Prepare for 1.1.0-pre3 release

Reviewed-by: Stephen Henson <steve@openssl.org>
Correct deprecation of OPENSSL_config
2016-02-15 19:37:20 +01:00 · 2016-02-15 16:25:10 +01:00 · 2016-02-15 10:17:12 -05:00 · 2016-02-15 14:16:07 +01:00 · 2016-02-15 12:15:45 +00:00 · 2016-02-15 12:09:58 +00:00
1425 changed files with 46461 additions and 35101 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -11,7 +11,6 @@

 # Top level excludes
 /Makefile.orig
-/Makefile
 /MINFO
 /TABLE
 /*.a
@@ -21,8 +20,10 @@
 /makefile.*
 /out.*
 /tmp.*
+/configdata.pm

-**/Makefile
+# *all* Makefiles
+Makefile

 /test/*.ss
 /test/*.srl
@@ -41,7 +42,9 @@

 # Auto generated headers
 /crypto/buildinf.h
-/crypto/opensslconf.h
+/openssl/include/opensslconf.h
+/crypto/include/internal/*_conf.h
+util/domd

 # Auto generated assembly language source files
 *.s
@@ -75,17 +78,19 @@
 !/crypto/des/times/486-50.sol

 # Misc auto generated files
-include/openssl/opensslconf.h
+/include/openssl/opensslconf.h
 /tools/c_rehash
-lib
+/crypto/**/lib
+/engines/**/lib
+/ssl/**/lib
 Makefile.save
 *.bak
-tags
-TAGS
+/tags
+/TAGS
 cscope.out
 *.d
-crypto.map
-ssl.map
+/crypto.map
+/ssl.map

 # Windows
 /tmp32
@@ -98,35 +103,35 @@ ssl.map
 /out32dll.dbg
 /inc32
 /MINFO
-ms/bcb.mak
-ms/libeay32.def
-ms/nt.mak
-ms/ntdll.mak
-ms/ssleay32.def
-ms/version32.rc
+/ms/bcb.mak
+/ms/libeay32.def
+/ms/nt.mak
+/ms/ntdll.mak
+/ms/ssleay32.def
+/ms/version32.rc

 # Files created on other branches that are not held in git, and are not
 # needed on this branch
-include/openssl/asn1_mac.h
-include/openssl/des_old.h
-include/openssl/fips.h
-include/openssl/fips_rand.h
-include/openssl/krb5_asn.h
-include/openssl/kssl.h
-include/openssl/pq_compat.h
-include/openssl/ssl23.h
-include/openssl/tmdiff.h
-include/openssl/ui_compat.h
-test/fips_aesavs.c
-test/fips_desmovs.c
-test/fips_dsatest.c
-test/fips_dssvs.c
-test/fips_hmactest.c
-test/fips_randtest.c
-test/fips_rngvs.c
-test/fips_rsagtest.c
-test/fips_rsastest.c
-test/fips_rsavtest.c
-test/fips_shatest.c
-test/fips_test_suite.c
-test/shatest.c
+/include/openssl/asn1_mac.h
+/include/openssl/des_old.h
+/include/openssl/fips.h
+/include/openssl/fips_rand.h
+/include/openssl/krb5_asn.h
+/include/openssl/kssl.h
+/include/openssl/pq_compat.h
+/include/openssl/ssl23.h
+/include/openssl/tmdiff.h
+/include/openssl/ui_compat.h
+/test/fips_aesavs.c
+/test/fips_desmovs.c
+/test/fips_dsatest.c
+/test/fips_dssvs.c
+/test/fips_hmactest.c
+/test/fips_randtest.c
+/test/fips_rngvs.c
+/test/fips_rsagtest.c
+/test/fips_rsastest.c
+/test/fips_rsavtest.c
+/test/fips_shatest.c
+/test/fips_test_suite.c
+/test/shatest.c
--- a/.travis-create-release.sh
+++ b/.travis-create-release.sh
@@ -2,9 +2,11 @@

 # $1 is expected to be $TRAVIS_OS_NAME

+./Configure dist
 if [ "$1" == osx ]; then
-    make -f Makefile.in \
-	 DISTTARVARS="NAME=_srcdist TAR_COMMAND='\$\$(TAR) \$\$(TARFLAGS) -s \"|^|\$\$(NAME)/|\" -T \$\$(TARFILE).list -cvf -' TARFLAGS='-n' TARFILE=_srcdist.tar" SHELL='sh -vx' dist
+    make NAME='_srcdist' TARFLAGS='-n' TARFILE='_srcdist.tar' \
+	 TAR_COMMAND='$(TAR) $(TARFLAGS) -s "|^|$(NAME)/|" -T $(TARFILE).list -cvf -' \
+	 SHELL='sh -vx' tar
 else
-    make -f Makefile.in DISTTARVARS='TARFILE=_srcdist.tar NAME=_srcdist' SHELL='sh -v' dist
+    make TARFILE='_srcdist.tar' NAME='_srcdist' SHELL='sh -v' dist
 fi
--- a/.travis.yml
+++ b/.travis.yml
@@ -28,7 +28,11 @@ env:
    - CONFIG_OPTS=""
    - CONFIG_OPTS="shared"
    - CONFIG_OPTS="no-asm"
-    - CONFIG_OPTS="--debug --strict-warnings"
+    - CONFIG_OPTS="--debug --strict-warnings enable-crypto-mdebug enable-rc5 enable-md2"
+    - CONFIG_OPTS="--unified"
+    - CONFIG_OPTS="--unified shared"
+    - CONFIG_OPTS="--unified no-asm"
+    - CONFIG_OPTS="--unified --debug --strict-warnings enable-crypto-mdebug enable-rc5 enable-md2"

 matrix:
    include:
@@ -37,16 +41,18 @@ matrix:
          env: CONFIG_OPTS="-fsanitize=address"
        - os: linux
          compiler: clang-3.6
-          env: CONFIG_OPTS="no-asm --debug --strict-warnings -fno-sanitize-recover -fsanitize=address -fsanitize=undefined"
+          env: CONFIG_OPTS="no-asm --debug --strict-warnings -fno-sanitize-recover -fsanitize=address -fsanitize=undefined enable-crypto-mdebug enable-rc5 enable-md2"
        - os: linux
          compiler: gcc-5
          env: CONFIG_OPTS="-fsanitize=address"
        - os: linux
          compiler: gcc-5
-          env: CONFIG_OPTS="no-asm --debug --strict-warnings -fno-sanitize-recover -fsanitize=address -fsanitize=undefined"
+          env: CONFIG_OPTS="no-asm --debug --strict-warnings -fno-sanitize-recover -fsanitize=address -fsanitize=undefined enable-crypto-mdebug enable-rc5 enable-md2"
    exclude:
        - os: osx
          compiler: clang-3.6
+        - os: osx
+          compiler: gcc
        - os: osx
          compiler: gcc-5
        - os: osx
@@ -61,11 +67,23 @@ matrix:
          env: CONFIG_OPTS="no-asm"
        - compiler: x86_64-w64-mingw32-gcc
          env: CONFIG_OPTS="no-asm"
+        - compiler: i686-w64-mingw32-gcc
+          env: CONFIG_OPTS="--unified shared"
+        - compiler: x86_64-w64-mingw32-gcc
+          env: CONFIG_OPTS="--unified shared"
+        - compiler: i686-w64-mingw32-gcc
+          env: CONFIG_OPTS="--unified no-asm"
+        - compiler: x86_64-w64-mingw32-gcc
+          env: CONFIG_OPTS="--unified no-asm"
    allow_failures:
        - compiler: i686-w64-mingw32-gcc
-          env: CONFIG_OPTS="--debug --strict-warnings"
+          env: CONFIG_OPTS="--debug --strict-warnings enable-crypto-mdebug enable-rc5 enable-md2"
        - compiler: x86_64-w64-mingw32-gcc
-          env: CONFIG_OPTS="--debug --strict-warnings"
+          env: CONFIG_OPTS="--debug --strict-warnings enable-crypto-mdebug enable-rc5 enable-md2"
+        - compiler: i686-w64-mingw32-gcc
+          env: CONFIG_OPTS="--unified --debug --strict-warnings enable-crypto-mdebug enable-rc5 enable-md2"
+        - compiler: x86_64-w64-mingw32-gcc
+          env: CONFIG_OPTS="--unified --debug --strict-warnings enable-crypto-mdebug enable-rc5 enable-md2"

 before_script:
    - sh .travis-create-release.sh $TRAVIS_OS_NAME
@@ -88,7 +106,7 @@ script:
    - if [ -n "$CROSS_COMPILE" ]; then
          export EXE_SHELL="wine" WINEPREFIX=`pwd`;
      fi
-    - make test
+    - HARNESS_VERBOSE=yes make test
    - cd ..

 notifications:
--- a/186
+++ b/186
@@ -2,7 +2,135 @@
 OpenSSL CHANGES
 _______________

- Changes between 1.0.2e and 1.1.0  [xx XXX xxxx]
+ Changes between 1.0.2f and 1.1.0  [xx XXX xxxx]
+
+  *) The INSTALL_PREFIX Makefile variable has been renamed to
+     DESTDIR.  That makes for less confusion on what this variable
+     is for.  Also, the configuration option --install_prefix is
+     removed.
+     [Richard Levitte]
+
+  *) Heartbeat for TLS has been removed and is disabled by default
+     for DTLS; configure with enable-heartbeats.  Code that uses the
+     old #define's might need to be updated.
+     [Emilia Käsper, Rich Salz]
+
+  *) Rename REF_CHECK to REF_DEBUG.
+     [Rich Salz]
+
+  *) New "unified" build system
+
+     The "unified" build system is aimed to be a common system for all
+     platforms we support.  With it comes new support for VMS.
+
+     This system builds supports building in a differnt directory tree
+     than the source tree.  It produces one Makefile (for unix family
+     or lookalikes), or one descrip.mms (for VMS).
+
+     The source of information to make the Makefile / descrip.mms is
+     small files called 'build.info', holding the necessary
+     information for each directory with source to compile, and a
+     template in Configurations, like unix-Makefile.tmpl or
+     descrip.mms.tmpl.
+
+     We rely heavily on the perl module Text::Template.
+     [Richard Levitte]
+
+  *) Added support for auto-initialisation and de-initialisation of the library.
+     OpenSSL no longer requires explicit init or deinit routines to be called,
+     except in certain circumstances. See the OPENSSL_init_crypto() and
+     OPENSSL_init_ssl() man pages for further information.
+     [Matt Caswell]
+
+  *) The arguments to the DTLSv1_listen function have changed. Specifically the
+     "peer" argument is now expected to be a BIO_ADDR object.
+
+  *) Rewrite of BIO networking library. The BIO library lacked consistent
+     support of IPv6, and adding it required some more extensive
+     modifications.  This introduces the BIO_ADDR and BIO_ADDRINFO types,
+     which hold all types of addresses and chains of address information.
+     It also introduces a new API, with functions like BIO_socket,
+     BIO_connect, BIO_listen, BIO_lookup and a rewrite of BIO_accept.
+     The source/sink BIOs BIO_s_connect, BIO_s_accept and BIO_s_datagram
+     have been adapted accordingly.
+     [Richard Levitte]
+
+  *) RSA_padding_check_PKCS1_type_1 now accepts inputs with and without
+     the leading 0-byte.
+     [Emilia Käsper]
+
+  *) CRIME protection: disable compression by default, even if OpenSSL is
+     compiled with zlib enabled. Applications can still enable compression
+     by calling SSL_CTX_clear_options(ctx, SSL_OP_NO_COMPRESSION), or by
+     using the SSL_CONF library to configure compression.
+     [Emilia Käsper]
+
+  *) The signature of the session callback configured with
+     SSL_CTX_sess_set_get_cb was changed. The read-only input buffer
+     was explicitly marked as 'const unsigned char*' instead of
+     'unsigned char*'.
+     [Emilia Käsper]
+
+  *) Always DPURIFY. Remove the use of uninitialized memory in the
+     RNG, and other conditional uses of DPURIFY. This makes -DPURIFY a no-op.
+     [Emilia Käsper]
+
+  *) Removed many obsolete configuration items, including
+        DES_PTR, DES_RISC1, DES_RISC2, DES_INT
+        MD2_CHAR, MD2_INT, MD2_LONG
+        BF_PTR, BF_PTR2
+        IDEA_SHORT, IDEA_LONG
+        RC2_SHORT, RC2_LONG, RC4_LONG, RC4_CHUNK, RC4_INDEX
+     [Rich Salz, with advice from Andy Polyakov]
+
+  *) Many BN internals have been moved to an internal header file.
+     [Rich Salz with help from Andy Polyakov]
+
+  *) Configuration and writing out the results from it has changed.
+     Files such as Makefile include/openssl/opensslconf.h and are now
+     produced through general templates, such as Makefile.in and
+     crypto/opensslconf.h.in and some help from the perl module
+     Text::Template.
+
+     Also, the center of configuration information is no longer
+     Makefile.  Instead, Configure produces a perl module in
+     configdata.pm which holds most of the config data (in the hash
+     table %config), the target data that comes from the target
+     configuration in one of the Configurations/*.conf files (in
+     %target).
+     [Richard Levitte]
+
+  *) To clarify their intended purposes, the Configure options
+     --prefix and --openssldir change their semantics, and become more
+     straightforward and less interdependent.
+
+     --prefix shall be used exclusively to give the location INSTALLTOP
+     where programs, scripts, libraries, include files and manuals are
+     going to be installed.  The default is now /usr/local.
+
+     --openssldir shall be used exclusively to give the default
+     location OPENSSLDIR where certificates, private keys, CRLs are
+     managed.  This is also where the default openssl.cnf gets
+     installed.
+     If the directory given with this option is a relative path, the
+     values of both the --prefix value and the --openssldir value will
+     be combined to become OPENSSLDIR.
+     The default for --openssldir is INSTALLTOP/ssl.
+
+     Anyone who uses --openssldir to specify where OpenSSL is to be
+     installed MUST change to use --prefix instead.
+     [Richard Levitte]
+
+  *) The GOST engine was out of date and therefore it has been removed. An up
+     to date GOST engine is now being maintained in an external repository.
+     See: https://wiki.openssl.org/index.php/Binaries. Libssl still retains
+     support for GOST ciphersuites (these are only activated if a GOST engine
+     is present).
+     [Matt Caswell]
+
+  *) EGD is no longer supported by default; use enable-egd when
+     configuring.
+     [Ben Kaduk and Rich Salz]

  *) The distribution now has Makefile.in files, which are used to
     create Makefile's when Configure is run.  *Configure must be run
@@ -666,6 +794,50 @@
     whose return value is often ignored. 
     [Steve Henson]

+ Changes between 1.0.2e and 1.0.2f [28 Jan 2016]
+  *) DH small subgroups
+
+     Historically OpenSSL only ever generated DH parameters based on "safe"
+     primes. More recently (in version 1.0.2) support was provided for
+     generating X9.42 style parameter files such as those required for RFC 5114
+     support. The primes used in such files may not be "safe". Where an
+     application is using DH configured with parameters based on primes that are
+     not "safe" then an attacker could use this fact to find a peer's private
+     DH exponent. This attack requires that the attacker complete multiple
+     handshakes in which the peer uses the same private DH exponent. For example
+     this could be used to discover a TLS server's private DH exponent if it's
+     reusing the private DH exponent or it's using a static DH ciphersuite.
+
+     OpenSSL provides the option SSL_OP_SINGLE_DH_USE for ephemeral DH (DHE) in
+     TLS. It is not on by default. If the option is not set then the server
+     reuses the same private DH exponent for the life of the server process and
+     would be vulnerable to this attack. It is believed that many popular
+     applications do set this option and would therefore not be at risk.
+
+     The fix for this issue adds an additional check where a "q" parameter is
+     available (as is the case in X9.42 based parameters). This detects the
+     only known attack, and is the only possible defense for static DH
+     ciphersuites. This could have some performance impact.
+
+     Additionally the SSL_OP_SINGLE_DH_USE option has been switched on by
+     default and cannot be disabled. This could have some performance impact.
+
+     This issue was reported to OpenSSL by Antonio Sanso (Adobe).
+     (CVE-2016-0701)
+     [Matt Caswell]
+
+  *) SSLv2 doesn't block disabled ciphers
+
+     A malicious client can negotiate SSLv2 ciphers that have been disabled on
+     the server and complete SSLv2 handshakes even if all SSLv2 ciphers have
+     been disabled, provided that the SSLv2 protocol was not also disabled via
+     SSL_OP_NO_SSLv2.
+
+     This issue was reported to OpenSSL on 26th December 2015 by Nimrod Aviram
+     and Sebastian Schinzel.
+     (CVE-2015-3197)
+     [Viktor Dukhovni]
+
 Changes between 1.0.2d and 1.0.2e [3 Dec 2015]

  *) BN_mod_exp may produce incorrect results on x86_64
@@ -2616,7 +2788,7 @@

  *) New option -sigopt to dgst utility. Update dgst to use
     EVP_Digest{Sign,Verify}*. These two changes make it possible to use
-     alternative signing paramaters such as X9.31 or PSS in the dgst 
+     alternative signing parameters such as X9.31 or PSS in the dgst 
     utility.
     [Steve Henson]

@@ -3823,7 +3995,7 @@
     unofficial, and the ID has long expired.
     [Bodo Moeller]

-  *) Fix RSA blinding Heisenbug (problems sometimes occured on
+  *) Fix RSA blinding Heisenbug (problems sometimes occurred on
     dual-core machines) and other potential thread-safety issues.
     [Bodo Moeller]

@@ -4838,7 +5010,7 @@
     unofficial, and the ID has long expired.
     [Bodo Moeller]

-  *) Fix RSA blinding Heisenbug (problems sometimes occured on
+  *) Fix RSA blinding Heisenbug (problems sometimes occurred on
     dual-core machines) and other potential thread-safety issues.
     [Bodo Moeller]

@@ -4943,7 +5115,7 @@

  *) Added support for proxy certificates according to RFC 3820.
     Because they may be a security thread to unaware applications,
-     they must be explicitely allowed in run-time.  See
+     they must be explicitly allowed in run-time.  See
     docs/HOWTO/proxy_certificates.txt for further information.
     [Richard Levitte]

@@ -7520,7 +7692,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k

  *) Fix ssl/s3_enc.c, ssl/t1_enc.c and ssl/s3_pkt.c so that we don't
     reveal whether illegal block cipher padding was found or a MAC
-     verification error occured.  (Neither SSLerr() codes nor alerts
+     verification error occurred.  (Neither SSLerr() codes nor alerts
     are directly visible to potential attackers, but the information
     may leak via logfiles.)

@@ -9927,7 +10099,7 @@ des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
  *) Bugfix: ssl23_get_client_hello did not work properly when called in
     state SSL23_ST_SR_CLNT_HELLO_B, i.e. when the first 7 bytes of
     a SSLv2-compatible client hello for SSLv3 or TLSv1 could be read,
-     but a retry condition occured while trying to read the rest.
+     but a retry condition occurred while trying to read the rest.
     [Bodo Moeller]

  *) The PKCS7_ENC_CONTENT_new() function was setting the content type as
--- a/4
+++ b/4
@@ -22,6 +22,10 @@ current Git or the last snapshot. They should follow our coding style
 warnings using the --strict-warnings flag.  OpenSSL compiles on many varied
 platforms: try to ensure you only use portable features.

