FORMAT_PEM;
-        p7 = PEM_read_bio_PKCS7(in, NULL, NULL, NULL);
+	outformat=FORMAT_PEM;
    if (p7 == NULL) {
        BIO_printf(bio_err, "unable to load PKCS7 object\n");
        ERR_print_errors(bio_err);
        goto end;
    }
-    out = bio_open_default(outfile, 'w', outformat);
+	prog=argv[0];
-    if (out == NULL)
+	argc--;
-        goto end;
+	argv++;
 	while (argc >= 1)
 		{
 		if 	(strcmp(*argv,"-inform") == 0)
 			{
 			if (--argc < 1) goto bad;
 			informat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-outform") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outformat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-in") == 0)
 			{
 			if (--argc < 1) goto bad;
 			infile= *(++argv);
 			}
 		else if (strcmp(*argv,"-out") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 		else if (strcmp(*argv,"-noout") == 0)
 			noout=1;
 		else if (strcmp(*argv,"-text") == 0)
 			text=1;
 		else if (strcmp(*argv,"-print") == 0)
 			p7_print=1;
 		else if (strcmp(*argv,"-print_certs") == 0)
 			print_certs=1;
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 #endif
 		else
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
 			badops=1;
 			break;
 			}
 		argc--;
 		argv++;
 		}
-    if (p7_print)
+	if (badops)
-        PKCS7_print_ctx(out, p7, 0, NULL);
+		{
 bad:
 		BIO_printf(bio_err,"%s [options] <infile >outfile\n",prog);
 		BIO_printf(bio_err,"where options are\n");
 		BIO_printf(bio_err," -inform arg   input format - DER or PEM\n");
 		BIO_printf(bio_err," -outform arg  output format - DER or PEM\n");
 		BIO_printf(bio_err," -in arg       input file\n");
 		BIO_printf(bio_err," -out arg      output file\n");
 		BIO_printf(bio_err," -print_certs  print any certs or crl in the input\n");
 		BIO_printf(bio_err," -text         print full details of certificates\n");
 		BIO_printf(bio_err," -noout        don't output encoded data\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e     use engine e, possibly a hardware device.\n");
 #endif
 		ret = 1;
 		goto end;
 		}
-    if (print_certs) {
+	ERR_load_crypto_strings();
        STACK_OF(X509) *certs = NULL;
        STACK_OF(X509_CRL) *crls = NULL;
-        i = OBJ_obj2nid(p7->type);
+#ifndef OPENSSL_NO_ENGINE
-        switch (i) {
+        setup_engine(bio_err, engine, 0);
-        case NID_pkcs7_signed:
+#endif
            certs = p7->d.sign->cert;
            crls = p7->d.sign->crl;
            break;
        case NID_pkcs7_signedAndEnveloped:
            certs = p7->d.signed_and_enveloped->cert;
            crls = p7->d.signed_and_enveloped->crl;
            break;
        default:
            break;
        }
-        if (certs != NULL) {
+	in=BIO_new(BIO_s_file());
-            X509 *x;
+	out=BIO_new(BIO_s_file());
 	if ((in == NULL) || (out == NULL))
 		{
 		ERR_print_errors(bio_err);
                goto end;
                }
-            for (i = 0; i < sk_X509_num(certs); i++) {
+	if (infile == NULL)
-                x = sk_X509_value(certs, i);
+		BIO_set_fp(in,stdin,BIO_NOCLOSE);
-                if (text)
+	else
-                    X509_print(out, x);
+		{
-                else
+		if (BIO_read_filename(in,infile) <= 0)
-                    dump_cert_text(out, x);
+		if (in == NULL)
 			{
 			perror(infile);
 			goto end;
 			}
 		}
-                if (!noout)
+	if	(informat == FORMAT_ASN1)
-                    PEM_write_bio_X509(out, x);
+		p7=d2i_PKCS7_bio(in,NULL);
-                BIO_puts(out, "\n");
+	else if (informat == FORMAT_PEM)
-            }
+		p7=PEM_read_bio_PKCS7(in,NULL,NULL,NULL);
-        }
+	else
-        if (crls != NULL) {
+		{
-            X509_CRL *crl;
+		BIO_printf(bio_err,"bad input format specified for pkcs7 object\n");
 		goto end;
 		}
 	if (p7 == NULL)
 		{
 		BIO_printf(bio_err,"unable to load PKCS7 object\n");
 		ERR_print_errors(bio_err);
 		goto end;
 		}
-            for (i = 0; i < sk_X509_CRL_num(crls); i++) {
+	if (outfile == NULL)
-                crl = sk_X509_CRL_value(crls, i);
+		{
 		BIO_set_fp(out,stdout,BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	else
 		{
 		if (BIO_write_filename(out,outfile) <= 0)
 			{
 			perror(outfile);
 			goto end;
 			}
 		}
-                X509_CRL_print(out, crl);
+	if (p7_print)
 		PKCS7_print_ctx(out, p7, 0, NULL);
-                if (!noout)
+	if (print_certs)
-                    PEM_write_bio_X509_CRL(out, crl);
+		{
-                BIO_puts(out, "\n");
+		STACK_OF(X509) *certs=NULL;
-            }
+		STACK_OF(X509_CRL) *crls=NULL;
        }
-        ret = 0;
+		i=OBJ_obj2nid(p7->type);
-        goto end;
+		switch (i)
-    }
+			{
 		case NID_pkcs7_signed:
 			certs=p7->d.sign->cert;
 			crls=p7->d.sign->crl;
 			break;
 		case NID_pkcs7_signedAndEnveloped:
 			certs=p7->d.signed_and_enveloped->cert;
 			crls=p7->d.signed_and_enveloped->crl;
 			break;
 		default:
 			break;
 			}
-    if (!noout) {
+		if (certs != NULL)
-        if (outformat == FORMAT_ASN1)
+			{
-            i = i2d_PKCS7_bio(out, p7);
+			X509 *x;
        else
            i = PEM_write_bio_PKCS7(out, p7);
-        if (!i) {
+			for (i=0; i<sk_X509_num(certs); i++)
-            BIO_printf(bio_err, "unable to write pkcs7 object\n");
+				{
-            ERR_print_errors(bio_err);
+				x=sk_X509_value(certs,i);
-            goto end;
+				if(text) X509_print(out, x);
-        }
+				else dump_cert_text(out, x);
-    }
+
-    ret = 0;
+				if(!noout) PEM_write_bio_X509(out,x);
- end:
+				BIO_puts(out,"\n");
-    PKCS7_free(p7);
+				}
-    BIO_free(in);
+			}
-    BIO_free_all(out);
+		if (crls != NULL)
-    return (ret);
+			{
-}
+			X509_CRL *crl;
 			for (i=0; i<sk_X509_CRL_num(crls); i++)
 				{
 				crl=sk_X509_CRL_value(crls,i);
 				X509_CRL_print(out, crl);
 				if(!noout)PEM_write_bio_X509_CRL(out,crl);
 				BIO_puts(out,"\n");
 				}
 			}
 		ret=0;
 		goto end;
 		}
 	if(!noout) {
 		if 	(outformat == FORMAT_ASN1)
 			i=i2d_PKCS7_bio(out,p7);
 		else if (outformat == FORMAT_PEM)
 			i=PEM_write_bio_PKCS7(out,p7);
 		else	{
 			BIO_printf(bio_err,"bad output format specified for outfile\n");
 			goto end;
 			}
 		if (!i)
 			{
 			BIO_printf(bio_err,"unable to write pkcs7 object\n");
 			ERR_print_errors(bio_err);
 			goto end;
 			}
 	}
 	ret=0;
 end:
 	if (p7 != NULL) PKCS7_free(p7);
 	if (in != NULL) BIO_free(in);
 	if (out != NULL) BIO_free_all(out);
 	apps_shutdown();
 	OPENSSL_EXIT(ret);
 	}
--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@@ -1,6 +1,6 @@
-/*
+/* pkcs8.c */
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * 1999-2004.
+ * project 1999-2004.
 */
 /* ====================================================================
 * Copyright (c) 1999 The OpenSSL Project.  All rights reserved.
@@ -10,7 +10,7 @@
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
+ *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
@@ -56,7 +56,6 @@
 *
 */
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include "apps.h"
 #include <openssl/pem.h>
@@ -64,346 +63,377 @@
 #include <openssl/evp.h>
 #include <openssl/pkcs12.h>
-typedef enum OPTION_choice {
+#define PROG pkcs8_main
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT,
    OPT_TOPK8, OPT_NOITER, OPT_NOCRYPT, OPT_NOOCT, OPT_NSDB, OPT_EMBED,
 #ifndef OPENSSL_NO_SCRYPT
    OPT_SCRYPT, OPT_SCRYPT_N, OPT_SCRYPT_R, OPT_SCRYPT_P,
 #endif
    OPT_V2, OPT_V1, OPT_V2PRF, OPT_ITER, OPT_PASSIN, OPT_PASSOUT
 } OPTION_CHOICE;
-OPTIONS pkcs8_options[] = {
+int MAIN(int, char **);
-    {"help", OPT_HELP, '-', "Display this summary"},
+
-    {"inform", OPT_INFORM, 'F', "Input format (DER or PEM)"},
+int MAIN(int argc, char **argv)
-    {"outform", OPT_OUTFORM, 'F', "Output format (DER or PEM)"},
+	{
-    {"in", OPT_IN, '<', "Input file"},
+	ENGINE *e = NULL;
-    {"out", OPT_OUT, '>', "Output file"},
+	char **args, *infile = NULL, *outfile = NULL;
-    {"topk8", OPT_TOPK8, '-', "Output PKCS8 file"},
+	char *passargin = NULL, *passargout = NULL;
-    {"noiter", OPT_NOITER, '-', "Use 1 as iteration count"},
+	BIO *in = NULL, *out = NULL;
-    {"nocrypt", OPT_NOCRYPT, '-', "Use or expect unencrypted private key"},
+	int topk8 = 0;
-    {"nooct", OPT_NOOCT, '-', "Use (nonstandard) no octet format"},
+	int pbe_nid = -1;
-    {"nsdb", OPT_NSDB, '-', "Use (nonstandard) DSA Netscape DB format"},
+	const EVP_CIPHER *cipher = NULL;
-    {"embed", OPT_EMBED, '-',
+	int iter = PKCS12_DEFAULT_ITER;
-     "Use (nonstandard) embedded DSA parameters format"},
+	int informat, outformat;
-    {"v2", OPT_V2, 's', "Use PKCS#5 v2.0 and cipher"},
+	int p8_broken = PKCS8_OK;
-    {"v1", OPT_V1, 's', "Use PKCS#5 v1.5 and cipher"},
+	int nocrypt = 0;
-    {"v2prf", OPT_V2PRF, 's'},
+	X509_SIG *p8 = NULL;
-    {"iter", OPT_ITER, 'p', "Specify the iteration count"},
+	PKCS8_PRIV_KEY_INFO *p8inf = NULL;
-    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
+	EVP_PKEY *pkey=NULL;
-    {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
+	char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL;
 	int badarg = 0;
 	int ret = 1;
 #ifndef OPENSSL_NO_ENGINE
-    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+	char *engine=NULL;
 #endif
 #ifndef OPENSSL_NO_SCRYPT
    {"scrypt", OPT_SCRYPT, '-', "Use scrypt algorithm"},
    {"scrypt_N", OPT_SCRYPT_N, 's', "Set scrypt N parameter"},
    {"scrypt_r", OPT_SCRYPT_R, 's', "Set scrypt r parameter"},
    {"scrypt_p", OPT_SCRYPT_P, 's', "Set scrypt p parameter"},
 #endif
    {NULL}
 };
 int pkcs8_main(int argc, char **argv)
 {
    BIO *in = NULL, *out = NULL;
    ENGINE *e = NULL;
    EVP_PKEY *pkey = NULL;
    PKCS8_PRIV_KEY_INFO *p8inf = NULL;
    X509_SIG *p8 = NULL;
    const EVP_CIPHER *cipher = NULL;
    char *infile = NULL, *outfile = NULL;
    char *passinarg = NULL, *passoutarg = NULL, *prog;
    char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL;
    OPTION_CHOICE o;
    int nocrypt = 0, ret = 1, iter = PKCS12_DEFAULT_ITER, p8_broken = PKCS8_OK;
    int informat = FORMAT_PEM, outformat = FORMAT_PEM, topk8 = 0, pbe_nid = -1;
    int private = 0;
 #ifndef OPENSSL_NO_SCRYPT
    long scrypt_N = 0, scrypt_r = 0, scrypt_p = 0;
 #endif
-    prog = opt_init(argc, argv, pkcs8_options);
+	if (bio_err == NULL) bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
-    while ((o = opt_next()) != OPT_EOF) {
+
-        switch (o) {
+	if (!load_config(bio_err, NULL))
-        case OPT_EOF:
+		goto end;
-        case OPT_ERR:
+
- opthelp:
+	informat=FORMAT_PEM;
-            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+	outformat=FORMAT_PEM;
-            goto end;
+
-        case OPT_HELP:
+	ERR_load_crypto_strings();
-            opt_help(pkcs8_options);
+	OpenSSL_add_all_algorithms();
-            ret = 0;
+	args = argv + 1;
-            goto end;
+	while (!badarg && *args && *args[0] == '-')
-        case OPT_INFORM:
+		{
-            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
+		if (!strcmp(*args,"-v2"))
-                goto opthelp;
+			{
-            break;
+			if (args[1])
-        case OPT_IN:
+				{
-            infile = opt_arg();
+				args++;
-            break;
+				cipher=EVP_get_cipherbyname(*args);
-        case OPT_OUTFORM:
+				if (!cipher)
-            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
+					{
-                goto opthelp;
+					BIO_printf(bio_err,
-            break;
+						 "Unknown cipher %s\n", *args);
-        case OPT_OUT:
+					badarg = 1;
-            outfile = opt_arg();
+					}
-            break;
+				}
-        case OPT_TOPK8:
+			else
-            topk8 = 1;
+				badarg = 1;
-            break;
+			}
-        case OPT_NOITER:
+		else if (!strcmp(*args,"-v1"))
-            iter = 1;
+			{
-            break;
+			if (args[1])
-        case OPT_NOCRYPT:
+				{
-            nocrypt = 1;
+				args++;
-            break;
+				pbe_nid=OBJ_txt2nid(*args);
-        case OPT_NOOCT:
+				if (pbe_nid == NID_undef)
-            p8_broken = PKCS8_NO_OCTET;
+					{
-            break;
+					BIO_printf(bio_err,
-        case OPT_NSDB:
+						 "Unknown PBE algorithm %s\n", *args);
-            p8_broken = PKCS8_NS_DB;
+					badarg = 1;
-            break;
+					}
-        case OPT_EMBED:
+				}
-            p8_broken = PKCS8_EMBEDDED_PARAM;
+			else
-            break;
+				badarg = 1;
-        case OPT_V2:
+			}
-            if (!opt_cipher(opt_arg(), &cipher))
+		else if (!strcmp(*args,"-inform"))
-                goto opthelp;
+			{
-            break;
+			if (args[1])
-        case OPT_V1:
+				{
-            pbe_nid = OBJ_txt2nid(opt_arg());
+				args++;
-            if (pbe_nid == NID_undef) {
+				informat=str2fmt(*args);
-                BIO_printf(bio_err,
+				}
-                           "%s: Unknown PBE algorithm %s\n", prog, opt_arg());
+			else badarg = 1;
-                goto opthelp;
+			}
-            }
+		else if (!strcmp(*args,"-outform"))
-            break;
+			{
-        case OPT_V2PRF:
+			if (args[1])
-            pbe_nid = OBJ_txt2nid(opt_arg());
+				{
-            if (!EVP_PBE_find(EVP_PBE_TYPE_PRF, pbe_nid, NULL, NULL, 0)) {
+				args++;
-                BIO_printf(bio_err,
+				outformat=str2fmt(*args);
-                           "%s: Unknown PRF algorithm %s\n", prog, opt_arg());
+				}
-                goto opthelp;
+			else badarg = 1;
-            }
+			}
-            break;
+		else if (!strcmp (*args, "-topk8"))
-        case OPT_ITER:
+			topk8 = 1;
-            if (!opt_int(opt_arg(), &iter))
+		else if (!strcmp (*args, "-noiter"))
-                goto opthelp;
+			iter = 1;
-            break;
+		else if (!strcmp (*args, "-nocrypt"))
-        case OPT_PASSIN:
+			nocrypt = 1;
-            passinarg = opt_arg();
+		else if (!strcmp (*args, "-nooct"))
-            break;
+			p8_broken = PKCS8_NO_OCTET;
-        case OPT_PASSOUT:
+		else if (!strcmp (*args, "-nsdb"))
-            passoutarg = opt_arg();
+			p8_broken = PKCS8_NS_DB;
-            break;
+		else if (!strcmp (*args, "-embed"))
-        case OPT_ENGINE:
+			p8_broken = PKCS8_EMBEDDED_PARAM;
-            e = setup_engine(opt_arg(), 0);
+		else if (!strcmp(*args,"-passin"))
-            break;
+			{
-#ifndef OPENSSL_NO_SCRYPT
+			if (!args[1]) goto bad;
-        case OPT_SCRYPT:
+			passargin= *(++args);
-            scrypt_N = 1024;
+			}
-            scrypt_r = 8;
+		else if (!strcmp(*args,"-passout"))
-            scrypt_p = 16;
+			{
-            if (cipher == NULL)
+			if (!args[1]) goto bad;
-                cipher = EVP_aes_256_cbc();
+			passargout= *(++args);
-            break;
+			}
-        case OPT_SCRYPT_N:
+#ifndef OPENSSL_NO_ENGINE
-            if (!opt_long(opt_arg(), &scrypt_N) || scrypt_N <= 0)
+		else if (strcmp(*args,"-engine") == 0)
-                goto opthelp;
+			{
-            break;
+			if (!args[1]) goto bad;
-        case OPT_SCRYPT_R:
+			engine= *(++args);
-            if (!opt_long(opt_arg(), &scrypt_r) || scrypt_r <= 0)
+			}
                goto opthelp;
            break;
        case OPT_SCRYPT_P:
            if (!opt_long(opt_arg(), &scrypt_p) || scrypt_p <= 0)
                goto opthelp;
            break;
 #endif
-        }
+		else if (!strcmp (*args, "-in"))
-    }
+			{
-    argc = opt_num_rest();
+			if (args[1])
-    argv = opt_rest();
+				{
-    private = 1;
+				args++;
 				infile = *args;
 				}
 			else badarg = 1;
 			}
 		else if (!strcmp (*args, "-out"))
 			{
 			if (args[1])
 				{
 				args++;
 				outfile = *args;
 				}
 			else badarg = 1;
 			}
 		else badarg = 1;
 		args++;
 		}
-    if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
+	if (badarg)
-        BIO_printf(bio_err, "Error getting passwords\n");
+		{
-        goto end;
+		bad:
-    }
+		BIO_printf(bio_err, "Usage pkcs8 [options]\n");
-
+		BIO_printf(bio_err, "where options are\n");
-    if ((pbe_nid == -1) && !cipher)
+		BIO_printf(bio_err, "-in file        input file\n");
-        pbe_nid = NID_pbeWithMD5AndDES_CBC;
+		BIO_printf(bio_err, "-inform X       input format (DER or PEM)\n");
-
+		BIO_printf(bio_err, "-passin arg     input file pass phrase source\n");
-    in = bio_open_default(infile, 'r', informat);
+		BIO_printf(bio_err, "-outform X      output format (DER or PEM)\n");
-    if (in == NULL)
+		BIO_printf(bio_err, "-out file       output file\n");
-        goto end;
+		BIO_printf(bio_err, "-passout arg    output file pass phrase source\n");
-    out = bio_open_owner(outfile, outformat, private);
+		BIO_printf(bio_err, "-topk8          output PKCS8 file\n");
-    if (out == NULL)
+		BIO_printf(bio_err, "-nooct          use (nonstandard) no octet format\n");
-        goto end;
+		BIO_printf(bio_err, "-embed          use (nonstandard) embedded DSA parameters format\n");
-
+		BIO_printf(bio_err, "-nsdb           use (nonstandard) DSA Netscape DB format\n");
-    if (topk8) {
+		BIO_printf(bio_err, "-noiter         use 1 as iteration count\n");
-        pkey = load_key(infile, informat, 1, passin, e, "key");
+		BIO_printf(bio_err, "-nocrypt        use or expect unencrypted private key\n");
-        if (!pkey)
+		BIO_printf(bio_err, "-v2 alg         use PKCS#5 v2.0 and cipher \"alg\"\n");
-            goto end;
+		BIO_printf(bio_err, "-v1 obj         use PKCS#5 v1.5 and cipher \"alg\"\n");
-        if ((p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken)) == NULL) {
+#ifndef OPENSSL_NO_ENGINE
-            BIO_printf(bio_err, "Error converting key\n");
+		BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
            ERR_print_errors(bio_err);
            goto end;
        }
        if (nocrypt) {
            assert(private);
            if (outformat == FORMAT_PEM)
                PEM_write_bio_PKCS8_PRIV_KEY_INFO(out, p8inf);
            else if (outformat == FORMAT_ASN1)
                i2d_PKCS8_PRIV_KEY_INFO_bio(out, p8inf);
            else {
                BIO_printf(bio_err, "Bad format specified for key\n");
                goto end;
            }
        } else {
            X509_ALGOR *pbe;
            if (cipher) {
 #ifndef OPENSSL_NO_SCRYPT
                if (scrypt_N && scrypt_r && scrypt_p)
                    pbe = PKCS5_pbe2_set_scrypt(cipher, NULL, 0, NULL,
                                                scrypt_N, scrypt_r, scrypt_p);
                else
 #endif
-                    pbe = PKCS5_pbe2_set_iv(cipher, iter, NULL, 0, NULL,
+		goto end;
-                                            pbe_nid);
+		}
            } else {
                pbe = PKCS5_pbe_set(pbe_nid, iter, NULL, 0);
            }
            if (pbe == NULL) {
                BIO_printf(bio_err, "Error setting PBE algorithm\n");
                ERR_print_errors(bio_err);
                goto end;
            }
            if (passout)
                p8pass = passout;
            else {
                p8pass = pass;
                if (EVP_read_pw_string
                    (pass, sizeof pass, "Enter Encryption Password:", 1)) {
                    X509_ALGOR_free(pbe);
                    goto end;
                }
            }
            app_RAND_load_file(NULL, 0);
            p8 = PKCS8_set0_pbe(p8pass, strlen(p8pass), p8inf, pbe);
            if (p8 == NULL) {
                X509_ALGOR_free(pbe);
                BIO_printf(bio_err, "Error encrypting key\n");
                ERR_print_errors(bio_err);
                goto end;
            }
            app_RAND_write_file(NULL);
            assert(private);
            if (outformat == FORMAT_PEM)
                PEM_write_bio_PKCS8(out, p8);
            else if (outformat == FORMAT_ASN1)
                i2d_PKCS8_bio(out, p8);
            else {
                BIO_printf(bio_err, "Bad format specified for key\n");
                goto end;
            }
        }
-        ret = 0;
+#ifndef OPENSSL_NO_ENGINE
-        goto end;
+        e = setup_engine(bio_err, engine, 0);
-    }
+#endif
-    if (nocrypt) {
+	if (!app_passwd(bio_err, passargin, passargout, &passin, &passout))
-        if (informat == FORMAT_PEM)
+		{
-            p8inf = PEM_read_bio_PKCS8_PRIV_KEY_INFO(in, NULL, NULL, NULL);
+		BIO_printf(bio_err, "Error getting passwords\n");
-        else if (informat == FORMAT_ASN1)
+		goto end;
-            p8inf = d2i_PKCS8_PRIV_KEY_INFO_bio(in, NULL);
+		}
        else {
            BIO_printf(bio_err, "Bad format specified for key\n");
            goto end;
        }
    } else {
        if (informat == FORMAT_PEM)
            p8 = PEM_read_bio_PKCS8(in, NULL, NULL, NULL);
        else if (informat == FORMAT_ASN1)
            p8 = d2i_PKCS8_bio(in, NULL);
        else {
            BIO_printf(bio_err, "Bad format specified for key\n");
            goto end;
        }
-        if (!p8) {
+	if ((pbe_nid == -1) && !cipher)
-            BIO_printf(bio_err, "Error reading key\n");
+		pbe_nid = NID_pbeWithMD5AndDES_CBC;
            ERR_print_errors(bio_err);
            goto end;
        }
        if (passin)
            p8pass = passin;
        else {
            p8pass = pass;
            EVP_read_pw_string(pass, sizeof pass, "Enter Password:", 0);
        }
        p8inf = PKCS8_decrypt(p8, p8pass, strlen(p8pass));
    }
-    if (!p8inf) {
+	if (infile)
-        BIO_printf(bio_err, "Error decrypting key\n");
+		{
-        ERR_print_errors(bio_err);
+		if (!(in = BIO_new_file(infile, "rb")))
-        goto end;
+			{
-    }
+			BIO_printf(bio_err,
 				 "Can't open input file %s\n", infile);
 			goto end;
 			}
 		}
 	else
 		in = BIO_new_fp (stdin, BIO_NOCLOSE);
-    if ((pkey = EVP_PKCS82PKEY(p8inf)) == NULL) {
+	if (outfile)
-        BIO_printf(bio_err, "Error converting key\n");
+		{
-        ERR_print_errors(bio_err);
+		if (!(out = BIO_new_file (outfile, "wb")))
-        goto end;
+			{
-    }
+			BIO_printf(bio_err,
 				 "Can't open output file %s\n", outfile);
 			goto end;
 			}
 		}
 	else
 		{
 		out = BIO_new_fp (stdout, BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 			{
 			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 			out = BIO_push(tmpbio, out);
 			}
 #endif
 		}
 	if (topk8)
 		{
 		pkey = load_key(bio_err, infile, informat, 1,
 			passin, e, "key");
 		if (!pkey)
 			goto end;
 		if (!(p8inf = EVP_PKEY2PKCS8_broken(pkey, p8_broken)))
 			{
 			BIO_printf(bio_err, "Error converting key\n");
 			ERR_print_errors(bio_err);
 			goto end;
 			}
 		if (nocrypt)
 			{
 			if (outformat == FORMAT_PEM) 
 				PEM_write_bio_PKCS8_PRIV_KEY_INFO(out, p8inf);
 			else if (outformat == FORMAT_ASN1)
 				i2d_PKCS8_PRIV_KEY_INFO_bio(out, p8inf);
 			else
 				{
 				BIO_printf(bio_err, "Bad format specified for key\n");
 				goto end;
 				}
 			}
 		else
 			{
 			if (passout)
 				p8pass = passout;
 			else
 				{
 				p8pass = pass;
 				if (EVP_read_pw_string(pass, sizeof pass, "Enter Encryption Password:", 1))
 					goto end;
 				}
 			app_RAND_load_file(NULL, bio_err, 0);
 			if (!(p8 = PKCS8_encrypt(pbe_nid, cipher,
 					p8pass, strlen(p8pass),
 					NULL, 0, iter, p8inf)))
 				{
 				BIO_printf(bio_err, "Error encrypting key\n");
 				ERR_print_errors(bio_err);
 				goto end;
 				}
 			app_RAND_write_file(NULL, bio_err);
 			if (outformat == FORMAT_PEM) 
 				PEM_write_bio_PKCS8(out, p8);
 			else if (outformat == FORMAT_ASN1)
 				i2d_PKCS8_bio(out, p8);
 			else
 				{
 				BIO_printf(bio_err, "Bad format specified for key\n");
 				goto end;
 				}
 			}
-    if (p8inf->broken) {
+		ret = 0;
-        BIO_printf(bio_err, "Warning: broken key encoding: ");
+		goto end;
-        switch (p8inf->broken) {
+		}
        case PKCS8_NO_OCTET:
            BIO_printf(bio_err, "No Octet String in PrivateKey\n");
            break;
-        case PKCS8_EMBEDDED_PARAM:
+	if (nocrypt)
-            BIO_printf(bio_err, "DSA parameters included in PrivateKey\n");
+		{
-            break;
+		if (informat == FORMAT_PEM) 
 			p8inf = PEM_read_bio_PKCS8_PRIV_KEY_INFO(in,NULL,NULL, NULL);
 		else if (informat == FORMAT_ASN1)
 			p8inf = d2i_PKCS8_PRIV_KEY_INFO_bio(in, NULL);
 		else
 			{
 			BIO_printf(bio_err, "Bad format specified for key\n");
 			goto end;
 			}
 		}
 	else
 		{
 		if (informat == FORMAT_PEM) 
 			p8 = PEM_read_bio_PKCS8(in, NULL, NULL, NULL);
 		else if (informat == FORMAT_ASN1)
 			p8 = d2i_PKCS8_bio(in, NULL);
 		else
 			{
 			BIO_printf(bio_err, "Bad format specified for key\n");
 			goto end;
 			}
-        case PKCS8_NS_DB:
+		if (!p8)
-            BIO_printf(bio_err, "DSA public key include in PrivateKey\n");
+			{
-            break;
+			BIO_printf (bio_err, "Error reading key\n");
 			ERR_print_errors(bio_err);
 			goto end;
 			}
 		if (passin)
 			p8pass = passin;
 		else
 			{
 			p8pass = pass;
 			EVP_read_pw_string(pass, sizeof pass, "Enter Password:", 0);
 			}
 		p8inf = PKCS8_decrypt(p8, p8pass, strlen(p8pass));
 		}
-        case PKCS8_NEG_PRIVKEY:
+	if (!p8inf)
-            BIO_printf(bio_err, "DSA private key value is negative\n");
+		{
-            break;
+		BIO_printf(bio_err, "Error decrypting key\n");
 		ERR_print_errors(bio_err);
 		goto end;
 		}
-        default:
+	if (!(pkey = EVP_PKCS82PKEY(p8inf)))
-            BIO_printf(bio_err, "Unknown broken type\n");
+		{
-            break;
+		BIO_printf(bio_err, "Error converting key\n");
-        }
+		ERR_print_errors(bio_err);
-    }
+		goto end;
 		}
 	if (p8inf->broken)
 		{
 		BIO_printf(bio_err, "Warning: broken key encoding: ");
 		switch (p8inf->broken)
 			{
 			case PKCS8_NO_OCTET:
 			BIO_printf(bio_err, "No Octet String in PrivateKey\n");
 			break;
-    assert(private);
+			case PKCS8_EMBEDDED_PARAM:
-    if (outformat == FORMAT_PEM)
+			BIO_printf(bio_err, "DSA parameters included in PrivateKey\n");
-        PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, passout);
+			break;
    else if (outformat == FORMAT_ASN1)
        i2d_PrivateKey_bio(out, pkey);
    else {
        BIO_printf(bio_err, "Bad format specified for key\n");
        goto end;
    }
    ret = 0;
- end:
+			case PKCS8_NS_DB:
-    X509_SIG_free(p8);
+			BIO_printf(bio_err, "DSA public key include in PrivateKey\n");
-    PKCS8_PRIV_KEY_INFO_free(p8inf);
+			break;
    EVP_PKEY_free(pkey);
    BIO_free_all(out);
    BIO_free(in);
    OPENSSL_free(passin);
    OPENSSL_free(passout);
-    return ret;
+			case PKCS8_NEG_PRIVKEY:
-}
+			BIO_printf(bio_err, "DSA private key value is negative\n");
 			break;
 			default:
 			BIO_printf(bio_err, "Unknown broken type\n");
 			break;
 		}
 	}
 	if (outformat == FORMAT_PEM) 
 		PEM_write_bio_PrivateKey(out, pkey, NULL, NULL, 0, NULL, passout);
 	else if (outformat == FORMAT_ASN1)
 		i2d_PrivateKey_bio(out, pkey);
 	else
 		{
 		BIO_printf(bio_err, "Bad format specified for key\n");
 			goto end;
 		}
 	ret = 0;
 	end:
 	X509_SIG_free(p8);
 	PKCS8_PRIV_KEY_INFO_free(p8inf);
 	EVP_PKEY_free(pkey);
 	BIO_free_all(out);
 	BIO_free(in);
 	if (passin)
 		OPENSSL_free(passin);
 	if (passout)
 		OPENSSL_free(passout);
 	return ret;
 	}
--- a/apps/pkey.c
+++ b/apps/pkey.c
@@ -1,6 +1,6 @@
-/*
+/* apps/pkey.c */
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * 2006
+ * project 2006
 */
 /* ====================================================================
 * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
@@ -10,7 +10,7 @@
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
+ *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
@@ -62,164 +62,223 @@
 #include <openssl/err.h>
 #include <openssl/evp.h>
-typedef enum OPTION_choice {
+#define PROG pkey_main
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_INFORM, OPT_OUTFORM, OPT_PASSIN, OPT_PASSOUT, OPT_ENGINE,
    OPT_IN, OPT_OUT, OPT_PUBIN, OPT_PUBOUT, OPT_TEXT_PUB,
    OPT_TEXT, OPT_NOOUT, OPT_MD
 } OPTION_CHOICE;
-OPTIONS pkey_options[] = {
+int MAIN(int, char **);
-    {"help", OPT_HELP, '-', "Display this summary"},
+
-    {"inform", OPT_INFORM, 'F', "Input format (DER or PEM)"},
+int MAIN(int argc, char **argv)
-    {"outform", OPT_OUTFORM, 'F', "Output format (DER or PEM)"},
+	{
-    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
+	ENGINE *e = NULL;
-    {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
+	char **args, *infile = NULL, *outfile = NULL;
-    {"in", OPT_IN, '<', "Input file"},
+	char *passargin = NULL, *passargout = NULL;
-    {"out", OPT_OUT, '>', "Output file"},
+	BIO *in = NULL, *out = NULL;
-    {"pubin", OPT_PUBIN, '-',
+	const EVP_CIPHER *cipher = NULL;
-     "Read public key from input (default is private key)"},
+	int informat, outformat;
-    {"pubout", OPT_PUBOUT, '-', "Output public key, not private"},
+	int pubin = 0, pubout = 0, pubtext = 0, text = 0, noout = 0;
-    {"text_pub", OPT_TEXT_PUB, '-', "Only output public key components"},
+	EVP_PKEY *pkey=NULL;
-    {"text", OPT_TEXT, '-', "Output in plaintext as well"},
+	char *passin = NULL, *passout = NULL;
-    {"noout", OPT_NOOUT, '-', "Don't output the key"},
+	int badarg = 0;
    {"", OPT_MD, '-', "Any supported cipher"},
 #ifndef OPENSSL_NO_ENGINE
-    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+	char *engine=NULL;
 #endif
-    {NULL}
+	int ret = 1;
 };
-int pkey_main(int argc, char **argv)
+	if (bio_err == NULL)
-{
+		bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
    BIO *in = NULL, *out = NULL;
    ENGINE *e = NULL;
    EVP_PKEY *pkey = NULL;
    const EVP_CIPHER *cipher = NULL;
    char *infile = NULL, *outfile = NULL, *passin = NULL, *passout = NULL;
    char *passinarg = NULL, *passoutarg = NULL, *prog;
    OPTION_CHOICE o;
    int informat = FORMAT_PEM, outformat = FORMAT_PEM;
    int pubin = 0, pubout = 0, pubtext = 0, text = 0, noout = 0, ret = 1;
    int private = 0;
-    prog = opt_init(argc, argv, pkey_options);
+	if (!load_config(bio_err, NULL))
-    while ((o = opt_next()) != OPT_EOF) {
+		goto end;
        switch (o) {
        case OPT_EOF:
        case OPT_ERR:
 opthelp:
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
        case OPT_HELP:
            opt_help(pkey_options);
            ret = 0;
            goto end;
        case OPT_INFORM:
            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
                goto opthelp;
            break;
        case OPT_OUTFORM:
            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &outformat))
                goto opthelp;
            break;
        case OPT_PASSIN:
            passinarg = opt_arg();
            break;
        case OPT_PASSOUT:
            passoutarg = opt_arg();
            break;
        case OPT_ENGINE:
            e = setup_engine(opt_arg(), 0);
            break;
        case OPT_IN:
            infile = opt_arg();
            break;
        case OPT_OUT:
            outfile = opt_arg();
            break;
        case OPT_PUBIN:
            pubin = pubout = pubtext = 1;
            break;
        case OPT_PUBOUT:
            pubout = 1;
            break;
        case OPT_TEXT_PUB:
            pubtext = text = 1;
            break;
        case OPT_TEXT:
            text = 1;
            break;
        case OPT_NOOUT:
            noout = 1;
            break;
        case OPT_MD:
            if (!opt_cipher(opt_unknown(), &cipher))
                goto opthelp;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
    private = !noout && !pubout ? 1 : 0;
    if (text && !pubtext)
        private = 1;
-    if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
+	informat=FORMAT_PEM;
-        BIO_printf(bio_err, "Error getting passwords\n");
+	outformat=FORMAT_PEM;
        goto end;
    }
-    out = bio_open_owner(outfile, outformat, private);
+	ERR_load_crypto_strings();
-    if (out == NULL)
+	OpenSSL_add_all_algorithms();
-        goto end;
+	args = argv + 1;
 	while (!badarg && *args && *args[0] == '-')
 		{
 		if (!strcmp(*args,"-inform"))
 			{
 			if (args[1])
 				{
 				args++;
 				informat=str2fmt(*args);
 				}
 			else badarg = 1;
 			}
 		else if (!strcmp(*args,"-outform"))
 			{
 			if (args[1])
 				{
 				args++;
 				outformat=str2fmt(*args);
 				}
 			else badarg = 1;
 			}
 		else if (!strcmp(*args,"-passin"))
 			{
 			if (!args[1]) goto bad;
 			passargin= *(++args);
 			}
 		else if (!strcmp(*args,"-passout"))
 			{
 			if (!args[1]) goto bad;
 			passargout= *(++args);
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*args,"-engine") == 0)
 			{
 			if (!args[1]) goto bad;
 			engine= *(++args);
 			}
 #endif
 		else if (!strcmp (*args, "-in"))
 			{
 			if (args[1])
 				{
 				args++;
 				infile = *args;
 				}
 			else badarg = 1;
 			}
 		else if (!strcmp (*args, "-out"))
 			{
 			if (args[1])
 				{
 				args++;
 				outfile = *args;
 				}
 			else badarg = 1;
 			}
 		else if (strcmp(*args,"-pubin") == 0)
 			{
 			pubin=1;
 			pubout=1;
 			pubtext=1;
 			}
 		else if (strcmp(*args,"-pubout") == 0)
 			pubout=1;
 		else if (strcmp(*args,"-text_pub") == 0)
 			{
 			pubtext=1;
 			text=1;
 			}
 		else if (strcmp(*args,"-text") == 0)
 			text=1;
 		else if (strcmp(*args,"-noout") == 0)
 			noout=1;
 		else
 			{
 			cipher = EVP_get_cipherbyname(*args + 1);
 			if (!cipher)
 				{
 				BIO_printf(bio_err, "Unknown cipher %s\n",
 								*args + 1);
 				badarg = 1;
 				}
 			}
 		args++;
 		}
-    if (pubin)
+	if (badarg)
-        pkey = load_pubkey(infile, informat, 1, passin, e, "Public Key");
+		{
-    else
+		bad:
-        pkey = load_key(infile, informat, 1, passin, e, "key");
+		BIO_printf(bio_err, "Usage pkey [options]\n");
-    if (!pkey)
+		BIO_printf(bio_err, "where options are\n");
-        goto end;
+		BIO_printf(bio_err, "-in file        input file\n");
 		BIO_printf(bio_err, "-inform X       input format (DER or PEM)\n");
 		BIO_printf(bio_err, "-passin arg     input file pass phrase source\n");
 		BIO_printf(bio_err, "-outform X      output format (DER or PEM)\n");
 		BIO_printf(bio_err, "-out file       output file\n");
 		BIO_printf(bio_err, "-passout arg    output file pass phrase source\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err, "-engine e       use engine e, possibly a hardware device.\n");
 #endif
 		return 1;
 		}
-    if (!noout) {
+#ifndef OPENSSL_NO_ENGINE
-        if (outformat == FORMAT_PEM) {
+        e = setup_engine(bio_err, engine, 0);
-            if (pubout)
+#endif
                PEM_write_bio_PUBKEY(out, pkey);
            else {
                assert(private);
                PEM_write_bio_PrivateKey(out, pkey, cipher,
                                         NULL, 0, NULL, passout);
            }
        } else if (outformat == FORMAT_ASN1) {
            if (pubout)
                i2d_PUBKEY_bio(out, pkey);
            else {
                assert(private);
                i2d_PrivateKey_bio(out, pkey);
            }
        } else {
            BIO_printf(bio_err, "Bad format specified for key\n");
            goto end;
        }
-    }
+	if (!app_passwd(bio_err, passargin, passargout, &passin, &passout))
 		{
 		BIO_printf(bio_err, "Error getting passwords\n");
 		goto end;
 		}
-    if (text) {
+	if (outfile)
-        if (pubtext)
+		{
-            EVP_PKEY_print_public(out, pkey, 0, NULL);
+		if (!(out = BIO_new_file (outfile, "wb")))
-        else {
+			{
-            assert(private);
+			BIO_printf(bio_err,
-            EVP_PKEY_print_private(out, pkey, 0, NULL);
+				 "Can't open output file %s\n", outfile);
-        }
+			goto end;
-    }
+			}
 		}
 	else
 		{
 		out = BIO_new_fp (stdout, BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 			{
 			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 			out = BIO_push(tmpbio, out);
 			}
 #endif
 		}
-    ret = 0;
+	if (pubin)
 		pkey = load_pubkey(bio_err, infile, informat, 1,
 			passin, e, "Public Key");
 	else
 		pkey = load_key(bio_err, infile, informat, 1,
 			passin, e, "key");
 	if (!pkey)
 		goto end;
- end:
+	if (!noout)
-    EVP_PKEY_free(pkey);
+		{
-    BIO_free_all(out);
+		if (outformat == FORMAT_PEM) 
-    BIO_free(in);
+			{
-    OPENSSL_free(passin);
+			if (pubout)
-    OPENSSL_free(passout);
+				PEM_write_bio_PUBKEY(out,pkey);
 			else
 				PEM_write_bio_PrivateKey(out, pkey, cipher,
 							NULL, 0, NULL, passout);
 			}
 		else if (outformat == FORMAT_ASN1)
 			{
 			if (pubout)
 				i2d_PUBKEY_bio(out, pkey);
 			else
 				i2d_PrivateKey_bio(out, pkey);
 			}
 		else
 			{
 			BIO_printf(bio_err, "Bad format specified for key\n");
 			goto end;
 			}
-    return ret;
+		}
-}
+
 	if (text)
 		{
 		if (pubtext)
 			EVP_PKEY_print_public(out, pkey, 0, NULL);
 		else
 			EVP_PKEY_print_private(out, pkey, 0, NULL);
 		}
 	ret = 0;
 	end:
 	EVP_PKEY_free(pkey);
 	BIO_free_all(out);
 	BIO_free(in);
 	if (passin)
 		OPENSSL_free(passin);
 	if (passout)
 		OPENSSL_free(passout);
 	return ret;
 	}
--- a/apps/pkeyparam.c
+++ b/apps/pkeyparam.c
@@ -1,6 +1,6 @@
-/*
+/* apps/pkeyparam.c */
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * 2006
+ * project 2006
 */
 /* ====================================================================
 * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
@@ -10,7 +10,7 @@
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
+ *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
@@ -62,87 +62,139 @@
 #include <openssl/err.h>
 #include <openssl/evp.h>
-typedef enum OPTION_choice {
+#define PROG pkeyparam_main
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_IN, OPT_OUT, OPT_TEXT, OPT_NOOUT, OPT_ENGINE
 } OPTION_CHOICE;
-OPTIONS pkeyparam_options[] = {
+int MAIN(int, char **);
-    {"help", OPT_HELP, '-', "Display this summary"},
+
-    {"in", OPT_IN, '<', "Input file"},
+int MAIN(int argc, char **argv)
-    {"out", OPT_OUT, '>', "Output file"},
+	{
-    {"text", OPT_TEXT, '-', "Print parameters as text"},
+	char **args, *infile = NULL, *outfile = NULL;
-    {"noout", OPT_NOOUT, '-', "Don't output encoded parameters"},
+	BIO *in = NULL, *out = NULL;
 	int text = 0, noout = 0;
 	EVP_PKEY *pkey=NULL;
 	int badarg = 0;
 #ifndef OPENSSL_NO_ENGINE
-    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+	char *engine=NULL;
 #endif
-    {NULL}
+	int ret = 1;
 };
-int pkeyparam_main(int argc, char **argv)
+	if (bio_err == NULL)
-{
+		bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
    BIO *in = NULL, *out = NULL;
    EVP_PKEY *pkey = NULL;
    int text = 0, noout = 0, ret = 1;
    OPTION_CHOICE o;
    char *infile = NULL, *outfile = NULL, *prog;
-    prog = opt_init(argc, argv, pkeyparam_options);
+	if (!load_config(bio_err, NULL))
-    while ((o = opt_next()) != OPT_EOF) {
+		goto end;
        switch (o) {
        case OPT_EOF:
        case OPT_ERR:
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
        case OPT_HELP:
            opt_help(pkeyparam_options);
            ret = 0;
            goto end;
        case OPT_IN:
            infile = opt_arg();
            break;
        case OPT_OUT:
            outfile = opt_arg();
            break;
        case OPT_ENGINE:
            (void)setup_engine(opt_arg(), 0);
            break;
        case OPT_TEXT:
            text = 1;
            break;
        case OPT_NOOUT:
            noout = 1;
            break;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
-    in = bio_open_default(infile, 'r', FORMAT_PEM);
+	ERR_load_crypto_strings();
-    if (in == NULL)
+	OpenSSL_add_all_algorithms();
-        goto end;
+	args = argv + 1;
-    out = bio_open_default(outfile, 'w', FORMAT_PEM);
+	while (!badarg && *args && *args[0] == '-')
-    if (out == NULL)
+		{
-        goto end;
+		if (!strcmp (*args, "-in"))
-    pkey = PEM_read_bio_Parameters(in, NULL);
+			{
-    if (!pkey) {
+			if (args[1])
-        BIO_printf(bio_err, "Error reading parameters\n");
+				{
-        ERR_print_errors(bio_err);
+				args++;
-        goto end;
+				infile = *args;
-    }
+				}
 			else badarg = 1;
 			}
 		else if (!strcmp (*args, "-out"))
 			{
 			if (args[1])
 				{
 				args++;
 				outfile = *args;
 				}
 			else badarg = 1;
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*args,"-engine") == 0)
 			{
 			if (!args[1]) goto bad;
 			engine= *(++args);
 			}
 #endif
-    if (!noout)
+		else if (strcmp(*args,"-text") == 0)
-        PEM_write_bio_Parameters(out, pkey);
+			text=1;
 		else if (strcmp(*args,"-noout") == 0)
 			noout=1;
 		args++;
 		}
-    if (text)
+	if (badarg)
-        EVP_PKEY_print_params(out, pkey, 0, NULL);
+		{
 #ifndef OPENSSL_NO_ENGINE
 		bad:
 #endif
 		BIO_printf(bio_err, "Usage pkeyparam [options]\n");
 		BIO_printf(bio_err, "where options are\n");
 		BIO_printf(bio_err, "-in file        input file\n");
 		BIO_printf(bio_err, "-out file       output file\n");
 		BIO_printf(bio_err, "-text           print parameters as text\n");
 		BIO_printf(bio_err, "-noout          don't output encoded parameters\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err, "-engine e       use engine e, possibly a hardware device.\n");
 #endif
 		return 1;
 		}
-    ret = 0;
+#ifndef OPENSSL_NO_ENGINE
        setup_engine(bio_err, engine, 0);
 #endif
- end:
+	if (infile)
-    EVP_PKEY_free(pkey);
+		{
-    BIO_free_all(out);
+		if (!(in = BIO_new_file (infile, "r")))
-    BIO_free(in);
+			{
 			BIO_printf(bio_err,
 				 "Can't open input file %s\n", infile);
 			goto end;
 			}
 		}
 	else
 		in = BIO_new_fp (stdin, BIO_NOCLOSE);
-    return ret;
+	if (outfile)
-}
+		{
 		if (!(out = BIO_new_file (outfile, "w")))
 			{
 			BIO_printf(bio_err,
 				 "Can't open output file %s\n", outfile);
 			goto end;
 			}
 		}
 	else
 		{
 		out = BIO_new_fp (stdout, BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 			{
 			BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 			out = BIO_push(tmpbio, out);
 			}
 #endif
 		}
 	pkey = PEM_read_bio_Parameters(in, NULL);
 	if (!pkey)
 		{
 		BIO_printf(bio_err, "Error reading parameters\n");
 		ERR_print_errors(bio_err);
 		goto end;
 		}
 	if (!noout)
 		PEM_write_bio_Parameters(out,pkey);
 	if (text)
 		EVP_PKEY_print_params(out, pkey, 0, NULL);
 	ret = 0;
 	end:
 	EVP_PKEY_free(pkey);
 	BIO_free_all(out);
 	BIO_free(in);
 	return ret;
 	}
--- a/apps/pkeyutl.c
+++ b/apps/pkeyutl.c
@@ -1,6 +1,5 @@
-/*
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+ * project 2006.
 * 2006.
 */
 /* ====================================================================
 * Copyright (c) 2006 The OpenSSL Project.  All rights reserved.