+When at all possible, patches should include tests. These can either be
+added to an existing test, or completely new.  Please see test/README for
+information on the test framework.
+
 Our preferred format for patch files is "git format-patch" output. For example
 to provide a patch file containing the last commit in your local git repository
 use the following command:
--- a/Configurations/00-base-templates.conf
+++ b/Configurations/00-base-templates.conf
@@ -0,0 +1,200 @@
+# -*- Mode: perl -*-
+%targets=(
+    BASE => {
+	template	=> 1,
+
+	cflags		=> "",
+	defines		=> [],
+	debug_cflags	=> "",
+	debug_defines	=> [],
+	release_cflags	=> "",
+	release_defines => [],
+	thread_cflags	=> "",
+	thread_defines	=> [],
+
+	apps_extra_src	=> "",
+	cpuid_asm_src	=> "mem_clr.c",
+	bn_asm_src	=> "bn_asm.c",
+	ec_asm_src	=> "",
+	des_asm_src	=> "des_enc.c fcrypt_b.c",
+	aes_asm_src	=> "aes_core.c aes_cbc.c",
+	bf_asm_src	=> "bf_enc.c",
+	md5_asm_src	=> "",
+	cast_asm_src	=> "c_enc.c",
+	rc4_asm_src	=> "rc4_enc.c rc4_skey.c",
+	rmd160_asm_src	=> "",
+	rc5_asm_src	=> "rc5_enc.c",
+	wp_asm_src	=> "wp_block.c",
+	cmll_asm_src	=> "camellia.c cmll_misc.c cmll_cbc.c",
+	modes_asm_src	=> "",
+	padlock_asm_src	=> "",
+	chacha_asm_src	=> "chacha_enc.c",
+	poly1305_asm_src	=> "",
+
+	unistd		=> "<unistd.h>",
+	shared_target	=> "",
+	shared_cflag	=> "",
+	shared_ldflag	=> "",
+	shared_rcflag	=> "",
+	shared_extension	=> "",
+	build_scheme	=> "unixmake",
+	build_file      => "Makefile",
+    },
+
+    x86_asm => {
+	template	=> 1,
+	cpuid_asm_src	=> "x86cpuid.s",
+	bn_asm_src	=> "bn-586.s co-586.s x86-mont.s x86-gf2m.s",
+	ec_asm_src	=> "ecp_nistz256.c ecp_nistz256-x86.s",
+	des_asm_src	=> "des-586.s crypt586.s",
+	aes_asm_src	=> "aes-586.s vpaes-x86.s aesni-x86.s",
+	bf_asm_src	=> "bf-586.s",
+	md5_asm_src	=> "md5-586.s",
+	cast_asm_src	=> "cast-586.s",
+	sha1_asm_src	=> "sha1-586.s sha256-586.s sha512-586.s",
+	rc4_asm_src	=> "rc4-586.s",
+	rmd160_asm_src	=> "rmd-586.s",
+	rc5_asm_src	=> "rc5-586.s",
+	wp_asm_src	=> "wp_block.c wp-mmx.s",
+	cmll_asm_src	=> "cmll-x86.s",
+	modes_asm_src	=> "ghash-x86.s",
+	padlock_asm_src	=> "e_padlock-x86.s",
+	chacha_asm_src	=> "chacha-x86.s",
+	poly1305_asm_src=> "poly1305-x86.s",
+    },
+    x86_elf_asm => {
+	template	=> 1,
+	inherit_from	=> [ "x86_asm" ],
+	perlasm_scheme	=> "elf"
+    },
+    x86_64_asm => {
+	template	=> 1,
+	cpuid_asm_src   => "x86_64cpuid.s",
+	bn_asm_src      => "asm/x86_64-gcc.c x86_64-mont.s x86_64-mont5.s x86_64-gf2m.s rsaz_exp.c rsaz-x86_64.s rsaz-avx2.s",
+	ec_asm_src      => "ecp_nistz256.c ecp_nistz256-x86_64.s",
+	aes_asm_src     => "aes-x86_64.s vpaes-x86_64.s bsaes-x86_64.s aesni-x86_64.s aesni-sha1-x86_64.s aesni-sha256-x86_64.s aesni-mb-x86_64.s",
+	md5_asm_src     => "md5-x86_64.s",
+	sha1_asm_src    => "sha1-x86_64.s sha256-x86_64.s sha512-x86_64.s sha1-mb-x86_64.s sha256-mb-x86_64.s",
+	rc4_asm_src     => "rc4-x86_64.s rc4-md5-x86_64.s",
+	wp_asm_src      => "wp-x86_64.s",
+	cmll_asm_src    => "cmll-x86_64.s cmll_misc.c",
+	modes_asm_src   => "ghash-x86_64.s aesni-gcm-x86_64.s",
+	padlock_asm_src => "e_padlock-x86_64.s",
+	chacha_asm_src	=> "chacha-x86_64.s",
+	poly1305_asm_src=> "poly1305-x86_64.s",
+    },
+    ia64_asm => {
+	template	=> 1,
+	cpuid_asm_src   => "ia64cpuid.s",
+	bn_asm_src      => "bn-ia64.s ia64-mont.s",
+	aes_asm_src     => "aes_core.c aes_cbc.c aes-ia64.s",
+	md5_asm_src     => "md5-ia64.s",
+	sha1_asm_src    => "sha1-ia64.s sha256-ia64.s sha512-ia64.s",
+	rc4_asm_src     => "rc4-ia64.s rc4_skey.c",
+	modes_asm_src   => "ghash-ia64.s",
+	perlasm_scheme	=> "void"
+    },
+    sparcv9_asm => {
+	template	=> 1,
+	cpuid_asm_src   => "sparcv9cap.c sparccpuid.S",
+	bn_asm_src      => "asm/sparcv8plus.S sparcv9-mont.s sparcv9a-mont.s vis3-mont.s sparct4-mont.S sparcv9-gf2m.S",
+	ec_asm_src      => "ecp_nistz256.c ecp_nistz256-sparcv9.S",
+	des_asm_src     => "des_enc-sparc.S fcrypt_b.c dest4-sparcv9.s",
+	aes_asm_src     => "aes_core.c aes_cbc.c aes-sparcv9.s aest4-sparcv9.s",
+	md5_asm_src     => "md5-sparcv9.S",
+	sha1_asm_src    => "sha1-sparcv9.S sha256-sparcv9.S sha512-sparcv9.S",
+	cmll_asm_src    => "camellia.c cmll_misc.c cmll_cbc.c cmllt4-sparcv9.s",
+	modes_asm_src   => "ghash-sparcv9.s",
+	poly1305_asm_src=> "poly1305-sparcv9.S",
+	perlasm_scheme	=> "void"
+    },
+    sparcv8_asm => {
+	template	=> 1,
+	cpuid_asm_src   => "",
+	bn_asm_src      => "asm/sparcv8.S",
+	des_asm_src     => "des_enc-sparc.S fcrypt_b.c",
+	perlasm_scheme	=> "void"
+    },
+    alpha_asm => {
+	template	=> 1,
+	cpuid_asm_src   => "alphacpuid.s",
+	bn_asm_src      => "bn_asm.c alpha-mont.s",
+	sha1_asm_src    => "sha1-alpha.s",
+	modes_asm_src   => "ghash-alpha.s",
+	perlasm_scheme	=> "void"
+    },
+    mips32_asm => {
+	template	=> 1,
+	bn_asm_src      => "bn-mips.s mips-mont.s",
+	aes_asm_src     => "aes_cbc.c aes-mips.S",
+	sha1_asm_src    => "sha1-mips.S sha256-mips.S",
+    },
+    mips64_asm => {
+	inherit_from	=> [ "mips32_asm" ],
+	template	=> 1,
+	sha1_asm_src    => add("sha512-mips.S")
+    },
+    s390x_asm => {
+	template	=> 1,
+	cpuid_asm_src   => "s390xcap.c s390xcpuid.s",
+	bn_asm_src      => "asm/s390x.S s390x-mont.S s390x-gf2m.s",
+	aes_asm_src     => "aes-s390x.S aes-ctr.fake aes-xts.fake",
+	sha1_asm_src    => "sha1-s390x.S sha256-s390x.S sha512-s390x.S",
+	rc4_asm_src     => "rc4-s390x.s",
+	modes_asm_src   => "ghash-s390x.S",
+	chacha_asm_src  => "chacha-s390x.S",
+	poly1305_asm_src=> "poly1305-s390x.S",
+    },
+    armv4_asm => {
+	template	=> 1,
+	cpuid_asm_src   => "armcap.c armv4cpuid.S",
+	bn_asm_src      => "bn_asm.c armv4-mont.S armv4-gf2m.S",
+	ec_asm_src      => "ecp_nistz256.c ecp_nistz256-armv4.S",
+	aes_asm_src     => "aes_cbc.c aes-armv4.S bsaes-armv7.S aesv8-armx.S",
+	sha1_asm_src    => "sha1-armv4-large.S sha256-armv4.S sha512-armv4.S",
+	modes_asm_src   => "ghash-armv4.S ghashv8-armx.S",
+	chacha_asm_src  => "chacha-armv4.S",
+	poly1305_asm_src=> "poly1305-armv4.S", 
+	perlasm_scheme	=> "void"
+    },
+    aarch64_asm => {
+	template	=> 1,
+	cpuid_asm_src   => "armcap.c arm64cpuid.S mem_clr.c",
+	ec_asm_src      => "ecp_nistz256.c ecp_nistz256-armv8.S",
+	bn_asm_src      => "bn_asm.c armv8-mont.S",
+	aes_asm_src     => "aes_core.c aes_cbc.c aesv8-armx.S vpaes-armv8.S",
+	sha1_asm_src    => "sha1-armv8.S sha256-armv8.S sha512-armv8.S",
+	modes_asm_src   => "ghashv8-armx.S",
+	chacha_asm_src  => "chacha-armv8.S",
+	poly1305_asm_src=> "poly1305-armv8.S",
+    },
+    parisc11_asm => {
+	template	=> 1,
+	cpuid_asm_src   => "pariscid.s",
+	bn_asm_src      => "bn_asm.c parisc-mont.s",
+	aes_asm_src     => "aes_core.c aes_cbc.c aes-parisc.s",
+	sha1_asm_src    => "sha1-parisc.s sha256-parisc.s sha512-parisc.s",
+	rc4_asm_src     => "rc4-parisc.s",
+	modes_asm_src   => "ghash-parisc.s",
+	perlasm_scheme	=> "32"
+    },
+    parisc20_64_asm => {
+	template	=> 1,
+	inherit_from	=> [ "parisc11_asm" ],
+	perlasm_scheme	=> "64",
+    },
+    ppc64_asm => {
+	template	=> 1,
+	cpuid_asm_src   => "ppccpuid.s ppccap.c",
+	bn_asm_src      => "bn-ppc.s ppc-mont.s ppc64-mont.s",
+	aes_asm_src     => "aes_core.c aes_cbc.c aes-ppc.s vpaes-ppc.s aesp8-ppc.s",
+	sha1_asm_src    => "sha1-ppc.s sha256-ppc.s sha512-ppc.s sha256p8-ppc.s sha512p8-ppc.s",
+	modes_asm_src   => "ghashp8-ppc.s",
+	chacha_asm_src	=> "chacha-ppc.s",
+	poly1305_asm_src=> "poly1305-ppc.s poly1305-ppcfp.s",
+    },
+    ppc32_asm => {
+	inherit_from	=> [ "ppc64_asm" ],
+	template	=> 1
+    },
+);
--- a/Configurations/10-main.conf
+++ b/Configurations/10-main.conf
--- a/Configurations/90-team.conf
+++ b/Configurations/90-team.conf
@@ -8,23 +8,23 @@
 %targets = (
    "purify" => {
        cc               => "purify gcc",
-        cflags           => "-g -DPURIFY -Wall",
+        cflags           => "-g -Wall",
        thread_cflag     => "(unknown)",
-        lflags           => "-lsocket -lnsl",
+        ex_libs          => "-lsocket -lnsl",
    },
    "debug" => {
        cc               => "gcc",
-        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DOPENSSL_NO_ASM -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror",
+        cflags           => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DOPENSSL_NO_ASM -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror",
        thread_cflag     => "(unknown)",
-        lflags           => "-lefence",
+        ex_libs          => "-lefence",
    },
    "debug-erbridge" => {
        inherit_from     => [ "x86_64_asm" ],
        cc               => "gcc",
        cflags           => "$gcc_devteam_warn -DBN_DEBUG -DCONF_DEBUG -m64 -DL_ENDIAN -DTERMIO -g",
        thread_cflag     => "-D_REENTRANT",
-        lflags           => "-ldl",
-        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
+        ex_libs          => "-ldl",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
@@ -36,28 +36,28 @@
    "debug-linux-pentium" => {
        inherit_from     => [ "x86_elf_asm" ],
        cc               => "gcc",
-        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -mcpu=pentium -Wall",
+        cflags           => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -mcpu=pentium -Wall",
        thread_cflag     => "-D_REENTRANT",
-        lflags           => "-ldl",
-        bn_ops           => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}",
+        ex_libs          => "-ldl",
+        bn_ops           => "BN_LLONG",
        dso_scheme       => "dlfcn",
    },
    "debug-linux-ppro" => {
        inherit_from     => [ "x86_elf_asm" ],
        cc               => "gcc",
-        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -mcpu=pentiumpro -Wall",
+        cflags           => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -mcpu=pentiumpro -Wall",
        thread_cflag     => "-D_REENTRANT",
-        lflags           => "-ldl",
-        bn_ops           => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}",
+        ex_libs          => "-ldl",
+        bn_ops           => "BN_LLONG",
        dso_scheme       => "dlfcn",
    },
    "debug-linux-elf-noefence" => {
        inherit_from     => [ "x86_elf_asm" ],
        cc               => "gcc",
-        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -march=i486 -Wall",
+        cflags           => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DL_ENDIAN -g -march=i486 -Wall",
        thread_cflag     => "-D_REENTRANT",
-        lflags           => "-ldl",
-        bn_ops           => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}",
+        ex_libs          => "-ldl",
+        bn_ops           => "BN_LLONG",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
@@ -67,22 +67,22 @@
        cc               => "gcc",
        cflags           => "-DAES_EXPERIMENTAL -DL_ENDIAN -O3 -fomit-frame-pointer -Wall",
        thread_cflag     => "-D_REENTRANT",
-        lflags           => "-ldl",
-        bn_ops           => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}",
-        cpuid_obj        => "x86cpuid.o",
-        bn_obj           => "bn-586.o co-586.o x86-mont.o",
-        des_obj          => "des-586.o crypt586.o",
-        aes_obj          => "aes_x86core.o aes_cbc.o aesni-x86.o",
-        bf_obj           => "bf-586.o",
-        md5_obj          => "md5-586.o",
-        sha1_obj         => "sha1-586.o sha256-586.o sha512-586.o",
-        cast_obj         => "cast-586.o",
-        rc4_obj          => "rc4-586.o",
-        rmd160_obj       => "rmd-586.o",
-        rc5_obj          => "rc5-586.o",
-        wp_obj           => "wp_block.o wp-mmx.o",
-        modes_obj        => "ghash-x86.o",
-        engines_obj      => "e_padlock-x86.o",
+        ex_libs          => "-ldl",
+        bn_ops           => "BN_LLONG",
+        cpuid_asm_src    => "x86cpuid.s",
+        bn_asm_src       => "bn-586.s co-586.s x86-mont.s",
+        des_asm_src      => "des-586.s crypt586.s",
+        aes_asm_src      => "aes_x86core.s aes_cbc.s aesni-x86.s",
+        bf_asm_src       => "bf-586.s",
+        md5_asm_src      => "md5-586.s",
+        sha1_asm_src     => "sha1-586.s sha256-586.s sha512-586.s",
+        cast_asm_src     => "cast-586.s",
+        rc4_asm_src      => "rc4-586.s",
+        rmd160_asm_src   => "rmd-586.s",
+        rc5_asm_src      => "rc5-586.s",
+        wp_asm_src       => "wp_block.s wp-mmx.s",
+        modes_asm_src    => "ghash-x86.s",
+        padlock_asm_src  => "e_padlock-x86.s",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
@@ -99,7 +99,7 @@
        cc               => "clang",
        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
        thread_cflag     => "${BSDthreads}",
-        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "bsd-gcc-shared",
@@ -112,7 +112,7 @@
        cflags           => "-arch x86_64 -DL_ENDIAN $gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wno-error=unused-const-variable -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
        thread_cflag     => "${BSDthreads}",
        sys_id           => "MACOSX",
-        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG",
        perlasm_scheme   => "macosx",
        dso_scheme       => "dlfcn",
        shared_target    => "darwin-shared",
--- a/Configurations/99-personal-ben.conf
+++ b/Configurations/99-personal-ben.conf
@@ -8,17 +8,17 @@
 %targets = (
    "debug-ben" => {
        cc               => "gcc",
-        cflags           => "$gcc_devteam_warn -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -O2 -pipe",
+        cflags           => "$gcc_devteam_warn -DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -O2 -pipe",
        thread_cflag     => "(unknown)",
    },
    "debug-ben-openbsd" => {
        cc               => "gcc",
-        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe",
+        cflags           => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe",
        thread_cflag     => "(unknown)",
    },
    "debug-ben-openbsd-debug" => {
        cc               => "gcc",
-        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe",
+        cflags           => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe",
        thread_cflag     => "(unknown)",
    },
    "debug-ben-debug" => {
@@ -31,7 +31,7 @@
        cc               => "gcc",
        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
        thread_cflag     => "${BSDthreads}",
-        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "bsd-gcc-shared",
@@ -43,7 +43,7 @@
        cc               => "clang",
        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -Wno-error=extended-offsetof -Wno-error=language-extension-token -Wstrict-overflow -Qunused-arguments -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -O3 -pipe",
        thread_cflag     => "${BSDthreads}",
-        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "bsd-gcc-shared",
@@ -55,7 +55,7 @@
        cc               => "gcc",
        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DCONF_DEBUG -DDEBUG_SAFESTACK -DDEBUG_UNUSED -g3 -pipe",
        thread_cflag     => "${BSDthreads}",
-        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "bsd-gcc-shared",
@@ -74,7 +74,7 @@
    },
    "debug-ben-strict" => {
        cc               => "gcc",
-        cflags           => "-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe",
+        cflags           => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe",
        thread_cflag     => "(unknown)",
    },
    "debug-ben-darwin64" => {
@@ -83,8 +83,8 @@
        cflags           => "$gcc_devteam_warn -Wno-language-extension-token -Wno-extended-offsetof -arch x86_64 -O3 -DL_ENDIAN -DMD32_REG_T=int -Wall",
        thread_cflag     => "-D_REENTRANT",
        sys_id           => "MACOSX",
-        lflags           => "-Wl,-search_paths_first%",
-        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
+        plib_lflags      => "-Wl,-search_paths_first",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG",
        perlasm_scheme   => "macosx",
        dso_scheme       => "dlfcn",
        shared_target    => "darwin-shared",
--- a/Configurations/99-personal-bodo.conf
+++ b/Configurations/99-personal-bodo.conf
@@ -9,10 +9,10 @@
    "debug-bodo" => {
        inherit_from     => [ "x86_64_asm" ],
        cc               => "gcc",
-        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -DBIO_PAIR_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int",
+        cflags           => "$gcc_devteam_warn -Wno-error=overlength-strings -DBN_DEBUG -DBN_DEBUG_RAND -DCONF_DEBUG -m64 -DL_ENDIAN -DTERMIO -g -DMD32_REG_T=int",
        thread_cflag     => "-D_REENTRANT",
-        lflags           => "-ldl",
-        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
+        ex_libs          => "-ldl",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
--- a/Configurations/99-personal-geoff.conf
+++ b/Configurations/99-personal-geoff.conf
@@ -7,11 +7,10 @@

 %targets = (
    "debug-geoff32" => {
-        inherit_from     => [ "no_asm_filler" ],
        cc               => "gcc",
-        cflags           => "-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DPURIFY -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long",
+        cflags           => "-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long",
        thread_cflag     => "-D_REENTRANT",
-        lflags           => "-ldl",
+        ex_libs          => "-ldl",
        bn_ops           => "BN_LLONG",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
@@ -19,12 +18,11 @@
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
    },
    "debug-geoff64" => {
-        inherit_from     => [ "no_asm_filler" ],
        cc               => "gcc",
-        cflags           => "-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DPURIFY -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long",
+        cflags           => "-DBN_DEBUG -DBN_DEBUG_RAND -DBN_STRICT -DOPENSSL_NO_DEPRECATED -DOPENSSL_NO_ASM -DOPENSSL_NO_INLINE_ASM -DL_ENDIAN -DTERMIO -DPEDANTIC -O1 -ggdb2 -Wall -Werror -Wundef -pedantic -Wshadow -Wpointer-arith -Wbad-function-cast -Wcast-align -Wsign-compare -Wmissing-prototypes -Wmissing-declarations -Wno-long-long",
        thread_cflag     => "-D_REENTRANT",
-        lflags           => "-ldl",
-        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_UNROLL BF_PTR",
+        ex_libs          => "-ldl",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHAR",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
--- a/Configurations/99-personal-levitte.conf
+++ b/Configurations/99-personal-levitte.conf
@@ -7,54 +7,17 @@