@@ -10,7 +9,7 @@
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
+ *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
@@ -56,417 +55,516 @@
 *
 */
 #include "apps.h"
 #include <string.h>
 #include <openssl/err.h>
 #include <openssl/pem.h>
 #include <openssl/evp.h>
-#define KEY_PRIVKEY     1
+#define KEY_PRIVKEY	1
-#define KEY_PUBKEY      2
+#define KEY_PUBKEY	2
-#define KEY_CERT        3
+#define KEY_CERT	3
 static void usage(void);
 #undef PROG
 #define PROG pkeyutl_main
 static EVP_PKEY_CTX *init_ctx(int *pkeysize,
-                              char *keyfile, int keyform, int key_type,
+				char *keyfile, int keyform, int key_type,
-                              char *passinarg, int pkey_op, ENGINE *e);
+				char *passargin, int pkey_op, ENGINE *e);
-static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file);
+static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform,
 							const char *file);
 static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
-                    unsigned char *out, size_t *poutlen,
+		unsigned char *out, size_t *poutlen,
-                    unsigned char *in, size_t inlen);
+		unsigned char *in, size_t inlen);
-typedef enum OPTION_choice {
+int MAIN(int argc, char **);
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_ENGINE, OPT_IN, OPT_OUT,
    OPT_PUBIN, OPT_CERTIN, OPT_ASN1PARSE, OPT_HEXDUMP, OPT_SIGN,
    OPT_VERIFY, OPT_VERIFYRECOVER, OPT_REV, OPT_ENCRYPT, OPT_DECRYPT,
    OPT_DERIVE, OPT_SIGFILE, OPT_INKEY, OPT_PEERKEY, OPT_PASSIN,
    OPT_PEERFORM, OPT_KEYFORM, OPT_PKEYOPT
 } OPTION_CHOICE;
-OPTIONS pkeyutl_options[] = {
+int MAIN(int argc, char **argv)
    {"help", OPT_HELP, '-', "Display this summary"},
    {"in", OPT_IN, '<', "Input file"},
    {"out", OPT_OUT, '>', "Output file"},
    {"pubin", OPT_PUBIN, '-', "Input is a public key"},
    {"certin", OPT_CERTIN, '-', "Input is a cert with a public key"},
    {"asn1parse", OPT_ASN1PARSE, '-'},
    {"hexdump", OPT_HEXDUMP, '-', "Hex dump output"},
    {"sign", OPT_SIGN, '-', "Sign with private key"},
    {"verify", OPT_VERIFY, '-', "Verify with public key"},
    {"verifyrecover", OPT_VERIFYRECOVER, '-',
     "Verify with public key, recover original data"},
    {"rev", OPT_REV, '-'},
    {"encrypt", OPT_ENCRYPT, '-', "Encrypt with public key"},
    {"decrypt", OPT_DECRYPT, '-', "Decrypt with private key"},
    {"derive", OPT_DERIVE, '-', "Derive shared secret"},
    {"sigfile", OPT_SIGFILE, '<', "Signature file (verify operation only)"},
    {"inkey", OPT_INKEY, 's', "Input key"},
    {"peerkey", OPT_PEERKEY, 's'},
    {"passin", OPT_PASSIN, 's', "Pass phrase source"},
    {"peerform", OPT_PEERFORM, 'F'},
    {"keyform", OPT_KEYFORM, 'F', "Private key format - default PEM"},
    {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
 #ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
    {NULL}
 };
 int pkeyutl_main(int argc, char **argv)
 {
-    BIO *in = NULL, *out = NULL;
+	BIO *in = NULL, *out = NULL;
-    ENGINE *e = NULL;
+	char *infile = NULL, *outfile = NULL, *sigfile = NULL;
-    EVP_PKEY_CTX *ctx = NULL;
+	ENGINE *e = NULL;
-    char *infile = NULL, *outfile = NULL, *sigfile = NULL, *passinarg = NULL;
+	int pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY;
-    char hexdump = 0, asn1parse = 0, rev = 0, *prog;
+	int keyform = FORMAT_PEM, peerform = FORMAT_PEM;
-    unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL;
+	char badarg = 0, rev = 0;
-    OPTION_CHOICE o;
+	char hexdump = 0, asn1parse = 0;
-    int buf_inlen = 0, siglen = -1, keyform = FORMAT_PEM, peerform =
+	EVP_PKEY_CTX *ctx = NULL;
-        FORMAT_PEM;
+	char *passargin = NULL;
-    int keysize = -1, pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY;
+	int keysize = -1;
    int ret = 1, rv = -1;
    size_t buf_outlen;
-    prog = opt_init(argc, argv, pkeyutl_options);
+	unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL;
-    while ((o = opt_next()) != OPT_EOF) {
+	size_t buf_outlen;
-        switch (o) {
+	int buf_inlen = 0, siglen = -1;
        case OPT_EOF:
        case OPT_ERR:
 opthelp:
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
        case OPT_HELP:
            opt_help(pkeyutl_options);
            ret = 0;
            goto end;
        case OPT_IN:
            infile = opt_arg();
            break;
        case OPT_OUT:
            outfile = opt_arg();
            break;
        case OPT_SIGFILE:
            sigfile = opt_arg();
            break;
        case OPT_INKEY:
            ctx = init_ctx(&keysize, opt_arg(), keyform, key_type,
                           passinarg, pkey_op, e);
            if (ctx == NULL) {
                BIO_puts(bio_err, "%s: Error initializing context\n");
                ERR_print_errors(bio_err);
                goto opthelp;
            }
            break;
        case OPT_PEERKEY:
            if (!setup_peer(ctx, peerform, opt_arg()))
                goto opthelp;
            break;
        case OPT_PASSIN:
            passinarg = opt_arg();
            break;
        case OPT_PEERFORM:
            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &peerform))
                goto opthelp;
            break;
        case OPT_KEYFORM:
            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyform))
                goto opthelp;
            break;
        case OPT_ENGINE:
            e = setup_engine(opt_arg(), 0);
            break;
        case OPT_PUBIN:
            key_type = KEY_PUBKEY;
            break;
        case OPT_CERTIN:
            key_type = KEY_CERT;
            break;
        case OPT_ASN1PARSE:
            asn1parse = 1;
            break;
        case OPT_HEXDUMP:
            hexdump = 1;
            break;
        case OPT_SIGN:
            pkey_op = EVP_PKEY_OP_SIGN;
            break;
        case OPT_VERIFY:
            pkey_op = EVP_PKEY_OP_VERIFY;
            break;
        case OPT_VERIFYRECOVER:
            pkey_op = EVP_PKEY_OP_VERIFYRECOVER;
            break;
        case OPT_REV:
            rev = 1;
            break;
        case OPT_ENCRYPT:
            pkey_op = EVP_PKEY_OP_ENCRYPT;
            break;
        case OPT_DECRYPT:
            pkey_op = EVP_PKEY_OP_DECRYPT;
            break;
        case OPT_DERIVE:
            pkey_op = EVP_PKEY_OP_DERIVE;
            break;
        case OPT_PKEYOPT:
            if (ctx == NULL) {
                BIO_printf(bio_err,
                           "%s: Must have -inkey before -pkeyopt\n", prog);
                goto opthelp;
            }
            if (pkey_ctrl_string(ctx, opt_arg()) <= 0) {
                BIO_printf(bio_err, "%s: Can't set parameter:\n", prog);
                ERR_print_errors(bio_err);
                goto end;
            }
            break;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
-    if (ctx == NULL)
+	int ret = 1, rv = -1;
        goto opthelp;
-    if (sigfile && (pkey_op != EVP_PKEY_OP_VERIFY)) {
+	argc--;
-        BIO_printf(bio_err,
+	argv++;
                   "%s: Signature file specified for non verify\n", prog);
        goto end;
    }
-    if (!sigfile && (pkey_op == EVP_PKEY_OP_VERIFY)) {
+	if(!bio_err) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
-        BIO_printf(bio_err,
+
-                   "%s: No signature file specified for verify\n", prog);
+	if (!load_config(bio_err, NULL))
-        goto end;
+		goto end;
-    }
+	ERR_load_crypto_strings();
 	OpenSSL_add_all_algorithms();
 	while(argc >= 1)
 		{
 		if (!strcmp(*argv,"-in"))
 			{
 			if (--argc < 1) badarg = 1;
                        else infile= *(++argv);
 			}
 		else if (!strcmp(*argv,"-out"))
 			{
 			if (--argc < 1) badarg = 1;
 			else outfile= *(++argv);
 			}
 		else if (!strcmp(*argv,"-sigfile"))
 			{
 			if (--argc < 1) badarg = 1;
 			else sigfile= *(++argv);
 			}
 		else if(!strcmp(*argv, "-inkey"))
 			{
 			if (--argc < 1)
 				badarg = 1;
 			else
 				{
 				ctx = init_ctx(&keysize,
 						*(++argv), keyform, key_type,
 						passargin, pkey_op, e);
 				if (!ctx)
 					{
 					BIO_puts(bio_err,
 						"Error initializing context\n");
 					ERR_print_errors(bio_err);
 					badarg = 1;
 					}
 				}
 			}
 		else if (!strcmp(*argv,"-peerkey"))
 			{
 			if (--argc < 1)
 				badarg = 1;
 			else if (!setup_peer(bio_err, ctx, peerform, *(++argv)))
 				badarg = 1;
 			}
 		else if (!strcmp(*argv,"-passin"))
 			{
 			if (--argc < 1) badarg = 1;
 			else passargin= *(++argv);
 			}
 		else if (strcmp(*argv,"-peerform") == 0)
 			{
 			if (--argc < 1) badarg = 1;
 			else peerform=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-keyform") == 0)
 			{
 			if (--argc < 1) badarg = 1;
 			else keyform=str2fmt(*(++argv));
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if(!strcmp(*argv, "-engine"))
 			{
 			if (--argc < 1)
 				badarg = 1;
 			else
 				e = setup_engine(bio_err, *(++argv), 0);
 			}
 #endif
 		else if(!strcmp(*argv, "-pubin"))
 			key_type = KEY_PUBKEY;
 		else if(!strcmp(*argv, "-certin"))
 			key_type = KEY_CERT;
 		else if(!strcmp(*argv, "-asn1parse"))
 			asn1parse = 1;
 		else if(!strcmp(*argv, "-hexdump"))
 			hexdump = 1;
 		else if(!strcmp(*argv, "-sign"))
 			pkey_op = EVP_PKEY_OP_SIGN;
 		else if(!strcmp(*argv, "-verify"))
 			pkey_op = EVP_PKEY_OP_VERIFY;
 		else if(!strcmp(*argv, "-verifyrecover"))
 			pkey_op = EVP_PKEY_OP_VERIFYRECOVER;
 		else if(!strcmp(*argv, "-rev"))
 			rev = 1;
 		else if(!strcmp(*argv, "-encrypt"))
 			pkey_op = EVP_PKEY_OP_ENCRYPT;
 		else if(!strcmp(*argv, "-decrypt"))
 			pkey_op = EVP_PKEY_OP_DECRYPT;
 		else if(!strcmp(*argv, "-derive"))
 			pkey_op = EVP_PKEY_OP_DERIVE;
 		else if (strcmp(*argv,"-pkeyopt") == 0)
 			{
 			if (--argc < 1)
 				badarg = 1;
 			else if (!ctx)
 				{
 				BIO_puts(bio_err,
 					"-pkeyopt command before -inkey\n");
 				badarg = 1;
 				}
 			else if (pkey_ctrl_string(ctx, *(++argv)) <= 0)
 				{
 				BIO_puts(bio_err, "parameter setting error\n");
 				ERR_print_errors(bio_err);
 				goto end;
 				}
 			}
 		else badarg = 1;
 		if(badarg)
 			{
 			usage();
 			goto end;
 			}
 		argc--;
 		argv++;
 		}
 	if (!ctx)
 		{
 		usage();
 		goto end;
 		}
 	if (sigfile && (pkey_op != EVP_PKEY_OP_VERIFY))
 		{
 		BIO_puts(bio_err, "Signature file specified for non verify\n");
 		goto end;
 		}
 	if (!sigfile && (pkey_op == EVP_PKEY_OP_VERIFY))
 		{
 		BIO_puts(bio_err, "No signature file specified for verify\n");
 		goto end;
 		}
 /* FIXME: seed PRNG only if needed */
-    app_RAND_load_file(NULL, 0);
+	app_RAND_load_file(NULL, bio_err, 0);
-    if (pkey_op != EVP_PKEY_OP_DERIVE) {
+	if (pkey_op != EVP_PKEY_OP_DERIVE)
-        in = bio_open_default(infile, 'r', FORMAT_BINARY);
+		{
-        if (in == NULL)
+		if(infile)
-            goto end;
+			{
-    }
+			if(!(in = BIO_new_file(infile, "rb")))
-    out = bio_open_default(outfile, 'w', FORMAT_BINARY);
+				{
-    if (out == NULL)
+				BIO_puts(bio_err,
-        goto end;
+					"Error Opening Input File\n");
 				ERR_print_errors(bio_err);	
 				goto end;
 				}
 			}
 		else
 			in = BIO_new_fp(stdin, BIO_NOCLOSE);
 		}
-    if (sigfile) {
+	if(outfile)
-        BIO *sigbio = BIO_new_file(sigfile, "rb");
+		{
-        if (!sigbio) {
+		if(!(out = BIO_new_file(outfile, "wb")))
-            BIO_printf(bio_err, "Can't open signature file %s\n", sigfile);
+			{
-            goto end;
+			BIO_printf(bio_err, "Error Creating Output File\n");
-        }
+			ERR_print_errors(bio_err);	
-        siglen = bio_to_mem(&sig, keysize * 10, sigbio);
+			goto end;
-        BIO_free(sigbio);
+			}
-        if (siglen <= 0) {
+		}
-            BIO_printf(bio_err, "Error reading signature data\n");
+	else
-            goto end;
+		{
-        }
+		out = BIO_new_fp(stdout, BIO_NOCLOSE);
-    }
+#ifdef OPENSSL_SYS_VMS
 		{
 		    BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		    out = BIO_push(tmpbio, out);
 		}
 #endif
 	}
-    if (in) {
+	if (sigfile)
-        /* Read the input data */
+		{
-        buf_inlen = bio_to_mem(&buf_in, keysize * 10, in);
+		BIO *sigbio = BIO_new_file(sigfile, "rb");
-        if (buf_inlen <= 0) {
+		if (!sigbio)
-            BIO_printf(bio_err, "Error reading input Data\n");
+			{
-            exit(1);
+			BIO_printf(bio_err, "Can't open signature file %s\n",
-        }
+								sigfile);
-        if (rev) {
+			goto end;
-            size_t i;
+			}
-            unsigned char ctmp;
+		siglen = bio_to_mem(&sig, keysize * 10, sigbio);
-            size_t l = (size_t)buf_inlen;
+		BIO_free(sigbio);
-            for (i = 0; i < l / 2; i++) {
+		if (siglen <= 0)
-                ctmp = buf_in[i];
+			{
-                buf_in[i] = buf_in[l - 1 - i];
+			BIO_printf(bio_err, "Error reading signature data\n");
-                buf_in[l - 1 - i] = ctmp;
+			goto end;
-            }
+			}
-        }
+		}
-    }
+	
 	if (in)
 		{
 		/* Read the input data */
 		buf_inlen = bio_to_mem(&buf_in, keysize * 10, in);
 		if(buf_inlen <= 0)
 			{
 			BIO_printf(bio_err, "Error reading input Data\n");
 			exit(1);
 			}
 		if(rev)
 			{
 			size_t i;
 			unsigned char ctmp;
 			size_t l = (size_t)buf_inlen;
 			for(i = 0; i < l/2; i++)
 				{
 				ctmp = buf_in[i];
 				buf_in[i] = buf_in[l - 1 - i];
 				buf_in[l - 1 - i] = ctmp;
 				}
 			}
 		}
-    if (pkey_op == EVP_PKEY_OP_VERIFY) {
+	if(pkey_op == EVP_PKEY_OP_VERIFY)
-        rv = EVP_PKEY_verify(ctx, sig, (size_t)siglen,
+		{
-                             buf_in, (size_t)buf_inlen);
+		rv  = EVP_PKEY_verify(ctx, sig, (size_t)siglen,
-        if (rv == 1) {
+				      buf_in, (size_t)buf_inlen);
-            BIO_puts(out, "Signature Verified Successfully\n");
+		if (rv == 0)
-            ret = 0;
+			BIO_puts(out, "Signature Verification Failure\n");
-        } else
+		else if (rv == 1)
-            BIO_puts(out, "Signature Verification Failure\n");
+			BIO_puts(out, "Signature Verified Successfully\n");
-        goto end;
+		if (rv >= 0)
-    }
+			goto end;
-    rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen,
+		}
-                  buf_in, (size_t)buf_inlen);
+	else
-    if (rv > 0) {
+		{	
-        buf_out = app_malloc(buf_outlen, "buffer output");
+		rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen,
-        rv = do_keyop(ctx, pkey_op,
+			      buf_in, (size_t)buf_inlen);
-                      buf_out, (size_t *)&buf_outlen,
+		if (rv > 0)
-                      buf_in, (size_t)buf_inlen);
+			{
-    }
+			buf_out = OPENSSL_malloc(buf_outlen);
-    if (rv <= 0) {
+			if (!buf_out)
-        ERR_print_errors(bio_err);
+				rv = -1;
-        goto end;
+			else
-    }
+				rv = do_keyop(ctx, pkey_op,
-    ret = 0;
+						buf_out, (size_t *)&buf_outlen,
 						buf_in, (size_t)buf_inlen);
 			}
 		}
-    if (asn1parse) {
+	if(rv <= 0)
-        if (!ASN1_parse_dump(out, buf_out, buf_outlen, 1, -1))
+		{
-            ERR_print_errors(bio_err);
+		BIO_printf(bio_err, "Public Key operation error\n");
-    } else if (hexdump)
+		ERR_print_errors(bio_err);
-        BIO_dump(out, (char *)buf_out, buf_outlen);
+		goto end;
-    else
+		}
-        BIO_write(out, buf_out, buf_outlen);
+	ret = 0;
 	if(asn1parse)
 		{
 		if(!ASN1_parse_dump(out, buf_out, buf_outlen, 1, -1))
 			ERR_print_errors(bio_err);
 		}
 	else if(hexdump)
 		BIO_dump(out, (char *)buf_out, buf_outlen);
 	else
 		BIO_write(out, buf_out, buf_outlen);
 	end:
 	if (ctx)
 		EVP_PKEY_CTX_free(ctx);
 	BIO_free(in);
 	BIO_free_all(out);
 	if (buf_in)
 		OPENSSL_free(buf_in);
 	if (buf_out)
 		OPENSSL_free(buf_out);
 	if (sig)
 		OPENSSL_free(sig);
 	return ret;
 }
 static void usage()
 {
 	BIO_printf(bio_err, "Usage: pkeyutl [options]\n");
 	BIO_printf(bio_err, "-in file        input file\n");
 	BIO_printf(bio_err, "-out file       output file\n");
 	BIO_printf(bio_err, "-sigfile file signature file (verify operation only)\n");
 	BIO_printf(bio_err, "-inkey file     input key\n");
 	BIO_printf(bio_err, "-keyform arg    private key format - default PEM\n");
 	BIO_printf(bio_err, "-pubin          input is a public key\n");
 	BIO_printf(bio_err, "-certin         input is a certificate carrying a public key\n");
 	BIO_printf(bio_err, "-pkeyopt X:Y    public key options\n");
 	BIO_printf(bio_err, "-sign           sign with private key\n");
 	BIO_printf(bio_err, "-verify         verify with public key\n");
 	BIO_printf(bio_err, "-verifyrecover  verify with public key, recover original data\n");
 	BIO_printf(bio_err, "-encrypt        encrypt with public key\n");
 	BIO_printf(bio_err, "-decrypt        decrypt with private key\n");
 	BIO_printf(bio_err, "-derive         derive shared secret\n");
 	BIO_printf(bio_err, "-hexdump        hex dump output\n");
 #ifndef OPENSSL_NO_ENGINE
 	BIO_printf(bio_err, "-engine e       use engine e, possibly a hardware device.\n");
 #endif
 	BIO_printf(bio_err, "-passin arg     pass phrase source\n");
 end:
    EVP_PKEY_CTX_free(ctx);
    BIO_free(in);
    BIO_free_all(out);
    OPENSSL_free(buf_in);
    OPENSSL_free(buf_out);
    OPENSSL_free(sig);
    return ret;
 }
 static EVP_PKEY_CTX *init_ctx(int *pkeysize,
-                              char *keyfile, int keyform, int key_type,
+				char *keyfile, int keyform, int key_type,
-                              char *passinarg, int pkey_op, ENGINE *e)
+				char *passargin, int pkey_op, ENGINE *e)
-{
+	{
-    EVP_PKEY *pkey = NULL;
+	EVP_PKEY *pkey = NULL;
-    EVP_PKEY_CTX *ctx = NULL;
+	EVP_PKEY_CTX *ctx = NULL;
-    char *passin = NULL;
+	char *passin = NULL;
-    int rv = -1;
+	int rv = -1;
-    X509 *x;
+	X509 *x;
-    if (((pkey_op == EVP_PKEY_OP_SIGN) || (pkey_op == EVP_PKEY_OP_DECRYPT)
+	if(((pkey_op == EVP_PKEY_OP_SIGN) || (pkey_op == EVP_PKEY_OP_DECRYPT) 
-         || (pkey_op == EVP_PKEY_OP_DERIVE))
+		|| (pkey_op == EVP_PKEY_OP_DERIVE))
-        && (key_type != KEY_PRIVKEY)) {
+		&& (key_type != KEY_PRIVKEY))
-        BIO_printf(bio_err, "A private key is needed for this operation\n");
+		{
-        goto end;
+		BIO_printf(bio_err, "A private key is needed for this operation\n");
-    }
+		goto end;
-    if (!app_passwd(passinarg, NULL, &passin, NULL)) {
+		}
-        BIO_printf(bio_err, "Error getting password\n");
+	if(!app_passwd(bio_err, passargin, NULL, &passin, NULL))
-        goto end;
+		{
-    }
+		BIO_printf(bio_err, "Error getting password\n");
-    switch (key_type) {
+		goto end;
-    case KEY_PRIVKEY:
+		}
-        pkey = load_key(keyfile, keyform, 0, passin, e, "Private Key");
+	switch(key_type)
-        break;
+		{
 		case KEY_PRIVKEY:
 		pkey = load_key(bio_err, keyfile, keyform, 0,
 			passin, e, "Private Key");
 		break;
-    case KEY_PUBKEY:
+		case KEY_PUBKEY:
-        pkey = load_pubkey(keyfile, keyform, 0, NULL, e, "Public Key");
+		pkey = load_pubkey(bio_err, keyfile, keyform, 0,
-        break;
+			NULL, e, "Public Key");
 		break;
-    case KEY_CERT:
+		case KEY_CERT:
-        x = load_cert(keyfile, keyform, NULL, e, "Certificate");
+		x = load_cert(bio_err, keyfile, keyform,
-        if (x) {
+			NULL, e, "Certificate");
-            pkey = X509_get_pubkey(x);
+		if(x)
-            X509_free(x);
+			{
-        }
+			pkey = X509_get_pubkey(x);
-        break;
+			X509_free(x);
 			}
 		break;
-    }
+		}
-    *pkeysize = EVP_PKEY_size(pkey);
+	*pkeysize = EVP_PKEY_size(pkey);
-    if (!pkey)
+	if (!pkey)
-        goto end;
+		goto end;
-    ctx = EVP_PKEY_CTX_new(pkey, e);
+	ctx = EVP_PKEY_CTX_new(pkey, e);
-    EVP_PKEY_free(pkey);
+	EVP_PKEY_free(pkey);
-    if (ctx == NULL)
+	if (!ctx)
-        goto end;
+		goto end;
-    switch (pkey_op) {
+	switch(pkey_op)
-    case EVP_PKEY_OP_SIGN:
+		{
-        rv = EVP_PKEY_sign_init(ctx);
+		case EVP_PKEY_OP_SIGN:
-        break;
+		rv = EVP_PKEY_sign_init(ctx);
 		break;
-    case EVP_PKEY_OP_VERIFY:
+		case EVP_PKEY_OP_VERIFY:
-        rv = EVP_PKEY_verify_init(ctx);
+		rv = EVP_PKEY_verify_init(ctx);
-        break;
+		break;
-    case EVP_PKEY_OP_VERIFYRECOVER:
+		case EVP_PKEY_OP_VERIFYRECOVER:
-        rv = EVP_PKEY_verify_recover_init(ctx);
+		rv = EVP_PKEY_verify_recover_init(ctx);
-        break;
+		break;
-    case EVP_PKEY_OP_ENCRYPT:
+		case EVP_PKEY_OP_ENCRYPT:
-        rv = EVP_PKEY_encrypt_init(ctx);
+		rv = EVP_PKEY_encrypt_init(ctx);
-        break;
+		break;
-    case EVP_PKEY_OP_DECRYPT:
+		case EVP_PKEY_OP_DECRYPT:
-        rv = EVP_PKEY_decrypt_init(ctx);
+		rv = EVP_PKEY_decrypt_init(ctx);
-        break;
+		break;
-    case EVP_PKEY_OP_DERIVE:
+		case EVP_PKEY_OP_DERIVE:
-        rv = EVP_PKEY_derive_init(ctx);
+		rv = EVP_PKEY_derive_init(ctx);
-        break;
+		break;
-    }
+		}
-    if (rv <= 0) {
+	if (rv <= 0)
-        EVP_PKEY_CTX_free(ctx);
+		{
-        ctx = NULL;
+		EVP_PKEY_CTX_free(ctx);
-    }
+		ctx = NULL;
 		}
- end:
+	end:
    OPENSSL_free(passin);
    return ctx;
-}
+	if (passin)
 		OPENSSL_free(passin);
-static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file)
+	return ctx;
 {
    EVP_PKEY *peer = NULL;
    int ret;
    if (!ctx) {
        BIO_puts(bio_err, "-peerkey command before -inkey\n");
        return 0;
    }
    peer = load_pubkey(file, peerform, 0, NULL, NULL, "Peer Key");
-    if (!peer) {
+	}
        BIO_printf(bio_err, "Error reading peer key %s\n", file);
        ERR_print_errors(bio_err);
        return 0;
    }
-    ret = EVP_PKEY_derive_set_peer(ctx, peer);
+static int setup_peer(BIO *err, EVP_PKEY_CTX *ctx, int peerform,
 							const char *file)
 	{
 	EVP_PKEY *peer = NULL;
 	int ret;
 	if (!ctx)
 		{
 		BIO_puts(err, "-peerkey command before -inkey\n");
 		return 0;
 		}
 	peer = load_pubkey(bio_err, file, peerform, 0, NULL, NULL, "Peer Key");
-    EVP_PKEY_free(peer);
+	if (!peer)
-    if (ret <= 0)
+		{