 %targets = (
    "levitte-linux-elf" => {
-        inherit_from     => [ "x86_elf_asm" ],
-        cc               => "gcc",
-        cflags           => "-DL_ENDIAN -Wall",
-        debug_cflags     => "-DLEVITTE_DEBUG -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -ggdb -g3",
-        thread_cflag     => "-D_REENTRANT",
-        lflags           => "-ldl",
-        bn_ops           => "BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT",
-        dso_scheme       => "dlfcn",
-        shared_target    => "linux-shared",
-        shared_cflag     => "-fPIC",
-        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+        inherit_from     => [ "linux-elf" ],
+        debug_cflags     => add("-ggdb -g3"),
+        debug_defines    => add(undef, "LEVITTE_DEBUG"),
+        build_scheme     => [ "unified", "unix" ],
+        build_file       => "Makefile",
    },
-    "debug-levitte-linux-noasm" => {
-        inherit_from     => [ "no_asm_filler" ],
-        cc               => "gcc",
-        cflags           => "-DLEVITTE_DEBUG -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -ggdb -g3 -Wall",
-        thread_cflag     => "-D_REENTRANT",
-        lflags           => "-ldl",
-        bn_ops           => "BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT",
-        dso_scheme       => "dlfcn",
-        shared_target    => "linux-shared",
-        shared_cflag     => "-fPIC",
-        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-    },
-    "debug-levitte-linux-elf-extreme" => {
-        inherit_from     => [ "x86_elf_asm" ],
-        cc               => "gcc",
-        cflags           => "-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DENGINE_CONF_DEBUG -DL_ENDIAN -DPEDANTIC -ggdb -g3 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe",
-        thread_cflag     => "-D_REENTRANT",
-        lflags           => "-ldl",
-        bn_ops           => "BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT",
-        perlasm_scheme   => "elf",
-        dso_scheme       => "dlfcn",
-        shared_target    => "linux-shared",
-        shared_cflag     => "-fPIC",
-        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-    },
-    "debug-levitte-linux-noasm-extreme" => {
-        inherit_from     => [ "no_asm_filler" ],
-        cc               => "gcc",
-        cflags           => "-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_DEBUG_RAND -DENGINE_CONF_DEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DPEDANTIC -ggdb -g3 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -Wundef -Wconversion -pipe",
-        thread_cflag     => "-D_REENTRANT",
-        lflags           => "-ldl",
-        bn_ops           => "BN_LLONG DES_PTR DES_RISC1 DES_UNROLL RC4_INDEX MD2_INT",
-        perlasm_scheme   => "void",
-        dso_scheme       => "dlfcn",
-        shared_target    => "linux-shared",
-        shared_cflag     => "-fPIC",
-        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+    "levitte-linux-x86_64" => {
+        inherit_from     => [ "linux-x86_64" ],
+        debug_cflags     => add("-ggdb -g3"),
+        debug_defines    => add(undef, "LEVITTE_DEBUG"),
+        build_scheme     => [ "unified", "unix" ],
+        build_file       => "Makefile",
    },
 );
--- a/Configurations/99-personal-rse.conf
+++ b/Configurations/99-personal-rse.conf
@@ -11,6 +11,6 @@
        cc               => "cc",
        cflags           => "-DL_ENDIAN -pipe -O -g -ggdb3 -Wall",
        thread_cflag     => "(unknown)",
-        bn_ops           => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}",
+        bn_ops           => "BN_LLONG",
    },
 );
--- a/Configurations/99-personal-steve.conf
+++ b/Configurations/99-personal-steve.conf
@@ -11,8 +11,8 @@
        cc               => "gcc",
        cflags           => "$gcc_devteam_warn -pthread -m64 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -g",
        thread_cflag     => "-D_REENTRANT",
-        lflags           => "-ldl",
-        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
+        ex_libs          => "-ldl",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
@@ -25,8 +25,9 @@
        cc               => "gcc",
        cflags           => "$gcc_devteam_warn -pthread -m32 -DL_ENDIAN -DCONF_DEBUG -g",
        thread_cflag     => "-D_REENTRANT",
-        lflags           => "-rdynamic -ldl",
-        bn_ops           => "BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}",
+        lflags           => "-rdynamic",
+        ex_libs          => "-ldl",
+        bn_ops           => "BN_LLONG",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
        shared_cflag     => "-fPIC",
@@ -38,8 +39,8 @@
        cc               => "gcc",
        cflags           => "$gcc_devteam_warn -pthread -m64 -O3 -DL_ENDIAN -DTERMIO -DCONF_DEBUG -g",
        thread_cflag     => "-D_REENTRANT",
-        lflags           => "-ldl",
-        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_UNROLL",
+        ex_libs          => "-ldl",
+        bn_ops           => "SIXTY_FOUR_BIT_LONG",
        perlasm_scheme   => "elf",
        dso_scheme       => "dlfcn",
        shared_target    => "linux-shared",
--- a/Configurations/README
+++ b/Configurations/README
@@ -0,0 +1,621 @@
+Configurations of OpenSSL target platforms
+==========================================
+
+Target configurations are a collection of facts that we know about
+different platforms and their capabilities.  We organise them in a
+hash table, where each entry represent a specific target.
+
+In each table entry, the following keys are significant:
+
+        inherit_from    => Other targets to inherit values from.
+                           Explained further below. [1]
+        template        => Set to 1 if this isn't really a platform
+                           target.  Instead, this target is a template
+                           upon which other targets can be built.
+                           Explained further below.  [1]
+
+        sys_id          => System identity for systems where that
+                           is difficult to determine automatically.
+
+        cc              => The compiler command, usually one of "cc",
+                           "gcc" or "clang".  This command is normally
+                           also used to link object files and
+                           libraries into the final program.
+        cflags          => Flags that are used at all times when
+                           compiling.
+        defines         => As an alternative, macro definitions may be
+                           present here instead of in `cflags'.  If
+                           given here, they MUST be as an array of the
+                           string such as "MACRO=value", or just
+                           "MACRO" for definitions without value.
+        debug_cflags    => Extra compilation flags used when making a
+                           debug build (when Configure receives the
+                           --debug option).  Typically something like
+                           "-g -O0".
+        debug_defines   => Similarly to `debug_cflags', this gets
+                           combined with `defines' during a debug
+                           build.  The value here MUST also be an
+                           array of the same form as for `defines'.
+        release_cflags  => Extra compilation flags used when making a
+                           release build (when Configure receives the
+                           --release option, or doesn't receive the
+                           --debug option).  Typically something like
+                           "-O" or "-O3".
+        release_defines => Similarly to `release_cflags', this gets
+                           combined with `defines' during a release
+                           build.  The value here MUST also be an
+                           array of the same form as for `defines'.
+        thread_cflags   => Extra compilation flags used when
+                           compiling with threading enabled.
+                           Explained further below.  [2]
+        thread_defines  => Similarly to `thread_cflags', this gets
+                           combined with `defines' when threading is
+                           enabled.  The value here MUST also be an
+                           array of the same form as for `defines'.
+        shared_cflag    => Extra compilation flags used when
+                           compiling for shared libraries, typically
+                           something like "-fPIC".
+
+        (linking is a complex thing, see [3] below)
+        ld              => Linker command, usually not defined
+                           (meaning the compiler command is used
+                           instead).
+                           (NOTE: this is here for future use, it's
+                           not implemented yet)
+        lflags          => Flags that are used when linking apps.
+        shared_ldflag   => Flags that are used when linking shared
+                           or dynamic libraries.
+        plib_lflags     => Extra linking flags to appear just before
+                           the libraries on the command line.
+        ex_libs         => Extra libraries that are needed when
+                           linking.
+
+        debug_lflags    => Like debug_cflags, but used when linking.
+        release_lflags  => Like release_cflags, but used when linking.
+
+        ar              => The library archive command, the default is
+                           "ar".
+                           (NOTE: this is here for future use, it's
+                           not implemented yet)
+        arflags         => Flags to be used with the library archive
+                           command.
+
+        ranlib          => The library archive indexing command, the
+                           default is 'ranlib' it it exists.
+
+        unistd          => An alternative header to the typical
+                           '<unistd.h>'.  This is very rarely needed.
+
+        shared_extension => File name extension used for shared
+                            libraries. 
+        obj_extension   => File name extension used for object files.
+                           On unix, this defaults to ".o" (NOTE: this
+                           is here for future use, it's not
+                           implemented yet)
+        exe_extension   => File name extension used for executable
+                           files.  On unix, this defaults to "" (NOTE:
+                           this is here for future use, it's not
+                           implemented yet)
+
+        dso_scheme      => The type of dynamic shared objects to build
+                           for.  This mostly comes into play with
+                           engines, but can be used for other purposes
+                           as well.  Valid values are "DLFCN"
+                           (dlopen() et al), "DLFCN_NO_H" (for systems
+                           that use dlopen() et al but do not have
+                           fcntl.h), "DL" (shl_load() et al), "WIN32"
+                           and "VMS".
+        perlasm_scheme  => The perlasm method used to created the
+                           assembler files used when compiling with
+                           assembler implementations.
+        shared_target   => The shared library building method used.
+                           This is a target found in Makefile.shared.
+        build_scheme    => The scheme used to build up a Makefile.
+                           In its simplest form, the value is a string
+                           with the name of the build scheme.
+                           The value may also take the form of a list
+                           of strings, if the build_scheme is to have
+                           some options.  In this case, the first
+                           string in the list is the name of the build
+                           scheme.
+                           Currently recognised build schemes are
+                           "mk1mf" and "unixmake" and "unified".
+                           For the "unified" build scheme, this item
+                           *must* be an array with the first being the
+                           word "unified" and the second being a word
+                           to identify the platform family.
+
+        multilib        => On systems that support having multiple
+                           implementations of a library (typically a
+                           32-bit and a 64-bit variant), this is used
+                           to have the different variants in different
+                           directories.
+
+        bn_ops          => Building options (was just bignum options
+                           in the earlier history of this option,
+                           hence the name).  This a string of words
+                           that describe properties on the designated
+                           target platform, such as the type of
+                           integers used to build up the bitnum,
+                           different ways to implement certain ciphers
+                           and so on.  To fully comprehend the
+                           meaning, the best is to read the affected
+                           source.
+                           The valid words are:
+
+                           BN_LLONG     use 'unsigned long long' in
+                                        some bignum calculations.
+                                        This has no value when
+                                        SIXTY_FOUR_BIT or
+                                        SIXTY_FOUR_BIT_LONG is given.
+                           RC4_CHAR     makes the basic RC4 unit of
+                                        calculation an unsigned char.
+                           SIXTY_FOUR_BIT       processor registers
+                                                are 64 bits, long is
+                                                32 bits, long long is
+                                                64 bits.
+                           SIXTY_FOUR_BIT_LONG  processor registers
+                                                are 64 bits, long is
+                                                64 bits.
+                           THIRTY_TWO_BIT       processor registers
+                                                are 32 bits.
+                           EXPORT_VAR_AS_FN     for shared libraries,
+                                                export vars as
+                                                accessor functions.
+
+        apps_extra_src  => Extra source to build apps/openssl, as
+                           needed by the target.
+        cpuid_asm_src   => assembler implementation of cpuid code as
+                           well as OPENSSL_cleanse().
+                           Default to mem_clr.c
+        bn_asm_src      => Assembler implementation of core bignum
+                           functions.
+                           Defaults to bn_asm.c
+        ec_asm_src      => Assembler implementation of core EC
+                           functions.
+        des_asm_src     => Assembler implementation of core DES
+                           encryption functions.
+                           Defaults to 'des_enc.c fcrypt_b.c'
+        aes_asm_src     => Assembler implementation of core AES
+                           functions.
+                           Defaults to 'aes_core.c aes_cbc.c'
+        bf_asm_src      => Assembler implementation of core BlowFish
+                           functions.
+                           Defaults to 'bf_enc.c'
+        md5_asm_src     => Assembler implementation of core MD5
+                           functions.
+        sha1_asm_src    => Assembler implementation of core SHA1,
+                           functions, and also possibly SHA256 and
+                           SHA512 ones.
+        cast_asm_src    => Assembler implementation of core CAST
+                           functions.
+                           Defaults to 'c_enc.c'
+        rc4_asm_src     => Assembler implementation of core RC4
+                           functions.
+                           Defaults to 'rc4_enc.c rc4_skey.c'
+        rmd160_asm_src  => Assembler implementation of core RMD160
+                           functions.
+        rc5_asm_src     => Assembler implementation of core RC5
+                           functions.
+                           Defaults to 'rc5_enc.c'
+        wp_asm_src      => Assembler implementation of core WHIRLPOOL
+                           functions.
+        cmll_asm_src    => Assembler implementation of core CAMELLIA
+                           functions.
+                           Defaults to 'camellia.c cmll_misc.c cmll_cbc.c'
+        modes_asm_src   => Assembler implementation of cipher modes,
+                           currently the functions gcm_gmult_4bit and
+                           gcm_ghash_4bit.
+        padlock_asm_src => Assembler implementation of core parts of
+                           the padlock engine.  This is mandatory on
+                           any platform where the padlock engine might
+                           actually be built.
+
+
+[1] as part of the target configuration, one can have a key called
+    'inherit_from' that indicate what other configurations to inherit
+    data from.  These are resolved recursively.
+
+    Inheritance works as a set of default values that can be overriden
+    by corresponding key values in the inheriting configuration.
+
+    Note 1: any configuration table can be used as a template.
+    Note 2: pure templates have the attribute 'template => 1' and
+            cannot be used as build targets.
+
+    If several configurations are given in the 'inherit_from' array,
+    the values of same attribute are concatenated with space
+    separation.  With this, it's possible to have several smaller
+    templates for different configuration aspects that can be combined
+    into a complete configuration.
+
+    instead of a scalar value or an array, a value can be a code block
+    of the form 'sub { /* your code here */ }'.  This code block will
+    be called with the list of inherited values for that key as
+    arguments.  In fact, the concatenation of strings is really done
+    by using 'sub { join(" ",@_) }' on the list of inherited values.
+
+    An example:
+
+        "foo" => {
+                template => 1,
+                haha => "ha ha",
+                hoho => "ho",
+                ignored => "This should not appear in the end result",
+        },
+        "bar" => {
+                template => 1,
+                haha => "ah",
+                hoho => "haho",
+                hehe => "hehe"
+        },
+        "laughter" => {
+                inherit_from => [ "foo", "bar" ],
+                hehe => sub { join(" ",(@_,"!!!")) },
+                ignored => "",
+        }
+
+        The entry for "laughter" will become as follows after processing:
+
+        "laughter" => {
+                haha => "ha ha ah",
+                hoho => "ho haho",
+                hehe => "hehe !!!",
+                ignored => ""
+        }
+
+[2] OpenSSL is built with threading capabilities unless the user
+    specifies 'no-threads'.  The value of the key 'thread_cflags' may
+    be "(unknown)", in which case the user MUST give some compilation
+    flags to Configure.
+
+[3] OpenSSL has three types of things to link from object files or
+    static libraries:
+
+    - shared libraries; that would be libcrypto and libssl.
+    - shared objects (sometimes called dynamic libraries);  that would
+      be the engines.
+    - applications; those are apps/openssl and all the test apps.
+
+    Very roughly speaking, linking is done like this (words in braces
+    represent the configuration settings documented at the beginning
+    of this file):
+
+    shared libraries:
+        {ld} $(CFLAGS) {shared_ldflag} -shared -o libfoo.so \
+            -Wl,--whole-archive libfoo.a -Wl,--no-whole-archive \
+            {plib_lflags} -lcrypto {ex_libs}
+
+    shared objects:
+        {ld} $(CFLAGS) {shared_ldflag} -shared -o libeng.so \
+            blah1.o blah2.o {plib_lflags} -lcrypto {ex_libs}
+
+    applications:
+        {ld} $(CFLAGS) {lflags} -o app \
+            app1.o utils.o {plib_lflags} -lssl -lcrypto {ex_libs}
+
+
+Historically, the target configurations came in form of a string with
+values separated by colons.  This use is deprecated.  The string form
+looked like this:
+
+   "target" => "{cc}:{cflags}:{unistd}:{thread_cflag}:{sys_id}:{lflags}:{bn_ops}:{cpuid_obj}:{bn_obj}:{ec_obj}:{des_obj}:{aes_obj}:{bf_obj}:{md5_obj}:{sha1_obj}:{cast_obj}:{rc4_obj}:{rmd160_obj}:{rc5_obj}:{wp_obj}:{cmll_obj}:{modes_obj}:{padlock_obj}:{perlasm_scheme}:{dso_scheme}:{shared_target}:{shared_cflag}:{shared_ldflag}:{shared_extension}:{ranlib}:{arflags}:{multilib}"
+
+
+Build info files
+================
+
+The build.info files that are spread over the source tree contain the
+minimum information needed to build and distribute OpenSSL.  It uses a
+simple and yet fairly powerful language to determine what needs to be
+built, from what sources, and other relationships between files.
+
+For every build.info file, all file references are relative to the
+directory of the build.info file for source files, and the
+corresponding build directory for built files if the build tree
+differs from the source tree.
+
+When processed, every line is processed with the perl module
+Text::Template, using the delimiters "{-" and "-}".  The hashes
+%config and %target are passed to the perl fragments, along with
+$sourcedir and $builddir, which are the locations of the source
+directory for the current build.info file and the corresponding build
+directory, all relative to the top of the build tree.
+
+To begin with, things to be built are declared by setting specific
+variables:
+
+    PROGRAMS=foo bar
+    LIBS=libsomething
+    ENGINES=libeng
+    SCRIPTS=myhack
+    EXTRA=file1 file2
+
+Note that the files mentioned for PROGRAMS, LIBS and ENGINES *must* be
+without extensions.  The build file templates will figure them out.
+
+For each thing to be built, it is then possible to say what sources
+they are built from:
+
+    PROGRAMS=foo bar
+    SOURCE[foo]=foo.c common.c
+    SOURCE[bar]=bar.c extra.c common.c
+
+It's also possible to tell some other dependencies:
+
+    DEPEND[foo]=libsomething
+    DEPEND[libbar]=libsomethingelse
+
+(it could be argued that 'libsomething' and 'libsomethingelse' are
+source as well.  However, the files given through SOURCE are expected
+to be located in the source tree while files given through DEPEND are
+expected to be located in the build tree)
+
+For some libraries, we maintain files with public symbols and their
+slot in a transfer vector (important on some platforms).  It can be
+declared like this:
+
+    ORDINALS[libcrypto]=crypto
+
+The value is not the name of the file in question, but rather the
+argument to util/mkdef.pl that indicates which file to use.
+
+One some platforms, shared libraries come with a name that's different
+from their static counterpart.  That's declared as follows:
+
+    SHARED_NAME[libfoo]=cygfoo-{- $config{shlibver} -}
+
+The example is from Cygwin, which has a required naming convention.
+
+Sometimes, it makes sense to rename an output file, for example a
+library:
+
+    RENAME[libfoo]=libbar
+
+That lines has "libfoo" get renamed to "libbar".  While it makes no
+sense at all to just have a rename like that (why not just use
+"libbar" everywhere?), it does make sense when it can be used
+conditionally.  See a little further below for an example.
+
+For any file to be built, it's also possible to tell what extra
+include paths the build of their source files should use:
+
+    INCLUDE[foo]=include
+
+It's possible to have raw build file lines, between BEGINRAW and
+ENDRAW lines as follows:
+
+    BEGINRAW[Makefile(unix)]
+    haha.h: {- $builddir -}/Makefile
+        echo "/* haha */" > haha.h
+    ENDRAW[Makefile(unix)]
+
+The word withing square brackets is the build_file configuration item
+or the build_file configuration item followed by the second word in the
+build_scheme configuration item for the configured target within
+parenthesis as shown above.  For example, with the following relevant
+configuration items:
+
+   build_file   => "build.ninja"
+   build_scheme => [ "unified", "unix" ]
+
+... these lines will be considered:
+
+   BEGINRAW[build.ninja]
+   build haha.h: echo "/* haha */" > haha.h
+   ENDRAW[build.ninja]
+
+   BEGINRAW[build.ninja(unix)]
+   build hoho.h: echo "/* hoho */" > hoho.h
+   ENDRAW[build.ninja(unix)]
+
+See the documentation further up for more information on configuration
+items.
+
+Finally, you can have some simple conditional use of the build.info
+information, looking like this:
+
+    IF[1]
+     something
+    ELSIF[2]
+     something other
+    ELSE
+     something else
+    ENDIF
+
+The expression in square brackets is interpreted as a string in perl,
+and will be seen as true if perl thinks it is, otherwise false.  For
+example, the above would have "something" used, since 1 is true.
+
+Together with the use of Text::Template, this can be used as
+conditions based on something in the passed variables, for example:
+
+    IF[{- $config{no_shared} -}]
+      LIBS=libcrypto
+      SOURCE[libcrypto]=...
+    ELSE
+      LIBS=libfoo
+      SOURCE[libfoo]=...
+    ENDIF
+
+or:
+
+    # VMS has a cultural standard where all libraries are prefixed.
+    # For OpenSSL, the choice is 'ossl_'
+    IF[{- $config{target} =~ /^vms/ -}]
+     RENAME[libcrypto]=ossl_libcrypto
+     RENAME[libssl]=ossl_libssl
+    ENDIF
+
+
+Build-file programming with the "unified" build system
+======================================================
+
+"Build files" are called "Makefile" on Unix-like operating systems,
+"descrip.mms" for MMS on VMS, "makefile" for nmake on Windows, etc.
+
+To use the "unified" build system, the target configuration needs to
+set the three items 'build_scheme', 'build_file' and 'build_command'.
+In the rest of this section, we will assume that 'build_scheme' is set
+to "unified" (see the configurations documentation above for the
+details).
+
+For any name given by 'build_file', the "unified" system expects a
+template file in Configurations/ named like the build file, with
+".tmpl" appended, or in case of possible ambiguity, a combination of
+the second 'build_scheme' list item and the 'build_file' name.  For
+example, if 'build_file' is set to "Makefile", the template could be
+Configurations/Makefile.tmpl or Configurations/unix-Makefile.tmpl.
+In case both Configurations/unix-Makefile.tmpl and
+Configurations/Makefile.tmpl are present, the former takes
+precedence.
+
+The build-file template is processed with the perl module
+Text::Template, using "{-" and "-}" as delimiters that enclose the
+perl code fragments that generate configuration-dependent content.
+Those perl fragments have access to all the hash variables from
+configdata.pem.
+
+The build-file template is expected to define at least the following
+perl functions in a perl code fragment enclosed with "{-" and "-}".
+They are all expected to return a string with the lines they produce.
+
+    src2dep     - function that produces build file lines to get the
+                  dependencies for an object file into a dependency
+                  file.
+
+                  It's called like this:
+
+                        src2dep(obj => "PATH/TO/objectfile",
+                                srcs => [ "PATH/TO/sourcefile", ... ],
+                                deps => [ "dep1", ... ],
+                                incs => [ "INCL/PATH", ... ]);
+
+                  'obj' has the dependent object file as well as
+                  object file the dependencies are for; it's *without*
+                  extension, src2dep() is expected to add that.
+                  'srcs' has the list of source files to build the
+                  object file, with the first item being the source
+                  file that directly corresponds to the object file.
+                  'deps' is a list of explicit dependencies.  'incs'
+                  is a list of include file directories.
+
+    src2obj     - function that produces build file lines to build an
+                  object file from source files and associated data.
+
+                  It's called like this:
+
+                        src2obj(obj => "PATH/TO/objectfile",
+                                srcs => [ "PATH/TO/sourcefile", ... ],
+                                deps => [ "dep1", ... ],
+                                incs => [ "INCL/PATH", ... ]);
+
+                  'obj' has the intended object file *without*
+                  extension, src2obj() is expected to add that.
+                  'srcs' has the list of source files to build the
+                  object file, with the first item being the source
+                  file that directly corresponds to the object file.
+                  'deps' is a list of explicit dependencies.  'incs'
+                  is a list of include file directories.
+
+    obj2lib     - function that produces build file lines to build a
+                  static library file ("libfoo.a" in Unix terms) from
+                  object files.
+
+                  called like this:
+
+                        obj2lib(lib => "PATH/TO/libfile",
+                                objs => [ "PATH/TO/objectfile", ... ]);
+
+                  'lib' has the intended library file name *without*
+                  extension, obj2lib is expected to add that.  'objs'
+                  has the list of object files (also *without*
+                  extension) to build this library.
+
+    libobj2shlib - function that produces build file lines to build a
+                  shareable object library file ("libfoo.so" in Unix
+                  terms) from the corresponding static library file
+                  or object files.
+
+                  called like this:
+
+                        libobj2shlib(shlib => "PATH/TO/shlibfile",
+                                     lib => "PATH/TO/libfile",
+                                     objs => [ "PATH/TO/objectfile", ... ],
+                                     deps => [ "PATH/TO/otherlibfile", ... ],
+                                     ordinals => [ "word", "/PATH/TO/ordfile" ]);
+
+                  'lib' has the intended library file name *without*
+                  extension, libobj2shlib is expected to add that.
+                  'shlib' has the correcponding shared library name
+                  *without* extension.  'deps' has the list of other
+                  libraries (also *without* extension) this library
+                  needs to be linked with.  'objs' has the list of
+                  object files (also *without* extension) to build
+                  this library.  'ordinals' MAY be present, and when
+                  it is, its value is an array where the word is
+                  "crypto" or "ssl" and the file is one of the ordinal
+                  files util/libeay.num or util/ssleay.num in the
+                  source directory.
+
+                  This function has a choice; it can use the