-        ERR_print_errors(bio_err);
+		BIO_printf(bio_err, "Error reading peer key %s\n", file);
-    return ret;
+		ERR_print_errors(err);
-}
+		return 0;
 		}
 	ret = EVP_PKEY_derive_set_peer(ctx, peer);
 	EVP_PKEY_free(peer);
 	if (ret <= 0)
 		ERR_print_errors(err);
 	return ret;
 	}
 static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
-                    unsigned char *out, size_t *poutlen,
+		unsigned char *out, size_t *poutlen,
-                    unsigned char *in, size_t inlen)
+		unsigned char *in, size_t inlen)
-{
+	{
-    int rv = 0;
+	int rv = 0;
-    switch (pkey_op) {
+	switch(pkey_op)
-    case EVP_PKEY_OP_VERIFYRECOVER:
+		{
-        rv = EVP_PKEY_verify_recover(ctx, out, poutlen, in, inlen);
+		case EVP_PKEY_OP_VERIFYRECOVER:
-        break;
+		rv  = EVP_PKEY_verify_recover(ctx, out, poutlen, in, inlen);
 		break;
-    case EVP_PKEY_OP_SIGN:
+		case EVP_PKEY_OP_SIGN:
-        rv = EVP_PKEY_sign(ctx, out, poutlen, in, inlen);
+		rv  = EVP_PKEY_sign(ctx, out, poutlen, in, inlen);
-        break;
+		break;
-    case EVP_PKEY_OP_ENCRYPT:
+		case EVP_PKEY_OP_ENCRYPT:
-        rv = EVP_PKEY_encrypt(ctx, out, poutlen, in, inlen);
+		rv  = EVP_PKEY_encrypt(ctx, out, poutlen, in, inlen);
-        break;
+		break;
-    case EVP_PKEY_OP_DECRYPT:
+		case EVP_PKEY_OP_DECRYPT:
-        rv = EVP_PKEY_decrypt(ctx, out, poutlen, in, inlen);
+		rv  = EVP_PKEY_decrypt(ctx, out, poutlen, in, inlen);
-        break;
+		break; 
-    case EVP_PKEY_OP_DERIVE:
+		case EVP_PKEY_OP_DERIVE:
-        rv = EVP_PKEY_derive(ctx, out, poutlen);
+		rv  = EVP_PKEY_derive(ctx, out, poutlen);
-        break;
+		break;
-    }
+		}
-    return rv;
+	return rv;
-}
+	}
--- a/apps/prime.c
+++ b/apps/prime.c
@@ -6,7 +6,7 @@
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
+ *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
@@ -52,97 +52,109 @@
 #include "apps.h"
 #include <openssl/bn.h>
 typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_HEX, OPT_GENERATE, OPT_BITS, OPT_SAFE, OPT_CHECKS
 } OPTION_CHOICE;
-OPTIONS prime_options[] = {
+#undef PROG
-    {OPT_HELP_STR, 1, '-', "Usage: %s [options] [number...]\n"},
+#define PROG prime_main
    {OPT_HELP_STR, 1, '-',
        "  number Number to check for primality\n"},
    {"help", OPT_HELP, '-', "Display this summary"},
    {"hex", OPT_HEX, '-', "Hex output"},
    {"generate", OPT_GENERATE, '-', "Generate a prime"},
    {"bits", OPT_BITS, 'p', "Size of number in bits"},
    {"safe", OPT_SAFE, '-',
     "When used with -generate, generate a safe prime"},
    {"checks", OPT_CHECKS, 'p', "Number of checks"},
    {NULL}
 };
-int prime_main(int argc, char **argv)
+int MAIN(int, char **);
 {
    BIGNUM *bn = NULL;
    int hex = 0, checks = 20, generate = 0, bits = 0, safe = 0, ret = 1;
    char *prog;
    OPTION_CHOICE o;
-    prog = opt_init(argc, argv, prime_options);
+int MAIN(int argc, char **argv)
-    while ((o = opt_next()) != OPT_EOF) {
+    {
-        switch (o) {
+    int hex=0;
-        case OPT_EOF:
+    int checks=20;
-        case OPT_ERR:
+    int generate=0;
-            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+    int bits=0;
-            goto end;
+    int safe=0;
-        case OPT_HELP:
+    BIGNUM *bn=NULL;
-            opt_help(prime_options);
+    BIO *bio_out;
            ret = 0;
            goto end;
        case OPT_HEX:
            hex = 1;
            break;
        case OPT_GENERATE:
            generate = 1;
            break;
        case OPT_BITS:
            bits = atoi(opt_arg());
            break;
        case OPT_SAFE:
            safe = 1;
            break;
        case OPT_CHECKS:
            checks = atoi(opt_arg());
            break;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
-    if (argc == 0 && !generate) {
+    apps_startup();
        BIO_printf(bio_err, "%s: No prime specified\n", prog);
        goto end;
    }
-    if (generate) {
+    if (bio_err == NULL)
-        char *s;
+	if ((bio_err=BIO_new(BIO_s_file())) != NULL)
 	    BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
-        if (!bits) {
+    --argc;
-            BIO_printf(bio_err, "Specify the number of bits.\n");
+    ++argv;
-            goto end;
+    while (argc >= 1 && **argv == '-')
-        }
+	{
-        bn = BN_new();
+	if(!strcmp(*argv,"-hex"))
-        BN_generate_prime_ex(bn, bits, safe, NULL, NULL, NULL);
+	    hex=1;
-        s = hex ? BN_bn2hex(bn) : BN_bn2dec(bn);
+	else if(!strcmp(*argv,"-generate"))
-        BIO_printf(bio_out, "%s\n", s);
+	    generate=1;
-        OPENSSL_free(s);
+	else if(!strcmp(*argv,"-bits"))
-    } else {
+	    if(--argc < 1)
-        for ( ; *argv; argv++) {
+		goto bad;
-            if (hex)
+	    else
-                BN_hex2bn(&bn, argv[0]);
+		bits=atoi(*++argv);
-            else
+	else if(!strcmp(*argv,"-safe"))
-                BN_dec2bn(&bn, argv[0]);
+	    safe=1;
 	else if(!strcmp(*argv,"-checks"))
 	    if(--argc < 1)
 		goto bad;
 	    else
 		checks=atoi(*++argv);
 	else
 	    {
 	    BIO_printf(bio_err,"Unknown option '%s'\n",*argv);
 	    goto bad;
 	    }
 	--argc;
 	++argv;
 	}
-            BN_print(bio_out, bn);
+    if (argv[0] == NULL && !generate)
-            BIO_printf(bio_out, " (%s) %s prime\n",
+	{
-                       argv[0],
+	BIO_printf(bio_err,"No prime specified\n");
-                       BN_is_prime_ex(bn, checks, NULL, NULL)
+	goto bad;
-                           ? "is" : "is not");
+	}
-        }
+
-    }
+    if ((bio_out=BIO_new(BIO_s_file())) != NULL)
 	{
 	BIO_set_fp(bio_out,stdout,BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 	    {
 	    BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 	    bio_out = BIO_push(tmpbio, bio_out);
 	    }
 #endif
 	}
    if(generate)
 	{
 	char *s;
 	if(!bits)
 	    {
 	    BIO_printf(bio_err,"Specifiy the number of bits.\n");
 	    return 1;
 	    }
 	bn=BN_new();
 	BN_generate_prime_ex(bn,bits,safe,NULL,NULL,NULL);
 	s=hex ? BN_bn2hex(bn) : BN_bn2dec(bn);
 	BIO_printf(bio_out,"%s\n",s);
 	OPENSSL_free(s);
 	}
    else
 	{
 	if(hex)
 	    BN_hex2bn(&bn,argv[0]);
 	else
 	    BN_dec2bn(&bn,argv[0]);
 	BN_print(bio_out,bn);
 	BIO_printf(bio_out," is %sprime\n",
 		   BN_is_prime_ex(bn,checks,NULL,NULL) ? "" : "not ");
 	}
    BN_free(bn);
    BIO_free_all(bio_out);
- end:
+    return 0;
-    return ret;
+
-}
+    bad:
    BIO_printf(bio_err,"options are\n");
    BIO_printf(bio_err,"%-14s hex\n","-hex");
    BIO_printf(bio_err,"%-14s number of checks\n","-checks <n>");
    return 1;
    }
--- a/apps/progs.h
+++ b/apps/progs.h
@@ -1,421 +1,366 @@
-/*
+/* apps/progs.h */
- * Automatically generated by progs.pl for openssl.c
+/* automatically generated by progs.pl for openssl.c */
 * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
 * See the openssl.c for copyright details.
 */
-typedef enum FUNC_TYPE {
+extern int verify_main(int argc,char *argv[]);
-    FT_none, FT_general, FT_md, FT_cipher, FT_pkey,
+extern int asn1parse_main(int argc,char *argv[]);
-    FT_md_alg, FT_cipher_alg
+extern int req_main(int argc,char *argv[]);
-} FUNC_TYPE;
+extern int dgst_main(int argc,char *argv[]);
 extern int dh_main(int argc,char *argv[]);
 extern int dhparam_main(int argc,char *argv[]);
 extern int enc_main(int argc,char *argv[]);
 extern int passwd_main(int argc,char *argv[]);
 extern int gendh_main(int argc,char *argv[]);
 extern int errstr_main(int argc,char *argv[]);
 extern int ca_main(int argc,char *argv[]);
 extern int crl_main(int argc,char *argv[]);
 extern int rsa_main(int argc,char *argv[]);
 extern int rsautl_main(int argc,char *argv[]);
 extern int dsa_main(int argc,char *argv[]);
 extern int dsaparam_main(int argc,char *argv[]);
 extern int ec_main(int argc,char *argv[]);
 extern int ecparam_main(int argc,char *argv[]);
 extern int x509_main(int argc,char *argv[]);
 extern int genrsa_main(int argc,char *argv[]);
 extern int gendsa_main(int argc,char *argv[]);
 extern int genpkey_main(int argc,char *argv[]);
 extern int s_server_main(int argc,char *argv[]);
 extern int s_client_main(int argc,char *argv[]);
 extern int speed_main(int argc,char *argv[]);
 extern int s_time_main(int argc,char *argv[]);
 extern int version_main(int argc,char *argv[]);
 extern int pkcs7_main(int argc,char *argv[]);
 extern int cms_main(int argc,char *argv[]);
 extern int crl2pkcs7_main(int argc,char *argv[]);
 extern int sess_id_main(int argc,char *argv[]);
 extern int ciphers_main(int argc,char *argv[]);
 extern int nseq_main(int argc,char *argv[]);
 extern int pkcs12_main(int argc,char *argv[]);
 extern int pkcs8_main(int argc,char *argv[]);
 extern int pkey_main(int argc,char *argv[]);
 extern int pkeyparam_main(int argc,char *argv[]);
 extern int pkeyutl_main(int argc,char *argv[]);
 extern int spkac_main(int argc,char *argv[]);
 extern int smime_main(int argc,char *argv[]);
 extern int rand_main(int argc,char *argv[]);
 extern int engine_main(int argc,char *argv[]);
 extern int ocsp_main(int argc,char *argv[]);
 extern int srp_main(int argc,char *argv[]);
 extern int prime_main(int argc,char *argv[]);
 extern int ts_main(int argc,char *argv[]);
-typedef struct function_st {
+#define FUNC_TYPE_GENERAL	1
-    FUNC_TYPE type;
+#define FUNC_TYPE_MD		2
-    const char *name;
+#define FUNC_TYPE_CIPHER	3
-    int (*func)(int argc,char *argv[]);
+#define FUNC_TYPE_PKEY		4
-    const OPTIONS *help;
+#define FUNC_TYPE_MD_ALG	5
-} FUNCTION;
+#define FUNC_TYPE_CIPHER_ALG	6
-DEFINE_LHASH_OF(FUNCTION);
+typedef struct {
 	int type;
 	const char *name;
 	int (*func)(int argc,char *argv[]);
 	} FUNCTION;
 DECLARE_LHASH_OF(FUNCTION);
-extern int asn1parse_main(int argc, char *argv[]);
+FUNCTION functions[] = {
-extern int ca_main(int argc, char *argv[]);
+	{FUNC_TYPE_GENERAL,"verify",verify_main},
-extern int ciphers_main(int argc, char *argv[]);
+	{FUNC_TYPE_GENERAL,"asn1parse",asn1parse_main},
-extern int cms_main(int argc, char *argv[]);
+	{FUNC_TYPE_GENERAL,"req",req_main},
-extern int crl_main(int argc, char *argv[]);
+	{FUNC_TYPE_GENERAL,"dgst",dgst_main},
 extern int crl2pkcs7_main(int argc, char *argv[]);
 extern int dgst_main(int argc, char *argv[]);
 extern int dhparam_main(int argc, char *argv[]);
 extern int dsa_main(int argc, char *argv[]);
 extern int dsaparam_main(int argc, char *argv[]);
 extern int ec_main(int argc, char *argv[]);
 extern int ecparam_main(int argc, char *argv[]);
 extern int enc_main(int argc, char *argv[]);
 extern int engine_main(int argc, char *argv[]);
 extern int errstr_main(int argc, char *argv[]);
 extern int gendsa_main(int argc, char *argv[]);
 extern int genpkey_main(int argc, char *argv[]);
 extern int genrsa_main(int argc, char *argv[]);
 extern int nseq_main(int argc, char *argv[]);
 extern int ocsp_main(int argc, char *argv[]);
 extern int passwd_main(int argc, char *argv[]);
 extern int pkcs12_main(int argc, char *argv[]);
 extern int pkcs7_main(int argc, char *argv[]);
 extern int pkcs8_main(int argc, char *argv[]);
 extern int pkey_main(int argc, char *argv[]);
 extern int pkeyparam_main(int argc, char *argv[]);
 extern int pkeyutl_main(int argc, char *argv[]);
 extern int prime_main(int argc, char *argv[]);
 extern int rand_main(int argc, char *argv[]);
 extern int req_main(int argc, char *argv[]);
 extern int rsa_main(int argc, char *argv[]);
 extern int rsautl_main(int argc, char *argv[]);
 extern int s_client_main(int argc, char *argv[]);
 extern int s_server_main(int argc, char *argv[]);
 extern int s_time_main(int argc, char *argv[]);
 extern int sess_id_main(int argc, char *argv[]);
 extern int smime_main(int argc, char *argv[]);
 extern int speed_main(int argc, char *argv[]);
 extern int spkac_main(int argc, char *argv[]);
 extern int srp_main(int argc, char *argv[]);
 extern int ts_main(int argc, char *argv[]);
 extern int verify_main(int argc, char *argv[]);
 extern int version_main(int argc, char *argv[]);
 extern int x509_main(int argc, char *argv[]);
 extern int rehash_main(int argc, char *argv[]);
 extern int list_main(int argc, char *argv[]);
 extern int help_main(int argc, char *argv[]);
 extern int exit_main(int argc, char *argv[]);
 extern OPTIONS asn1parse_options[];
 extern OPTIONS ca_options[];
 extern OPTIONS ciphers_options[];
 extern OPTIONS cms_options[];
 extern OPTIONS crl_options[];
 extern OPTIONS crl2pkcs7_options[];
 extern OPTIONS dgst_options[];
 extern OPTIONS dhparam_options[];
 extern OPTIONS dsa_options[];
 extern OPTIONS dsaparam_options[];
 extern OPTIONS ec_options[];
 extern OPTIONS ecparam_options[];
 extern OPTIONS enc_options[];
 extern OPTIONS engine_options[];
 extern OPTIONS errstr_options[];
 extern OPTIONS gendsa_options[];
 extern OPTIONS genpkey_options[];
 extern OPTIONS genrsa_options[];
 extern OPTIONS nseq_options[];
 extern OPTIONS ocsp_options[];
 extern OPTIONS passwd_options[];
 extern OPTIONS pkcs12_options[];
 extern OPTIONS pkcs7_options[];
 extern OPTIONS pkcs8_options[];
 extern OPTIONS pkey_options[];
 extern OPTIONS pkeyparam_options[];
 extern OPTIONS pkeyutl_options[];
 extern OPTIONS prime_options[];
 extern OPTIONS rand_options[];
 extern OPTIONS req_options[];
 extern OPTIONS rsa_options[];
 extern OPTIONS rsautl_options[];
 extern OPTIONS s_client_options[];
 extern OPTIONS s_server_options[];
 extern OPTIONS s_time_options[];
 extern OPTIONS sess_id_options[];
 extern OPTIONS smime_options[];
 extern OPTIONS speed_options[];
 extern OPTIONS spkac_options[];
 extern OPTIONS srp_options[];
 extern OPTIONS ts_options[];
 extern OPTIONS verify_options[];
 extern OPTIONS version_options[];
 extern OPTIONS x509_options[];
 extern OPTIONS rehash_options[];
 extern OPTIONS list_options[];
 extern OPTIONS help_options[];
 extern OPTIONS exit_options[];
 #ifdef INCLUDE_FUNCTION_TABLE
 static FUNCTION functions[] = {
    { FT_general, "asn1parse", asn1parse_main, asn1parse_options },
    { FT_general, "ca", ca_main, ca_options },
 #if !defined(OPENSSL_NO_SOCK)
    { FT_general, "ciphers", ciphers_main, ciphers_options },
 #endif
 #ifndef OPENSSL_NO_CMS
    { FT_general, "cms", cms_main, cms_options },
 #endif
    { FT_general, "crl", crl_main, crl_options },
    { FT_general, "crl2pkcs7", crl2pkcs7_main, crl2pkcs7_options },
    { FT_general, "dgst", dgst_main, dgst_options },
 #ifndef OPENSSL_NO_DH
-    { FT_general, "dhparam", dhparam_main, dhparam_options },
+	{FUNC_TYPE_GENERAL,"dh",dh_main},
 #endif
 #ifndef OPENSSL_NO_DH
 	{FUNC_TYPE_GENERAL,"dhparam",dhparam_main},
 #endif
 	{FUNC_TYPE_GENERAL,"enc",enc_main},
 	{FUNC_TYPE_GENERAL,"passwd",passwd_main},
 #ifndef OPENSSL_NO_DH
 	{FUNC_TYPE_GENERAL,"gendh",gendh_main},
 #endif
 	{FUNC_TYPE_GENERAL,"errstr",errstr_main},
 	{FUNC_TYPE_GENERAL,"ca",ca_main},
 	{FUNC_TYPE_GENERAL,"crl",crl_main},
 #ifndef OPENSSL_NO_RSA
 	{FUNC_TYPE_GENERAL,"rsa",rsa_main},
 #endif
 #ifndef OPENSSL_NO_RSA
 	{FUNC_TYPE_GENERAL,"rsautl",rsautl_main},
 #endif
 #ifndef OPENSSL_NO_DSA
-    { FT_general, "dsa", dsa_main, dsa_options },
+	{FUNC_TYPE_GENERAL,"dsa",dsa_main},
 #endif
 #ifndef OPENSSL_NO_DSA
-    { FT_general, "dsaparam", dsaparam_main, dsaparam_options },
+	{FUNC_TYPE_GENERAL,"dsaparam",dsaparam_main},
 #endif
 #ifndef OPENSSL_NO_EC
-    { FT_general, "ec", ec_main, ec_options },
+	{FUNC_TYPE_GENERAL,"ec",ec_main},
 #endif
 #ifndef OPENSSL_NO_EC
-    { FT_general, "ecparam", ecparam_main, ecparam_options },
+	{FUNC_TYPE_GENERAL,"ecparam",ecparam_main},
 #endif
-    { FT_general, "enc", enc_main, enc_options },
+	{FUNC_TYPE_GENERAL,"x509",x509_main},
 #ifndef OPENSSL_NO_RSA
 	{FUNC_TYPE_GENERAL,"genrsa",genrsa_main},
 #endif
 #ifndef OPENSSL_NO_DSA
 	{FUNC_TYPE_GENERAL,"gendsa",gendsa_main},
 #endif
 	{FUNC_TYPE_GENERAL,"genpkey",genpkey_main},
 #if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3))
 	{FUNC_TYPE_GENERAL,"s_server",s_server_main},
 #endif
 #if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3))
 	{FUNC_TYPE_GENERAL,"s_client",s_client_main},
 #endif
 #ifndef OPENSSL_NO_SPEED
 	{FUNC_TYPE_GENERAL,"speed",speed_main},
 #endif
 #if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3))
 	{FUNC_TYPE_GENERAL,"s_time",s_time_main},
 #endif
 	{FUNC_TYPE_GENERAL,"version",version_main},
 	{FUNC_TYPE_GENERAL,"pkcs7",pkcs7_main},
 #ifndef OPENSSL_NO_CMS
 	{FUNC_TYPE_GENERAL,"cms",cms_main},
 #endif
 	{FUNC_TYPE_GENERAL,"crl2pkcs7",crl2pkcs7_main},
 	{FUNC_TYPE_GENERAL,"sess_id",sess_id_main},
 #if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3))
 	{FUNC_TYPE_GENERAL,"ciphers",ciphers_main},
 #endif
 	{FUNC_TYPE_GENERAL,"nseq",nseq_main},
 #if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_SHA1)
 	{FUNC_TYPE_GENERAL,"pkcs12",pkcs12_main},
 #endif
 	{FUNC_TYPE_GENERAL,"pkcs8",pkcs8_main},
 	{FUNC_TYPE_GENERAL,"pkey",pkey_main},
 	{FUNC_TYPE_GENERAL,"pkeyparam",pkeyparam_main},
 	{FUNC_TYPE_GENERAL,"pkeyutl",pkeyutl_main},
 	{FUNC_TYPE_GENERAL,"spkac",spkac_main},
 	{FUNC_TYPE_GENERAL,"smime",smime_main},
 	{FUNC_TYPE_GENERAL,"rand",rand_main},
 #ifndef OPENSSL_NO_ENGINE
-    { FT_general, "engine", engine_main, engine_options },
+	{FUNC_TYPE_GENERAL,"engine",engine_main},
 #endif
    { FT_general, "errstr", errstr_main, errstr_options },
 #ifndef OPENSSL_NO_DSA
    { FT_general, "gendsa", gendsa_main, gendsa_options },
 #endif
    { FT_general, "genpkey", genpkey_main, genpkey_options },
 #ifndef OPENSSL_NO_RSA
    { FT_general, "genrsa", genrsa_main, genrsa_options },
 #endif
    { FT_general, "nseq", nseq_main, nseq_options },
 #ifndef OPENSSL_NO_OCSP
-    { FT_general, "ocsp", ocsp_main, ocsp_options },
+	{FUNC_TYPE_GENERAL,"ocsp",ocsp_main},
 #endif
    { FT_general, "passwd", passwd_main, passwd_options },
 #if !defined(OPENSSL_NO_DES)
    { FT_general, "pkcs12", pkcs12_main, pkcs12_options },
 #endif
    { FT_general, "pkcs7", pkcs7_main, pkcs7_options },
    { FT_general, "pkcs8", pkcs8_main, pkcs8_options },
    { FT_general, "pkey", pkey_main, pkey_options },
    { FT_general, "pkeyparam", pkeyparam_main, pkeyparam_options },
    { FT_general, "pkeyutl", pkeyutl_main, pkeyutl_options },
    { FT_general, "prime", prime_main, prime_options },
    { FT_general, "rand", rand_main, rand_options },
    { FT_general, "req", req_main, req_options },
 #ifndef OPENSSL_NO_RSA
    { FT_general, "rsa", rsa_main, rsa_options },
 #endif
 #ifndef OPENSSL_NO_RSA
    { FT_general, "rsautl", rsautl_main, rsautl_options },
 #endif
 #if !defined(OPENSSL_NO_SOCK)
    { FT_general, "s_client", s_client_main, s_client_options },
 #endif
 #if !defined(OPENSSL_NO_SOCK)
    { FT_general, "s_server", s_server_main, s_server_options },
 #endif
 #if !defined(OPENSSL_NO_SOCK)
    { FT_general, "s_time", s_time_main, s_time_options },
 #endif
    { FT_general, "sess_id", sess_id_main, sess_id_options },
    { FT_general, "smime", smime_main, smime_options },
    { FT_general, "speed", speed_main, speed_options },
    { FT_general, "spkac", spkac_main, spkac_options },
 #ifndef OPENSSL_NO_SRP
-    { FT_general, "srp", srp_main, srp_options },
+	{FUNC_TYPE_GENERAL,"srp",srp_main},
 #endif
-    { FT_general, "ts", ts_main, ts_options },
+	{FUNC_TYPE_GENERAL,"prime",prime_main},
-    { FT_general, "verify", verify_main, verify_options },
+	{FUNC_TYPE_GENERAL,"ts",ts_main},
    { FT_general, "version", version_main, version_options },
    { FT_general, "x509", x509_main, x509_options },
    { FT_general, "rehash", rehash_main, rehash_options },
    { FT_general, "list", list_main, list_options },
    { FT_general, "help", help_main, help_options },
    { FT_general, "exit", exit_main, exit_options },
 #ifndef OPENSSL_NO_MD2
-    { FT_md, "md2", dgst_main},
+	{FUNC_TYPE_MD,"md2",dgst_main},
 #endif
 #ifndef OPENSSL_NO_MD4
-    { FT_md, "md4", dgst_main},
+	{FUNC_TYPE_MD,"md4",dgst_main},
 #endif
 #ifndef OPENSSL_NO_MD5
-    { FT_md, "md5", dgst_main},
+	{FUNC_TYPE_MD,"md5",dgst_main},
 #endif
-#ifndef OPENSSL_NO_MD_GHOST94
+#ifndef OPENSSL_NO_SHA
-    { FT_md, "md_ghost94", dgst_main},
+	{FUNC_TYPE_MD,"sha",dgst_main},
 #endif
 #ifndef OPENSSL_NO_SHA1
 	{FUNC_TYPE_MD,"sha1",dgst_main},
 #endif
    { FT_md, "sha", dgst_main},
    { FT_md, "sha1", dgst_main},
    { FT_md, "sha224", dgst_main},
    { FT_md, "sha256", dgst_main},
    { FT_md, "sha384", dgst_main},
    { FT_md, "sha512", dgst_main},
 #ifndef OPENSSL_NO_MDC2
-    { FT_md, "mdc2", dgst_main},
+	{FUNC_TYPE_MD,"mdc2",dgst_main},
 #endif
 #ifndef OPENSSL_NO_RMD160
-    { FT_md, "rmd160", dgst_main},
+	{FUNC_TYPE_MD,"rmd160",dgst_main},
 #endif
 #ifndef OPENSSL_NO_AES
-    { FT_cipher, "aes-128-cbc", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"aes-128-cbc",enc_main},
 #endif
 #ifndef OPENSSL_NO_AES
-    { FT_cipher, "aes-128-ecb", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"aes-128-ecb",enc_main},
 #endif
 #ifndef OPENSSL_NO_AES
-    { FT_cipher, "aes-192-cbc", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"aes-192-cbc",enc_main},
 #endif
 #ifndef OPENSSL_NO_AES
-    { FT_cipher, "aes-192-ecb", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"aes-192-ecb",enc_main},
 #endif
 #ifndef OPENSSL_NO_AES
-    { FT_cipher, "aes-256-cbc", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"aes-256-cbc",enc_main},
 #endif
 #ifndef OPENSSL_NO_AES
-    { FT_cipher, "aes-256-ecb", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"aes-256-ecb",enc_main},
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
-    { FT_cipher, "camellia-128-cbc", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"camellia-128-cbc",enc_main},
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
-    { FT_cipher, "camellia-128-ecb", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"camellia-128-ecb",enc_main},
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