+                  corresponding static library as input to make the
+                  shared library, or the list of object files.
+
+    obj2dynlib  - function that produces build file lines to build a
+                  dynamically loadable library file ("libfoo.so" on
+                  Unix) from object files.
+
+                  called like this:
+
+                        obj2dynlib(lib => "PATH/TO/libfile",
+                                   objs => [ "PATH/TO/objectfile", ... ],
+                                   deps => [ "PATH/TO/otherlibfile",
+                                   ... ]);
+
+                  This is almost the same as libobj2shlib, but the
+                  intent is to build a shareable library that can be
+                  loaded in runtime (a "plugin"...).  The differences
+                  are subtle, one of the most visible ones is that the
+                  resulting shareable library is produced from object
+                  files only.
+
+    obj2bin     - function that produces build file lines to build an
+                  executable file from object files.
+
+                  called like this:
+
+                        obj2bin(bin => "PATH/TO/binfile",
+                                objs => [ "PATH/TO/objectfile", ... ],
+                                deps => [ "PATH/TO/libfile", ... ]);
+
+                  'bin' has the intended executable file name
+                  *without* extension, obj2bin is expected to add
+                  that.  'objs' has the list of object files (also
+                  *without* extension) to build this library.  'deps'
+                  has the list of library files (also *without*
+                  extension) that the programs needs to be linked
+                  with.
+
+    in2script   - function that produces build file lines to build a
+                  script file from some input.
+
+                  called like this:
+
+                        in2script(script => "PATH/TO/scriptfile",
+                                  sources => [ "PATH/TO/infile", ... ]);
+
+                  'script' has the intended script file name.
+                  'sources' has the list of source files to build the
+                  resulting script from.
+
+In all cases, file file paths are relative to the build tree top, and
+the build file actions run with the build tree top as current working
+directory.
+
+Make sure to end the section with these functions with a string that
+you thing is apropriate for the resulting build file.  If nothing
+else, end it like this:
+
+      "";       # Make sure no lingering values end up in the Makefile
+    -}
--- a/Configurations/README.design
+++ b/Configurations/README.design
@@ -0,0 +1,550 @@
+Design document for the unified scheme data
+===========================================
+
+How are things connected?
+-------------------------
+
+The unified scheme takes all its data from the build.info files seen
+throughout the source tree.  These files hold the minimum information
+needed to build end product files from diverse sources.  See the
+section on build.info files below.
+
+From the information in build.info files, Configure builds up an
+information database as a hash table called %unified_info, which is
+stored in configdata.pm, found at the top of the build tree (which may
+or may not be the same as the source tree).
+
+Configurations/common.tmpl uses the data from %unified_info to
+generate the rules for building end product files as well as
+intermediary files with the help of a few functions found in the
+build-file templates.  See the section on build-file templates further
+down for more information.
+
+build.info files
+----------------
+
+As mentioned earlier, build.info files are meant to hold the minimum
+information needed to build output files, and therefore only (with a
+few possible exceptions [1]) have information about end products (such
+as scripts, library files and programs) and source files (such as C
+files, C header files, assembler files, etc).  Intermediate files such
+as object files are rarely directly refered to in build.info files (and
+when they are, it's always with the file name extension .o), they are
+infered by Configure.  By the same rule of minimalism, end product
+file name extensions (such as .so, .a, .exe, etc) are never mentioned
+in build.info.  Their file name extensions will be infered by the
+build-file templates, adapted for the platform they are meant for (see
+sections on %unified_info and build-file templates further down).
+
+The variables PROGRAMS, LIBS, ENGINES and SCRIPTS are used to declare
+end products.
+
+The variables SOURCE, DEPEND, INCLUDE and ORDINALS are indexed by a
+produced file, and their values are the source used to produce that
+particular produced file, extra dependencies, include directories
+needed, and ordinal files (explained further below.
+
+All their values in all the build.info throughout the source tree are
+collected together and form a set of programs, libraries, engines and
+scripts to be produced, source files, dependencies, etc etc etc.
+
+Let's have a pretend example, a very limited contraption of OpenSSL,
+composed of the program 'apps/openssl', the libraries 'libssl' and
+'libcrypto', an engine 'engines/ossltest' and their sources and
+dependencies.
+
+    # build.info
+    LIBS=libcrypto libssl
+    ORDINALS[libcrypto]=crypto
+    ORDINALS[libssl]=ssl
+    INCLUDE[libcrypto]=include
+    INCLUDE[libssl]=include
+    DEPEND[libssl]=libcrypto
+
+This is the top directory build.info file, and it tells us that two
+libraries are to be built, there are some ordinals to be used to
+declare what symbols in those libraries are seen as public, the
+include directory 'include/' shall be used throughout when building
+anything that will end up in each library, and that the library
+'libssl' depend on the library 'libcrypto' to function properly.
+
+    # apps/build.info
+    PROGRAMS=openssl
+    SOURCE[openssl]=openssl.c
+    INCLUDE[openssl]=.. ../include
+    DEPEND[openssl]=../libssl
+
+This is the build.info file in 'apps/', one may notice that all file
+paths mentioned are relative to the directory the build.info file is
+located in.  This one tells us that there's a program to be built
+called 'apps/openssl' (the file name extension will depend on the
+platform and is therefore not mentioned in the build.info file).  It's
+built from one source file, 'apps/openssl.c', and building it requires
+the use of '.' and 'include' include directories (both are declared
+from the point of view of the 'apps/' directory), and that the program
+depends on the library 'libssl' to function properly.
+
+    # crypto/build.info
+    LIBS=../libcrypto
+    SOURCE[../libcrypto]=aes.c evp.c cversion.c
+    DEPEND[cversion.o]=buildinf.h
+    
+    BEGINRAW[Makefile(unix)]
+    crypto/buildinf.h : Makefile
+    	perl util/mkbuildinf.h "$(CC) $(CFLAGS)" "$(PLATFORM)" \
+    	    > crypto/buildinf.h
+    ENDRAW[Makefile(unix)]
+
+This is the build.info file in 'crypto', and it tells us a little more
+about what's needed to produce 'libcrypto'.  LIBS is used again to
+declare that 'libcrypto' is to be produced.  This declaration is
+really unnecessary as it's already mentioned in the top build.info
+file, but can make the info file easier to understand.  This is to
+show that duplicate information isn't an issue.
+
+This build.info file informs us that 'libcrypto' is built from a few
+source files, 'crypto/aes.c', 'crypto/evp.c' and 'crypto/cversion.c'.
+It also shows us that building the object file inferred from
+'crypto/cversion.c' depends on 'crypto/buildinf.h'.  Finally, it 
+also shows the possibility to include raw build-file statements in a
+build.info file, in this case showing how 'buildinf.h' is built on
+Unix-like operating systems.
+
+Two things are worth an extra note:
+
+'DEPEND[cversion.o]' mentiones an object file.  DEPEND indexes is the
+only location where it's valid to mention them
+
+Lines in 'BEGINRAW'..'ENDRAW' sections must always mention files as
+seen from the top directory, no exception.
+
+    # ssl/build.info
+    LIBS=../libssl
+    SOURCE[../libssl]=tls.c
+
+This is the build.info file in 'ssl/', and it tells us that the
+library 'libssl' is built from the source file 'ssl/tls.c'.
+
+    # engines/build.info
+    ENGINES=libossltest
+    SOURCE[libossltest]=e_ossltest.c
+    DEPEND[libossltest]=../libcrypto
+    INCLUDE[libossltest]=../include
+
+This is the build.info file in 'engines/', telling us that an engine
+called 'engines/libossltest' shall be built, that it's source is
+'engines/e_ossltest.c' and that the include directory 'include/' may
+be used when building anything that will be part of this engine.
+Finally, the engine 'engines/libossltest' depends on the library
+'libcrypto' to function properly.
+
+When Configure digests these build.info files, the accumulated
+information comes down to this:
+
+    LIBS=libcrypto libssl
+    ORDINALS[libcrypto]=crypto
+    SOURCE[libcrypto]=crypto/aes.c crypto/evp.c crypto/cversion.c
+    DEPEND[crypto/cversion.o]=crypto/buildinf.h
+    INCLUDE[libcrypto]=include
+    ORDINALS[libssl]=ssl
+    SOURCE[libssl]=ssl/tls.c
+    INCLUDE[libssl]=include
+    DEPEND[libssl]=libcrypto
+    
+    PROGRAMS=apps/openssl
+    SOURCE[apps/openssl]=apps/openssl.c
+    INCLUDE[apps/openssl]=. include
+    DEPEND[apps/openssl]=libssl
+
+    ENGINES=engines/libossltest
+    SOURCE[engines/libossltest]=engines/e_ossltest.c
+    DEPEND[engines/libossltest]=libcrypto
+    INCLUDE[engines/libossltest]=include
+    
+    BEGINRAW[Makefile(unix)]
+    crypto/buildinf.h : Makefile
+    	perl util/mkbuildinf.h "$(CC) $(CFLAGS)" "$(PLATFORM)" \
+    	    > crypto/buildinf.h
+    ENDRAW[Makefile(unix)]
+
+
+A few notes worth mentioning:
+
+LIBS may be used to declare routine libraries only.
+
+PROGRAMS may be used to declare programs only.
+
+ENGINES may be used to declare engines only.
+
+The indexes for SOURCE, INCLUDE and ORDINALS must only be end product
+files, such as libraries, programs or engines.  The values of SOURCE
+variables must only be source files (possibly generated)
+
+DEPEND shows a relationship between different end product files, such
+as a program depending on a library, or between an object file and
+some extra source file.
+
+When Configure processes the build.info files, it will take it as
+truth without question, and will therefore perform very few checks.
+If the build tree is separate from the source tree, it will assume
+that all built files and up in the build directory and that all source
+files are to be found in the source tree, if they can be found there.
+Configure will assume that source files that can't be found in the
+source tree (such as 'crypto/bildinf.h' in the example above) are
+generated and will be found in the build tree.
+
+
+The %unified_info database
+--------------------------
+
+The information in all the build.info get digested by Configure and
+collected into the %unified_info database, divided into the following
+indexes:
+
+  depends   => a hash table containing 'file' => [ 'dependency' ... ]
+               pairs.  These are directly inferred from the DEPEND
+               variables in build.info files.
+
+  engines   => a list of engines.  These are directly inferred from
+               the ENGINES variable in build.info files.
+
+  includes  => a hash table containing 'file' => [ 'include' ... ]
+               pairs.  These are directly inferred from the INCLUDE
+               variables in build.info files.
+
+  libraries => a list of libraries.  These are directly inferred from
+               the LIBS variable in build.info files.
+
+  ordinals  => a hash table containing 'file' => [ 'word', 'ordfile' ]
+               pairs.  'file' and 'word' are directly inferred from
+               the ORDINALS variables in build.info files, while the
+               file 'ofile' comes from internal knowledge in
+               Configure.
+
+  programs  => a list of programs.  These are directly inferred from
+               the PROGRAMS variable in build.info files.
+
+  rawlines  => a list of build-file lines.  These are a direct copy of
+               the BEGINRAW..ENDRAW lines in build.info files.  Note:
+               only the BEGINRAW..ENDRAW section for the current
+               platform are copied, the rest are ignored.
+
+  scripts   => a list of scripts.  There are directly inferred from
+               the SCRIPTS variable in build.info files.
+
+  sources   => a hash table containing 'file' => [ 'sourcefile' ... ]
+               pairs.  These are indirectly inferred from the SOURCE
+               variables in build.info files.  Object files are
+               mentioned in this hash table, with source files from
+               SOURCE variables, and AS source files for programs and
+               libraries.
+
+As an example, here is how the build.info files example from the
+section above would be digested into a %unified_info table:
+
+    our %unified_info = (
+        "depends" =>
+            {
+                "apps/openssl" =>
+                    [
+                        "libssl",
+                    ],
+                "crypto/cversion.o" =>
+                    [
+                        "crypto/buildinf.h",
+                    ],
+                "engines/libossltest" =>
+                    [
+                        "libcrypto",
+                    ],
+                "libssl" =>
+                    [
+                        "libcrypto",
+                    ],
+            },
+        "engines" =>
+            [
+                "engines/libossltest",
+            ],
+        "includes" =>
+            {
+                "apps/openssl" =>
+                    [
+                        ".",
+                        "include",
+                    ],
+                "engines/libossltest" =>
+                    [
+                        "include"
+                    ],
+                "libcrypto" =>
+                    [
+                        "include",
+                    ],
+                "libssl" =>
+                    [
+                        "include",
+                    ],
+            }
+        "libraries" =>
+            [
+                "libcrypto",
+                "libssl",
+            ],
+        "ordinals" =>
+            {
+                "libcrypto" =>
+                    [
+                        "crypto",
+                        "util/libeay.num",
+                    ],
+                "libssl" =>
+                    [
+                        "ssl",
+                        "util/ssleay.num",
+                    ],
+            },
+        "programs" =>
+            [
+                "apps/openssl",
+            ],
+        "rawlines" =>
+            [
+                "crypto/buildinf.h : Makefile",
+                "	perl util/mkbuildinf.h \"\$(CC) \$(CFLAGS)\" \"\$(PLATFORM)\" \\"
+                "	    > crypto/buildinf.h"
+            ],
+        "sources" =>
+            {
+                "apps/openssl" =>
+                    [
+                        "apps/openssl.o",
+                    ],
+                "apps/openssl.o" =>
+                    [
+                        "apps/openssl.c",
+                    ],
+                "crypto/aes.o" =>
+                    [
+                        "crypto/aes.c",
+                    ],
+                "crypto/cversion.o" =>
+                    [
+                        "crypto/cversion.c",
+                    ],
+                "crypto/evp.o" =>
+                    [
+                        "crypto/evp.c",
+                    ],
+                "engines/e_ossltest.o" =>
+                    [
+                        "engines/e_ossltest.c",
+                    ],
+                "engines/libossltest" =>
+                    [
+                        "engines/e_ossltest.o",
+                    ],
+                "libcrypto" =>
+                    [
+                        "crypto/aes.c",
+                        "crypto/cversion.c",
+                        "crypto/evp.c",
+                    ],
+                "libssl" =>
+                    [
+                        "ssl/tls.c",
+                    ],
+                "ssl/tls.o" =>
+                    [
+                        "ssl/tls.c",
+                    ],
+            },
+    );
+
+As can be seen, everything in %unified_info is fairly simple nuggest
+of information.  Still, it tells us that to build all programs, we
+must build 'apps/openssl', and to build the latter, we will need to
+build all its sources ('apps/openssl.o' in this case) and all the
+other things it depends on (such as 'libssl').  All those dependencies
+need to be built as well, using the same logic, so to build 'libssl',
+we need to build 'ssl/tls.o' as well as 'libcrypto', and to build the
+latter...
+
+
+Build-file templates
+--------------------
+
+Build-file templates are essentially build-files (such as Makefile on
+Unix) with perl code fragments mixed in.  Those perl code fragment
+will generate all the configuration dependent data, including all the
+rules needed to build end product files and intermediary files alike.
+At a minimum, there must be a perl code fragment that defines a set of
+functions that are used to generates specific build-file rules, to
+build static libraries from object files, to build shared libraries
+from static libraries, to programs from object files and libraries,
+etc.
+
+    src2dep     - function that produces build file lines to get the
+                  dependencies for an object file into a dependency
+                  file.
+
+                  It's called like this:
+
+                        src2dep(obj => "PATH/TO/objectfile",
+                                srcs => [ "PATH/TO/sourcefile", ... ],
+                                incs => [ "INCL/PATH", ... ]);
+
+                  'obj' has the dependent object file as well as
+                  object file the dependencies are for; it's *without*
+                  extension, src2dep() is expected to add that.
+                  'srcs' has the list of source files to build the
+                  object file, with the first item being the source
+                  file that directly corresponds to the object file.
+                  'incs' is a list of include file directories.
+
+    src2obj     - function that produces build file lines to build an
+                  object file from source files and associated data.
+
+                  It's called like this:
+
+                        src2obj(obj => "PATH/TO/objectfile",
+                                srcs => [ "PATH/TO/sourcefile", ... ],
+                                deps => [ "dep1", ... ],
+                                incs => [ "INCL/PATH", ... ]);
+
+                  'obj' has the intended object file *without*
+                  extension, src2obj() is expected to add that.
+                  'srcs' has the list of source files to build the
+                  object file, with the first item being the source
+                  file that directly corresponds to the object file.
+                  'deps' is a list of dependencies.  'incs' is a list
+                  of include file directories.
+
+    obj2lib     - function that produces build file lines to build a
+                  static library file ("libfoo.a" in Unix terms) from
+                  object files.
+
+                  called like this:
+
+                        obj2lib(lib => "PATH/TO/libfile",
+                                objs => [ "PATH/TO/objectfile", ... ]);
+
+                  'lib' has the intended library file name *without*
+                  extension, obj2lib is expected to add that.  'objs'
+                  has the list of object files (also *without*
+                  extension) to build this library.
+
+    libobj2shlib - function that produces build file lines to build a
+                  shareable object library file ("libfoo.so" in Unix
+                  terms) from the corresponding static library file
+                  or object files.
+
+                  called like this:
+
+                        libobj2shlib(shlib => "PATH/TO/shlibfile",
+                                     lib => "PATH/TO/libfile",
+                                     objs => [ "PATH/TO/objectfile", ... ],
+                                     deps => [ "PATH/TO/otherlibfile", ... ],
+                                     ordinals => [ "word", "/PATH/TO/ordfile" ]);
+
+                  'lib' has the intended library file name *without*
+                  extension, libobj2shlib is expected to add that.
+                  'shlib' has the correcponding shared library name
+                  *without* extension.  'deps' has the list of other
+                  libraries (also *without* extension) this library
+                  needs to be linked with.  'objs' has the list of
+                  object files (also *without* extension) to build
+                  this library.  'ordinals' MAY be present, and when
+                  it is, its value is an array where the word is
+                  "crypto" or "ssl" and the file is one of the ordinal
+                  files util/libeay.num or util/ssleay.num in the
+                  source directory.
+
+                  This function has a choice; it can use the
+                  corresponding static library as input to make the
+                  shared library, or the list of object files.
+
+    obj2dynlib  - function that produces build file lines to build a
+                  dynamically loadable library file ("libfoo.so" on
+                  Unix) from object files.
+
+                  called like this:
+
+                        obj2dynlib(lib => "PATH/TO/libfile",
+                                   objs => [ "PATH/TO/objectfile", ... ],
+                                   deps => [ "PATH/TO/otherlibfile",
+                                   ... ]);
+
+                  This is almost the same as libobj2shlib, but the
+                  intent is to build a shareable library that can be
+                  loaded in runtime (a "plugin"...).  The differences
+                  are subtle, one of the most visible ones is that the
+                  resulting shareable library is produced from object
+                  files only.
+
+    obj2bin     - function that produces build file lines to build an
+                  executable file from object files.
+
+                  called like this:
+
+                        obj2bin(bin => "PATH/TO/binfile",
+                                objs => [ "PATH/TO/objectfile", ... ],
+                                deps => [ "PATH/TO/libfile", ... ]);
+
+                  'bin' has the intended executable file name
+                  *without* extension, obj2bin is expected to add
+                  that.  'objs' has the list of object files (also
+                  *without* extension) to build this library.  'deps'
+                  has the list of library files (also *without*
+                  extension) that the programs needs to be linked
+                  with.
+
+    in2script   - function that produces build file lines to build a
+                  script file from some input.
+
+                  called like this:
+
+                        in2script(script => "PATH/TO/scriptfile",
+                                  sources => [ "PATH/TO/infile", ... ]);
+
+                  'script' has the intended script file name.
+                  'sources' has the list of source files to build the
+                  resulting script from.
+
+Along with the build-file templates is the driving engine
+Configurations/common.tmpl, which looks through all the information in
+%unified_info and generates all the rulesets to build libraries,
+programs and all intermediate files, using the rule generating
+functions defined in the build-file template.
+
+As an example with the smaller build.info set we've seen as an
+example, producing the rules to build 'libssl' would result in the
+following calls:
+
+    # Note: libobj2shlib will only be called if shared libraries are
+    # to be produced.
+    # Note 2: libobj2shlib gets both the name of the static library
+    # and the names of all the object files that go into it.  It's up
+    # to the implementation to decide which to use as input.
+    libobj2shlib(shlib => "libssl",
+                 lib => "libssl",
+                 objs => [ "ssl/tls.o" ],
+                 deps => [ "libcrypto" ]
+                 ordinals => [ "ssl", "util/ssleay.num" ]);
+
+    obj2lib(lib => "libssl"
+            objs => [ "ssl/tls.o" ]);
+
+    # Note 3: common.tmpl peals off the ".o" extension, as the
+    # platform at hand may have a different one.
+    src2obj(obj => "ssl/tls"
+            srcs => [ "ssl/tls.c" ],
+            deps => [ ],
+            incs => [ "include" ]);
+
+    src2dep(obj => "ssl/tls"
+            srcs => [ "ssl/tls.c" ],
+            incs => [ "include" ]);
+
+The returned strings from all those calls are then concatenated
+together and written to the resulting build-file.
--- a/Configurations/common.tmpl
+++ b/Configurations/common.tmpl
@@ -0,0 +1,119 @@
+{- # -*- Mode: perl -*-
+
+     my $a;
+
+ # resolvedepends and reducedepends work in tandem to make sure
+ # there are no duplicate dependencies and that they are in the
+ # right order.  This is especially used to sort the list of
+ # libraries that a build depends on.
+ sub resolvedepends {
+     my $thing = shift;
+     my @listsofar = @_;    # to check if we're looping
+     my @list = @{$unified_info{depends}->{$thing}};
+     my @newlist = ();
+     if (scalar @list) {
+         foreach my $item (@list) {
+             # It's time to break off when the dependency list starts looping
+             next if grep { $_ eq $item } @listsofar;
+             push @newlist, $item, resolvedepends($item, @listsofar, $item);
+         }
+     }
+     @newlist;
+ }
+ sub reducedepends {
+     my @list = @_;
+     my @newlist = ();
+     while (@list) {
+         my $item = shift @list;
+         push @newlist, $item
+             unless grep { $item eq $_ } @list;
+     }
+     @newlist;
+ }
+
+ # doobj is responsible for producing all the recipes that build
+ # object files as well as dependency files.
+ sub doobj {
+     my $obj = shift;
+     (my $obj_no_o = $obj) =~ s|\.o$||;
+     my $bin = shift;
+     if (@{$unified_info{sources}->{$obj}}) {
+         $OUT .= src2obj(obj => $obj_no_o,
+                         srcs => $unified_info{sources}->{$obj},
+                         deps => [ reducedepends(resolvedepends($obj)) ],
+                         incs => [ @{$unified_info{includes}->{$bin}},
+                                   @{$unified_info{includes}->{$obj}} ]);
+         $OUT .= src2dep(obj => $obj_no_o,
+                         srcs => $unified_info{sources}->{$obj},
+                         deps => [ reducedepends(resolvedepends($obj)) ],
+                         incs => [ @{$unified_info{includes}->{$bin}},
+                                   @{$unified_info{includes}->{$obj}} ]);
+     }
+ }
+
+ # dolib is responsible for building libraries.  It will call
+ # libobj2shlib is shared libraries are produced, and obj2lib in all
+ # cases.  It also makes sure all object files for the library are
+ # built.
+ sub dolib {
+     my $lib = shift;
+     if (!$config{no_shared}) {
+         my %ordinals =
+             $unified_info{ordinals}->{$lib}
+             ? (ordinals => $unified_info{ordinals}->{$lib}) : ();
+         $OUT .= libobj2shlib(shlib => $unified_info{sharednames}->{$lib},
+                              lib => $lib,
+                              objs => [ map { (my $x = $_) =~ s|\.o$||; $x }
+                                        @{$unified_info{sources}->{$lib}} ],
+                              deps => [ reducedepends(resolvedepends($lib)) ],
+                              %ordinals);
+     }
+     $OUT .= obj2lib(lib => $lib,
+                     objs => [ map { (my $x = $_) =~ s|\.o$||; $x }
+                               @{$unified_info{sources}->{$lib}} ]);
+     map { doobj($_, $lib, intent => "lib") } @{$unified_info{sources}->{$lib}};
+ }
+
+ # doengine is responsible for building engines.  It will call
+ # obj2dynlib, and also makes sure all object files for the library
+ # are built.
+ sub doengine {
+     my $lib = shift;
+     $OUT .= obj2dynlib(lib => $lib,
+                        objs => [ map { (my $x = $_) =~ s|\.o$||; $x }
+                                  @{$unified_info{sources}->{$lib}} ],
+                        deps => [ resolvedepends($lib) ]);
+     map { doobj($_, $lib, intent => "lib") } @{$unified_info{sources}->{$lib}};
+ }
+
+ # dobin is responsible for building programs.  It will call obj2bin,
+ # and also makes sure all object files for the library are built.
+ sub dobin {
+     my $bin = shift;
+     my $deps = [ reducedepends(resolvedepends($bin)) ];
+     $OUT .= obj2bin(bin => $bin,
+                     objs => [ map { (my $x = $_) =~ s|\.o$||; $x }
+                               @{$unified_info{sources}->{$bin}} ],
+                     deps => $deps);
+     map { doobj($_, $bin, intent => "bin") } @{$unified_info{sources}->{$bin}};
+ }
+
+ # dobin is responsible for building scripts from templates.  It will
+ # call in2script.
+ sub doscript {
+     my $script = shift;
+     $OUT .= in2script(script => $script,
+                       sources => $unified_info{sources}->{$script});
+ }
+
+ # Build all known libraries, engines, programs and scripts.
+ # Everything else will be handled as a consequence.
+ map { dolib($_) } @{$unified_info{libraries}};
+ map { doengine($_) } @{$unified_info{engines}};
+ map { dobin($_) } @{$unified_info{programs}};
+ map { doscript($_) } @{$unified_info{scripts}};
+
+ # Finally, should there be any applicable BEGINRAW/ENDRAW sections,
+ # they are added here.
+ $OUT .= $_."\n" foreach(@{$unified_info{rawlines}});
+-}
--- a/Configurations/descrip.mms.tmpl
+++ b/Configurations/descrip.mms.tmpl
@@ -0,0 +1,639 @@
+## descrip.mms to build OpenSSL on OpenVMS
+##
+## {- join("\n## ", @autowarntext) -}
+{-
+  use File::Spec::Functions qw/:DEFAULT abs2rel rel2abs/;
+
+  # Our prefix, claimed when speaking with the VSI folks Tuesday
+  # January 26th 2016
+  our $osslprefix = 'OSSL$';
+  (our $osslprefix_q = $osslprefix) =~ s/\$/\\\$/;
+
+  our $sourcedir = $config{sourcedir};
+  our $builddir = $config{builddir};
+  sub sourcefile {
+      catfile($sourcedir, @_);
+  }
+  sub buildfile {
+      catfile($builddir, @_);
+  }
+  sub sourcedir {
+      catdir($sourcedir, @_);
+  }
+  sub builddir {
+      catdir($builddir, @_);
+  }
+  sub tree {
+      (my $x = shift) =~ s|\]$|...]|;
+      $x
+  }
+  sub move {
+      my $f = catdir(@_);
+      my $b = abs2rel(rel2abs("."),rel2abs($f));
+      $sourcedir = catdir($b,$sourcedir)
+          if !file_name_is_absolute($sourcedir);
+      $builddir = catdir($b,$builddir)
+          if !file_name_is_absolute($builddir);
+      "";
+  }
+
+  # This is a horrible hack, but is needed because recursive inclusion of files
+  # in different directories does not work well with HP C.
+  my $sd = sourcedir("crypto", "async", "arch");
+  foreach (grep /\[\.crypto\.async\.arch\].*\.o$/, keys %{$unified_info{sources}}) {
+      (my $x = $_) =~ s|\.o$|.OBJ|;
+      $unified_info{before}->{$x}
+          = qq(arch = F\$PARSE("$sd","A.;",,,"SYNTAX_ONLY") - "A.;"