-    { FT_cipher, "camellia-192-cbc", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"camellia-192-cbc",enc_main},
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
-    { FT_cipher, "camellia-192-ecb", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"camellia-192-ecb",enc_main},
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
-    { FT_cipher, "camellia-256-cbc", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"camellia-256-cbc",enc_main},
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
-    { FT_cipher, "camellia-256-ecb", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"camellia-256-ecb",enc_main},
 #endif
-    { FT_cipher, "base64", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"base64",enc_main},
 #ifdef ZLIB
-    { FT_cipher, "zlib", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"zlib",enc_main},
 #endif
 #ifndef OPENSSL_NO_DES
-    { FT_cipher, "des", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"des",enc_main},
 #endif
 #ifndef OPENSSL_NO_DES
-    { FT_cipher, "des3", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"des3",enc_main},
 #endif
 #ifndef OPENSSL_NO_DES
-    { FT_cipher, "desx", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"desx",enc_main},
 #endif
 #ifndef OPENSSL_NO_IDEA
-    { FT_cipher, "idea", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"idea",enc_main},
 #endif
 #ifndef OPENSSL_NO_SEED
-    { FT_cipher, "seed", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"seed",enc_main},
 #endif
 #ifndef OPENSSL_NO_RC4
-    { FT_cipher, "rc4", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"rc4",enc_main},
 #endif
 #ifndef OPENSSL_NO_RC4
-    { FT_cipher, "rc4-40", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"rc4-40",enc_main},
 #endif
 #ifndef OPENSSL_NO_RC2
-    { FT_cipher, "rc2", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"rc2",enc_main},
 #endif
 #ifndef OPENSSL_NO_BF
-    { FT_cipher, "bf", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"bf",enc_main},
 #endif
 #ifndef OPENSSL_NO_CAST
-    { FT_cipher, "cast", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"cast",enc_main},
 #endif
 #ifndef OPENSSL_NO_RC5
-    { FT_cipher, "rc5", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"rc5",enc_main},
 #endif
 #ifndef OPENSSL_NO_DES
-    { FT_cipher, "des-ecb", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"des-ecb",enc_main},
 #endif
 #ifndef OPENSSL_NO_DES
-    { FT_cipher, "des-ede", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"des-ede",enc_main},
 #endif
 #ifndef OPENSSL_NO_DES
-    { FT_cipher, "des-ede3", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"des-ede3",enc_main},
 #endif
 #ifndef OPENSSL_NO_DES
-    { FT_cipher, "des-cbc", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"des-cbc",enc_main},
 #endif
 #ifndef OPENSSL_NO_DES
-    { FT_cipher, "des-ede-cbc", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"des-ede-cbc",enc_main},
 #endif
 #ifndef OPENSSL_NO_DES
-    { FT_cipher, "des-ede3-cbc", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"des-ede3-cbc",enc_main},
 #endif
 #ifndef OPENSSL_NO_DES
-    { FT_cipher, "des-cfb", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"des-cfb",enc_main},
 #endif
 #ifndef OPENSSL_NO_DES
-    { FT_cipher, "des-ede-cfb", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"des-ede-cfb",enc_main},
 #endif
 #ifndef OPENSSL_NO_DES
-    { FT_cipher, "des-ede3-cfb", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"des-ede3-cfb",enc_main},
 #endif
 #ifndef OPENSSL_NO_DES
-    { FT_cipher, "des-ofb", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"des-ofb",enc_main},
 #endif
 #ifndef OPENSSL_NO_DES
-    { FT_cipher, "des-ede-ofb", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"des-ede-ofb",enc_main},
 #endif
 #ifndef OPENSSL_NO_DES
-    { FT_cipher, "des-ede3-ofb", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"des-ede3-ofb",enc_main},
 #endif
 #ifndef OPENSSL_NO_IDEA
-    { FT_cipher, "idea-cbc", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"idea-cbc",enc_main},
 #endif
 #ifndef OPENSSL_NO_IDEA
-    { FT_cipher, "idea-ecb", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"idea-ecb",enc_main},
 #endif
 #ifndef OPENSSL_NO_IDEA
-    { FT_cipher, "idea-cfb", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"idea-cfb",enc_main},
 #endif
 #ifndef OPENSSL_NO_IDEA
-    { FT_cipher, "idea-ofb", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"idea-ofb",enc_main},
 #endif
 #ifndef OPENSSL_NO_SEED
-    { FT_cipher, "seed-cbc", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"seed-cbc",enc_main},
 #endif
 #ifndef OPENSSL_NO_SEED
-    { FT_cipher, "seed-ecb", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"seed-ecb",enc_main},
 #endif
 #ifndef OPENSSL_NO_SEED
-    { FT_cipher, "seed-cfb", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"seed-cfb",enc_main},
 #endif
 #ifndef OPENSSL_NO_SEED
-    { FT_cipher, "seed-ofb", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"seed-ofb",enc_main},
 #endif
 #ifndef OPENSSL_NO_RC2
-    { FT_cipher, "rc2-cbc", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"rc2-cbc",enc_main},
 #endif
 #ifndef OPENSSL_NO_RC2
-    { FT_cipher, "rc2-ecb", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"rc2-ecb",enc_main},
 #endif
 #ifndef OPENSSL_NO_RC2
-    { FT_cipher, "rc2-cfb", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"rc2-cfb",enc_main},
 #endif
 #ifndef OPENSSL_NO_RC2
-    { FT_cipher, "rc2-ofb", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"rc2-ofb",enc_main},
 #endif
 #ifndef OPENSSL_NO_RC2
-    { FT_cipher, "rc2-64-cbc", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"rc2-64-cbc",enc_main},
 #endif
 #ifndef OPENSSL_NO_RC2
-    { FT_cipher, "rc2-40-cbc", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"rc2-40-cbc",enc_main},
 #endif
 #ifndef OPENSSL_NO_BF
-    { FT_cipher, "bf-cbc", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"bf-cbc",enc_main},
 #endif
 #ifndef OPENSSL_NO_BF
-    { FT_cipher, "bf-ecb", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"bf-ecb",enc_main},
 #endif
 #ifndef OPENSSL_NO_BF
-    { FT_cipher, "bf-cfb", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"bf-cfb",enc_main},
 #endif
 #ifndef OPENSSL_NO_BF
-    { FT_cipher, "bf-ofb", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"bf-ofb",enc_main},
 #endif
 #ifndef OPENSSL_NO_CAST
-    { FT_cipher, "cast5-cbc", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"cast5-cbc",enc_main},
 #endif
 #ifndef OPENSSL_NO_CAST
-    { FT_cipher, "cast5-ecb", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"cast5-ecb",enc_main},
 #endif
 #ifndef OPENSSL_NO_CAST
-    { FT_cipher, "cast5-cfb", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"cast5-cfb",enc_main},
 #endif
 #ifndef OPENSSL_NO_CAST
-    { FT_cipher, "cast5-ofb", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"cast5-ofb",enc_main},
 #endif
 #ifndef OPENSSL_NO_CAST
-    { FT_cipher, "cast-cbc", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"cast-cbc",enc_main},
 #endif
 #ifndef OPENSSL_NO_RC5
-    { FT_cipher, "rc5-cbc", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"rc5-cbc",enc_main},
 #endif
 #ifndef OPENSSL_NO_RC5
-    { FT_cipher, "rc5-ecb", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"rc5-ecb",enc_main},
 #endif
 #ifndef OPENSSL_NO_RC5
-    { FT_cipher, "rc5-cfb", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"rc5-cfb",enc_main},
 #endif
 #ifndef OPENSSL_NO_RC5
-    { FT_cipher, "rc5-ofb", enc_main, enc_options },
+	{FUNC_TYPE_CIPHER,"rc5-ofb",enc_main},
 #endif
    { 0, NULL, NULL}
 };
 #endif
 	{0,NULL,NULL}
 	};
--- a/apps/progs.pl
+++ b/apps/progs.pl
@@ -1,84 +1,65 @@
 #!/usr/local/bin/perl
-# Generate progs.h file from list of "programs" passed on the command line.
+
 print "/* apps/progs.h */\n";
 print "/* automatically generated by progs.pl for openssl.c */\n\n";
 grep(s/^asn1pars$/asn1parse/,@ARGV);
 foreach (@ARGV)
 	{ printf "extern int %s_main(int argc,char *argv[]);\n",$_; }
 print <<'EOF';
 /*
 * Automatically generated by progs.pl for openssl.c
 * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
 * See the openssl.c for copyright details.
 */
-typedef enum FUNC_TYPE {
+#define FUNC_TYPE_GENERAL	1
-    FT_none, FT_general, FT_md, FT_cipher, FT_pkey,
+#define FUNC_TYPE_MD		2
-    FT_md_alg, FT_cipher_alg
+#define FUNC_TYPE_CIPHER	3
-} FUNC_TYPE;
+#define FUNC_TYPE_PKEY		4
 #define FUNC_TYPE_MD_ALG	5
 #define FUNC_TYPE_CIPHER_ALG	6
-typedef struct function_st {
+typedef struct {
-    FUNC_TYPE type;
+	int type;
-    const char *name;
+	const char *name;
-    int (*func)(int argc,char *argv[]);
+	int (*func)(int argc,char *argv[]);
-    const OPTIONS *help;
+	} FUNCTION;
-} FUNCTION;
+DECLARE_LHASH_OF(FUNCTION);
 DEFINE_LHASH_OF(FUNCTION);
 FUNCTION functions[] = {
 EOF
-grep(s/\.o//, @ARGV);
+foreach (@ARGV)
-grep(s/^asn1pars$/asn1parse/, @ARGV);
+	{
-grep(s/^crl2p7$/crl2pkcs7/, @ARGV);
+	push(@files,$_);
-push @ARGV, 'list';
+	$str="\t{FUNC_TYPE_GENERAL,\"$_\",${_}_main},\n";
-push @ARGV, 'help';
+	if (($_ =~ /^s_/) || ($_ =~ /^ciphers$/))
-push @ARGV, 'exit';
+		{ print "#if !defined(OPENSSL_NO_SOCK) && !(defined(OPENSSL_NO_SSL2) && defined(OPENSSL_NO_SSL3))\n${str}#endif\n"; } 
-
+	elsif ( ($_ =~ /^speed$/))
-foreach (@ARGV) {
+		{ print "#ifndef OPENSSL_NO_SPEED\n${str}#endif\n"; }
-	printf "extern int %s_main(int argc, char *argv[]);\n", $_;
+	elsif ( ($_ =~ /^engine$/))
-}
+		{ print "#ifndef OPENSSL_NO_ENGINE\n${str}#endif\n"; }
-
+	elsif ( ($_ =~ /^rsa$/) || ($_ =~ /^genrsa$/) || ($_ =~ /^rsautl$/)) 
-print "\n";
+		{ print "#ifndef OPENSSL_NO_RSA\n${str}#endif\n";  }
-
+	elsif ( ($_ =~ /^dsa$/) || ($_ =~ /^gendsa$/) || ($_ =~ /^dsaparam$/))
-foreach (@ARGV) {
+		{ print "#ifndef OPENSSL_NO_DSA\n${str}#endif\n"; }
-	printf "extern OPTIONS %s_options[];\n", $_;
+	elsif ( ($_ =~ /^ec$/) || ($_ =~ /^ecparam$/))
-}
+		{ print "#ifndef OPENSSL_NO_EC\n${str}#endif\n";}
-print "\n#ifdef INCLUDE_FUNCTION_TABLE\n";
+	elsif ( ($_ =~ /^dh$/) || ($_ =~ /^gendh$/) || ($_ =~ /^dhparam$/))
-print "static FUNCTION functions[] = {\n";
+		{ print "#ifndef OPENSSL_NO_DH\n${str}#endif\n"; }
-foreach (@ARGV) {
+	elsif ( ($_ =~ /^pkcs12$/))
-	$str="    { FT_general, \"$_\", ${_}_main, ${_}_options },\n";
+		{ print "#if !defined(OPENSSL_NO_DES) && !defined(OPENSSL_NO_SHA1)\n${str}#endif\n"; }
-	if (/^s_/ || /^ciphers$/) {
+	elsif ( ($_ =~ /^cms$/))
-		print "#if !defined(OPENSSL_NO_SOCK)\n${str}#endif\n";
+		{ print "#ifndef OPENSSL_NO_CMS\n${str}#endif\n"; }
-	} elsif (/^engine$/) {
+	elsif ( ($_ =~ /^ocsp$/))
-		print "#ifndef OPENSSL_NO_ENGINE\n${str}#endif\n";
+		{ print "#ifndef OPENSSL_NO_OCSP\n${str}#endif\n"; }
-	} elsif (/^rsa$/ || /^genrsa$/ || /^rsautl$/) {
+	else
-		print "#ifndef OPENSSL_NO_RSA\n${str}#endif\n";
+		{ print $str; }
 	} elsif (/^dsa$/ || /^gendsa$/ || /^dsaparam$/) {
 		print "#ifndef OPENSSL_NO_DSA\n${str}#endif\n";
 	} elsif (/^ec$/ || /^ecparam$/) {
 		print "#ifndef OPENSSL_NO_EC\n${str}#endif\n";
 	} elsif (/^dh$/ || /^gendh$/ || /^dhparam$/) {
 		print "#ifndef OPENSSL_NO_DH\n${str}#endif\n";
 	} elsif (/^pkcs12$/) {
 		print "#if !defined(OPENSSL_NO_DES)\n${str}#endif\n";
 	} elsif (/^cms$/) {
 		print "#ifndef OPENSSL_NO_CMS\n${str}#endif\n";
 	} elsif (/^ocsp$/) {
 		print "#ifndef OPENSSL_NO_OCSP\n${str}#endif\n";
 	} elsif (/^srp$/) {
 		print "#ifndef OPENSSL_NO_SRP\n${str}#endif\n";
 	} else {
 		print $str;
 	}
 }
-foreach (
+foreach ("md2","md4","md5","sha","sha1","mdc2","rmd160")
-	"md2", "md4", "md5",
+	{
-	"md_ghost94",
+	push(@files,$_);
-	"sha", "sha1", "sha224", "sha256", "sha384", "sha512",
+	printf "#ifndef OPENSSL_NO_".uc($_)."\n\t{FUNC_TYPE_MD,\"".$_."\",dgst_main},\n#endif\n";
-	"mdc2", "rmd160"
+	}
 ) {
        printf "#ifndef OPENSSL_NO_".uc($_)."\n" if ! /sha/;
        printf "    { FT_md, \"".$_."\", dgst_main},\n";
        printf "#endif\n" if ! /sha/;
 }
 foreach (
 	"aes-128-cbc", "aes-128-ecb",
@@ -99,35 +80,23 @@ foreach (
 	"rc2-cbc", "rc2-ecb", "rc2-cfb","rc2-ofb", "rc2-64-cbc", "rc2-40-cbc",
 	"bf-cbc",  "bf-ecb",     "bf-cfb",   "bf-ofb",
 	"cast5-cbc","cast5-ecb", "cast5-cfb","cast5-ofb",
-	"cast-cbc", "rc5-cbc",   "rc5-ecb",  "rc5-cfb",  "rc5-ofb"
+	"cast-cbc", "rc5-cbc",   "rc5-ecb",  "rc5-cfb",  "rc5-ofb")
-) {
+	{
-	$str="    { FT_cipher, \"$_\", enc_main, enc_options },\n";
+	push(@files,$_);
 	if (/des/) {
 		printf "#ifndef OPENSSL_NO_DES\n${str}#endif\n";
 	} elsif (/aes/) {
 		printf "#ifndef OPENSSL_NO_AES\n${str}#endif\n";
 	} elsif (/camellia/) {
 		printf "#ifndef OPENSSL_NO_CAMELLIA\n${str}#endif\n";
 	} elsif (/idea/) {
 		printf "#ifndef OPENSSL_NO_IDEA\n${str}#endif\n";
 	} elsif (/seed/) {
 		printf "#ifndef OPENSSL_NO_SEED\n${str}#endif\n";
 	} elsif (/rc4/) {
 		printf "#ifndef OPENSSL_NO_RC4\n${str}#endif\n";
 	} elsif (/rc2/) {
 		printf "#ifndef OPENSSL_NO_RC2\n${str}#endif\n";
 	} elsif (/bf/) {
 		printf "#ifndef OPENSSL_NO_BF\n${str}#endif\n";
 	} elsif (/cast/) {
 		printf "#ifndef OPENSSL_NO_CAST\n${str}#endif\n";
 	} elsif (/rc5/) {
 		printf "#ifndef OPENSSL_NO_RC5\n${str}#endif\n";
 	} elsif (/zlib/) {
 		printf "#ifdef ZLIB\n${str}#endif\n";
 	} else {
 		print $str;
 	}
 }
-print "    { 0, NULL, NULL}\n};\n";
+	$t=sprintf("\t{FUNC_TYPE_CIPHER,\"%s\",enc_main},\n",$_);
-printf "#endif\n";
+	if    ($_ =~ /des/)  { $t="#ifndef OPENSSL_NO_DES\n${t}#endif\n"; }
 	elsif ($_ =~ /aes/)  { $t="#ifndef OPENSSL_NO_AES\n${t}#endif\n"; }
 	elsif ($_ =~ /camellia/)  { $t="#ifndef OPENSSL_NO_CAMELLIA\n${t}#endif\n"; }
 	elsif ($_ =~ /idea/) { $t="#ifndef OPENSSL_NO_IDEA\n${t}#endif\n"; }
 	elsif ($_ =~ /seed/) { $t="#ifndef OPENSSL_NO_SEED\n${t}#endif\n"; }
 	elsif ($_ =~ /rc4/)  { $t="#ifndef OPENSSL_NO_RC4\n${t}#endif\n"; }
 	elsif ($_ =~ /rc2/)  { $t="#ifndef OPENSSL_NO_RC2\n${t}#endif\n"; }
 	elsif ($_ =~ /bf/)   { $t="#ifndef OPENSSL_NO_BF\n${t}#endif\n"; }
 	elsif ($_ =~ /cast/) { $t="#ifndef OPENSSL_NO_CAST\n${t}#endif\n"; }
 	elsif ($_ =~ /rc5/)  { $t="#ifndef OPENSSL_NO_RC5\n${t}#endif\n"; }
 	elsif ($_ =~ /zlib/)  { $t="#ifdef ZLIB\n${t}#endif\n"; }
 	print $t;
 	}
 print "\t{0,NULL,NULL}\n\t};\n";
--- a/apps/rand.c
+++ b/apps/rand.c
@@ -1,3 +1,4 @@
 /* apps/rand.c */
 /* ====================================================================
 * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
 *
@@ -6,7 +7,7 @@
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
+ *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
@@ -62,110 +63,183 @@
 #include <openssl/err.h>
 #include <openssl/rand.h>
-typedef enum OPTION_choice {
+#undef PROG
-    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+#define PROG rand_main
    OPT_OUT, OPT_ENGINE, OPT_RAND, OPT_BASE64, OPT_HEX
 } OPTION_CHOICE;
-OPTIONS rand_options[] = {
+/* -out file         - write to file
-    {OPT_HELP_STR, 1, '-', "Usage: %s [flags] num\n"},
+ * -rand file:file   - PRNG seed files
-    {OPT_HELP_STR, 1, '-', "Valid options are:\n"},
+ * -base64           - base64 encode output
-    {"help", OPT_HELP, '-', "Display this summary"},
+ * -hex              - hex encode output
-    {"out", OPT_OUT, '>', "Output file"},
+ * num               - write 'num' bytes
-    {"rand", OPT_RAND, 's',
+ */
-     "Load the file(s) into the random number generator"},
+
-    {"base64", OPT_BASE64, '-', "Base64 encode output"},
+int MAIN(int, char **);
-    {"hex", OPT_HEX, '-', "Hex encode output"},
+
 int MAIN(int argc, char **argv)
 	{
 	int i, r, ret = 1;
 	int badopt;
 	char *outfile = NULL;
 	char *inrand = NULL;
 	int base64 = 0;
 	int hex = 0;
 	BIO *out = NULL;
 	int num = -1;
 #ifndef OPENSSL_NO_ENGINE
-    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+	char *engine=NULL;
 #endif
    {NULL}
 };
-int rand_main(int argc, char **argv)
+	apps_startup();
 {
    BIO *out = NULL;
    char *inrand = NULL, *outfile = NULL, *prog;
    OPTION_CHOICE o;
    int format = FORMAT_BINARY, i, num = -1, r, ret = 1;
-    prog = opt_init(argc, argv, rand_options);
+	if (bio_err == NULL)
-    while ((o = opt_next()) != OPT_EOF) {
+		if ((bio_err = BIO_new(BIO_s_file())) != NULL)
-        switch (o) {
+			BIO_set_fp(bio_err, stderr, BIO_NOCLOSE|BIO_FP_TEXT);
        case OPT_EOF:
        case OPT_ERR:
 opthelp:
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
        case OPT_HELP:
            opt_help(rand_options);
            ret = 0;
            goto end;
        case OPT_OUT:
            outfile = opt_arg();
            break;
        case OPT_ENGINE:
            (void)setup_engine(opt_arg(), 0);
            break;
        case OPT_RAND:
            inrand = opt_arg();
            break;
        case OPT_BASE64:
            format = FORMAT_BASE64;
            break;
        case OPT_HEX:
            format = FORMAT_TEXT;
            break;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
-    if (argc != 1 || !opt_int(argv[0], &num) || num < 0)
+	if (!load_config(bio_err, NULL))
-        goto opthelp;
+		goto err;
-    app_RAND_load_file(NULL, (inrand != NULL));
+	badopt = 0;
-    if (inrand != NULL)
+	i = 0;
-        BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
+	while (!badopt && argv[++i] != NULL)
-                   app_RAND_load_files(inrand));
+		{
 		if (strcmp(argv[i], "-out") == 0)
 			{
 			if ((argv[i+1] != NULL) && (outfile == NULL))
 				outfile = argv[++i];
 			else
 				badopt = 1;
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(argv[i], "-engine") == 0)
 			{
 			if ((argv[i+1] != NULL) && (engine == NULL))
 				engine = argv[++i];
 			else
 				badopt = 1;
 			}
 #endif
 		else if (strcmp(argv[i], "-rand") == 0)
 			{
 			if ((argv[i+1] != NULL) && (inrand == NULL))
 				inrand = argv[++i];
 			else
 				badopt = 1;
 			}
 		else if (strcmp(argv[i], "-base64") == 0)
 			{
 			if (!base64)
 				base64 = 1;
 			else
 				badopt = 1;
 			}
 		else if (strcmp(argv[i], "-hex") == 0)
 			{
 			if (!hex)
 				hex = 1;
 			else
 				badopt = 1;
 			}
 		else if (isdigit((unsigned char)argv[i][0]))
 			{
 			if (num < 0)
 				{
 				r = sscanf(argv[i], "%d", &num);
 				if (r == 0 || num < 0)
 					badopt = 1;
 				}
 			else
 				badopt = 1;
 			}
 		else
 			badopt = 1;
 		}
-    out = bio_open_default(outfile, 'w', format);
+	if (hex && base64)
-    if (out == NULL)
+		badopt = 1;
        goto end;
-    if (format == FORMAT_BASE64) {
+	if (num < 0)
-        BIO *b64 = BIO_new(BIO_f_base64());
+		badopt = 1;
-        if (b64 == NULL)
+	
-            goto end;
+	if (badopt) 
-        out = BIO_push(b64, out);
+		{
-    }
+		BIO_printf(bio_err, "Usage: rand [options] num\n");
 		BIO_printf(bio_err, "where options are\n");
 		BIO_printf(bio_err, "-out file             - write to file\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err, "-engine e             - use engine e, possibly a hardware device.\n");
 #endif
 		BIO_printf(bio_err, "-rand file%cfile%c... - seed PRNG from files\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
 		BIO_printf(bio_err, "-base64               - base64 encode output\n");
 		BIO_printf(bio_err, "-hex                  - hex encode output\n");
 		goto err;
 		}
-    while (num > 0) {
+#ifndef OPENSSL_NO_ENGINE
-        unsigned char buf[4096];
+        setup_engine(bio_err, engine, 0);
-        int chunk;
+#endif
-        chunk = num;
+	app_RAND_load_file(NULL, bio_err, (inrand != NULL));
-        if (chunk > (int)sizeof(buf))
+	if (inrand != NULL)
-            chunk = sizeof buf;
+		BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
-        r = RAND_bytes(buf, chunk);
+			app_RAND_load_files(inrand));
        if (r <= 0)
            goto end;
        if (format != FORMAT_TEXT) /* hex */
            BIO_write(out, buf, chunk);
        else {
            for (i = 0; i < chunk; i++)
                BIO_printf(out, "%02x", buf[i]);
        }
        num -= chunk;
    }
    if (format == FORMAT_TEXT)
        BIO_puts(out, "\n");
    (void)BIO_flush(out);
-    app_RAND_write_file(NULL);
+	out = BIO_new(BIO_s_file());
-    ret = 0;
+	if (out == NULL)
 		goto err;
 	if (outfile != NULL)
 		r = BIO_write_filename(out, outfile);
 	else
 		{
 		r = BIO_set_fp(out, stdout, BIO_NOCLOSE | BIO_FP_TEXT);
 #ifdef OPENSSL_SYS_VMS
 		{
 		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		out = BIO_push(tmpbio, out);
 		}
 #endif
 		}
 	if (r <= 0)
 		goto err;
- end:
+	if (base64)
-    BIO_free_all(out);
+		{
-    return (ret);
+		BIO *b64 = BIO_new(BIO_f_base64());
-}
+		if (b64 == NULL)
 			goto err;
 		out = BIO_push(b64, out);
 		}
 	while (num > 0) 
 		{
 		unsigned char buf[4096];
 		int chunk;
 		chunk = num;
 		if (chunk > (int)sizeof(buf))
 			chunk = sizeof buf;
 		r = RAND_bytes(buf, chunk);
 		if (r <= 0)
 			goto err;
 		if (!hex) 
 			BIO_write(out, buf, chunk);
 		else
 			{
 			for (i = 0; i < chunk; i++)
 				BIO_printf(out, "%02x", buf[i]);
 			}
 		num -= chunk;
 		}
 	if (hex)
 		BIO_puts(out, "\n");
 	(void)BIO_flush(out);
 	app_RAND_write_file(NULL, bio_err);
 	ret = 0;
 err:
 	ERR_print_errors(bio_err);
 	if (out)
 		BIO_free_all(out);
 	apps_shutdown();
 	OPENSSL_EXIT(ret);
 	}
--- a/apps/rehash.c
+++ b/apps/rehash.c
@@ -1,494 +0,0 @@
 /*
 * C implementation based on the original Perl and shell versions
 *
 * Copyright (c) 2013-2014 Timo Teräs <timo.teras@iki.fi>
 */
 /* ====================================================================
 * Copyright (c) 2015 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 *
 * This product includes cryptographic software written by Eric Young
 * (eay@cryptsoft.com).  This product includes software written by Tim
 * Hudson (tjh@cryptsoft.com).