+        define arch 'arch');
+      $unified_info{after}->{$x}
+          = qq(deassign arch);
+  }
+  my $sd1 = sourcedir("ssl","record");
+  my $sd2 = sourcedir("ssl","statem");
+  $unified_info{before}->{"[.crypto.ct]ct_lib.OBJ"}
+      = $unified_info{before}->{"[.test]heartbeat_test.OBJ"}
+      = $unified_info{before}->{"[.test]ssltest.OBJ"}
+      = qq(record = F\$PARSE("$sd1","A.;",,,"SYNTAX_ONLY") - "A.;"
+        define record 'record'
+        statem = F\$PARSE("$sd2","A.;",,,"SYNTAX_ONLY") - "A.;"
+        define statem 'statem');
+  $unified_info{after}->{"[.crypto.ct]ct_lib.OBJ"}
+      = $unified_info{after}->{"[.test]heartbeat_test.OBJ"}
+      = $unified_info{after}->{"[.test]ssltest.OBJ"}
+      = qq(deassign statem
+        deassign record);
+  foreach (grep /^\[\.ssl\.(?:record|statem)\].*\.o$/, keys %{$unified_info{sources}}) {
+      (my $x = $_) =~ s|\.o$|.OBJ|;
+      $unified_info{before}->{$x}
+          = qq(record = F\$PARSE("$sd1","A.;",,,"SYNTAX_ONLY") - "A.;"
+        define record 'record'
+        statem = F\$PARSE("$sd2","A.;",,,"SYNTAX_ONLY") - "A.;"
+        define statem 'statem');
+      $unified_info{after}->{$x}
+          = qq(deassign statem
+        deassign record);
+  }
+  #use Data::Dumper;
+  #print STDERR "DEBUG: before:\n", Dumper($unified_info{before});
+  #print STDERR "DEBUG: after:\n", Dumper($unified_info{after});
+  "";
+-}
+PLATFORM={- $config{target} -}
+OPTIONS={- $config{options} -}
+CONFIGURE_ARGS=({- join(", ",quotify_l(@{$config{perlargv}})) -})
+SRCDIR={- $config{sourcedir} -}
+BUILDDIR={- $config{builddir} -}
+
+VERSION={- $config{version} -}
+MAJOR={- $config{major} -}
+MINOR={- $config{minor} -}
+SHLIB_VERSION_NUMBER={- $config{shlib_version_number} -}
+SHLIB_VERSION_HISTORY={- $config{shlib_version_history} -}
+SHLIB_MAJOR={- $config{shlib_major} -}
+SHLIB_MINOR={- $config{shlib_minor} -}
+SHLIB_TARGET={- $target{shared_target} -}
+
+EXE_EXT=.EXE
+LIB_EXT=.OLB
+SHLIB_EXT=.EXE
+OBJ_EXT=.OBJ
+DEP_EXT=.MMS
+
+LIBS={- join(", ", map { "-\n\t".$_.".OLB" } @{$unified_info{libraries}}) -}
+SHLIBS={- join(" ", map { $_."\$(SHLIB_EXT)" } map { $unified_info{sharednames}->{$_} || () } @{$unified_info{libraries}}) -}
+ENGINES={- join(", ", map { "-\n\t".$_.".EXE" } @{$unified_info{engines}}) -}
+PROGRAMS={- join(", ", map { "-\n\t".$_.".EXE" } grep { !m|^\[\.test\]| } @{$unified_info{programs}}) -}
+TESTPROGS={- join(", ", map { "-\n\t".$_.".EXE" } grep { m|^\[\.test\]| } @{$unified_info{programs}}) -}
+SCRIPTS={- join(", ", map { "-\n\t".$_ } @{$unified_info{scripts}}) -}
+
+# DESTDIR is for package builders so that they can configure for, say,
+# SYS$COMMON:[OPENSSL] and yet have everything installed in STAGING:[USER].
+# In that case, configure with --prefix=SYS$COMMON:[OPENSSL] and then run
+# MMS with /MACROS=(DESTDIR=STAGING:[USER]).  The result will end up in
+# STAGING:[USER.OPENSSL].
+# Normally it is left empty.
+DESTDIR=
+
+# Do not edit this manually. Use Configure --prefix=DIR to change this!
+INSTALLTOP={- catdir($config{prefix}) || "SYS\$COMMON:[OPENSSL-\$(MAJOR).\$(MINOR)]" -}
+# This is the standard central area to store certificates, private keys...
+OPENSSLDIR={- catdir($config{openssldir}) ||
+              $config{prefix} ? catdir($config{prefix},"SSL")
+                              : "SYS\$COMMON:[SSL]" -}
+# Where installed engines reside
+ENGINESDIR={- $osslprefix -}ENGINES:
+
+CC= {- $target{cc} -}
+CFLAGS= /DEFINE=({- join(",", @{$config{defines}},"OPENSSLDIR=\"\"\"\$(OPENSSLDIR)\"\"\"","ENGINESDIR=\"\"\"\$(ENGINESDIR)\"\"\"") -}) {- $config{cflags} -}
+DEPFLAG= /DEFINE=({- join(",", @{$config{depdefines}}) -})
+LDFLAGS= {- $config{lflags} -}
+EX_LIBS= {- $config{ex_libs} ? ",".$config{ex_libs} : "" -}
+
+PERL={- $config{perl} -}
+
+# We let the C compiler driver to take care of .s files. This is done in
+# order to be excused from maintaining a separate set of architecture
+# dependent assembler flags. E.g. if you throw -mcpu=ultrasparc at SPARC
+# gcc, then the driver will automatically translate it to -xarch=v8plus
+# and pass it down to assembler.
+AS={- $target{as} -}
+ASFLAG={- $target{asflags} -}
+
+# .FIRST and .LAST are special targets with MMS and MMK.
+# The defines in there are for C.  includes that look like
+# this:
+#
+#    #include <openssl/foo.h>
+#    #include "internal/bar.h"
+#
+# will use the logical names to find the files.  Expecting
+# DECompHP C to find files in subdirectories of whatever was
+# given with /INCLUDE is a fantasy, unfortunately.
+NODEBUG=@
+.FIRST :
+        $(NODEBUG) openssl_inc1 = F$PARSE("[.include.openssl]","A.;",,,"syntax_only") - "A.;"
+        $(NODEBUG) openssl_inc2 = F$PARSE("{- catdir($config{sourcedir},"[.include.openssl]") -}","a.;",,,"SYNTAX_ONLY") - "A.;"
+        $(NODEBUG) internal_inc1 = F$PARSE("[.crypto.include.internal]","A.;",,,"SYNTAX_ONLY") - "A.;"
+        $(NODEBUG) internal_inc2 = F$PARSE("{- catdir($config{sourcedir},"[.include.internal]") -}","A.;",,,"SYNTAX_ONLY") - "A.;"
+        $(NODEBUG) internal_inc3 = F$PARSE("{- catdir($config{sourcedir},"[.crypto.include.internal]") -}","A.;",,,"SYNTAX_ONLY") - "A.;"
+        $(NODEBUG) DEFINE openssl 'openssl_inc1','openssl_inc2'
+        $(NODEBUG) DEFINE internal 'internal_inc1','internal_inc2','internal_inc3'
+        $(NODEBUG) staging_dir = "$(DESTDIR)"
+        $(NODEBUG) IF staging_dir .NES. "" THEN -
+                staging_dir = F$PARSE("A.;",staging_dir,"[]",,"SYNTAX_ONLY") - "A.;"
+        $(NODEBUG) !
+        $(NODEBUG) ! Installation logical names
+        $(NODEBUG) !
+        $(NODEBUG) installtop_dev = F$PARSE(staging_dir,"$(INSTALLTOP)",,"DEVICE","SYNTAX_ONLY")
+        $(NODEBUG) ! Because there are no routines to merge directories, we have to
+        $(NODEBUG) ! do it ourselves
+        $(NODEBUG) IF staging_dir .NES. "" THEN -
+                staging_dir = F$PARSE(staging_dir,"[000000]",,"DIRECTORY","SYNTAX_ONLY")
+        $(NODEBUG) installtop_dir = F$PARSE("$(INSTALLTOP)","[000000]",,"DIRECTORY","SYNTAX_ONLY")
+        $(NODEBUG) IF staging_dir .NES. "" .AND. staging_dir .NES. "[000000]" THEN -
+                installtop_dir = staging_dir - "]" + "." + (installtop_dir - "[")
+        $(NODEBUG) installtop_dir = installtop_dir - "]" + ".]"
+        $(NODEBUG) DEFINE ossl_installroot 'installtop_dev''installtop_dir'
+        $(NODEBUG) !
+        $(NODEBUG) datatop = F$PARSE("$(OPENSSLDIR)","[000000]A.;",,,"SYNTAX_ONLY") -
+                - "]A.;" + ".]"
+        $(NODEBUG) IF "$(DESTDIR)" .EQS. "" THEN -
+                DEFINE ossl_dataroot 'datatop'
+        $(NODEBUG) !
+        $(NODEBUG) ! Figure out the architecture
+        $(NODEBUG) !
+        $(NODEBUG) arch == f$edit( f$getsyi( "arch_name"), "upcase")
+        $(NODEBUG) !
+        $(NODEBUG) ! Set up logical names for the libraries, so LINK and
+        $(NODEBUG) ! running programs can use them.
+        $(NODEBUG) !
+        $(NODEBUG) {- join("\n\t\$(NODEBUG) ", map { "DEFINE ".uc($_)." 'F\$ENV(\"DEFAULT\")'".uc($_)."\$(SHLIB_EXT)" } map { $unified_info{sharednames}->{$_} || () } @{$unified_info{libraries}}) || "!" -}
+
+.LAST :
+        $(NODEBUG) {- join("\n\t\$(NODEBUG) ", map { "DEASSIGN ".uc($_) } map { $unified_info{sharednames}->{$_} || () } @{$unified_info{libraries}}) || "!" -}
+        $(NODEBUG) IF "$(DESTDIR)" .EQS. "" THEN DEASSIGN ossl_dataroot
+        $(NODEBUG) DEASSIGN ossl_installroot
+        $(NODEBUG) DEASSIGN internal
+        $(NODEBUG) DEASSIGN openssl
+.DEFAULT :
+        @ ! MMS cannot handle no actions...
+
+# The main targets ###################################################
+
+all : descrip.mms, build_libs, build_engines, build_apps
+
+build_libs : $(LIBS)
+build_engines : $(ENGINES)
+build_apps : $(PROGRAMS), $(SCRIPTS)
+build_tests : $(TESTPROGS)
+
+test tests : build_apps, build_engines, build_tests, rehash
+        SET DEFAULT [.test]{- move("test") -}
+        DEFINE SRCTOP {- sourcedir() -}
+        DEFINE BLDTOP {- builddir() -}
+        $(PERL) {- sourcefile("test", "run_tests.pl") -} $(TESTS)
+        DEASSIGN BLDTOP
+        DEASSIGN SRCTOP
+        SET DEFAULT [-]{- move("..") -}
+
+list-tests :
+        @ TOP=$(SRCDIR) PERL=$(PERL) $(PERL) {- catfile($config{sourcedir},"test", "run_tests.pl") -} list
+
+# Because VMS wants the generation number (or *) to delete files, we can't
+# use $(LIBS), $(PROGRAMS) and $(TESTPROGS) directly.
+libclean :
+        - DELETE []OSSL$LIB*.OLB;*,OSSL$LIB*.LIS;*
+        - DELETE [.crypto...]*.OBJ;*,*.LIS;*
+        - DELETE [.ssl...]*.OBJ;*,*.LIS;*
+        - DELETE [.engines...]*.OBJ;*,*.LIS;*
+        - DELETE []CXX$DEMANGLER_DB.;*
+
+install : install_sw install_docs
+
+uninstall : uninstall_docs uninstall_sw
+
+clean : libclean
+        - DELETE []OSSL$LIB*.EXE;*,OSSL$LIB*.MAP;*,OSSL$LIB*.OPT;*
+        - DELETE [.engines...]LIB*.EXE;*,LIB*.MAP;*,LIB*.OPT;*
+        - DELETE [.apps]*.EXE;*,*.MAP;*,*.OPT;*
+        - DELETE [.apps]*.OBJ;*,*.LIS;*
+        - DELETE [.test]*.EXE;*,*.MAP;*,*.OPT;*
+        - DELETE [.test]*.OBJ;*,*.LIS;*
+        - DELETE [.test]*.LOG;*
+        - DELETE []*.MAP;*
+
+DCLEAN_CMD=$(PERL) -pe "if (/^# DO NOT DELETE.*/) { exit(0); }"
+dclean :
+        $(DCLEAN_CMD) < descrip.mms > descrip.mms.new
+        RENAME descrip.mms.new descrip.mms
+        PURGE descrip.mms
+
+{- our @deps = map { (my $x = $_) =~ s|\.o$|\$(DEP_EXT)|; $x; }
+               grep { $unified_info{sources}->{$_}->[0] =~ /\.c$/ }
+               keys %{$unified_info{sources}};
+   ""; -}
+depend : {- join(",-\n\t", @deps); -}
+        $(DCLEAN_CMD) < descrip.mms > descrip.mms.new
+        OPEN/APPEND DESCRIP descrip.mms.new
+        WRITE DESCRIP "# DO NOT DELETE THIS LINE -- make depend depends on it."
+        {- join("\n\t", map { "TYPE $_ /OUTPUT=DESCRIP:" } @deps); -}
+        CLOSE DESCRIP
+        RENAME descrip.mms.new descrip.mms
+        PURGE descrip.mms
+
+# Install helper targets #############################################
+
+install_sw : all install_dev install_engines install_runtime install_config
+        @ WRITE SYS$OUTPUT ""
+        @ WRITE SYS$OUTPUT "######################################################################"
+        @ WRITE SYS$OUTPUT ""
+        @ WRITE SYS$OUTPUT "Installation complete"
+        @ WRITE SYS$OUTPUT ""
+        @ IF "$(DESTDIR)" .NES. "" THEN EXIT 1
+        @ WRITE SYS$OUTPUT "Run @$(INSTALLTOP)openssl_startup to set up logical names"
+        @ WRITE SYS$OUTPUT "then run @$(INSTALLTOP)openssl_setup to define commands"
+        @ WRITE SYS$OUTPUT ""
+
+uninstall_sw : uninstall_dev uninstall_engines uninstall_runtime uninstall_config
+
+install_docs : install_man_docs install_html_docs
+
+uninstall_docs : uninstall_man_docs uninstall_html_docs
+
+install_dev : check_INSTALLTOP
+        @ WRITE SYS$OUTPUT "*** Installing development files"
+        @ ! Install header files
+        CREATE/DIR ossl_installroot:[include.openssl]
+        COPY/PROT=W:R openssl:*.h ossl_installroot:[include.openssl]
+        @ ! Install libraries
+        CREATE/DIR ossl_installroot:['arch'.LIB]
+        {- join("\n        ",
+                map { "COPY/PROT=W:R $_.OLB ossl_installroot:['arch'.LIB]" }
+                @{$unified_info{libraries}}) -}
+        @ {- output_off() if $config{no_shared}; "" -} !
+        {- join("\n        ",
+                map { "COPY/PROT=W:RE $_.EXE ossl_installroot:['arch'.LIB]" }
+                map { $unified_info{sharednames}->{$_} || () }
+                @{$unified_info{libraries}}) -}
+        @ {- output_on() if $config{no_shared}; "" -} !
+
+install_runtime : check_INSTALLTOP
+        @ WRITE SYS$OUTPUT "*** Installing runtime files"
+        @ ! Install the main program
+        CREATE/DIR ossl_installroot:['arch'.EXE]
+        COPY/PROT=W:RE [.APPS]openssl.EXE ossl_installroot:['arch'.EXE]
+        @ ! Install scripts
+        CREATE/DIR ossl_installroot:[EXE]
+        COPY/PROT=W:RE [.APPS]CA.pl ossl_installroot:[EXE]
+        COPY/PROT=W:RE [.TOOLS]c_rehash. ossl_installroot:[EXE]c_rehash.pl
+        @ ! Install configuration file
+        COPY/PROT=W:RE {- sourcefile("apps", "openssl-vms.cnf") -} -
+                ossl_installroot:[000000]openssl.cnf
+
+install_engines : check_INSTALLTOP
+        @ {- output_off() if $config{no_shared}; "" -} !
+        @ WRITE SYS$OUTPUT "*** Installing engines"
+        CREATE/DIR ossl_installroot:['arch'.ENGINES]
+        COPY/PROT=W:RE [.ENGINES]*.EXE ossl_installroot:['arch'.ENGINES]
+        @ {- output_on() if $config{no_shared}; "" -} !
+
+install_config : [.VMS]openssl_startup.com [.VMS]openssl_shutdown.com -
+                 check_INSTALLTOP
+        IF "$(DESTDIR)" .EQS. "" THEN -
+                IF F$SEARCH("OSSL_DATAROOT:[000000]CERTS.DIR;1") .EQS. "" THEN -
+                CREATE/DIR/PROT=(S:RWED,O:RWE,G:RE,W:RE) OSSL_DATAROOT:[CERTS]
+        IF "$(DESTDIR)" .EQS. "" THEN -
+                IF F$SEARCH("OSSL_DATAROOT:[000000]PRIVATE.DIR;1") .EQS. "" THEN -
+                CREATE/DIR/PROT=(S:RWED,O:RWE,G:,W:) OSSL_DATAROOT:[PRIVATE]
+        CREATE/DIR ossl_installroot:[SYS$STARTUP]
+        COPY/PROT=W:RE -
+                [.VMS]openssl_startup.com,openssl_shutdown.com -
+                ossl_installroot:[SYS$STARTUP]
+        COPY/PROT=W:RE -
+                {- sourcefile("VMS", "openssl_utils.com") -} -
+                ossl_installroot:[SYS$STARTUP]
+
+[.VMS]openssl_startup.com : vmsconfig.pm
+        CREATE/DIR [.VMS]
+        $(PERL) "-I." "-Mvmsconfig" {- sourcefile("util", "dofile.pl") -} -
+                {- sourcefile("VMS", "openssl_startup.com.in") -} -
+                > [.VMS]openssl_startup.com
+
+[.VMS]openssl_shutdown.com : vmsconfig.pm
+        CREATE/DIR [.VMS]
+        $(PERL) "-I." "-Mvmsconfig" {- sourcefile("util", "dofile.pl") -} -
+                {- sourcefile("VMS", "openssl_shutdown.com.in") -} -
+                > [.VMS]openssl_shutdown.com
+
+vmsconfig.pm : descrip.mms
+        OPEN/WRITE/SHARE=READ CONFIG []vmsconfig.pm
+        WRITE CONFIG "package vmsconfig;"
+        WRITE CONFIG "use strict; use warnings;"
+        WRITE CONFIG "use Exporter;"
+        WRITE CONFIG "our @ISA = qw(Exporter);"
+        WRITE CONFIG "our @EXPORT = qw(%config %target %withargs %unified_info);"
+        WRITE CONFIG "our %config = ("
+        WRITE CONFIG "  target => '{- $config{target} -}',"
+        WRITE CONFIG "  version => '$(MAJOR).$(MINOR)',"
+        WRITE CONFIG "  no_shared => '","{- $config{no_shared} -}","',"
+        WRITE CONFIG "  INSTALLTOP => '$(INSTALLTOP)',"
+        WRITE CONFIG "  OPENSSLDIR => '$(OPENSSLDIR)',"
+        WRITE CONFIG "  pointersize => '","{- $target{pointersize} -}","',"
+        WRITE CONFIG "  shared_libs => ["
+        {- join("\n        ", map { "WRITE CONFIG \"    '$_'," } map { $unified_info{sharednames}->{$_} || () } @{$unified_info{libraries}}) || "\@ !" -}
+        WRITE CONFIG "  ],"
+        WRITE CONFIG ");"
+        WRITE CONFIG "our %target = ();"
+        WRITE CONFIG "our %withargs = ();"
+        WRITE CONFIG "our %unified_info = ();"
+        WRITE CONFIG "1;"
+        CLOSE CONFIG
+
+check_INSTALLTOP :
+        @ IF "$(INSTALLTOP)" .EQS. "" THEN -
+                WRITE SYS$ERROR "INSTALLTOP should not be empty"
+        @ IF "$(INSTALLTOP)" .EQS. "" THEN -
+                EXIT %x10000002
+
+# Helper targets #####################################################
+
+rehash : [.apps]openssl.exe, copy-certs
+        !MCR [.apps]openssl.exe rehash {- builddir("certs", "demo") -}
+        $(PERL) [.tools]c_rehash. [.certs.demo]
+
+copy-certs :
+        @ IF F$SEARCH("{- buildfile("certs.dir") -}") .EQS. "" THEN -
+             CREATE/DIR {- builddir("certs") -}
+        -@ IF "{- sourcedir("certs") -}" .NES. "{- builddir("certs") -}" THEN -
+             COPY {- tree(sourcedir("certs")) -}*.* {- tree(builddir("certs")) -}
+
+# Developer targets ##################################################
+
+debug_logicals :
+        SH LOGICAL/PROC openssl,internal,ossl_installroot
+        IF "$(DESTDIR)" .EQS. "" THEN -
+                SH LOGICAL/PROC ossl_dataroot
+
+# Building targets ###################################################
+
+descrip.mms : {- sourcefile("Configurations", "descrip.mms.tmpl") -} $(SRCDIR)Configure ! $(SRCDIR)config.com
+        @ WRITE SYS$OUTPUT "descrip.mms is older than $?."
+        @ WRITE SYS$OUTPUT "Reconfiguring..."
+        perl $(SRCDIR)Configure reconf
+        @ WRITE SYS$OUTPUT "*************************************************"
+        @ WRITE SYS$OUTPUT "***                                           ***"
+        @ WRITE SYS$OUTPUT "***   Please run the same mms command again   ***"
+        @ WRITE SYS$OUTPUT "***                                           ***"
+        @ WRITE SYS$OUTPUT "*************************************************"
+        @ exit %10000000
+
+{-
+  use File::Basename;
+  use File::Spec::Functions qw/abs2rel rel2abs catfile catdir/;
+  sub src2dep {
+      my %args = @_;
+      my $dep = $args{obj};
+      my $deps = join(", -\n\t\t", @{$args{srcs}}, @{$args{deps}});
+
+      # Because VMS C isn't very good at combining a /INCLUDE path with
+      # #includes having a relative directory (like '#include "../foo.h"),
+      # the best choice is to move to the first source file's intended
+      # directory before compiling, and make sure to write the object file
+      # in the correct position (important when the object tree is other
+      # than the source tree).
+      my $forward = dirname($args{srcs}->[0]);
+      my $backward = abs2rel(rel2abs("."), rel2abs($forward));
+      my $depd = abs2rel(rel2abs(dirname($dep)), rel2abs($forward));
+      my $depn = basename($dep);
+      my $srcs =
+          join(", ",
+               map { abs2rel(rel2abs($_), rel2abs($forward)) } @{$args{srcs}});
+      my $incs =
+          "/INCLUDE=(".join(",",
+                            map {
+                               file_name_is_absolute($_)
+                               ? $_ : catdir($backward,$_)
+                            } @{$args{incs}}).")";
+      my $before = $unified_info{before}->{$dep.".OBJ"} || "\@ !";
+      my $after = $unified_info{after}->{$dep.".OBJ"} || "\@ !";
+
+      return <<"EOF";
+$dep.MMS : $deps
+        ${before}
+        SET DEFAULT $forward
+        \$(CC) \$(CFLAGS)${incs} /MMS=(TARGET=.OBJ)/OBJECT=${depd}${depn}.MMS $srcs
+        SET DEFAULT $backward
+        ${after}
+        - PURGE $dep.MMS
+EOF
+  }
+  sub src2obj {
+      my %args = @_;
+      my $obj = $args{obj};
+      my $deps = join(", -\n\t\t", @{$args{srcs}}, @{$args{deps}});
+
+      # Because VMS C isn't very good at combining a /INCLUDE path with
+      # #includes having a relative directory (like '#include "../foo.h"),
+      # the best choice is to move to the first source file's intended
+      # directory before compiling, and make sure to write the object file
+      # in the correct position (important when the object tree is other
+      # than the source tree).
+      my $forward = dirname($args{srcs}->[0]);
+      my $backward = abs2rel(rel2abs("."), rel2abs($forward));
+      my $objd = abs2rel(rel2abs(dirname($obj)), rel2abs($forward));
+      my $objn = basename($obj);
+      my $srcs =
+          join(", ",
+               map { abs2rel(rel2abs($_), rel2abs($forward)) } @{$args{srcs}});
+      my $incs =
+          "/INCLUDE=(".join(",",
+                            map {
+                               file_name_is_absolute($_)
+                               ? $_ : catdir($backward,$_)
+                            } @{$args{incs}}).")";
+      my $before = $unified_info{before}->{$obj.".OBJ"} || "\@ !";
+      my $after = $unified_info{after}->{$obj.".OBJ"} || "\@ !";
+
+      return <<"EOF";
+$obj.OBJ : $deps
+        ${before}
+        SET DEFAULT $forward
+        \$(CC) \$(CFLAGS)${incs} /OBJECT=${objd}${objn}.OBJ /REPOSITORY=$backward $srcs
+        SET DEFAULT $backward
+        ${after}
+        - PURGE $obj.OBJ
+EOF
+  }
+  sub libobj2shlib {
+      my %args = @_;
+      my $lib = $args{lib};
+      my $shlib = $args{shlib};
+      my $libd = dirname($lib);
+      my $libn = basename($lib);
+      (my $mkdef_key = $libn) =~ s/^${osslprefix_q}lib//i;
+      my @deps = map {
+          $config{no_shared} ? $_.".OLB"
+              : $unified_info{sharednames}->{$_}.".EXE"; } @{$args{deps}};
+      my $deps = join(", -\n\t\t", @deps);
+      my $shlib_target = $config{no_shared} ? "" : $target{shared_target};
+      my $ordinalsfile = defined($args{ordinals}) ? $args{ordinals}->[1] : "";
+      my $engine_opt = abs2rel(rel2abs(catfile($config{sourcedir},
+                                               "VMS", "engine.opt")),
+                               rel2abs($config{builddir}));
+      my $mkdef_pl = abs2rel(rel2abs(catfile($config{sourcedir},
+                                             "util", "mkdef.pl")),
+                             rel2abs($config{builddir}));
+      my $translatesyms_pl = abs2rel(rel2abs(catfile($config{sourcedir},
+                                                     "VMS", "translatesyms.pl")),
+                                     rel2abs($config{builddir}));
+      # The "[]" hack is because in .OPT files, each line inherits the
+      # previous line's file spec as default, so if no directory spec
+      # is present in the current line and the previous line has one that
+      # doesn't apply, you're in for a surprise.
+      my $write_opt =
+          join("\n\t", map { my $x = $_ =~ /\[/ ? $_ : "[]".$_;
+                             $x =~ s|(\.EXE)|$1/SHARE|;
+                             $x =~ s|(\.LIB)|$1/LIB|;
+                             "WRITE OPT_FILE \"$x\"" } @deps)
+          || "\@ !";
+      return <<"EOF";
+$shlib.EXE : $lib.OLB $deps $ordinalsfile
+        IF "$mkdef_key" .EQS. "ssl" .OR. "$mkdef_key" .EQS. "crypto" THEN -
+           \$(PERL) $mkdef_pl "$mkdef_key" "VMS" > $shlib.SYMVEC-tmp
+        IF "$mkdef_key" .EQS. "ssl" .OR. "$mkdef_key" .EQS. "crypto" THEN -
+           \$(PERL) $translatesyms_pl \$(BUILDDIR)CXX\$DEMANGLER_DB. < $shlib.SYMVEC-tmp > $shlib.SYMVEC
+        OPEN/WRITE/SHARE=READ OPT_FILE $shlib.OPT
+        WRITE OPT_FILE "IDENTIFICATION=""V$config{version}"""
+        IF "$mkdef_key" .NES. "ssl" .AND. "$mkdef_key" .NES. "crypto" THEN -
+           TYPE $engine_opt /OUTPUT=OPT_FILE:
+        IF "$mkdef_key" .EQS. "ssl" .OR. "$mkdef_key" .EQS. "crypto" THEN -
+           TYPE $shlib.SYMVEC /OUTPUT=OPT_FILE:
+        WRITE OPT_FILE "$lib.OLB/LIBRARY"
+        $write_opt ! Comment to protect from empty line
+        CLOSE OPT_FILE
+        LINK /MAP=$shlib.MAP /FULL/SHARE=$shlib.EXE $shlib.OPT/OPT \$(EX_LIBS)
+        - DELETE $shlib.SYMVEC;*
+        - PURGE $shlib.EXE,$shlib.OPT,$shlib.MAP
+EOF
+  }
+  sub obj2dynlib {
+      my %args = @_;
+      my $lib = $args{lib};
+      my $libd = dirname($lib);
+      my $libn = basename($lib);
+      (my $libn_nolib = $libn) =~ s/^lib//;
+      my @objs = map { "$_.OBJ" } @{$args{objs}};
+      my @deps = map {
+          $config{no_shared} ? $_.".OLB"
+              : $unified_info{sharednames}->{$_}.".EXE"; } @{$args{deps}};
+      my $deps = join(", -\n\t\t", @objs, @deps);
+      my $shlib_target = $config{no_shared} ? "" : $target{shared_target};
+      my $engine_opt = abs2rel(rel2abs(catfile($config{sourcedir},
+                                               "VMS", "engine.opt")),
+                               rel2abs($config{builddir}));
+      # The "[]" hack is because in .OPT files, each line inherits the
+      # previous line's file spec as default, so if no directory spec
+      # is present in the current line and the previous line has one that
+      # doesn't apply, you're in for a surprise.
+      my $write_opt =
+          join(",-\"\n\t", map { my $x = $_ =~ /\[/ ? $_ : "[]".$_;
+                                 "WRITE OPT_FILE \"$x" } @objs).
+          "\"\n\t".
+          join("\n\t", map { my $x = $_ =~ /\[/ ? $_ : "[]".$_;
+                             $x =~ s|(\.EXE)|$1/SHARE|;
+                             $x =~ s|(\.LIB)|$1/LIB|;
+                             "WRITE OPT_FILE \"$x\"" } @deps)
+          || "\@ !";
+      return <<"EOF";
+$lib.EXE : $deps
+        OPEN/WRITE/SHARE=READ OPT_FILE $lib.OPT
+        TYPE $engine_opt /OUTPUT=OPT_FILE:
+        $write_opt
+        CLOSE OPT_FILE
+        LINK /MAP=$lib.MAP /FULL/SHARE=$lib.EXE $lib.OPT/OPT \$(EX_LIBS)
+        - PURGE $lib.EXE,$lib.OPT,$lib.MAP
+EOF
+  }
+  sub obj2lib {
+      my %args = @_;
+      my $lib = $args{lib};
+      my $objs = join(", -\n\t\t", map { $_.".OBJ" } (@{$args{objs}}));
+      my $fill_lib = join("\n\t", (map { "LIBRARY/REPLACE $lib.OLB $_.OBJ" }
+                                    @{$args{objs}}));
+      return <<"EOF";
+$lib.OLB : $objs
+        LIBRARY/CREATE/OBJECT $lib
+        $fill_lib
+        - PURGE $lib.OLB
+EOF
+  }
+  sub obj2bin {
+      my %args = @_;
+      my $bin = $args{bin};
+      my $bind = dirname($bin);
+      my $binn = basename($bin);
+      my @objs = map { "$_.OBJ" } @{$args{objs}};
+      my @deps = map {
+          $config{no_shared} ? $_.".OLB"
+              : $unified_info{sharednames}->{$_}.".EXE"; } @{$args{deps}};
+      my $deps = join(", -\n\t\t", @objs, @deps);
+      # The "[]" hack is because in .OPT files, each line inherits the
+      # previous line's file spec as default, so if no directory spec
+      # is present in the current line and the previous line has one that
+      # doesn't apply, you're in for a surprise.
+      my $write_opt =
+          join(",-\"\n\t", map { my $x = $_ =~ /\[/ ? $_ : "[]".$_;
+                                 "WRITE OPT_FILE \"$x" } @objs).
+          "\"\n\t".
+          join("\n\t", map { my $x = $_ =~ /\[/ ? $_ : "[]".$_;
+                             $x =~ s|(\.EXE)|$1/SHARE|;
+                             $x =~ s|(\.OLB)|$1/LIB|;
+                             "WRITE OPT_FILE \"$x\"" } @deps)
+          || "\@ !";
+      return <<"EOF";
+$bin.EXE : $deps
+        OPEN/WRITE/SHARE=READ OPT_FILE $bin.OPT
+        $write_opt
+        CLOSE OPT_FILE
+        LINK/EXEC=$bin.EXE \$(LDFLAGS) $bin.OPT/OPT \$(EX_LIBS)
+        - PURGE $bin.EXE,$bin.OPT
+EOF
+  }
+  sub in2script {
+      my %args = @_;
+      my $script = $args{script};
+      return "" if grep { $_ eq $script } @{$args{sources}}; # No overwrite!
+      my $sources = join(" ", @{$args{sources}});
+      my $dofile = abs2rel(rel2abs(catfile($config{sourcedir},
+                                           "util", "dofile.pl")),
+                           rel2abs($config{builddir}));
+      return <<"EOF";
+$script : $sources
+        \$(PERL) "-I\$(BUILDDIR)" "-Mconfigdata" $dofile -
+	    "-o$target{build_file}" $sources > $script
+        SET FILE/PROT=(S:RWED,O:RWED,G:RE,W:RE) $script
+        PURGE $script
+EOF
+  }
+  ""    # Important!  This becomes part of the template result.
+-}
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -0,0 +1,894 @@
+##
+## Makefile for OpenSSL
+##
+## {- join("\n## ", @autowarntext) -}
+{-
+     sub windowsdll { $config{target} =~ /^(?:Cygwin|mingw)/ }
+     sub shlib_ext { $target{shared_extension} || ".so" }
+     sub shlib_ext_simple { (my $x = $target{shared_extension})
+                                =~ s/\.\$\(SHLIB_MAJOR\)\.\$\(SHLIB_MINOR\)//;
+                            $x }
+-}
+PLATFORM={- $config{target} -}
+OPTIONS={- $config{options} -}
+CONFIGURE_ARGS=({- join(", ",quotify_l(@{$config{perlargv}})) -})
+SRCDIR={- $config{sourcedir} -}
+BLDDIR={- $config{builddir} -}
+
+VERSION={- $config{version} -}
+MAJOR={- $config{major} -}
+MINOR={- $config{minor} -}
+SHLIB_VERSION_NUMBER={- $config{shlib_version_number} -}
+SHLIB_VERSION_HISTORY={- $config{shlib_version_history} -}
+SHLIB_MAJOR={- $config{shlib_major} -}
+SHLIB_MINOR={- $config{shlib_minor} -}
+SHLIB_TARGET={- $target{shared_target} -}
+
+EXE_EXT={- $target{exe_extension} || "" -}
+LIB_EXT={- $target{lib_extension} || ".a" -}
+SHLIB_EXT={- shlib_ext() -}
+SHLIB_EXT_SIMPLE={- shlib_ext_simple() -}
+OBJ_EXT={- $target{obj_extension} || ".o" -}
+DEP_EXT={- $target{dep_extension} || ".d" -}
+
+LIBS={- join(" ", map { $_."\$(LIB_EXT)" } @{$unified_info{libraries}}) -}
+SHLIBS={- join(" ", map { $_."\$(SHLIB_EXT)" } map { $unified_info{sharednames}->{$_} || () } @{$unified_info{libraries}}) -}
+ENGINES={- join(" ", map { $_."\$(SHLIB_EXT_SIMPLE)" } @{$unified_info{engines}}) -}
+PROGRAMS={- join(" ", map { $_."\$(EXE_EXT)" } grep { !m|^test/| } @{$unified_info{programs}}) -}
+TESTPROGS={- join(" ", map { $_."\$(EXE_EXT)" } grep { m|^test/| } @{$unified_info{programs}}) -}
+SCRIPTS={- join(" ", @{$unified_info{scripts}}) -}
+BIN_SCRIPTS=$(BLDDIR)/tools/c_rehash
+MISC_SCRIPTS=$(SRCDIR)/tools/c_hash $(SRCDIR)/tools/c_info \
+	     $(SRCDIR)/tools/c_issuer $(SRCDIR)/tools/c_name \
+	     $(BLDDIR)/apps/CA.pl $(SRCDIR)/apps/tsget
+
+# DESTDIR is for package builders so that they can configure for, say,
+# /usr/ and yet have everything installed to /tmp/somedir/usr/.
+# Normally it is left empty.
+DESTDIR=
+
+# Do not edit these manually. Use Configure with --prefix or --openssldir
+# to change this!  Short explanation in the top comment in Configure
+INSTALLTOP={- # $prefix is used in the OPENSSLDIR perl snippet
+	      #
+	      our $prefix = $config{prefix} || "/usr/local";
+              $prefix -}
+OPENSSLDIR={- #
+	      # The logic here is that if no --openssldir was given,
+	      # OPENSSLDIR will get the value from $prefix plus "/ssl".
+	      # If --openssldir was given and the value is an absolute
+	      # path, OPENSSLDIR will get its value without change.
+	      # If the value from --openssldir is a relative path,
+	      # OPENSSLDIR will get $prefix with the --openssldir
+	      # value appended as a subdirectory.
+	      #
+              use File::Spec::Functions;
+              our $openssldir =
+                  $config{openssldir} ?
+                      (file_name_is_absolute($config{openssldir}) ?
+                           $config{openssldir}
+                           : catdir($prefix, $config{openssldir}))
+                      : catdir($prefix, "ssl");
+              $openssldir -}
+LIBDIR={- #
+          # if $prefix/lib$target{multilib} is not an existing
+          # directory, then assume that it's not searched by linker
+          # automatically, in which case adding $target{multilib} suffix
+          # causes more grief than we're ready to tolerate, so don't...
+          our $multilib =
+              -d "$prefix/lib$target{multilib}" ? $target{multilib} : "";
+          our $libdir = $config{libdir} || "lib$multilib";
+          $libdir -}
+ENGINESDIR={- use File::Spec::Functions;
+              catdir($prefix,$libdir,"engines") -}
+
+MANDIR=$(INSTALLTOP)/share/man
+HTMLDIR=$(INSTALLTOP)/share/doc/$(BASENAME)/html
+
+# MANSUFFIX is for the benefit of anyone who may want to have a suffix
+# appended after the manpage file section number.  "ssl" is popular,
+# resulting in files such as config.5ssl rather than config.5.
+MANSUFFIX=
+HTMLSUFFIX=html
+
+
+
+CROSS_COMPILE= {- $config{cross_compile_prefix} -}
+CC= $(CROSS_COMPILE){- $target{cc} -}
+CFLAGS={- our $cflags2 = join(" ",(map { "-D".$_} @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $config{cflags} -}
+CFLAGS_Q={- $cflags2 =~ s|([\\"])|\\$1|g; $cflags2 -} {- $config{cflags} -}
+DEPFLAGS= {- join(" ",map { "-D".$_} @{$config{depdefines}}) -}
+LDFLAGS= {- $config{lflags} -}
+PLIB_LDFLAGS= {- $config{plib_lflags} -}
+EX_LIBS= {- $config{ex_libs} -}
+SHARED_LDFLAGS={- $target{shared_ldflag}