 *
 */
 #include "apps.h"
 #if defined(OPENSSL_SYS_UNIX) || defined(__APPLE__)
 # include <unistd.h>
 # include <stdio.h>
 # include <limits.h>
 # include <errno.h>
 # include <string.h>
 # include <ctype.h>
 # include <sys/stat.h>
 # include "internal/o_dir.h"
 # include <openssl/evp.h>
 # include <openssl/pem.h>
 # include <openssl/x509.h>
 # ifndef NAME_MAX
 #  define NAME_MAX 255
 # endif
 # define MAX_COLLISIONS  256
 typedef struct hentry_st {
    struct hentry_st *next;
    char *filename;
    unsigned short old_id;
    unsigned char need_symlink;
    unsigned char digest[EVP_MAX_MD_SIZE];
 } HENTRY;
 typedef struct bucket_st {
    struct bucket_st *next;
    HENTRY *first_entry, *last_entry;
    unsigned int hash;
    unsigned short type;
    unsigned short num_needed;
 } BUCKET;
 enum Type {
    /* Keep in sync with |suffixes|, below. */
    TYPE_CERT=0, TYPE_CRL=1
 };
 enum Hash {
    HASH_OLD, HASH_NEW, HASH_BOTH
 };
 static int evpmdsize;
 static const EVP_MD *evpmd;
 static int remove_links = 1;
 static int verbose = 0;
 static BUCKET *hash_table[257];
 static const char *suffixes[] = { "", "r" };
 static const char *extensions[] = { "pem", "crt", "cer", "crl" };
 static void bit_set(unsigned char *set, unsigned int bit)
 {
    set[bit >> 3] |= 1 << (bit & 0x7);
 }
 static int bit_isset(unsigned char *set, unsigned int bit)
 {
    return set[bit >> 3] & (1 << (bit & 0x7));
 }
 /*
 * Process an entry; return number of errors.
 */
 static int add_entry(enum Type type, unsigned int hash, const char *filename,
                      const unsigned char *digest, int need_symlink,
                      unsigned short old_id)
 {
    static BUCKET nilbucket;
    static HENTRY nilhentry;
    BUCKET *bp;
    HENTRY *ep, *found = NULL;
    unsigned int ndx = (type + hash) % OSSL_NELEM(hash_table);
    for (bp = hash_table[ndx]; bp; bp = bp->next)
        if (bp->type == type && bp->hash == hash)
            break;
    if (bp == NULL) {
        bp = app_malloc(sizeof(*bp), "hash bucket");
        *bp = nilbucket;
        bp->next = hash_table[ndx];
        bp->type = type;
        bp->hash = hash;
        hash_table[ndx] = bp;
    }
    for (ep = bp->first_entry; ep; ep = ep->next) {
        if (digest && memcmp(digest, ep->digest, evpmdsize) == 0) {
            BIO_printf(bio_err,
                       "%s: skipping duplicate certificate in %s\n",
                       opt_getprog(), filename);
            return 1;
        }
        if (strcmp(filename, ep->filename) == 0) {
            found = ep;
            if (digest == NULL)
                break;
        }
    }
    ep = found;
    if (ep == NULL) {
        if (bp->num_needed >= MAX_COLLISIONS) {
            BIO_printf(bio_err,
                       "%s: hash table overflow for %s\n",
                       opt_getprog(), filename);
            return 1;
        }
        ep = app_malloc(sizeof(*ep), "collision bucket");
        *ep = nilhentry;
        ep->old_id = ~0;
        ep->filename = OPENSSL_strdup(filename);
        if (bp->last_entry)
            bp->last_entry->next = ep;
        if (bp->first_entry == NULL)
            bp->first_entry = ep;
        bp->last_entry = ep;
    }
    if (old_id < ep->old_id)
        ep->old_id = old_id;
    if (need_symlink && !ep->need_symlink) {
        ep->need_symlink = 1;
        bp->num_needed++;
        memcpy(ep->digest, digest, evpmdsize);
    }
    return 0;
 }
 /*
 * Check if a symlink goes to the right spot; return 0 if okay.
 * This can be -1 if bad filename, or an error count.
 */
 static int handle_symlink(const char *filename, const char *fullpath)
 {
    unsigned int hash = 0;
    int i, type, id;
    unsigned char ch;
    char linktarget[PATH_MAX], *endptr;
    ssize_t n;
    for (i = 0; i < 8; i++) {
        ch = filename[i];
        if (!isxdigit(ch))
            return -1;
        hash <<= 4;
        hash += app_hex(ch);
    }
    if (filename[i++] != '.')
        return -1;
    for (type = OSSL_NELEM(suffixes) - 1; type > 0; type--)
        if (strcasecmp(suffixes[type], &filename[i]) == 0)
            break;
    i += strlen(suffixes[type]);
    id = strtoul(&filename[i], &endptr, 10);
    if (*endptr != '\0')
        return -1;
    n = readlink(fullpath, linktarget, sizeof(linktarget));
    if (n < 0 || n >= (int)sizeof(linktarget))
        return -1;
    linktarget[n] = 0;
    return add_entry(type, hash, linktarget, NULL, 0, id);
 }
 /*
 * process a file, return number of errors.
 */
 static int do_file(const char *filename, const char *fullpath, enum Hash h)
 {
    STACK_OF (X509_INFO) *inf = NULL;
    X509_INFO *x;
    X509_NAME *name = NULL;
    BIO *b;
    const char *ext;
    unsigned char digest[EVP_MAX_MD_SIZE];
    int type, errs = 0;
    size_t i;
    /* Does it end with a recognized extension? */
    if ((ext = strrchr(filename, '.')) == NULL)
        goto end;
    for (i = 0; i < OSSL_NELEM(extensions); i++) {
        if (strcasecmp(extensions[i], ext + 1) == 0)
            break;
    }
    if (i >= OSSL_NELEM(extensions))
        goto end;
    /* Does it have X.509 data in it? */
    if ((b = BIO_new_file(fullpath, "r")) == NULL) {
        BIO_printf(bio_err, "%s: skipping %s, cannot open file\n",
                   opt_getprog(), filename);
        errs++;
        goto end;
    }
    inf = PEM_X509_INFO_read_bio(b, NULL, NULL, NULL);
    BIO_free(b);
    if (inf == NULL)
        goto end;
    if (sk_X509_INFO_num(inf) != 1) {
        BIO_printf(bio_err,
                   "%s: skipping %s,"
                   "it does not contain exactly one certificate or CRL\n",
                   opt_getprog(), filename);
        /* This is not an error. */
        goto end;
    }
    x = sk_X509_INFO_value(inf, 0);
    if (x->x509) {
        type = TYPE_CERT;
        name = X509_get_subject_name(x->x509);
        X509_digest(x->x509, evpmd, digest, NULL);
    } else if (x->crl) {
        type = TYPE_CRL;
        name = X509_CRL_get_issuer(x->crl);
        X509_CRL_digest(x->crl, evpmd, digest, NULL);
    } else {
        ++errs;
        goto end;
    }
    if (name) {
        if ((h == HASH_NEW) || (h == HASH_BOTH))
            errs += add_entry(type, X509_NAME_hash(name), filename, digest, 1, ~0);
        if ((h == HASH_OLD) || (h == HASH_BOTH))
            errs += add_entry(type, X509_NAME_hash_old(name), filename, digest, 1, ~0);
    }
 end:
    sk_X509_INFO_pop_free(inf, X509_INFO_free);
    return errs;
 }
 /*
 * Process a directory; return number of errors found.
 */
 static int do_dir(const char *dirname, enum Hash h)
 {
    BUCKET *bp, *nextbp;
    HENTRY *ep, *nextep;
    OPENSSL_DIR_CTX *d = NULL;
    struct stat st;
    unsigned char idmask[MAX_COLLISIONS / 8];
    int n, nextid, buflen, errs = 0;
    size_t i;
    const char *pathsep;
    const char *filename;
    char *buf;
    if (app_access(dirname, W_OK) < 0) {
        BIO_printf(bio_err, "Skipping %s, can't write\n", dirname);
        return 1;
    }
    buflen = strlen(dirname);
    pathsep = (buflen && dirname[buflen - 1] == '/') ? "" : "/";
    buflen += NAME_MAX + 1 + 1;
    buf = app_malloc(buflen, "filename buffer");
    if (verbose)
        BIO_printf(bio_out, "Doing %s\n", dirname);
    while ((filename = OPENSSL_DIR_read(&d, dirname)) != NULL) {
        if (snprintf(buf, buflen, "%s%s%s",
                    dirname, pathsep, filename) >= buflen)
            continue;
        if (lstat(buf, &st) < 0)
            continue;
        if (S_ISLNK(st.st_mode) && handle_symlink(filename, buf) == 0)
            continue;
        errs += do_file(filename, buf, h);
    }
    OPENSSL_DIR_end(&d);
    for (i = 0; i < OSSL_NELEM(hash_table); i++) {
        for (bp = hash_table[i]; bp; bp = nextbp) {
            nextbp = bp->next;
            nextid = 0;
            memset(idmask, 0, (bp->num_needed + 7) / 8);
            for (ep = bp->first_entry; ep; ep = ep->next)
                if (ep->old_id < bp->num_needed)
                    bit_set(idmask, ep->old_id);
            for (ep = bp->first_entry; ep; ep = nextep) {
                nextep = ep->next;
                if (ep->old_id < bp->num_needed) {
                    /* Link exists, and is used as-is */
                    snprintf(buf, buflen, "%08x.%s%d", bp->hash,
                             suffixes[bp->type], ep->old_id);
                    if (verbose)
                        BIO_printf(bio_out, "link %s -> %s\n",
                                   ep->filename, buf);
                } else if (ep->need_symlink) {
                    /* New link needed (it may replace something) */
                    while (bit_isset(idmask, nextid))
                        nextid++;
                    snprintf(buf, buflen, "%s%s%n%08x.%s%d",
                             dirname, pathsep, &n, bp->hash,
                             suffixes[bp->type], nextid);
                    if (verbose)
                        BIO_printf(bio_out, "link %s -> %s\n",
                                   ep->filename, &buf[n]);
                    if (unlink(buf) < 0 && errno != ENOENT) {
                        BIO_printf(bio_err,
                                   "%s: Can't unlink %s, %s\n",
                                   opt_getprog(), buf, strerror(errno));
                        errs++;
                    }
                    if (symlink(ep->filename, buf) < 0) {
                        BIO_printf(bio_err,
                                   "%s: Can't symlink %s, %s\n",
                                   opt_getprog(), ep->filename,
                                   strerror(errno));
                        errs++;
                    }
                } else if (remove_links) {
                    /* Link to be deleted */
                    snprintf(buf, buflen, "%s%s%n%08x.%s%d",
                             dirname, pathsep, &n, bp->hash,
                             suffixes[bp->type], ep->old_id);
                    if (verbose)
                        BIO_printf(bio_out, "unlink %s\n",
                                   &buf[n]);
                    if (unlink(buf) < 0 && errno != ENOENT) {
                        BIO_printf(bio_err,
                                   "%s: Can't unlink %s, %s\n",
                                   opt_getprog(), buf, strerror(errno));
                        errs++;
                    }
                }
                OPENSSL_free(ep->filename);
                OPENSSL_free(ep);
            }
            OPENSSL_free(bp);
        }
        hash_table[i] = NULL;
    }
    OPENSSL_free(buf);
    return errs;
 }
 typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_COMPAT, OPT_OLD, OPT_N, OPT_VERBOSE
 } OPTION_CHOICE;
 OPTIONS rehash_options[] = {
    {OPT_HELP_STR, 1, '-', "Usage: %s [options] [cert-directory...]\n"},
    {OPT_HELP_STR, 1, '-', "Valid options are:\n"},
    {"help", OPT_HELP, '-', "Display this summary"},
    {"compat", OPT_COMPAT, '-', "Create both new- and old-style hash links"},
    {"old", OPT_OLD, '-', "Use old-style hash to generate links"},
    {"n", OPT_N, '-', "Do not remove existing links"},
    {"v", OPT_VERBOSE, '-', "Verbose output"},
    {NULL}
 };
 int rehash_main(int argc, char **argv)
 {
    const char *env, *prog;
    char *e, *m;
    int errs = 0;
    OPTION_CHOICE o;
    enum Hash h = HASH_NEW;
    prog = opt_init(argc, argv, rehash_options);
    while ((o = opt_next()) != OPT_EOF) {
        switch (o) {
        case OPT_EOF:
        case OPT_ERR:
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
        case OPT_HELP:
            opt_help(rehash_options);
            goto end;
        case OPT_COMPAT:
            h = HASH_BOTH;
            break;
        case OPT_OLD:
            h = HASH_OLD;
            break;
        case OPT_N:
            remove_links = 0;
            break;
        case OPT_VERBOSE:
            verbose = 1;
            break;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
    evpmd = EVP_sha1();
    evpmdsize = EVP_MD_size(evpmd);
    if (*argv) {
        while (*argv)
            errs += do_dir(*argv++, h);
    } else if ((env = getenv("SSL_CERT_DIR")) != NULL) {
        m = OPENSSL_strdup(env);
        for (e = strtok(m, ":"); e != NULL; e = strtok(NULL, ":"))
            errs += do_dir(e, h);
        OPENSSL_free(m);
    } else {
        errs += do_dir("/etc/ssl/certs", h);
    }
 end:
    return errs;
 }
 #else
 OPTIONS rehash_options[] = {
    {NULL}
 };
 int rehash_main(int argc, char **argv)
 {
    BIO_printf(bio_err, "Not available; use c_rehash script\n");
    return (1);
 }
 #endif /* defined(OPENSSL_SYS_UNIX) || defined(__APPLE__) */
--- a/apps/req.c
+++ b/apps/req.c
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -1,24 +1,25 @@
 /* apps/rsa.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
- *
+ * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
- *
+ * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@@ -33,10 +34,10 @@
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -48,358 +49,402 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
+ * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
 * [including the GNU Public Licence.]
 */
 /* ====================================================================
 * Copyright (c) 1999-2015 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
 *    the documentation and/or other materials provided with the
 *    distribution.
 *
 * 3. All advertising materials mentioning features or use of this
 *    software must display the following acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
 *
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
 *    endorse or promote products derived from this software without
 *    prior written permission. For written permission, please contact
 *    licensing@OpenSSL.org.
 *
 * 5. Products derived from this software may not be called "OpenSSL"
 *    nor may "OpenSSL" appear in their names without prior written
 *    permission of the OpenSSL Project.
 *
 * 6. Redistributions of any form whatsoever must retain the following
 *    acknowledgment:
 *    "This product includes software developed by the OpenSSL Project
 *    for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
 *
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
 * OF THE POSSIBILITY OF SUCH DAMAGE.
 * ====================================================================
 */
 #include <openssl/opensslconf.h>
 #ifndef OPENSSL_NO_RSA
-# include <stdio.h>
+#include <stdio.h>
-# include <stdlib.h>
+#include <stdlib.h>
-# include <string.h>
+#include <string.h>
-# include <time.h>
+#include <time.h>
-# include "apps.h"
+#include "apps.h"
-# include <openssl/bio.h>
+#include <openssl/bio.h>
-# include <openssl/err.h>
+#include <openssl/err.h>
-# include <openssl/rsa.h>
+#include <openssl/rsa.h>
-# include <openssl/evp.h>
+#include <openssl/evp.h>
-# include <openssl/x509.h>
+#include <openssl/x509.h>
-# include <openssl/pem.h>
+#include <openssl/pem.h>
-# include <openssl/bn.h>
+#include <openssl/bn.h>
-typedef enum OPTION_choice {
+#undef PROG
-    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+#define PROG	rsa_main
    OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT,
    OPT_PUBIN, OPT_PUBOUT, OPT_PASSOUT, OPT_PASSIN,
    OPT_RSAPUBKEY_IN, OPT_RSAPUBKEY_OUT, OPT_PVK_STRONG, OPT_PVK_WEAK,
    OPT_PVK_NONE, OPT_NOOUT, OPT_TEXT, OPT_MODULUS, OPT_CHECK, OPT_CIPHER
 } OPTION_CHOICE;
-OPTIONS rsa_options[] = {
+/* -inform arg	- input format - default PEM (one of DER, NET or PEM)
-    {"help", OPT_HELP, '-', "Display this summary"},
+ * -outform arg - output format - default PEM
-    {"inform", OPT_INFORM, 'f', "Input format, one of DER NET PEM"},
+ * -in arg	- input file - default stdin
-    {"outform", OPT_OUTFORM, 'f', "Output format, one of DER NET PEM PVK"},
+ * -out arg	- output file - default stdout
-    {"in", OPT_IN, '<', "Input file"},
+ * -des		- encrypt output if PEM format with DES in cbc mode
-    {"out", OPT_OUT, '>', "Output file"},
+ * -des3	- encrypt output if PEM format
-    {"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
+ * -idea	- encrypt output if PEM format
-    {"pubout", OPT_PUBOUT, '-', "Output a public key"},
+ * -seed	- encrypt output if PEM format
-    {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
+ * -aes128	- encrypt output if PEM format
-    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
+ * -aes192	- encrypt output if PEM format
-    {"RSAPublicKey_in", OPT_RSAPUBKEY_IN, '-', "Input is an RSAPublicKey"},
+ * -aes256	- encrypt output if PEM format
-    {"RSAPublicKey_out", OPT_RSAPUBKEY_OUT, '-', "Output is an RSAPublicKey"},
+ * -camellia128 - encrypt output if PEM format
-    {"noout", OPT_NOOUT, '-', "Don't print key out"},
+ * -camellia192 - encrypt output if PEM format
-    {"text", OPT_TEXT, '-', "Print the key in text"},
+ * -camellia256 - encrypt output if PEM format
-    {"modulus", OPT_MODULUS, '-', "Print the RSA key modulus"},
+ * -text	- print a text version
-    {"check", OPT_CHECK, '-', "Verify key consistency"},
+ * -modulus	- print the RSA key modulus
-    {"", OPT_CIPHER, '-', "Any supported cipher"},
+ * -check	- verify key consistency
-# ifdef OPENSSL_NO_RC4
+ * -pubin	- Expect a public key in input file.
-    {"pvk-strong", OPT_PVK_STRONG, '-'},
+ * -pubout	- Output a public key.