+                  # Unlike other OSes (like Solaris, Linux, Tru64,
+                  # IRIX) BSD run-time linkers (tested OpenBSD, NetBSD
+                  # and FreeBSD) "demand" RPATH set on .so objects.
+                  # Apparently application RPATH is not global and
+                  # does not apply to .so linked with other .so.
+                  # Problem manifests itself when libssl.so fails to
+                  # load libcrypto.so. One can argue that we should
+                  # engrave this into Makefile.shared rules or into
+                  # BSD-* config lines above. Meanwhile let's try to
+                  # be cautious and pass -rpath to linker only when
+                  # $prefix is not /usr.
+                  . ($config{target} =~ m|^BSD-| && $prefix !~ m|^/usr/.*$|
+                     ? " -Wl,-rpath,\$\$(LIBRPATH)" : "") -}
+SHARED_RCFLAGS={- $target{shared_rcflag} -}
+
+PERL={- $config{perl} -}
+
+ARFLAGS= {- $target{arflags} -}
+AR=$(CROSS_COMPILE){- $target{ar} || "ar" -} $(ARFLAGS) r
+RANLIB= {- $target{ranlib} -}
+NM= $(CROSS_COMPILE){- $target{nm} || "nm" -}
+RM= rm -f
+TAR= {- $target{tar} || "tar" -}
+TARFLAGS= {- $target{tarflags} -}
+
+BASENAME=       openssl
+NAME=           $(BASENAME)-$(VERSION)
+TARFILE=        ../$(NAME).tar
+
+# We let the C compiler driver to take care of .s files. This is done in
+# order to be excused from maintaining a separate set of architecture
+# dependent assembler flags. E.g. if you throw -mcpu=ultrasparc at SPARC
+# gcc, then the driver will automatically translate it to -xarch=v8plus
+# and pass it down to assembler.
+AS=$(CC) -c
+ASFLAG=$(CFLAGS)
+PERLASM_SCHEME= {- $target{perlasm_scheme} -}
+
+# For x86 assembler: Set PROCESSOR to 386 if you want to support
+# the 80386.
+PROCESSOR= {- $config{processor} -}
+
+# The main targets ###################################################
+
+all: build_libs build_engines build_apps link-utils
+
+# The pkg-config files depend on the libraries as well as Makefile
+build_libs: libcrypto.pc libssl.pc openssl.pc
+build_engines: $(ENGINES)
+build_apps: $(PROGRAMS) $(SCRIPTS)
+build_tests: $(TESTPROGS)
+
+test tests: build_tests build_apps build_engines rehash
+	( cd test; \
+	  SRCTOP=../$(SRCDIR) \
+	  BLDTOP=../$(BLDDIR) \
+	    $(PERL) ../$(SRCDIR)/test/run_tests.pl $(TESTS) )
+
+list-tests:
+	@TOP=$(SRCDIR) PERL=$(PERL) $(PERL) $(SRCDIR)/test/run_tests.pl list
+
+libclean:
+	-rm -f `find $(BLDDIR) -name '*$(LIB_EXT)' -o -name '*$(SHLIB_EXT)'`
+
+install: install_sw install_ssldirs install_docs
+
+uninstall: uninstall_docs uninstall_sw
+
+clean: libclean
+	rm -f $(PROGRAMS) $(TESTPROGS)
+	rm -f `find $(BLDDIR) -name '*$(DEP_EXT)'`
+	rm -f `find $(BLDDIR) -name '*$(OBJ_EXT)'`
+	rm -f $(BLDDIR)/core $(BLDDIR)/rehash.time
+	rm -f $(BLDDIR)/tags $(BLDDIR)/TAGS
+	rm -f $(BLDDIR)/openssl.pc $(BLDDIR)/libcrypto.pc $(BLDDIR)/libssl.pc
+	-rm -f `find $(BLDDIR) -type l`
+	rm -f $(TARFILE)
+
+DCLEAN_CMD=sed -e '/^DO NOT DELETE.*/,$$d'
+dclean:
+	$(DCLEAN_CMD) < Makefile >Makefile.new
+	mv -f Makefile.new Makefile
+
+DEPS={- join(" ", map { (my $x = $_) =~ s|\.o$|\$(DEP_EXT)|; $x; }
+                  grep { $unified_info{sources}->{$_}->[0] =~ /\.c$/ }
+                  keys %{$unified_info{sources}}); -}
+depend: $(DEPS)
+	( $(DCLEAN_CMD) < Makefile; \
+	  echo '# DO NOT DELETE THIS LINE -- make depend depends on it.'; \
+	  echo; \
+	  cat `find . -name '*$(DEP_EXT)'` ) > Makefile.new
+	mv -f Makefile.new Makefile
+
+# Install helper targets #############################################
+
+install_sw: all install_dev install_engines install_runtime
+
+uninstall_sw: uninstall_dev uninstall_engines uninstall_runtime
+
+install_docs: install_man_docs install_html_docs
+
+uninstall_docs: uninstall_man_docs uninstall_html_docs
+
+install_ssldirs:
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)/certs
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)/private
+
+install_dev:
+	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+	@echo "*** Installing development files"
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/include/openssl
+	@set -e; for i in $(SRCDIR)/include/openssl/*.h \
+			  $(BLDDIR)/include/openssl/*.h; do \
+		fn=`basename $$i`; \
+		echo "install $$i -> $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn"; \
+		cp $$i $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn; \
+		chmod 644 $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn; \
+	done
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)
+	@set -e; for l in $(LIBS); do \
+		fn=`basename $$l`; \
+		echo "install $$l -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn"; \
+		cp $$l $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.new; \
+		$(RANLIB) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.new; \
+		chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.new; \
+		mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.new \
+		      $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn; \
+	done
+	@ : {- output_off() if $config{no_shared}; "" -}
+	@set -e; for s in $(SHLIBS); do \
+		fn=`basename $$s`; \
+		echo "install $$s -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn"; \
+		cp $$s $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.new; \
+		chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.new; \
+		mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.new \
+		      $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn; \
+		if [ "$(SHLIB_EXT)" != "$(SHLIB_EXT_SIMPLE)" ]; then \
+			echo "link $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2 -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn"; \
+			fn2=`basename $$fn $(SHLIB_EXT)`$(SHLIB_EXT_SIMPLE); \
+			ln -sf $$fn $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2; \
+		fi; \
+		: {- output_off() unless windowsdll(); "" -}; \
+		echo "install $$s.a -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.a"; \
+		cp $$s.a $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.a.new; \
+		chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.a.new; \
+		mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.a.new \
+		      $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.a; \
+		: {- output_on() unless windowsdll(); "" -}; \
+	done
+	@ : {- output_on() if $config{no_shared}; "" -}
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
+	@echo "install libcrypto.pc -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc"
+	@cp libcrypto.pc $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
+	@chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc
+	@echo "install libssl.pc -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc"
+	@cp libssl.pc $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
+	@chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc
+	@echo "install openssl.pc -> $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc"
+	@cp openssl.pc $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
+	@chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc
+
+uninstall_dev:
+	@echo "*** Uninstalling development files"
+	@set -e; for i in $(SRCDIR)/include/openssl/*.h \
+			  $(BLDDIR)/include/openssl/*.h; do \
+		fn=`basename $$i`; \
+		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn"; \
+		$(RM) $(DESTDIR)$(INSTALLTOP)/include/openssl/$$fn; \
+	done
+	@set -e; for l in $(LIBS); do \
+		fn=`basename $$l`; \
+		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn"; \
+		$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn; \
+	done
+	@set -e; for s in $(SHLIBS); do \
+		fn=`basename $$s`; \
+		if [ "$(SHLIB_EXT)" != "$(SHLIB_EXT_SIMPLE)" ]; then \
+			fn2=`basename $$fn $(SHLIB_EXT)`$(SHLIB_EXT_SIMPLE); \
+			echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2"; \
+			$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn2; \
+		fi; \
+		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn"; \
+		$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn; \
+		: {- output_off() unless windowsdll(); "" -}; \
+		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.a"; \
+		$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$fn.a; \
+		: {- output_on() unless windowsdll(); "" -}; \
+	done
+	@echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc"
+	@$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc
+	@echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc"
+	@$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc
+	@echo "$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc"
+	@$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc
+
+install_engines:
+	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/
+	@echo "*** Installing engines"
+	@set -e; for e in $(ENGINES); do \
+		fn=`basename $$e`; \
+		echo "install $$e -> $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
+		cp $$e $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/$$fn.new; \
+		chmod 755 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/$$fn.new; \
+		mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/$$fn.new \
+		      $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/$$fn; \
+	done
+
+uninstall_engines:
+	@echo "*** Uninstalling engines"
+	@set -e; for e in $(ENGINES); do \
+		fn=`basename $$e`; \
+		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
+		$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/$$fn; \
+	done
+
+install_runtime:
+	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/bin
+	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)/misc
+	@echo "*** Installing runtime files"
+	: {- output_off() unless windowsdll(); "" -};
+	@set -e; for s in $(SHLIBS); do \
+		fn=`basename $$i`; \
+		echo "install $$s -> $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
+		cp $$s $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
+		chmod 644 $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
+		mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new \
+		      $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
+	done
+	: {- output_on() unless windowsdll(); "" -};
+	@set -e; for x in $(PROGRAMS); do \
+		fn=`basename $$x`; \
+		echo "install $$x -> $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
+		cp $$x $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
+		chmod 755 $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
+		mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new \
+		      $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
+	done
+	@set -e; for x in $(BIN_SCRIPTS); do \
+		fn=`basename $$x`; \
+		echo "install $$x -> $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
+		cp $$x $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
+		chmod 755 $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
+		mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new \
+		      $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
+	done
+	@set -e; for x in $(MISC_SCRIPTS); do \
+		fn=`basename $$x`; \
+		echo "install $$x -> $(DESTDIR)$(OPENSSLDIR)/misc/$$fn"; \
+		cp $$x $(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new; \
+		chmod 755 $(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new; \
+		mv -f $(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new \
+		      $(DESTDIR)$(OPENSSLDIR)/misc/$$fn; \
+	done
+	@echo "install $(SRCDIR)/apps/openssl.cnf -> $(DESTDIR)$(OPENSSLDIR)/openssl.cnf"
+	@cp $(SRCDIR)/apps/openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new
+	@chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new
+	@mv -f  $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new $(DESTDIR)$(OPENSSLDIR)/openssl.cnf
+
+uninstall_runtime:
+	@echo "*** Uninstalling runtime files"
+	@set -e; for x in $(PROGRAMS); \
+	do  \
+		fn=`basename $$x`; \
+		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
+		$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
+	done;
+	@set -e; for x in $(BIN_SCRIPTS); \
+	do  \
+		fn=`basename $$x`; \
+		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
+		$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
+	done
+	@set -e; for x in $(MISC_SCRIPTS); \
+	do  \
+		fn=`basename $$x`; \
+		echo "$(RM) $(DESTDIR)$(OPENSSLDIR)/misc/$$fn"; \
+		$(RM) $(DESTDIR)$(OPENSSLDIR)/misc/$$fn; \
+	done
+	: {- output_off() unless windowsdll(); "" -};
+	@set -e; for s in $(SHLIBS); do \
+		fn=`basename $$i`; \
+		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
+		$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
+	done
+	: {- output_on() unless windowsdll(); "" -};
+	$(RM) $(DESTDIR)$(OPENSSLDIR)/openssl.cnf
+
+# A method to extract all names from a .pod file
+# The first sed extracts everything between "=head1 NAME" and the next =head1
+# The second sed joins all the lines into one
+# The third sed removes the description and turns all commas into spaces
+# Voilà, you have a space separated list of names!
+EXTRACT_NAMES=sed -e '1,/^=head1  *NAME *$$/d;/^=head1/,$$d' | \
+              sed -e ':a;{N;s/\n/ /;ba}' | \
+              sed -e 's/ - .*$$//;s/,/ /g'
+PROCESS_PODS=\
+	set -e; \
+	here=`cd $(SRCDIR); pwd`; \
+	point=$$here/util/point.sh; \
+	for ds in apps:1 crypto:3 ssl:3; do \
+	    defdir=`echo $$ds | cut -f1 -d:`; \
+	    defsec=`echo $$ds | cut -f2 -d:`; \
+	    for p in $(SRCDIR)/doc/$$defdir/*.pod; do \
+		SEC=`sed -ne 's/^=for  *comment  *openssl_manual_section: *\([0-9]\) *$$/\1/p' $$p`; \
+		[ -z "$$SEC" ] && SEC=$$defsec; \
+		fn=`basename $$p .pod`; \
+		NAME=`echo $$fn | tr [a-z] [A-Z]`; \
+		suf=`eval "echo $$OUTSUFFIX"`; \
+		top=`eval "echo $$OUTTOP"`; \
+		$(PERL) $(SRCDIR)/util/mkdir-p.pl $$top/man$$SEC; \
+		echo "install $$p -> $$top/man$$SEC/$$fn$$suf"; \
+		cat $$p | eval "$$GENERATE" \
+			>  $$top/man$$SEC/$$fn$$suf; \
+		names=`cat $$p | $(EXTRACT_NAMES)`; \
+		( cd $$top/man$$SEC; \
+		  for n in $$names; do \
+		      comp_n="$$n"; \
+		      comp_fn="$$fn"; \
+		      case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \
+			  comp_n=`echo "$$n" | tr [A-Z] [a-z]`; \
+			  comp_fn=`echo "$$fn" | tr [A-Z] [a-z]`; \
+			  ;; \
+		      esac; \
+		      if [ "$$comp_n" != "$$comp_fn" ]; then \
+			  echo "link $$top/man$$SEC/$$n$$suf -> $$top/man$$SEC/$$fn$$suf"; \
+			  PLATFORM=$(PLATFORM) $$point $$fn$$suf $$n$$suf; \
+		      fi; \
+		  done ); \
+	    done; \
+	done
+UNINSTALL_DOCS=\
+	set -e; \
+	here=`cd $(SRCDIR); pwd`; \
+	for ds in apps:1 crypto:3 ssl:3; do \
+	    defdir=`echo $$ds | cut -f1 -d:`; \
+	    defsec=`echo $$ds | cut -f2 -d:`; \
+	    for p in $(SRCDIR)/doc/$$defdir/*.pod; do \
+		SEC=`sed -ne 's/^=for  *comment  *openssl_manual_section: *\([0-9]\) *$$/\1/p' $$p`; \
+		[ -z "$$SEC" ] && SEC=$$defsec; \
+		fn=`basename $$p .pod`; \
+		suf=`eval "echo $$OUTSUFFIX"`; \
+		top=`eval "echo $$OUTTOP"`; \
+		echo "$(RM) $$top/man$$SEC/$$fn$$suf"; \
+	        $(RM) $$top/man$$SEC/$$fn$$suf; \
+		names=`cat $$p | $(EXTRACT_NAMES)`; \
+		for n in $$names; do \
+		    comp_n="$$n"; \
+		    comp_fn="$$fn"; \
+		    case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \
+			comp_n=`echo "$$n" | tr [A-Z] [a-z]`; \
+			comp_fn=`echo "$$fn" | tr [A-Z] [a-z]`; \
+			;; \
+		    esac; \
+		    if [ "$$comp_n" != "$$comp_fn" ]; then \
+			echo "$(RM) $$top/man$$SEC/$$n$$suf"; \
+			$(RM) $$top/man$$SEC/$$n$$suf; \
+		    fi; \
+		done; \
+	    done; \
+	done
+
+install_man_docs:
+	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+	@echo "*** Installing manpages"
+	@\
+	OUTSUFFIX='.$${SEC}$(MANSUFFIX)'; \
+	OUTTOP="$(DESTDIR)$(MANDIR)"; \
+	GENERATE='pod2man --name=$$NAME --section=$$SEC --center=OpenSSL --release=$(VERSION)'; \
+	$(PROCESS_PODS)
+
+uninstall_man_docs:
+	@echo "*** Uninstalling manpages"
+	@\
+	OUTSUFFIX='.$${SEC}$(MANSUFFIX)'; \
+	OUTTOP="$(DESTDIR)$(MANDIR)"; \
+	$(UNINSTALL_DOCS)
+
+install_html_docs:
+	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
+	@echo "*** Installing HTML manpages"
+	@\
+	OUTSUFFIX='.$(HTMLSUFFIX)'; \
+	OUTTOP="$(DESTDIR)$(HTMLDIR)"; \
+	GENERATE="pod2html --podroot=$(SRCDIR)/doc --htmldir=.. \
+			   --podpath=apps:crypto:ssl \
+		  | sed -e 's|href=\"http://man.he.net/man|href=\"../man|g'"; \
+	$(PROCESS_PODS)
+
+uninstall_html_docs:
+	@echo "*** Uninstalling manpages"
+	@\
+	OUTSUFFIX='.$(HTMLSUFFIX)'; \
+	OUTTOP="$(DESTDIR)$(HTMLDIR)"; \
+	$(UNINSTALL_DOCS)
+
+
+# Developer targets (note: these are only available on Unix) #########
+
+update: generate errors ordinals
+
+generate: generate_apps generate_crypto_bn generate_crypto_objects
+
+# Test coverage is a good idea for the future
+#coverage: $(PROGRAMS) $(TESTPROGRAMS)
+#	...
+
+# Currently disabled, util/selftest.pl needs a rewrite
+#report:
+#	SRCDIR=$(SRCDIR) @$(PERL) util/selftest.pl
+
+lint:
+	lint -DLINT $(INCLUDES) $(SRCS)
+
+generate_apps: $(SRCDIR)/apps/openssl-vms.cnf $(SRCDIR)/apps/progs.h
+
+generate_crypto_bn: $(SRCDIR)/crypto/bn/bn_prime.h
+
+generate_crypto_objects: $(SRCDIR)/crypto/objects/obj_dat.h \
+                         $(SRCDIR)/include/openssl/obj_mac.h \
+                         $(SRCDIR)/crypto/objects/obj_xref.h
+
+errors:
+	( cd $(SRCDIR); $(PERL) util/ck_errf.pl -strict */*.c */*/*.c )
+	( cd $(SRCDIR); $(PERL) util/mkerr.pl -recurse -write )
+	( cd $(SRCDIR)/engines; \
+	  for e in *.ec; do \
+	      $(PERL) ../util/mkerr.pl -conf $$e \
+		      -nostatic -staticloader -write *.c; \
+	  done )
+	( cd $(SRCDIR)/crypto/ct; \
+	  $(PERL) ../../util/mkerr.pl -conf ct.ec -hprefix internal/ -write *.c )
+
+ordinals:
+	( b=`pwd`; cd $(SRCDIR); $(PERL) -I$$b util/mkdef.pl crypto update )
+	( b=`pwd`; cd $(SRCDIR); $(PERL) -I$$b util/mkdef.pl ssl update )
+
+test_ordinals:
+	( cd test; \
+	  SRCTOP=../$(SRCDIR) \
+	  BLDTOP=../$(BLDDIR) \
+	    $(PERL) ../$(SRCDIR)/test/run_tests.pl test_ordinals )
+
+tags TAGS: FORCE
+	rm -f TAGS tags
+	-ctags -R .
+	-etags `find . -name '*.[ch]' -o -name '*.pm'`
+
+# Release targets (note: only available on Unix) #####################
+
+tar:
+	TMPDIR=/var/tmp/openssl-copy.$$$$; \
+	DISTDIR=openssl-$(VERSION); \
+	mkdir -p $$TMPDIR/$$DISTDIR; \
+	(cd $(SRCDIR); \
+	 git ls-tree -r --name-only --full-tree HEAD \
+	 | while read F; do \
+	       mkdir -p $$TMPDIR/$$DISTDIR/`dirname $$F`; \
+	       cp $$F $$TMPDIR/$$DISTDIR/$$F; \
+	   done); \
+	(cd $$TMPDIR; \
+	 [ -n "$(PREPARE_CMD)" ] && $(PREPARE_CMD); \
+	 find $$TMPDIR/$$DISTDIR -type d -print | xargs chmod 755; \
+	 find $$TMPDIR/$$DISTDIR -type f -print | xargs chmod a+r; \
+	 find $$TMPDIR/$$DISTDIR -type f -perm -0100 -print | xargs chmod a+x; \
+	 $(TAR) $(TARFLAGS) --owner 0 --group 0 -cvf - $$DISTDIR) \
+	| (cd $(SRCDIR); gzip --best > $(TARFILE).gz); \
+	rm -rf $$TMPDIR
+	cd $(SRCDIR); ls -l $(TARFILE).gz
+
+dist:
+	@$(MAKE) PREPARE_CMD='./Configure dist' tar
+
+# Helper targets #####################################################
+
+rehash: link-utils copy-certs build_apps
+	@if [ -z "$(CROSS_COMPILE)" ]; then \
+		(OPENSSL="$(BLDDIR)/util/shlib_wrap.sh apps/openssl"; \
+		[ -x "$(BLDDIR)/openssl.exe" ] && OPENSSL="$(BLDDIR)/openssl.exe" || :; \
+		OPENSSL_DEBUG_MEMORY=on; OPENSSL_CONF=/dev/null ; \
+		export OPENSSL OPENSSL_DEBUG_MEMORY OPENSSL_CONF; \
+		$$OPENSSL rehash certs/demo \
+		|| $(PERL) tools/c_rehash certs/demo) && \
+		touch rehash.time; \
+	else :; fi
+
+link-utils: $(BLDDIR)/util/opensslwrap.sh $(BLDDIR)/util/shlib_wrap.sh
+
+$(BLDDIR)/util/opensslwrap.sh: Makefile
+	@if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \
+	    mkdir -p "$(BLDDIR)/util"; \
+	    ln -sf "../$(SRCDIR)/util/opensslwrap.sh" "$(BLDDIR)/util"; \
+	fi
+$(BLDDIR)/util/shlib_wrap.sh: Makefile
+	@if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \
+	    mkdir -p "$(BLDDIR)/util"; \
+	    ln -sf "../$(SRCDIR)/util/shlib_wrap.sh" "$(BLDDIR)/util"; \
+	fi
+
+copy-certs: FORCE
+	@if [ "$(SRCDIR)" != "$(BLDDIR)" ]; then \
+	    cp -R "$(SRCDIR)/certs" "$(BLDDIR)/"; \
+	fi
+
+$(SRCDIR)/apps/openssl-vms.cnf: $(SRCDIR)/apps/openssl.cnf
+	$(PERL) $(SRCDIR)/VMS/VMSify-conf.pl \
+                < $(SRCDIR)/apps/openssl.cnf > $(SRCDIR)/apps/openssl-vms.cnf
+
+{- # because the program apps/openssl has object files as sources, and
+   # they then have the corresponding C files as source, we need to chain
+   # the lookups in %unified_info
+   my $apps_openssl = catfile("apps","openssl");
+   our @openssl_source = map { @{$unified_info{sources}->{$_}} }
+                         @{$unified_info{sources}->{$apps_openssl}};
+   ""; -}
+$(SRCDIR)/apps/progs.h:
+	$(RM) $@
+	$(PERL) $(SRCDIR)/apps/progs.pl {- join(" ", @openssl_source) -} > $@
+
+$(SRCDIR)/crypto/bn/bn_prime.h: $(SRCDIR)/crypto/bn/bn_prime.pl
+	$(PERL) $(SRCDIR)/crypto/bn/bn_prime.pl > $(SRCDIR)/crypto/bn/bn_prime.h
+
+$(SRCDIR)/crypto/objects/obj_dat.h: $(SRCDIR)/crypto/objects/obj_dat.pl \
+                                    $(SRCDIR)/include/openssl/obj_mac.h
+	$(PERL) $(SRCDIR)/crypto/objects/obj_dat.pl \
+                $(SRCDIR)/include/openssl/obj_mac.h \
+                $(SRCDIR)/crypto/objects/obj_dat.h
+
+# objects.pl both reads and writes obj_mac.num
+$(SRCDIR)/include/openssl/obj_mac.h: $(SRCDIR)/crypto/objects/objects.pl \
+                                     $(SRCDIR)/crypto/objects/objects.txt \
+                                     $(SRCDIR)/crypto/objects/obj_mac.num
+	$(PERL) $(SRCDIR)/crypto/objects/objects.pl \
+                $(SRCDIR)/crypto/objects/objects.txt \
+                $(SRCDIR)/crypto/objects/obj_mac.num \
+                $(SRCDIR)/include/openssl/obj_mac.h
+	@sleep 1; touch $(SRCDIR)/include/openssl/obj_mac.h; sleep 1
+
+$(SRCDIR)/crypto/objects/obj_xref.h: $(SRCDIR)/crypto/objects/objxref.pl \
+                                     $(SRCDIR)/crypto/objects/obj_xref.txt \
+                                     $(SRCDIR)/crypto/objects/obj_mac.num
+	$(PERL) $(SRCDIR)/crypto/objects/objxref.pl \
+                $(SRCDIR)/crypto/objects/obj_mac.num \
+                $(SRCDIR)/crypto/objects/obj_xref.txt \
+                > $(SRCDIR)/crypto/objects/obj_xref.h
+	@sleep 1; touch $(SRCDIR)/crypto/objects/obj_xref.h; sleep 1
+
+FORCE :
+
+# Building targets ###################################################
+
+libcrypto.pc libssl.pc openssl.pc: Makefile $(LIBS)
+libcrypto.pc:
+	@ ( echo 'prefix=$(INSTALLTOP)'; \
+	    echo 'exec_prefix=$${prefix}'; \
+	    echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
+	    echo 'includedir=$${prefix}/include'; \
+	    echo ''; \
+	    echo 'Name: OpenSSL-libcrypto'; \
+	    echo 'Description: OpenSSL cryptography library'; \
+	    echo 'Version: '$(VERSION); \
+	    echo 'Libs: -L$${libdir} -lcrypto'; \
+	    echo 'Libs.private: $(EX_LIBS)'; \
+	    echo 'Cflags: -I$${includedir}' ) > libcrypto.pc
+
+libssl.pc:
+	@ ( echo 'prefix=$(INSTALLTOP)'; \
+	    echo 'exec_prefix=$${prefix}'; \
+	    echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
+	    echo 'includedir=$${prefix}/include'; \
+	    echo ''; \
+	    echo 'Name: OpenSSL-libssl'; \
+	    echo 'Description: Secure Sockets Layer and cryptography libraries'; \
+	    echo 'Version: '$(VERSION); \
+	    echo 'Requires.private: libcrypto'; \
+	    echo 'Libs: -L$${libdir} -lssl'; \
+	    echo 'Libs.private: $(EX_LIBS)'; \
+	    echo 'Cflags: -I$${includedir}' ) > libssl.pc
+
+openssl.pc:
+	@ ( echo 'prefix=$(INSTALLTOP)'; \
+	    echo 'exec_prefix=$${prefix}'; \
+	    echo 'libdir=$${exec_prefix}/$(LIBDIR)'; \
+	    echo 'includedir=$${prefix}/include'; \
+	    echo ''; \
+	    echo 'Name: OpenSSL'; \
+	    echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
+	    echo 'Version: '$(VERSION); \
+	    echo 'Requires: libssl libcrypto' ) > openssl.pc
+
+# Note on the use of $(MFLAGS): this was an older variant of MAKEFLAGS which
+# wasn't passed down automatically.  It's quite safe to use it like we do
+# below; if it doesn't exist, the result will be empty and 'make' will pick
+# up $(MAKEFLAGS) which is passed down as an environment variable.
+Makefile: {- $config{build_file_template} -} $(SRCDIR)/Configure $(SRCDIR)/config
+	@echo "Makefile is older than {- $config{build_file_template} -}, $(SRCDIR)/Configure or $(SRCDIR)/config."
+	@echo "Reconfiguring..."
+	$(SRCDIR)/Configure reconf
+	@echo "**************************************************"
+	@echo "***                                            ***"
+	@echo "***   Please run the same make command again   ***"
+	@echo "***                                            ***"
+	@echo "**************************************************"
+	@false
+
+{-
+  use File::Basename;
+  use File::Spec::Functions qw/:DEFAULT abs2rel rel2abs/;
+
+  # Helper function to figure out dependencies on libraries
+  # It takes a list of library names and outputs a list of dependencies
+  sub compute_lib_depends {
+      if ($config{no_shared}) {
+          return map { $_."\$(LIB_EXT)" } @_;
+      }
+
+      # Depending on shared libraries:
+      # On Windows POSIX layers, we depend on {libname}.dll.a
+      # On Unix platforms, we depend on {shlibname}.so
+      return map { if (windowsdll()) {
+                       "$_\$(SHLIB_EXT_SIMPLE).a"
+		   } else {
+		       my $libname =
+		           $unified_info{sharednames}->{$_} || $_;
+		       "$libname\$(SHLIB_EXT_SIMPLE)"
+		   } } @_;
+  }
+
+  sub src2dep {
+      my %args = @_;
+      my $dep = $args{obj}.'$(DEP_EXT)';
+      my $obj = $args{obj}.'$(OBJ_EXT)';
+      my $srcs = join(" ", @{$args{srcs}});
+      my $deps = join(" ", @{$args{srcs}}, @{$args{deps}});
+      my $incs = join(" ", map { " -I".$_ } @{$args{incs}});
+      my $makedepprog = $config{makedepprog};
+      if ($makedepprog eq "makedepend") {
+          return <<"EOF";
+$dep : $deps
+	rm -f \$\@.tmp; touch \$\@.tmp
+	\$(MAKEDEPEND) -f\$\@.tmp -o"|$obj"\
+	    -- -DOPENSSL_DOING_MAKEDEPEND \$(DEPFLAGS)$incs \
+	    -- $srcs
+	sed -e 's/^.*|//' -e 's/ \\/\\(\\\\.\\|[^ ]\\)*//g' -e '/: *\$/d' -e '/^\\(#.*\\| *\\)\$/d' \$\@.tmp > \$\@
+	rm \$\@.tmp
+EOF
+      }
+      return <<"EOF";
+$dep : $deps Makefile
+	\$(CC) -DOPENSSL_DOING_MAKEDEPEND \$(DEPFLAGS)$incs -MM -MF \$\@ -MQ $obj $srcs
+EOF
+  }
+  sub src2obj {
+      my %args = @_;
+      my $obj = $args{obj}.'$(OBJ_EXT)';
+      my $srcs = join(" ", @{$args{srcs}});
+      my $deps = join(" ", @{$args{srcs}}, @{$args{deps}});
+      my $incs = join(" ", map { " -I".$_ } @{$args{incs}});
+      return <<"EOF";
+$obj : $deps
+	\$(CC) \$(CFLAGS)$incs -c -o \$\@ $srcs
+EOF
+  }
+  # On Unix, we build shlibs from static libs, so we're ignoring the
+  # object file array.  We *know* this routine is only called when we've
+  # configure 'shared'.
+  sub libobj2shlib {
+      my %args = @_;
+      my $lib = $args{lib};
+      my $shlib = $args{shlib};
+      my $libd = dirname($lib);
+      my $libn = basename($lib);
+      (my $libname = $libn) =~ s/^lib//;
+      my $linklibs = join("", map { my $d = dirname($_);
+                                    my $f = basename($_);
+                                    (my $l = $f) =~ s/^lib//;
+                                    " -L$d -l$l" } @{$args{deps}});
+      my $deps = join(" ",compute_lib_depends(@{$args{deps}}));
+      my $shlib_target = $target{shared_target};
+      my $ordinalsfile = defined($args{ordinals}) ? $args{ordinals}->[1] : "";
+      my $shlibtarget = windowsdll() ?
+	  "$lib\$(SHLIB_EXT_SIMPLE).a" : "$shlib\$(SHLIB_EXT_SIMPLE)";
+      return <<"EOF"
+# With a build on a Windows POSIX layer (Cygwin or Mingw), we know for a fact
+# that two files get produced, {shlibname}.dll and {libname}.dll.a.
+# With all other Unix platforms, we often build a shared library with the
+# SO version built into the file name and a symlink without the SO version
+# It's not necessary to have both as targets.  The choice falls on the
+# simplest, {libname}\$(SHLIB_EXT_SIMPLE).a for Windows POSIX layers and
+# {libname}\$(SHLIB_EXT_SIMPLE) for the Unix platforms.
+$shlibtarget : $lib\$(LIB_EXT) $deps $ordinalsfile
+	\$(MAKE) -f \$(SRCDIR)/Makefile.shared -e \\
+		PLATFORM=\$(PLATFORM) \\
+		PERL=\$(PERL) SRCDIR="\$(SRCDIR)" DSTDIR="$libd" \\
+		INSTALLTOP="\$(INSTALLTOP)" LIBDIR="\$(LIBDIR)" \\
+		LIBDEPS="\$(PLIB_LDFLAGS) $linklibs \$(EX_LIBS)" \\
+		LIBNAME=$libname LIBVERSION=\$(SHLIB_MAJOR).\$(SHLIB_MINOR) \\
+		LIBCOMPATVERSIONS=";\$(SHLIB_VERSION_HISTORY)" \\
+		CC="\$(CC)" CFLAGS="\$(CFLAGS)" LDFLAGS="\$(LDFLAGS)" \\
+		CROSS_COMPILE="\$(CROSS_COMPILE)" \\
+		SHARED_LDFLAGS="\$(SHARED_LDFLAGS)" SHLIB_EXT=\$(SHLIB_EXT) \\
+		SHARED_RCFLAGS="\$(SHARED_RCFLAGS)" \\
+		link_a.$shlib_target
+EOF
+	  . (windowsdll() ? <<"EOF" : "");
+	rm -f apps/$shlib\$(SHLIB_EXT)
+	rm -f test/$shlib\$(SHLIB_EXT)
+	cp -p $shlib\$(SHLIB_EXT) apps/
+	cp -p $shlib\$(SHLIB_EXT) test/
+EOF
+  }
+  sub obj2dynlib {
+      my %args = @_;
+      my $lib = $args{lib};
+      my $libd = dirname($lib);
+      my $libn = basename($lib);
+      (my $libname = $libn) =~ s/^lib//;
+      my $shlibdeps = join("", map { my $d = dirname($_);
+                                     my $f = basename($_);
+                                     (my $l = $f) =~ s/^lib//;
+                                     " -L$d -l$l" } @{$args{deps}});
+      my $deps = join(" ",compute_lib_depends(@{$args{deps}}));
+      my $shlib_target = $target{shared_target};
+      my $objs = join(" ", map { $_."\$(OBJ_EXT)" } @{$args{objs}});
+      return <<"EOF";
+$lib\$(SHLIB_EXT_SIMPLE): $objs $deps
+	\$(MAKE) -f \$(SRCDIR)/Makefile.shared -e \\
+		PLATFORM=\$(PLATFORM) \\
+		PERL=\$(PERL) SRCDIR="\$(SRCDIR)" DSTDIR="$libd" \\
+		LIBDEPS="\$(PLIB_LDFLAGS) $shlibdeps \$(EX_LIBS)" \\
+		LIBNAME=$libname LDFLAGS="\$(LDFLAGS)" \\
+		CC="\$(CC)" CFLAGS="\$(CFLAGS)" \\
+		SHARED_LDFLAGS="\$(SHARED_LDFLAGS)" \\
+		SHLIB_EXT=\$(SHLIB_EXT_SIMPLE) \\
+		LIBEXTRAS="$objs" \\
+		link_o.$shlib_target
+EOF
+  }
+  sub obj2lib {
+      my %args = @_;
+      my $lib = $args{lib};
+      my $objs = join(" ", map { $_."\$(OBJ_EXT)" } @{$args{objs}});
+      return <<"EOF";
+$lib\$(LIB_EXT) : $objs
+	\$(AR) \$\@ $objs
+	\$(RANLIB) \$\@ || echo Never mind.
+EOF
+  }
+  sub obj2bin {
+      my %args = @_;
+      my $bin = $args{bin};
+      my $bind = dirname($bin);
+      my $binn = basename($bin);
+      my $objs = join(" ", map { $_."\$(OBJ_EXT)" } @{$args{objs}});
+      my $deps = join(" ",compute_lib_depends(@{$args{deps}}));
+      my $linklibs = join("", map { my $d = dirname($_);
+                                    my $f = basename($_);
+                                    $d = "." if $d eq $f;
+                                    (my $l = $f) =~ s/^lib//;
+                                    " -L$d -l$l" } @{$args{deps}});
+      my $shlib_target = $config{no_shared} ? "" : $target{shared_target};
+      return <<"EOF";
+$bin\$(EXE_EXT) : $objs $deps
+	\$(RM) $bin\$(EXE_EXT)
+	\$(MAKE) -f \$(SRCDIR)/Makefile.shared -e \\
+		PERL=\$(PERL) SRCDIR=\$(SRCDIR) \\
+		APPNAME=$bin OBJECTS="$objs" \\
+		LIBDEPS="\$(PLIB_LDFLAGS) $linklibs \$(EX_LIBS)" \\
+		CC="\$(CC)" CFLAGS="\$(CFLAGS)" LDFLAGS="\$(LDFLAGS)" \\
+		LIBRPATH="\$(INSTALLTOP)/\$(LIBDIR)" \\
+		link_app.$shlib_target
+EOF
+  }
+  sub in2script {
+      my %args = @_;
+      my $script = $args{script};
+      my $sources = join(" ", @{$args{sources}});
+      my $dofile = abs2rel(rel2abs(catfile($config{sourcedir},
+                                           "util", "dofile.pl")),
+                           rel2abs($config{builddir}));
+      return <<"EOF";
+$script : $sources
+	\$(PERL) "-I\$(BLDDIR)" -Mconfigdata "$dofile" \\
+	    "-o$target{build_file}" $sources > "$script"
+	chmod a+x $script
+EOF
+  }
+  ""    # Important!  This becomes part of the template result.
+-}
--- a/3744
+++ b/3744
--- a/53
+++ b/53
@@ -3,7 +3,7 @@
 ---------------------------------