-    {"pvk-weak", OPT_PVK_WEAK, '-'},
+ */
    {"pvk-none", OPT_PVK_NONE, '-'},
 # endif
 # ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 # endif
    {NULL}
 };
-int rsa_main(int argc, char **argv)
+int MAIN(int, char **);
 {
    ENGINE *e = NULL;
    BIO *out = NULL;
    RSA *rsa = NULL;
    const EVP_CIPHER *enc = NULL;
    char *infile = NULL, *outfile = NULL, *prog;
    char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
    int i, private = 0;
    int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, check = 0;
    int noout = 0, modulus = 0, pubin = 0, pubout = 0, pvk_encr = 2, ret = 1;
    OPTION_CHOICE o;
-    prog = opt_init(argc, argv, rsa_options);
+int MAIN(int argc, char **argv)
-    while ((o = opt_next()) != OPT_EOF) {
+	{
-        switch (o) {
+	ENGINE *e = NULL;
-        case OPT_EOF:
+	int ret=1;
-        case OPT_ERR:
+	RSA *rsa=NULL;
- opthelp:
+	int i,badops=0, sgckey=0;
-            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+	const EVP_CIPHER *enc=NULL;
-            goto end;
+	BIO *out=NULL;
-        case OPT_HELP:
+	int informat,outformat,text=0,check=0,noout=0;
-            opt_help(rsa_options);
+	int pubin = 0, pubout = 0;
-            ret = 0;
+	char *infile,*outfile,*prog;
-            goto end;
+	char *passargin = NULL, *passargout = NULL;
-        case OPT_INFORM:
+	char *passin = NULL, *passout = NULL;
-            if (!opt_format(opt_arg(), OPT_FMT_ANY, &informat))
+#ifndef OPENSSL_NO_ENGINE
-                goto opthelp;
+	char *engine=NULL;
            break;
        case OPT_IN:
            infile = opt_arg();
            break;
        case OPT_OUTFORM:
            if (!opt_format(opt_arg(), OPT_FMT_ANY, &outformat))
                goto opthelp;
            break;
        case OPT_OUT:
            outfile = opt_arg();
            break;
        case OPT_PASSIN:
            passinarg = opt_arg();
            break;
        case OPT_PASSOUT:
            passoutarg = opt_arg();
            break;
        case OPT_ENGINE:
            e = setup_engine(opt_arg(), 0);
            break;
        case OPT_PUBIN:
            pubin = 1;
            break;
        case OPT_PUBOUT:
            pubout = 1;
            break;
        case OPT_RSAPUBKEY_IN:
            pubin = 2;
            break;
        case OPT_RSAPUBKEY_OUT:
            pubout = 2;
            break;
 #ifndef OPENSSL_NO_RC4
        case OPT_PVK_STRONG:
            pvk_encr = 2;
            break;
        case OPT_PVK_WEAK:
            pvk_encr = 1;
            break;
        case OPT_PVK_NONE:
            pvk_encr = 0;
            break;
 #else
        case OPT_PVK_STRONG:
        case OPT_PVK_WEAK:
        case OPT_PVK_NONE:
            break;
 #endif
-        case OPT_NOOUT:
+	int modulus=0;
            noout = 1;
            break;
        case OPT_TEXT:
            text = 1;
            break;
        case OPT_MODULUS:
            modulus = 1;
            break;
        case OPT_CHECK:
            check = 1;
            break;
        case OPT_CIPHER:
            if (!opt_cipher(opt_unknown(), &enc))
                goto opthelp;
            break;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
    private = (text && !pubin) || (!pubout && !noout) ? 1 : 0;
-    if (!app_passwd(passinarg, passoutarg, &passin, &passout)) {
+	int pvk_encr = 2;
        BIO_printf(bio_err, "Error getting passwords\n");
        goto end;
    }
    if (check && pubin) {
        BIO_printf(bio_err, "Only private keys can be checked\n");
        goto end;
    }
-    {
+	apps_startup();
        EVP_PKEY *pkey;
-        if (pubin) {
+	if (bio_err == NULL)
-            int tmpformat = -1;
+		if ((bio_err=BIO_new(BIO_s_file())) != NULL)
-            if (pubin == 2) {
+			BIO_set_fp(bio_err,stderr,BIO_NOCLOSE|BIO_FP_TEXT);
                if (informat == FORMAT_PEM)
                    tmpformat = FORMAT_PEMRSA;
                else if (informat == FORMAT_ASN1)
                    tmpformat = FORMAT_ASN1RSA;
            } else
                tmpformat = informat;
-            pkey = load_pubkey(infile, tmpformat, 1, passin, e, "Public Key");
+	if (!load_config(bio_err, NULL))
-        } else
+		goto end;
            pkey = load_key(infile, informat, 1, passin, e, "Private Key");
-        if (pkey != NULL)
+	infile=NULL;
-            rsa = EVP_PKEY_get1_RSA(pkey);
+	outfile=NULL;
-        EVP_PKEY_free(pkey);
+	informat=FORMAT_PEM;
-    }
+	outformat=FORMAT_PEM;
-    if (rsa == NULL) {
+	prog=argv[0];
-        ERR_print_errors(bio_err);
+	argc--;
-        goto end;
+	argv++;
-    }
+	while (argc >= 1)
 		{
 		if 	(strcmp(*argv,"-inform") == 0)
 			{
 			if (--argc < 1) goto bad;
 			informat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-outform") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outformat=str2fmt(*(++argv));
 			}
 		else if (strcmp(*argv,"-in") == 0)
 			{
 			if (--argc < 1) goto bad;
 			infile= *(++argv);
 			}
 		else if (strcmp(*argv,"-out") == 0)
 			{
 			if (--argc < 1) goto bad;
 			outfile= *(++argv);
 			}
 		else if (strcmp(*argv,"-passin") == 0)
 			{
 			if (--argc < 1) goto bad;
 			passargin= *(++argv);
 			}
 		else if (strcmp(*argv,"-passout") == 0)
 			{
 			if (--argc < 1) goto bad;
 			passargout= *(++argv);
 			}
 #ifndef OPENSSL_NO_ENGINE
 		else if (strcmp(*argv,"-engine") == 0)
 			{
 			if (--argc < 1) goto bad;
 			engine= *(++argv);
 			}
 #endif
 		else if (strcmp(*argv,"-sgckey") == 0)
 			sgckey=1;
 		else if (strcmp(*argv,"-pubin") == 0)
 			pubin=1;
 		else if (strcmp(*argv,"-pubout") == 0)
 			pubout=1;
 		else if (strcmp(*argv,"-RSAPublicKey_in") == 0)
 			pubin = 2;
 		else if (strcmp(*argv,"-RSAPublicKey_out") == 0)
 			pubout = 2;
 		else if (strcmp(*argv,"-pvk-strong") == 0)
 			pvk_encr=2;
 		else if (strcmp(*argv,"-pvk-weak") == 0)
 			pvk_encr=1;
 		else if (strcmp(*argv,"-pvk-none") == 0)
 			pvk_encr=0;
 		else if (strcmp(*argv,"-noout") == 0)
 			noout=1;
 		else if (strcmp(*argv,"-text") == 0)
 			text=1;
 		else if (strcmp(*argv,"-modulus") == 0)
 			modulus=1;
 		else if (strcmp(*argv,"-check") == 0)
 			check=1;
 		else if ((enc=EVP_get_cipherbyname(&(argv[0][1]))) == NULL)
 			{
 			BIO_printf(bio_err,"unknown option %s\n",*argv);
 			badops=1;
 			break;
 			}
 		argc--;
 		argv++;
 		}
-    out = bio_open_owner(outfile, outformat, private);
+	if (badops)
-    if (out == NULL)
+		{
-        goto end;
+bad:
 		BIO_printf(bio_err,"%s [options] <infile >outfile\n",prog);
 		BIO_printf(bio_err,"where options are\n");
 		BIO_printf(bio_err," -inform arg     input format - one of DER NET PEM\n");
 		BIO_printf(bio_err," -outform arg    output format - one of DER NET PEM\n");
 		BIO_printf(bio_err," -in arg         input file\n");
 		BIO_printf(bio_err," -sgckey         Use IIS SGC key format\n");
 		BIO_printf(bio_err," -passin arg     input file pass phrase source\n");
 		BIO_printf(bio_err," -out arg        output file\n");
 		BIO_printf(bio_err," -passout arg    output file pass phrase source\n");
 		BIO_printf(bio_err," -des            encrypt PEM output with cbc des\n");
 		BIO_printf(bio_err," -des3           encrypt PEM output with ede cbc des using 168 bit key\n");
 #ifndef OPENSSL_NO_IDEA
 		BIO_printf(bio_err," -idea           encrypt PEM output with cbc idea\n");
 #endif
 #ifndef OPENSSL_NO_SEED
 		BIO_printf(bio_err," -seed           encrypt PEM output with cbc seed\n");
 #endif
 #ifndef OPENSSL_NO_AES
 		BIO_printf(bio_err," -aes128, -aes192, -aes256\n");
 		BIO_printf(bio_err,"                 encrypt PEM output with cbc aes\n");
 #endif
 #ifndef OPENSSL_NO_CAMELLIA
 		BIO_printf(bio_err," -camellia128, -camellia192, -camellia256\n");
 		BIO_printf(bio_err,"                 encrypt PEM output with cbc camellia\n");
 #endif
 		BIO_printf(bio_err," -text           print the key in text\n");
 		BIO_printf(bio_err," -noout          don't print key out\n");
 		BIO_printf(bio_err," -modulus        print the RSA key modulus\n");
 		BIO_printf(bio_err," -check          verify key consistency\n");
 		BIO_printf(bio_err," -pubin          expect a public key in input file\n");
 		BIO_printf(bio_err," -pubout         output a public key\n");
 #ifndef OPENSSL_NO_ENGINE
 		BIO_printf(bio_err," -engine e       use engine e, possibly a hardware device.\n");
 #endif
 		goto end;
 		}
-    if (text) {
+	ERR_load_crypto_strings();
        assert(pubin || private);
        if (!RSA_print(out, rsa, 0)) {
            perror(outfile);
            ERR_print_errors(bio_err);
            goto end;
        }
    }
-    if (modulus) {
+#ifndef OPENSSL_NO_ENGINE
-        BIO_printf(out, "Modulus=");
+        e = setup_engine(bio_err, engine, 0);
-        BN_print(out, rsa->n);
+#endif
        BIO_printf(out, "\n");
    }
-    if (check) {
+	if(!app_passwd(bio_err, passargin, passargout, &passin, &passout)) {
-        int r = RSA_check_key(rsa);
+		BIO_printf(bio_err, "Error getting passwords\n");
 		goto end;
 	}
-        if (r == 1)
+	if(check && pubin) {
-            BIO_printf(out, "RSA key ok\n");
+		BIO_printf(bio_err, "Only private keys can be checked\n");
-        else if (r == 0) {
+		goto end;
-            unsigned long err;
+	}
-            while ((err = ERR_peek_error()) != 0 &&
+	out=BIO_new(BIO_s_file());
                   ERR_GET_LIB(err) == ERR_LIB_RSA &&
                   ERR_GET_FUNC(err) == RSA_F_RSA_CHECK_KEY &&
                   ERR_GET_REASON(err) != ERR_R_MALLOC_FAILURE) {
                BIO_printf(out, "RSA key error: %s\n",
                           ERR_reason_error_string(err));
                ERR_get_error(); /* remove e from error stack */
            }
        }
-        /* should happen only if r == -1 */
+	{
-        if (r == -1 || ERR_peek_error() != 0) {
+		EVP_PKEY	*pkey;
            ERR_print_errors(bio_err);
            goto end;
        }
    }
-    if (noout) {
+		if (pubin)
-        ret = 0;
+			{
-        goto end;
+			int tmpformat=-1;
-    }
+			if (pubin == 2)
-    BIO_printf(bio_err, "writing RSA key\n");
+				{
-    if (outformat == FORMAT_ASN1) {
+				if (informat == FORMAT_PEM)
-        if (pubout || pubin) {
+					tmpformat = FORMAT_PEMRSA;
-            if (pubout == 2)
+				else if (informat == FORMAT_ASN1)
-                i = i2d_RSAPublicKey_bio(out, rsa);
+					tmpformat = FORMAT_ASN1RSA;
-            else
+				}
-                i = i2d_RSA_PUBKEY_bio(out, rsa);
+			else if (informat == FORMAT_NETSCAPE && sgckey)
-        } else {
+				tmpformat = FORMAT_IISSGC;
-            assert(private);
+			else
-            i = i2d_RSAPrivateKey_bio(out, rsa);
+				tmpformat = informat;
-        }
+					
-    }
+			pkey = load_pubkey(bio_err, infile, tmpformat, 1,
-    else if (outformat == FORMAT_PEM) {
+				passin, e, "Public Key");
-        if (pubout || pubin) {
+			}
-            if (pubout == 2)
+		else
-                i = PEM_write_bio_RSAPublicKey(out, rsa);
+			pkey = load_key(bio_err, infile,
-            else
+				(informat == FORMAT_NETSCAPE && sgckey ?
-                i = PEM_write_bio_RSA_PUBKEY(out, rsa);
+					FORMAT_IISSGC : informat), 1,
-        } else {
+				passin, e, "Private Key");
-            assert(private);
+
-            i = PEM_write_bio_RSAPrivateKey(out, rsa,
+		if (pkey != NULL)
-                                            enc, NULL, 0, NULL, passout);
+			rsa = EVP_PKEY_get1_RSA(pkey);
-        }
+		EVP_PKEY_free(pkey);
-# if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
+	}
-    } else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
+
-        EVP_PKEY *pk;
+	if (rsa == NULL)
-        pk = EVP_PKEY_new();
+		{
-        EVP_PKEY_set1_RSA(pk, rsa);
+		ERR_print_errors(bio_err);
-        if (outformat == FORMAT_PVK) {
+		goto end;
-            if (pubin) {
+		}
-                BIO_printf(bio_err, "PVK form impossible with public key input\n");
+
-                EVP_PKEY_free(pk);
+	if (outfile == NULL)
-                goto end;
+		{
-            }
+		BIO_set_fp(out,stdout,BIO_NOCLOSE);
-            assert(private);
+#ifdef OPENSSL_SYS_VMS
-            i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);
+		{
-        } else if (pubin || pubout) {
+		BIO *tmpbio = BIO_new(BIO_f_linebuffer());
-            i = i2b_PublicKey_bio(out, pk);
+		out = BIO_push(tmpbio, out);
-        } else {
+		}
-            assert(private);
+#endif
-            i = i2b_PrivateKey_bio(out, pk);
+		}
-        }
+	else
-        EVP_PKEY_free(pk);
+		{
-# endif
+		if (BIO_write_filename(out,outfile) <= 0)
-    } else {
+			{
-        BIO_printf(bio_err, "bad output format specified for outfile\n");
+			perror(outfile);
-        goto end;
+			goto end;
-    }
+			}
-    if (i <= 0) {
+		}
-        BIO_printf(bio_err, "unable to write key\n");
+
-        ERR_print_errors(bio_err);
+	if (text) 
-    } else
+		if (!RSA_print(out,rsa,0))
-        ret = 0;
+			{
- end:
+			perror(outfile);
-    BIO_free_all(out);
+			ERR_print_errors(bio_err);
-    RSA_free(rsa);
+			goto end;
-    OPENSSL_free(passin);
+			}
-    OPENSSL_free(passout);
+
-    return (ret);
+	if (modulus)
-}
+		{
-#else                           /* !OPENSSL_NO_RSA */
+		BIO_printf(out,"Modulus=");
 		BN_print(out,rsa->n);
 		BIO_printf(out,"\n");
 		}
 	if (check)
 		{
 		int r = RSA_check_key(rsa);
 		if (r == 1)
 			BIO_printf(out,"RSA key ok\n");
 		else if (r == 0)
 			{
 			unsigned long err;
 			while ((err = ERR_peek_error()) != 0 &&
 				ERR_GET_LIB(err) == ERR_LIB_RSA &&
 				ERR_GET_FUNC(err) == RSA_F_RSA_CHECK_KEY &&
 				ERR_GET_REASON(err) != ERR_R_MALLOC_FAILURE)
 				{
 				BIO_printf(out, "RSA key error: %s\n", ERR_reason_error_string(err));
 				ERR_get_error(); /* remove e from error stack */
 				}
 			}
 		if (r == -1 || ERR_peek_error() != 0) /* should happen only if r == -1 */
 			{
 			ERR_print_errors(bio_err);
 			goto end;
 			}
 		}
 	if (noout)
 		{
 		ret = 0;
 		goto end;
 		}
 	BIO_printf(bio_err,"writing RSA key\n");
 	if 	(outformat == FORMAT_ASN1) {
 		if(pubout || pubin) 
 			{
 			if (pubout == 2)
 				i=i2d_RSAPublicKey_bio(out,rsa);
 			else
 				i=i2d_RSA_PUBKEY_bio(out,rsa);
 			}
 		else i=i2d_RSAPrivateKey_bio(out,rsa);
 	}
 #ifndef OPENSSL_NO_RC4
 	else if (outformat == FORMAT_NETSCAPE)
 		{
 		unsigned char *p,*pp;
 		int size;
 		i=1;
 		size=i2d_RSA_NET(rsa,NULL,NULL, sgckey);
 		if ((p=(unsigned char *)OPENSSL_malloc(size)) == NULL)
 			{
 			BIO_printf(bio_err,"Memory allocation failure\n");
 			goto end;
 			}
 		pp=p;
 		i2d_RSA_NET(rsa,&p,NULL, sgckey);
 		BIO_write(out,(char *)pp,size);
 		OPENSSL_free(pp);
 		}
 #endif
 	else if (outformat == FORMAT_PEM) {
 		if(pubout || pubin)
 			{
 			if (pubout == 2)
 		    		i=PEM_write_bio_RSAPublicKey(out,rsa);
 			else
 		    		i=PEM_write_bio_RSA_PUBKEY(out,rsa);
 			}
 		else i=PEM_write_bio_RSAPrivateKey(out,rsa,
 						enc,NULL,0,NULL,passout);
 #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
 	} else if (outformat == FORMAT_MSBLOB || outformat == FORMAT_PVK) {
 		EVP_PKEY *pk;
 		pk = EVP_PKEY_new();
 		EVP_PKEY_set1_RSA(pk, rsa);
 		if (outformat == FORMAT_PVK)
 			i = i2b_PVK_bio(out, pk, pvk_encr, 0, passout);
 		else if (pubin || pubout)
 			i = i2b_PublicKey_bio(out, pk);
 		else
 			i = i2b_PrivateKey_bio(out, pk);
 		EVP_PKEY_free(pk);
 #endif
 	} else	{
 		BIO_printf(bio_err,"bad output format specified for outfile\n");
 		goto end;
 		}
 	if (i <= 0)
 		{
 		BIO_printf(bio_err,"unable to write key\n");
 		ERR_print_errors(bio_err);
 		}
 	else
 		ret=0;
 end:
 	if(out != NULL) BIO_free_all(out);
 	if(rsa != NULL) RSA_free(rsa);
 	if(passin) OPENSSL_free(passin);
 	if(passout) OPENSSL_free(passout);
 	apps_shutdown();
 	OPENSSL_EXIT(ret);
 	}
 #else /* !OPENSSL_NO_RSA */
 # if PEDANTIC
-static void *dummy = &dummy;
+static void *dummy=&dummy;
 # endif
 #endif
--- a/apps/rsautl.c
+++ b/apps/rsautl.c
@@ -1,6 +1,6 @@
-/*
+/* rsautl.c */
- * Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL project
+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
- * 2000.
+ * project 2000.
 */
 /* ====================================================================
 * Copyright (c) 2000 The OpenSSL Project.  All rights reserved.
@@ -10,7 +10,7 @@
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
+ *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
@@ -59,272 +59,293 @@
 #include <openssl/opensslconf.h>
 #ifndef OPENSSL_NO_RSA
-# include "apps.h"
+#include "apps.h"
-# include <string.h>
+#include <string.h>
-# include <openssl/err.h>
+#include <openssl/err.h>
-# include <openssl/pem.h>
+#include <openssl/pem.h>
-# include <openssl/rsa.h>
+#include <openssl/rsa.h>
-# define RSA_SIGN        1
+#define RSA_SIGN 	1
-# define RSA_VERIFY      2
+#define RSA_VERIFY 	2
-# define RSA_ENCRYPT     3
+#define RSA_ENCRYPT 	3
-# define RSA_DECRYPT     4
+#define RSA_DECRYPT 	4
-# define KEY_PRIVKEY     1
+#define KEY_PRIVKEY	1
-# define KEY_PUBKEY      2
+#define KEY_PUBKEY	2
-# define KEY_CERT        3
+#define KEY_CERT	3
-typedef enum OPTION_choice {
+static void usage(void);
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_ENGINE, OPT_IN, OPT_OUT, OPT_ASN1PARSE, OPT_HEXDUMP,
    OPT_RAW, OPT_OAEP, OPT_SSL, OPT_PKCS, OPT_X931,
    OPT_SIGN, OPT_VERIFY, OPT_REV, OPT_ENCRYPT, OPT_DECRYPT,
    OPT_PUBIN, OPT_CERTIN, OPT_INKEY, OPT_PASSIN, OPT_KEYFORM
 } OPTION_CHOICE;
-OPTIONS rsautl_options[] = {
+#undef PROG
    {"help", OPT_HELP, '-', "Display this summary"},
    {"in", OPT_IN, '<', "Input file"},
    {"out", OPT_OUT, '>', "Output file"},
    {"inkey", OPT_INKEY, '<', "Input key"},
    {"keyform", OPT_KEYFORM, 'F', "Private key format - default PEM"},
    {"pubin", OPT_PUBIN, '-', "Input is an RSA public"},
    {"certin", OPT_CERTIN, '-', "Input is a cert carrying an RSA public key"},
    {"ssl", OPT_SSL, '-', "Use SSL v2 padding"},
    {"raw", OPT_RAW, '-', "Use no padding"},
    {"pkcs", OPT_PKCS, '-', "Use PKCS#1 v1.5 padding (default)"},
    {"oaep", OPT_OAEP, '-', "Use PKCS#1 OAEP"},
    {"sign", OPT_SIGN, '-', "Sign with private key"},
    {"verify", OPT_VERIFY, '-', "Verify with public key"},
    {"asn1parse", OPT_ASN1PARSE, '-'},
    {"hexdump", OPT_HEXDUMP, '-', "Hex dump output"},
    {"x931", OPT_X931, '-', "Use ANSI X9.31 padding"},
    {"rev", OPT_REV, '-'},
    {"encrypt", OPT_ENCRYPT, '-', "Encrypt with public key"},
    {"decrypt", OPT_DECRYPT, '-', "Decrypt with private key"},
    {"passin", OPT_PASSIN, 's', "Pass phrase source"},
 # ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 # endif
    {NULL}
 };
-int rsautl_main(int argc, char **argv)
+#define PROG rsautl_main
 int MAIN(int argc, char **);
 int MAIN(int argc, char **argv)
 {
-    BIO *in = NULL, *out = NULL;
+	ENGINE *e = NULL;
-    ENGINE *e = NULL;
+	BIO *in = NULL, *out = NULL;
-    EVP_PKEY *pkey = NULL;
+	char *infile = NULL, *outfile = NULL;
-    RSA *rsa = NULL;
+#ifndef OPENSSL_NO_ENGINE
-    X509 *x;
+	char *engine = NULL;
-    char *infile = NULL, *outfile = NULL, *keyfile = NULL;
+#endif
-    char *passinarg = NULL, *passin = NULL, *prog;
+	char *keyfile = NULL;
-    char rsa_mode = RSA_VERIFY, key_type = KEY_PRIVKEY;
+	char rsa_mode = RSA_VERIFY, key_type = KEY_PRIVKEY;
-    unsigned char *rsa_in = NULL, *rsa_out = NULL, pad = RSA_PKCS1_PADDING;
+	int keyform = FORMAT_PEM;
-    int rsa_inlen, keyformat = FORMAT_PEM, keysize, ret = 1;
+	char need_priv = 0, badarg = 0, rev = 0;
-    int rsa_outlen = 0, hexdump = 0, asn1parse = 0, need_priv = 0, rev = 0;
+	char hexdump = 0, asn1parse = 0;
-    OPTION_CHOICE o;
+	X509 *x;
 	EVP_PKEY *pkey = NULL;
 	RSA *rsa = NULL;
 	unsigned char *rsa_in = NULL, *rsa_out = NULL, pad;
 	char *passargin = NULL, *passin = NULL;
 	int rsa_inlen, rsa_outlen = 0;
 	int keysize;
-    prog = opt_init(argc, argv, rsautl_options);
+	int ret = 1;
    while ((o = opt_next()) != OPT_EOF) {
        switch (o) {
        case OPT_EOF:
        case OPT_ERR:
 opthelp:
            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
            goto end;
        case OPT_HELP:
            opt_help(rsautl_options);
            ret = 0;
            goto end;
        case OPT_KEYFORM:
            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyformat))
                goto opthelp;
            break;
        case OPT_IN:
            infile = opt_arg();
            break;
        case OPT_OUT:
            outfile = opt_arg();
            break;
        case OPT_ENGINE:
            e = setup_engine(opt_arg(), 0);
            break;
        case OPT_ASN1PARSE:
            asn1parse = 1;
            break;
        case OPT_HEXDUMP:
            hexdump = 1;
            break;
        case OPT_RAW:
            pad = RSA_NO_PADDING;
            break;
        case OPT_OAEP:
            pad = RSA_PKCS1_OAEP_PADDING;
            break;
        case OPT_SSL:
            pad = RSA_SSLV23_PADDING;
            break;
        case OPT_PKCS:
            pad = RSA_PKCS1_PADDING;
            break;
        case OPT_X931:
            pad = RSA_X931_PADDING;
            break;
        case OPT_SIGN:
            rsa_mode = RSA_SIGN;
            need_priv = 1;
            break;
        case OPT_VERIFY:
            rsa_mode = RSA_VERIFY;
            break;
        case OPT_REV:
            rev = 1;
            break;
        case OPT_ENCRYPT:
            rsa_mode = RSA_ENCRYPT;
            break;
        case OPT_DECRYPT:
            rsa_mode = RSA_DECRYPT;
            need_priv = 1;
            break;
        case OPT_PUBIN:
            key_type = KEY_PUBKEY;
            break;
        case OPT_CERTIN:
            key_type = KEY_CERT;
            break;
        case OPT_INKEY:
            keyfile = opt_arg();
            break;
        case OPT_PASSIN:
            passinarg = opt_arg();
            break;
        }
    }
    argc = opt_num_rest();
    argv = opt_rest();
-    if (need_priv && (key_type != KEY_PRIVKEY)) {
+	argc--;
-        BIO_printf(bio_err, "A private key is needed for this operation\n");
+	argv++;
        goto end;
    }
-    if (!app_passwd(passinarg, NULL, &passin, NULL)) {
+	if(!bio_err) bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
-        BIO_printf(bio_err, "Error getting password\n");
+
-        goto end;
+	if (!load_config(bio_err, NULL))
-    }
+		goto end;
 	ERR_load_crypto_strings();
 	OpenSSL_add_all_algorithms();
 	pad = RSA_PKCS1_PADDING;
 	while(argc >= 1)
 	{
 		if (!strcmp(*argv,"-in")) {
 			if (--argc < 1)
 				badarg = 1;
 			else
 				infile= *(++argv);
 		} else if (!strcmp(*argv,"-out")) {
 			if (--argc < 1)
 				badarg = 1;
 			else
 				outfile= *(++argv);
 		} else if(!strcmp(*argv, "-inkey")) {
 			if (--argc < 1)
 				badarg = 1;
 			else
 				keyfile = *(++argv);
 		} else if (!strcmp(*argv,"-passin")) {
 			if (--argc < 1)
 				badarg = 1;
 			else
 				passargin= *(++argv);
 		} else if (strcmp(*argv,"-keyform") == 0) {
 			if (--argc < 1)
 				badarg = 1;
 			else
 				keyform=str2fmt(*(++argv));
 #ifndef OPENSSL_NO_ENGINE
 		} else if(!strcmp(*argv, "-engine")) {
 			if (--argc < 1)
 				badarg = 1;
 			else
 				engine = *(++argv);
 #endif
 		} else if(!strcmp(*argv, "-pubin")) {
 			key_type = KEY_PUBKEY;
 		} else if(!strcmp(*argv, "-certin")) {
 			key_type = KEY_CERT;
 		} 
 		else if(!strcmp(*argv, "-asn1parse")) asn1parse = 1;
 		else if(!strcmp(*argv, "-hexdump")) hexdump = 1;