 [Installation on DOS (with djgpp), Windows, OpenVMS, MacOS (before MacOS X)
-  and NetWare is described in INSTALL.DJGPP, INSTALL.W32, INSTALL.VMS,
+  and NetWare is described in INSTALL.DJGPP, INSTALL.WIN, INSTALL.VMS,
  INSTALL.MacOS and INSTALL.NW.
  
  This document describes installation on operating systems in the Unix
@@ -12,7 +12,8 @@
 To install OpenSSL, you will need:

  * make
-  * Perl 5 with core modules (see 'Note on Perl' further down)
+  * Perl 5 with core modules (please read README.PERL)
+  * The perl module Text::Template (please read README.PERL)
  * an ANSI C compiler
  * a development environment in form of development libraries and C
    header files
@@ -50,6 +51,19 @@
  --openssldir=DIR Directory for OpenSSL files. If no prefix is specified,
                the library files and binaries are also installed there.

+  no-autoalginit Don't automatically load all supported ciphers and digests.
+                Typically OpenSSL will make available all of its supported
+                ciphers and digests. For a statically linked application this
+                may be undesirable if small executable size is an objective.
+                This only affects libcrypto. Ciphers and digests will have to be
+                loaded manually using EVP_add_cipher() and EVP_add_digest() if
+                this option is used.
+
+  no-autoerrinit Don't automatically load all libcrypto/libssl error strings.
+                Typically OpenSSL will automatically load human readable error
+                strings. For a statically linked application this may be
+                undesirable if small executable size is an objective.
+
  no-threads    Don't try to build with support for multi-threaded
                applications.