 		else if(!strcmp(*argv, "-raw")) pad = RSA_NO_PADDING;
 		else if(!strcmp(*argv, "-oaep")) pad = RSA_PKCS1_OAEP_PADDING;
 		else if(!strcmp(*argv, "-ssl")) pad = RSA_SSLV23_PADDING;
 		else if(!strcmp(*argv, "-pkcs")) pad = RSA_PKCS1_PADDING;
 		else if(!strcmp(*argv, "-x931")) pad = RSA_X931_PADDING;
 		else if(!strcmp(*argv, "-sign")) {
 			rsa_mode = RSA_SIGN;
 			need_priv = 1;
 		} else if(!strcmp(*argv, "-verify")) rsa_mode = RSA_VERIFY;
 		else if(!strcmp(*argv, "-rev")) rev = 1;
 		else if(!strcmp(*argv, "-encrypt")) rsa_mode = RSA_ENCRYPT;
 		else if(!strcmp(*argv, "-decrypt")) {
 			rsa_mode = RSA_DECRYPT;
 			need_priv = 1;
 		} else badarg = 1;
 		if(badarg) {
 			usage();
 			goto end;
 		}
 		argc--;
 		argv++;
 	}
 	if(need_priv && (key_type != KEY_PRIVKEY)) {
 		BIO_printf(bio_err, "A private key is needed for this operation\n");
 		goto end;
 	}
 #ifndef OPENSSL_NO_ENGINE
        e = setup_engine(bio_err, engine, 0);
 #endif
 	if(!app_passwd(bio_err, passargin, NULL, &passin, NULL)) {
 		BIO_printf(bio_err, "Error getting password\n");
 		goto end;
 	}
 /* FIXME: seed PRNG only if needed */
-    app_RAND_load_file(NULL, 0);
+	app_RAND_load_file(NULL, bio_err, 0);
 	switch(key_type) {
 		case KEY_PRIVKEY:
 		pkey = load_key(bio_err, keyfile, keyform, 0,
 			passin, e, "Private Key");
 		break;
-    switch (key_type) {
+		case KEY_PUBKEY:
-    case KEY_PRIVKEY:
+		pkey = load_pubkey(bio_err, keyfile, keyform, 0,
-        pkey = load_key(keyfile, keyformat, 0, passin, e, "Private Key");
+			NULL, e, "Public Key");
-        break;
+		break;
-    case KEY_PUBKEY:
+		case KEY_CERT:
-        pkey = load_pubkey(keyfile, keyformat, 0, NULL, e, "Public Key");
+		x = load_cert(bio_err, keyfile, keyform,
-        break;
+			NULL, e, "Certificate");
 		if(x) {
 			pkey = X509_get_pubkey(x);
 			X509_free(x);
 		}
 		break;
 	}
-    case KEY_CERT:
+	if(!pkey) {
-        x = load_cert(keyfile, keyformat, NULL, e, "Certificate");
+		return 1;
-        if (x) {
+	}
            pkey = X509_get_pubkey(x);
            X509_free(x);
        }
        break;
    }
-    if (!pkey) {
+	rsa = EVP_PKEY_get1_RSA(pkey);
-        return 1;
+	EVP_PKEY_free(pkey);
    }
-    rsa = EVP_PKEY_get1_RSA(pkey);
+	if(!rsa) {
-    EVP_PKEY_free(pkey);
+		BIO_printf(bio_err, "Error getting RSA key\n");
 		ERR_print_errors(bio_err);
 		goto end;
 	}
    if (!rsa) {
        BIO_printf(bio_err, "Error getting RSA key\n");
        ERR_print_errors(bio_err);
        goto end;
    }
-    in = bio_open_default(infile, 'r', FORMAT_BINARY);
+	if(infile) {
-    if (in == NULL)
+		if(!(in = BIO_new_file(infile, "rb"))) {
-        goto end;
+			BIO_printf(bio_err, "Error Reading Input File\n");
-    out = bio_open_default(outfile, 'w', FORMAT_BINARY);
+			ERR_print_errors(bio_err);	
-    if (out == NULL)
+			goto end;
-        goto end;
+		}
 	} else in = BIO_new_fp(stdin, BIO_NOCLOSE);
-    keysize = RSA_size(rsa);
+	if(outfile) {
 		if(!(out = BIO_new_file(outfile, "wb"))) {
 			BIO_printf(bio_err, "Error Reading Output File\n");
 			ERR_print_errors(bio_err);	
 			goto end;
 		}
 	} else {
 		out = BIO_new_fp(stdout, BIO_NOCLOSE);
 #ifdef OPENSSL_SYS_VMS
 		{
 		    BIO *tmpbio = BIO_new(BIO_f_linebuffer());
 		    out = BIO_push(tmpbio, out);
 		}
 #endif
 	}
-    rsa_in = app_malloc(keysize * 2, "hold rsa key");
+	keysize = RSA_size(rsa);
    rsa_out = app_malloc(keysize, "output rsa key");
-    /* Read the input data */
+	rsa_in = OPENSSL_malloc(keysize * 2);
-    rsa_inlen = BIO_read(in, rsa_in, keysize * 2);
+	rsa_out = OPENSSL_malloc(keysize);
    if (rsa_inlen <= 0) {
        BIO_printf(bio_err, "Error reading input Data\n");
        goto end;
    }
    if (rev) {
        int i;
        unsigned char ctmp;
        for (i = 0; i < rsa_inlen / 2; i++) {
            ctmp = rsa_in[i];
            rsa_in[i] = rsa_in[rsa_inlen - 1 - i];
            rsa_in[rsa_inlen - 1 - i] = ctmp;
        }
    }
    switch (rsa_mode) {
-    case RSA_VERIFY:
+	/* Read the input data */
-        rsa_outlen = RSA_public_decrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
+	rsa_inlen = BIO_read(in, rsa_in, keysize * 2);
-        break;
+	if(rsa_inlen <= 0) {
 		BIO_printf(bio_err, "Error reading input Data\n");
 		exit(1);
 	}
 	if(rev) {
 		int i;
 		unsigned char ctmp;
 		for(i = 0; i < rsa_inlen/2; i++) {
 			ctmp = rsa_in[i];
 			rsa_in[i] = rsa_in[rsa_inlen - 1 - i];
 			rsa_in[rsa_inlen - 1 - i] = ctmp;
 		}
 	}
 	switch(rsa_mode) {
-    case RSA_SIGN:
+		case RSA_VERIFY:
-        rsa_outlen =
+			rsa_outlen  = RSA_public_decrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
-            RSA_private_encrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
+		break;
        break;
-    case RSA_ENCRYPT:
+		case RSA_SIGN:
-        rsa_outlen = RSA_public_encrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
+			rsa_outlen  = RSA_private_encrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
-        break;
+		break;
-    case RSA_DECRYPT:
+		case RSA_ENCRYPT:
-        rsa_outlen =
+			rsa_outlen  = RSA_public_encrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
-            RSA_private_decrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
+		break;
        break;
-    }
+		case RSA_DECRYPT:
 			rsa_outlen  = RSA_private_decrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
 		break;
-    if (rsa_outlen <= 0) {
+	}
-        BIO_printf(bio_err, "RSA operation error\n");
+
-        ERR_print_errors(bio_err);
+	if(rsa_outlen <= 0) {
-        goto end;
+		BIO_printf(bio_err, "RSA operation error\n");
-    }
+		ERR_print_errors(bio_err);
-    ret = 0;
+		goto end;
-    if (asn1parse) {
+	}
-        if (!ASN1_parse_dump(out, rsa_out, rsa_outlen, 1, -1)) {
+	ret = 0;
-            ERR_print_errors(bio_err);
+	if(asn1parse) {
-        }
+		if(!ASN1_parse_dump(out, rsa_out, rsa_outlen, 1, -1)) {
-    } else if (hexdump)
+			ERR_print_errors(bio_err);
-        BIO_dump(out, (char *)rsa_out, rsa_outlen);
+		}
-    else
+	} else if(hexdump) BIO_dump(out, (char *)rsa_out, rsa_outlen);
-        BIO_write(out, rsa_out, rsa_outlen);
+	else BIO_write(out, rsa_out, rsa_outlen);
- end:
+	end:
-    RSA_free(rsa);
+	RSA_free(rsa);
-    BIO_free(in);
+	BIO_free(in);
-    BIO_free_all(out);
+	BIO_free_all(out);
-    OPENSSL_free(rsa_in);
+	if(rsa_in) OPENSSL_free(rsa_in);
-    OPENSSL_free(rsa_out);
+	if(rsa_out) OPENSSL_free(rsa_out);
-    OPENSSL_free(passin);
+	if(passin) OPENSSL_free(passin);
-    return ret;
+	return ret;
 }
-#else                           /* !OPENSSL_NO_RSA */
+static void usage()
 {
 	BIO_printf(bio_err, "Usage: rsautl [options]\n");
 	BIO_printf(bio_err, "-in file        input file\n");
 	BIO_printf(bio_err, "-out file       output file\n");
 	BIO_printf(bio_err, "-inkey file     input key\n");
 	BIO_printf(bio_err, "-keyform arg    private key format - default PEM\n");
 	BIO_printf(bio_err, "-pubin          input is an RSA public\n");
 	BIO_printf(bio_err, "-certin         input is a certificate carrying an RSA public key\n");
 	BIO_printf(bio_err, "-ssl            use SSL v2 padding\n");
 	BIO_printf(bio_err, "-raw            use no padding\n");
 	BIO_printf(bio_err, "-pkcs           use PKCS#1 v1.5 padding (default)\n");
 	BIO_printf(bio_err, "-oaep           use PKCS#1 OAEP\n");
 	BIO_printf(bio_err, "-sign           sign with private key\n");
 	BIO_printf(bio_err, "-verify         verify with public key\n");
 	BIO_printf(bio_err, "-encrypt        encrypt with public key\n");
 	BIO_printf(bio_err, "-decrypt        decrypt with private key\n");
 	BIO_printf(bio_err, "-hexdump        hex dump output\n");
 #ifndef OPENSSL_NO_ENGINE
 	BIO_printf(bio_err, "-engine e       use engine e, possibly a hardware device.\n");
 	BIO_printf (bio_err, "-passin arg    pass phrase source\n");
 #endif
 }
 #else /* !OPENSSL_NO_RSA */
 # if PEDANTIC
-static void *dummy = &dummy;
+static void *dummy=&dummy;
 # endif
 #endif
--- a/apps/s_apps.h
+++ b/apps/s_apps.h
@@ -5,21 +5,21 @@
 * This package is an SSL implementation written
 * by Eric Young (eay@cryptsoft.com).
 * The implementation was written so as to conform with Netscapes SSL.
- *
+ * 
 * This library is free for commercial and non-commercial use as long as
 * the following conditions are aheared to.  The following conditions
 * apply to all code found in this distribution, be it the RC4, RSA,
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
 * included with this distribution is covered by the same copyright terms
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
- *
+ * 
 * Copyright remains Eric Young's, and as such any Copyright notices in
 * the code are not to be removed.
 * If this package is used in a product, Eric Young should be given attribution
 * as the author of the parts of the library used.
 * This can be in the form of a textual message at program startup or
 * in documentation (online or textual) provided with the package.
- *
+ * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
@@ -34,10 +34,10 @@
 *     Eric Young (eay@cryptsoft.com)"
 *    The word 'cryptographic' can be left out if the rouines from the library
 *    being used are not cryptographic related :-).
- * 4. If you include any Windows specific code (or a derivative thereof) from
+ * 4. If you include any Windows specific code (or a derivative thereof) from 
 *    the apps directory (application code) you must include an acknowledgement:
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
- *
+ * 
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,7 +49,7 @@
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
- *
+ * 
 * The licence and distribution terms for any publically available version or
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
 * copied and put under another distribution licence
@@ -63,7 +63,7 @@
 * are met:
 *
 * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
+ *    notice, this list of conditions and the following disclaimer. 
 *
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in
@@ -108,111 +108,69 @@
 * Hudson (tjh@cryptsoft.com).
 *
 */
-/* conflicts with winsock2 stuff on netware */
+#if !defined(OPENSSL_SYS_NETWARE)  /* conflicts with winsock2 stuff on netware */
-#if !defined(OPENSSL_SYS_NETWARE)
+#include <sys/types.h>
 # include <sys/types.h>
 #endif
 #include <openssl/opensslconf.h>
 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
-# include <conio.h>
+#include <conio.h>
 #endif
 #if defined(OPENSSL_SYS_MSDOS) && !defined(_WIN32)
-# define _kbhit kbhit
+#define _kbhit kbhit
 #endif
 #if defined(OPENSSL_SYS_VMS) && !defined(FD_SET)
-/*
+/* VAX C does not defined fd_set and friends, but it's actually quite simple */
- * VAX C does not defined fd_set and friends, but it's actually quite simple
+/* These definitions are borrowed from SOCKETSHR.	/Richard Levitte */
- */
+#define MAX_NOFILE	32
-/* These definitions are borrowed from SOCKETSHR.       /Richard Levitte */
+#define	NBBY		 8		/* number of bits in a byte	*/
 # define MAX_NOFILE      32
 # define NBBY             8     /* number of bits in a byte */
-# ifndef FD_SETSIZE
+#ifndef	FD_SETSIZE
-#  define FD_SETSIZE      MAX_NOFILE
+#define	FD_SETSIZE	MAX_NOFILE
-# endif                         /* FD_SETSIZE */
+#endif	/* FD_SETSIZE */
 /* How many things we'll allow select to use. 0 if unlimited */
-# define MAXSELFD        MAX_NOFILE
+#define MAXSELFD	MAX_NOFILE
-typedef int fd_mask;            /* int here! VMS prototypes int, not long */
+typedef int	fd_mask;	/* int here! VMS prototypes int, not long */
-# define NFDBITS (sizeof(fd_mask) * NBBY)/* bits per mask (power of 2!) */
+#define NFDBITS	(sizeof(fd_mask) * NBBY)	/* bits per mask (power of 2!)*/
-# define NFDSHIFT 5             /* Shift based on above */
+#define NFDSHIFT 5				/* Shift based on above */
 typedef fd_mask fd_set;
-# define FD_SET(n, p)    (*(p) |= (1 << ((n) % NFDBITS)))
+#define	FD_SET(n, p)	(*(p) |= (1 << ((n) % NFDBITS)))
-# define FD_CLR(n, p)    (*(p) &= ~(1 << ((n) % NFDBITS)))
+#define	FD_CLR(n, p)	(*(p) &= ~(1 << ((n) % NFDBITS)))
-# define FD_ISSET(n, p)  (*(p) & (1 << ((n) % NFDBITS)))
+#define	FD_ISSET(n, p)	(*(p) & (1 << ((n) % NFDBITS)))
-# define FD_ZERO(p)      memset((p), 0, sizeof(*(p)))
+#define FD_ZERO(p)	memset((char *)(p), 0, sizeof(*(p)))
 #endif
 #define PORT            4433
 #define PORT_STR        "4433"
 #define PROTOCOL        "tcp"
-int do_server(int port, int type, int *ret,
+int do_server(int port, int type, int *ret, int (*cb) (char *hostname, int s, unsigned char *context), unsigned char *context);
              int (*cb) (char *hostname, int s, int stype,
                         unsigned char *context), unsigned char *context,
              int naccept);
 #ifndef NO_SYS_UN_H
 int do_server_unix(const char *path, int *ret,
                   int (*cb) (char *hostname, int s, int stype,
                              unsigned char *context), unsigned char *context,
                   int naccept);
 #endif
 #ifdef HEADER_X509_H
-int verify_callback(int ok, X509_STORE_CTX *ctx);
+int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
 #endif
 #ifdef HEADER_SSL_H
 int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
-int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
+int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key);
                       STACK_OF(X509) *chain, int build_chain);
 int ssl_print_sigalgs(BIO *out, SSL *s);
 int ssl_print_point_formats(BIO *out, SSL *s);
 int ssl_print_curves(BIO *out, SSL *s, int noshared);
 #endif
 int ssl_print_tmp_key(BIO *out, SSL *s);
 int init_client(int *sock, const char *server, int port, int type);
 #ifndef NO_SYS_UN_H
 int init_client_unix(int *sock, const char *server);
 #endif
 int init_client(int *sock, char *server, int port, int type);
 int should_retry(int i);
-int extract_port(const char *str, unsigned short *port_ptr);
+int extract_port(char *str, short *port_ptr);
-int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
+int extract_host_port(char *str,char **host_ptr,unsigned char *ip,short *p);
                      unsigned short *p);
-long bio_dump_callback(BIO *bio, int cmd, const char *argp,
+long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
-                       int argi, long argl, long ret);
+				   int argi, long argl, long ret);
 #ifdef HEADER_SSL_H
-void apps_ssl_info_callback(const SSL *s, int where, int ret);
+void MS_CALLBACK apps_ssl_info_callback(const SSL *s, int where, int ret);
-void msg_cb(int write_p, int version, int content_type, const void *buf,
+void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg);
-            size_t len, SSL *ssl, void *arg);
+void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type,
-void tlsext_cb(SSL *s, int client_server, int type, unsigned char *data,
+					unsigned char *data, int len,
-               int len, void *arg);
+					void *arg);
 #endif
-int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
+int MS_CALLBACK generate_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len);
-                             unsigned int *cookie_len);
+int MS_CALLBACK verify_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int cookie_len);
 int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
                           unsigned int cookie_len);
 typedef struct ssl_excert_st SSL_EXCERT;
 void ssl_ctx_set_excert(SSL_CTX *ctx, SSL_EXCERT *exc);
 void ssl_excert_free(SSL_EXCERT *exc);
 int args_excert(int option, SSL_EXCERT **pexc);
 int load_excert(SSL_EXCERT **pexc);
 void print_ssl_summary(SSL *s);
 #ifdef HEADER_SSL_H
 int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
               SSL_CTX *ctx, int no_jpake);
 int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls,
                     int crl_download);
 int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath,
                    const char *vfyCAfile, const char *chCApath,
                    const char *chCAfile, STACK_OF(X509_CRL) *crls,
                    int crl_download);
 void ssl_ctx_security_debug(SSL_CTX *ctx, int verbose);
 #endif
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
Dr. Stephen Henson	1de6a62222	revert fipslink.pl unlink retry change	2012-01-18 15:07:11 +00:00
Dr. Stephen Henson	ac381944ac	give a hand old assemblers assembling loop instruction. (original by Andy)	2012-01-18 14:54:20 +00:00
Dr. Stephen Henson	24fadf2a20	typo	2012-01-03 19:43:06 +00:00
Dr. Stephen Henson	409abd2fec	Prepare RC8	2012-01-03 14:23:54 +00:00
Dr. Stephen Henson	421de62232	unlink target and retry to avoid intermittent Win32 failures	2012-01-03 14:22:45 +00:00
Dr. Stephen Henson	c567812fa6	set version to rc8-dev	2011-12-12 14:02:57 +00:00
Dr. Stephen Henson	49dbcbaa4b	Prepare for RC7.	2011-12-12 13:44:05 +00:00
Dr. Stephen Henson	df0884ffb7	Retry rename operation with a slight delay to workaround problems on some versions of Windows.	2011-12-10 18:06:55 +00:00
Dr. Stephen Henson	0e480d5553	use different names for asm temp files to avoid problems on some platforms	2011-12-10 13:29:23 +00:00
Dr. Stephen Henson	7c0d30038f	Close file streams in FIPS algorithm test utilities.	2011-12-08 15:14:38 +00:00
Dr. Stephen Henson	81fc8cd029	prepare for RC6	2011-12-04 21:29:08 +00:00
Dr. Stephen Henson	1d235039d6	For FIPS builds we don't use the normal test files (and in the restricted tarball some don't exist) so set TEST='' to avoid linking to them. This also avoids problems on platforms that copy instead of symlink.	2011-12-04 15:26:26 +00:00
Dr. Stephen Henson	58886fdefc	use BUILD_ONE_CMD for fips specific links otherwise we effectively do 'make links' twice	2011-12-04 15:14:13 +00:00
Dr. Stephen Henson	61c3085d47	Workaround for VxWorks	2011-12-04 15:11:44 +00:00
Dr. Stephen Henson	32b56fe4d2	avoid use of symlinks on Windows: it causes problems on some build environments	2011-12-04 15:04:20 +00:00
Dr. Stephen Henson	efd031abca	Fix x86cpuid so it doesn't fail for some (currently theoretical) virtual machines.	2011-12-03 21:47:48 +00:00
Dr. Stephen Henson	dd4eefdb7b	Change EVP_MAXCHUNK so it doesn't wraparound to 0 on some platforms (IP32L64).	2011-12-03 21:44:01 +00:00
Dr. Stephen Henson	fcd3e8e97b	Prepare for RC6.	2011-12-03 19:51:52 +00:00
Dr. Stephen Henson	476e7e4972	Add tests to ensure ECDSA key gen and DSA signing fails if DRBG entropy source fails.	2011-12-03 19:41:28 +00:00
Dr. Stephen Henson	5e900f3cef	functions aren't unused: revert	2011-12-03 19:19:34 +00:00
Dr. Stephen Henson	75b250a4ed	remove unused functions from module	2011-12-03 18:27:31 +00:00
Dr. Stephen Henson	44cb365eaf	bn/asm/mips.pl: fix typos [from HEAD], original by Andy	2011-12-03 18:26:26 +00:00
Dr. Stephen Henson	9bd2dde42f	prepare for rc5	2011-11-25 16:27:19 +00:00
Dr. Stephen Henson	31bf5f13e0	return error if counter exceeds limit and seed value supplied	2011-11-25 16:03:27 +00:00
Dr. Stephen Henson	7dcdc0d94d	check counter value against 4 * L, not 4096	2011-11-25 15:00:20 +00:00
Dr. Stephen Henson	6ecd287acc	bump version for rc5-dev: hopefully will never be needed...	2011-11-21 00:05:15 +00:00
Dr. Stephen Henson	0e508c12e0	prepare for rc4	2011-11-19 17:04:28 +00:00
Dr. Stephen Henson	f6385248f6	Add flag to support cofactor ECDH	2011-11-19 17:03:44 +00:00
Dr. Stephen Henson	52876c3100	bump version to rc4-dev	2011-11-18 21:59:36 +00:00
Dr. Stephen Henson	c08128acc2	prepare for RC3	2011-11-18 18:50:57 +00:00
Dr. Stephen Henson	901b9b5c36	In EC_KEY_set_public_key_affine_coordinates include explicit check to see passed components do not exceed field order	2011-11-16 13:28:11 +00:00
Dr. Stephen Henson	9eca2399f1	portability fix for some perl versions	2011-11-11 19:01:11 +00:00
Dr. Stephen Henson	3b4fb53221	fclose streams in fips_drbvs.c Produced error message for unsupported curves in fips_ecdhvs.c	2011-11-09 14:23:17 +00:00
Dr. Stephen Henson	7437036cdf	Prepare for RC3 (which may never happen).	2011-11-08 19:08:40 +00:00
Andy Polyakov	ffa76736fa	Platform update from HEAD.	2011-11-08 14:44:55 +00:00
Dr. Stephen Henson	cbed6cfcaa	add fips_algvs.c to restricted tarball	2011-11-07 13:54:30 +00:00
Dr. Stephen Henson	be6dc7e56b	Prepare for RC2	2011-11-07 13:18:12 +00:00
Dr. Stephen Henson	bb25a72881	MacOS and iOS support	2011-11-07 13:16:55 +00:00
Andy Polyakov	1562ce17cb	fipsld, incore: switch to new cross-compile support [from HEAD].	2011-11-07 00:22:59 +00:00
Andy Polyakov	68b2f55b90	e_aes.c: fold aesni_xts_cipher and [most importantly] fix aes_xts_cipher's return value after custom flag was rightly reverted [from HEAD].	2011-11-06 19:49:58 +00:00
Dr. Stephen Henson	79f2c9d1cd	check for unset entropy and nonce callbacks	2011-11-06 13:08:54 +00:00
Dr. Stephen Henson	8a794abd9d	Update fips_test_suite to take multiple command line options and an induced error checking function.	2011-11-06 12:52:27 +00:00
Dr. Stephen Henson	03eae35352	typo	2011-11-05 18:25:16 +00:00
Dr. Stephen Henson	df64f34e84	make post failure simulation reversible in all cases	2011-11-05 18:15:01 +00:00
Dr. Stephen Henson	21a5cb2696	typo: use key for POST callback	2011-11-05 18:11:16 +00:00
Dr. Stephen Henson	01fc2c1598	fix set but unused warnings	2011-11-05 18:04:50 +00:00
Andy Polyakov	04c8062636	armv4cpuid.S, armv4-gf2m.pl: make newest code compilable by older assembler [from HEAD].	2011-11-05 13:57:02 +00:00
Andy Polyakov	6fcc2bbce8	x86cpuid.pl: don't punish "last-year" OSes on "this-year" CPUs [from HEAD]. PR: 2633	2011-11-05 13:56:10 +00:00
Andy Polyakov	f2b0cf9178	ppc.pl: fix bug in bn_mul_comba4 [from HEAD]. PR: 2636 Submitted by: Charles Bryant	2011-11-05 13:55:20 +00:00
Dr. Stephen Henson	485ef852ac	Add single call public key sign and verify functions.	2011-11-05 01:32:52 +00:00
Dr. Stephen Henson	b7de76b74d	Add support for memory leak checking in fips_algvs. Fix many memory leaks in algorithm test utilities.	2011-11-02 19:16:43 +00:00
Dr. Stephen Henson	8ab0d50c43	Remove duplicate test from health check. Fix memory leaks by uninstantiating DRBG before reinitialising it.	2011-11-02 16:35:24 +00:00
Dr. Stephen Henson	cb47a7107f	Print out an error for "make test" in FIPS builds.	2011-11-02 00:43:45 +00:00
Dr. Stephen Henson	d5939062d7	Replace exit calls with return in fips_test_suite	2011-11-02 00:07:15 +00:00
Dr. Stephen Henson	8b8096d082	Add support for multicall fips_algvs utility combining functionality of all fips test utilities in a single binary and some minimal script parsing for platforms lacking a suitable shell. In order to keep changes to the build system to a minimum it #includes all the utilities C source files (yuck).	2011-11-01 13:45:30 +00:00
Dr. Stephen Henson	9ab6d6813e	PR: 2632 Submitted by: emmanuel.azencot@bull.net Reviewed by: steve Return -1 immediately if not affine coordinates as BN_CTX has not been set up.	2011-10-26 16:46:20 +00:00
Dr. Stephen Henson	45e5f551ac	Prepare for RC2.	2011-10-24 16:58:49 +00:00
Dr. Stephen Henson	51035e733c	prepare for RC1	2011-10-24 16:53:59 +00:00
Dr. Stephen Henson	319c7264b0	typo	2011-10-24 13:24:28 +00:00
cvs2svn	0684e77866	This commit was manufactured by cvs2svn to create branch 'OpenSSL-fips- 2_0-stable'.	2011-10-24 06:00:07 +00:00
		`@@ -1,2 +0,0 @@`
			`Please https://www.openssl.org/community/thanks.html for the current`
			`acknowledgements.`