@@ -180,9 +194,6 @@

       $ HARNESS_VERBOSE=yes make test

-     Also, you will find logs for all commands the tests have executed
-     in logs, test/test_*.log, one for each individual test.
-
     If you want to run just one or a few specific tests, you can use
     the make variable TESTS to specify them, like this:

@@ -196,6 +207,9 @@

       $ make list-tests

+     Have a look at the manual for the perl module Test::Harness to
+     see what other HARNESS_* variables there are.
+
     If you find a problem with OpenSSL itself, try removing any
     compiler optimization flags from the CFLAG line in Makefile and
     run "make clean; make".
@@ -238,10 +252,9 @@
     locations, but have the package installed somewhere else so that
     it can easily be packaged, can use

-       $ make INSTALL_PREFIX=/tmp/package-root install
+       $ make DESTDIR=/tmp/package-root install

-     (or specify "--install_prefix=/tmp/package-root" as a configure
-     option).  The specified prefix will be prepended to all
+     The specified destination directory will be prepended to all
     installation target filenames.


@@ -310,26 +323,6 @@
     with names of the form <foo.h>.


- Note on Perl
- ------------
-
- For our scripts, we rely quite a bit on Perl, and increasingly on
- some core Perl modules.  These Perl modules are part of the Perl
- source, so if you build Perl on your own, you should be set.
-
- However, if you install Perl as binary packages, the outcome might
- differ, and you may have to check that you do get the core modules
- installed properly.  We do not claim to know them all, but experience
- has told us the following:
-
- - on Linux distributions based on Debian, the package 'perl' will
-   install the core Perl modules as well, so you will be fine.
- - on Linux distributions based on RPMs, you will need to install
-   'perl-core' rather than just 'perl'.
-
- It is highly recommended that you have at least Perl version 5.12
- installed.
-
 Note on multi-threading
 -----------------------

@@ -346,6 +339,10 @@
 you can still use "no-threads" to suppress an annoying warning message
 from the Configure script.)

+ OpenSSL provides built-in support for two threading models: pthreads (found on
+ most UNIX/Linux systems), and Windows threads. No other threading models are
+ supported. If your platform does not provide pthreads or Windows threads then
+ you should Configure with the "no-threads" option.

 Note on shared libraries
 ------------------------
--- a/INSTALL.DJGPP
+++ b/INSTALL.DJGPP
@@ -11,7 +11,8 @@

 You should have a full DJGPP environment installed, including the
 latest versions of DJGPP, GCC, BINUTILS, BASH, etc. This package
- requires that PERL and BC also be installed.
+ requires that PERL and the PERL module Text::Template also be
+ installed.

 All of these can be obtained from the usual DJGPP mirror sites or
 directly at "http://www.delorie.com/pub/djgpp". For help on which
--- a/INSTALL.VMS
+++ b/INSTALL.VMS
@@ -1,302 +1,66 @@
-			VMS Installation instructions
-			written by Richard Levitte
-			<richard@levitte.org>

+ INSTALLATION ON THE VMS PLATFORM
+ --------------------------------

-Intro:
-======
+ Intro
+ -----

-This file is divided in the following parts:
+ This file is divided in the following parts:

-  Requirements			- Mandatory reading.
-  Checking the distribution	- Mandatory reading.
-  Compilation			- Mandatory reading.
-  Logical names			- Mandatory reading.
-  Test				- Mandatory reading.
-  Installation			- Mandatory reading.
-  Backward portability		- Read if it's an issue.
-  Possible bugs or quirks	- A few warnings on things that
-				  may go wrong or may surprise you.
-  TODO				- Things that are to come.
+   Requirements                 - Mandatory reading.
+   Cheking the distribution     - Mandatory reading.
+   Quick start
+   Test                         <TO BE ADDED>
+   Installation                 <TO BE ADDED>
+   Backward portability         <TO BE ADDED>
+   Possible bugs and quirks     <TO BE ADDED>


-Requirements:
-=============
+ Requirements
+ ------------

-To build and install OpenSSL, you will need:
+ To build and install OpenSSL, you will need:

- * Perl 5 with core modules.  If you don't want to build it yourself,
-   we suggest you look here: http://sourceforge.net/projects/vmsperlkit/files/
- * DEC C or some other ANSI C compiler.  VAX C is *not* supported.
-   [Note: OpenSSL has only been tested with DEC C.  Compiling with 
-    a different ANSI C compiler may require some work]
+  * Perl 5 with core modules (please read README.PERL)
+  * The perl module Text::Template (please read README.PERL)
+  * DEC C or some other ANSI C compiler.  VAX C is *not* supported.
+    [Note: OpenSSL has only been tested with DEC C.  Compiling with 
+     a different ANSI C compiler may require some work]

-Checking the distribution:
-==========================
+ Checking the distribution
+ -------------------------

-There have been reports of places where the distribution didn't quite get
-through, for example if you've copied the tree from a NFS-mounted Unix
-mount point.
+ There have been reports of places where the distribution didn't quite
+ get through, for example if you've copied the tree from a NFS-mounted
+ Unix mount point.

-The easiest way to check if everything got through as it should is to check
-for one of the following files:
+ The easiest way to check if everything got through as it should is to
+ check for one of the following files:

-	[.CRYPTO]OPENSSLCONF.H_IN
-	[.CRYPTO]OPENSSLCONF_H.IN
+  [.crypto]opensslconf^.h.in

-They should never exist both at once, but one of them should (preferably
-the first variant).  If you can't find any of those two, something went
-wrong.
+ The best way to get a correct distribution is to download the gzipped
+ tar file from ftp://ftp.openssl.org/source/, use GUNZIP to uncompress
+ it and use VMSTAR to unpack the resulting tar file.

-The best way to get a correct distribution is to download the gzipped tar
-file from ftp://ftp.openssl.org/source/, use GUNZIP to uncompress it and
-use VMSTAR to unpack the resulting tar file.
+ GUNZIP is available {FIXME: where is it available?}

-GUNZIP is available in many places on the net.  One of the distribution
-points is the WKU software archive, ftp://ftp.wku.edu/vms/fileserv/ .
+ VMSTAR is available {FIXME: where is it available?}

-VMSTAR is also available in many places on the net.  The recommended place
-to find information about it is http://www.free.lp.se/vmstar/ .

+ Quick start
+ -----------

-Compilation:
-============
+ If you want to just get on with it, do this:

-I've used the very good command procedures written by Robert Byer
-<byer@mail.all-net.net>, and just slightly modified them, making
-them slightly more general and easier to maintain.
+  $ @config
+  $ mms
+  $ mms test
+  $ mmm install

-You can actually compile in almost any directory separately.  Look
-for a command procedure name xxx-LIB.COM (in the library directories)
-or MAKExxx.COM (in the program directories) and read the comments at
-the top to understand how to use them.  However, if you want to
-compile all you can get, the simplest is to use MAKEVMS.COM in the top
-directory.  The syntax is the following:
+ This will buidl and install OpenSSL in the default location, which is
+ SYS$COMMON:[OPENSSL-'VERSION'].  If you want it to be anywhere else,
+ run config.com like this:

-  @MAKEVMS <option> <bits> <debug-p> [<compiler>]
+  $ @config --prefix=PROGRAM:[OPENSSL]

-<option> must be one of the following:
-
-      ALL       Just build "everything".
-      CONFIG    Just build the "[.CRYPTO]OPENSSLCONF.H" file.
-      BUILDINF  Just build the "[.INCLUDE]BUILDINF.H" file.
-      SOFTLINKS Just copies some files, to simulate Unix soft links.
-      BUILDALL  Same as ALL, except CONFIG, BUILDINF and SOFTLINKS aren't done.
-      RSAREF    Just build the "[.xxx.EXE.RSAREF]LIBRSAGLUE.OLB" library.
-      CRYPTO    Just build the "[.xxx.EXE.CRYPTO]LIBCRYPTO.OLB" library.
-      SSL       Just build the "[.xxx.EXE.SSL]LIBSSL.OLB" library.
-      TEST      Just build the "[.xxx.EXE.TEST]" test programs for OpenSSL.
-      APPS      Just build the "[.xxx.EXE.APPS]" application programs for OpenSSL.
-
-<bits> must be one of the following:
-
-      ""        compile using default pointer size
-      32        compile using 32 bit pointer size
-      64        compile using 64 bit pointer size
-
-<debug-p> must be one of the following:
-
-      DEBUG     compile with debugging info (will not optimize)
-      NODEBUG   compile without debugging info (will optimize)
-
-<compiler> must be one of the following:
-
-      DECC      For DEC C.
-      GNUC      For GNU C.
-
-
-You will find the crypto library in [.xxx.EXE.CRYPTO] (where xxx is VAX,
-ALPHA or IA64), called SSL_LIBCRYPTO32.OLB or SSL_LIBCRYPTO.OLB depending
-on how it was built.  You will find the SSL library in [.xxx.EXE.SSL],
-named SSL_LIBSSL32.OLB or SSL_LIBSSL.OLB, and you will find a bunch of
-useful programs in [.xxx.EXE.APPS].  However, these shouldn't be used
-right off unless it's just to test them.  For production use, make sure
-you install first, see Installation below.
-
-Note 1: Some programs in this package require a TCP/IP library.
-
-Note 2: if you want to compile the crypto library only, please make sure
-        you have at least done a @MAKEVMS CONFIG, a @MAKEVMS BUILDINF and
-        a @MAKEVMS SOFTLINKS.  A lot of things will break if you don't.
-
-
-Logical names:
-==============
-
-There are a few things that can't currently be given through the command
-line.  Instead, logical names are used.
-
-Currently, the logical names supported are:
-
-      OPENSSL_NO_ASM    with value YES, the assembler parts of OpenSSL will
-                        not be used.  Instead, plain C implementations are
-                        used.  This is good to try if something doesn't work.
-      OPENSSL_NO_'alg'  with value YES, the corresponding crypto algorithm,
-                        protocol or other routine will not be implemented if
-                        disabling it is supported.  Supported algorithms to
-                        do this with are: AES, BF, CAMELLIA, CAST, CMS, COMP,
-                        DES, DGRAM, DH, DSA, EC, EC2M, ECDH, ECDSA, ENGINE,
-                        ERR, GOST, HEARTBEATS, HMAC, IDEA, MD2, MD4,
-                        MD5, OCB, OCSP, PSK, RC2, RC4, RC5, RMD160, RSA, SCTP,
-                        SEED, SOCK, SRP, SRTP, WHIRLPOOL.  So, for
-                        example, having the logical name OPENSSL_NO_RSA with
-                        the value YES means that the LIBCRYPTO.OLB library
-                        will not contain an RSA implementation.
-      OPENSSL_EXPERIMENTAL_'alg'
-                        with value YES, the corresponding experimental
-                        algorithm is enabled.  Note that is also requires
-                        the application using this to define the C macro
-                        OPENSSL_EXPERIMENTAL_'alg'.  Supported algorithms
-                        to do this with are: JPAKE, STORE.
-
-Test:
-=====
-
-Testing is very simple, just do the following:
-
-  @[.TEST]TESTS
-
-If a test fails, try with defining the logical name OPENSSL_NO_ASM (yes,
-it's an ugly hack!) and rebuild. Please send a bug report to
-<openssl-bugs@openssl.org>, including the output of "openssl version -a"
-and of the failed test.
-
-
-Installation:
-=============
-
-Installation is easy, just do the following:
-
-  @INSTALL <root> <bits>
-
-<root> is the directory in which everything will be installed,
-subdirectories, libraries, header files, programs and startup command
-procedures.
-
-<bits> works the same way as for MAKEVMS.COM
-
-N.B.: INSTALL.COM builds a new directory structure, different from
-the directory tree where you have now build OpenSSL.
-
-In the [.VMS] subdirectory of the installation, you will find the
-following command procedures:
-
-  OPENSSL_STARTUP.COM
-
-        defines all needed logical names.  Takes one argument that
-        tells it in what logical name table to insert the logical
-        names.  If you insert if it SYS$MANAGER:SYSTARTUP_VMS.COM, the
-        call should look like this: 
-
-          @openssldev:[openssldir.VMS]OPENSSL_STARTUP "/SYSTEM"
-
-  OPENSSL_UTILS.COM
-
-        sets up the symbols to the applications.  Should be called
-        from for example SYS$MANAGER:SYLOGIN.COM 
-
-  OPENSSL_UNDO.COM
-
-	deassigns the logical names created with OPENSSL_STARTUP.COM.
-
-The logical names that are set up are the following:
-
-  SSLROOT       a dotted concealed logical name pointing at the
-                root directory.
-
-  SSLCERTS      Initially an empty directory, this is the default
-		location for certificate files.
-  SSLPRIVATE	Initially an empty directory, this is the default
-		location for private key files.
-
-  SSLEXE        Contains the openssl binary and a few other utility
-		programs.
-  SSLINCLUDE    Contains the header files needed if you want to
-		compile programs with libcrypto or libssl.
-  SSLLIB        Contains the OpenSSL library files themselves:
-  		- SSL_LIBCRYPTO32.OLB and SSL_LIBSSL32.OLB or
-		- SSL_LIBCRYPTO.OLB and SSL_LIBSSL.OLB
-
-  OPENSSL	Same as SSLINCLUDE.  This is because the standard
-		way to include OpenSSL header files from version
-		0.9.3 and on is:
-
-			#include <openssl/header.h>
-
-		For more info on this issue, see the INSTALL. file
-		(the NOTE in section 4 of "Installation in Detail").
-		You don't need to "deleting old header files"!!!
-
-
-Backward portability:
-=====================
-
-One great problem when you build a library is making sure it will work
-on as many versions of VMS as possible.  Especially, code compiled on
-OpenVMS version 7.x and above tend to be unusable in version 6.x or
-lower, because some C library routines have changed names internally
-(the C programmer won't usually see it, because the old name is
-maintained through C macros).  One obvious solution is to make sure
-you have a development machine with an old enough version of OpenVMS.
-However, if you are stuck with a bunch of Alphas running OpenVMS version
-7.1, you seem to be out of luck.  Fortunately, the DEC C header files
-are cluttered with conditionals that make some declarations and definitions
-dependent on the OpenVMS version or the C library version, *and* you
-can use those macros to simulate older OpenVMS or C library versions,
-by defining the macros _VMS_V6_SOURCE, __VMS_VER and __CTRL_VER with
-correct values.  In the compilation scripts, I've provided the possibility
-for the user to influence the creation of such macros, through a bunch of
-symbols, all having names starting with USER_.  Here's the list of them:
-
-  USER_CCFLAGS		 - Used to give additional qualifiers to the
-			   compiler.  It can't be used to define macros
-			   since the scripts will do such things as well.
-			   To do such things, use USER_CCDEFS.
-  USER_CCDEFS		 - Used to define macros on the command line.  The
-			   value of this symbol will be inserted inside a
-			   /DEFINE=(...).
-  USER_CCDISABLEWARNINGS - Used to disable some warnings.  The value is
-			   inserted inside a /DISABLE=WARNING=(...).
-
-So, to maintain backward compatibility with older VMS versions, do the
-following before you start compiling:
-
-  $ USER_CCDEFS := _VMS_V6_SOURCE=1,__VMS_VER=60000000,__CRTL_VER=60000000
-  $ USER_CCDISABLEWARNINGS := PREOPTW
-
-The USER_CCDISABLEWARNINGS is there because otherwise, DEC C will complain
-that those macros have been changed.
-
-Note: Currently, this is only useful for library compilation.  The
-      programs will still be linked with the current version of the
-      C library shareable image, and will thus complain if they are
-      faced with an older version of the same C library shareable image.
-      This will probably be fixed in a future revision of OpenSSL.
-
-
-Possible bugs or quirks:
-========================
-
-I'm not perfectly sure all the programs will use the SSLCERTS:
-directory by default, it may very well be that you have to give them
-extra arguments.  Please experiment.
-
-
-TODO:
-=====
-
-There are a few things that need to be worked out in the VMS version of
-OpenSSL, still:
-
- Description files. ("Makefile's" :-))
- Script code to link an already compiled build tree.
- A VMSINSTALlable version (way in the future, unless someone else hacks).
- shareable images (DLL for you Windows folks).
-
-There may be other things that I have missed and that may be desirable.
-Please send mail to <openssl-users@openssl.org> or to me directly if you
-have any ideas.
-
--
-Richard Levitte <richard@levitte.org>
-2000-02-27, 2011-03-18
--- a/INSTALL.W32
+++ b/INSTALL.W32
@@ -1,325 +0,0 @@
- 
- INSTALLATION ON THE WIN32 PLATFORM
- ----------------------------------
-
- [Instructions for building for Windows CE can be found in INSTALL.WCE]
- [Instructions for building for Win64 can be found in INSTALL.W64]
-
- Here are a few comments about building OpenSSL for Win32 environments,
- such as Windows NT and Windows 9x. It should be noted though that
- Windows 9x are not ordinarily tested. Its mention merely means that we
- attempt to maintain certain programming discipline and pay attention
- to backward compatibility issues, in other words it's kind of expected
- to work on Windows 9x, but no regression tests are actually performed.
-
- On additional note newer OpenSSL versions are compiled and linked with
- Winsock 2. This means that minimum OS requirement was elevated to NT 4
- and Windows 98 [there is Winsock 2 update for Windows 95 though].
-
- - you need Perl for Win32.  Unless you will build on Cygwin, you will need
-   ActiveState Perl, available from http://www.activestate.com/ActivePerl.
-
- - one of the following C compilers:
-
-  * Visual C++
-  * Borland C
-  * GNU C (Cygwin or MinGW)
-
- Netwide Assembler, a.k.a. NASM, available from http://nasm.sourceforge.net/
-  is required if you intend to utilize assembler modules. Note that NASM
-  is now the only supported assembler.
-
- If you are compiling from a tarball or a Git snapshot then the Win32 files
- may well be not up to date. This may mean that some "tweaking" is required to
- get it all to work. See the trouble shooting section later on for if (when?)
- it goes wrong.
-
- Visual C++
- ----------
-
- If you want to compile in the assembly language routines with Visual
- C++, then you will need already mentioned Netwide Assembler binary,
- nasmw.exe or nasm.exe, to be available on your %PATH%.
-
- Firstly you should run Configure with platform VC-WIN32:
-
- > perl Configure VC-WIN32 --prefix=c:\some\openssl\dir
-
- Where the prefix argument specifies where OpenSSL will be installed to.
-
- Next you need to build the Makefiles and optionally the assembly
- language files:
-
- - If you are using NASM then run:
-
-   > ms\do_nasm
-
- - If you don't want to use the assembly language files at all then run:
-
-   > perl Configure VC-WIN32 no-asm --prefix=c:/some/openssl/dir
-   > ms\do_ms
-
- If you get errors about things not having numbers assigned then check the
- troubleshooting section: you probably won't be able to compile it as it
- stands.
-
- Then from the VC++ environment at a prompt do:
-
- > nmake -f ms\ntdll.mak
-
- If all is well it should compile and you will have some DLLs and
- executables in out32dll. If you want to try the tests then do:
- 
- > nmake -f ms\ntdll.mak test
-
-
- To install OpenSSL to the specified location do:
-
- > nmake -f ms\ntdll.mak install
-
- Tweaks:
-
- There are various changes you can make to the Win32 compile
- environment. By default the library is not compiled with debugging
- symbols. If you use the platform debug-VC-WIN32 instead of VC-WIN32
- then debugging symbols will be compiled in.
-
- By default in 1.0.0 OpenSSL will compile builtin ENGINES into the
- separate shared librariesy. If you specify the "enable-static-engine"
- option on the command line to Configure the shared library build
- (ms\ntdll.mak) will compile the engines into libeay32.dll instead.
-
- The default Win32 environment is to leave out any Windows NT specific
- features.
-
- If you want to enable the NT specific features of OpenSSL (currently
- only the logging BIO) follow the instructions above but call the batch
- file do_nt.bat instead of do_ms.bat.
-
- You can also build a static version of the library using the Makefile
- ms\nt.mak
-
-
- Borland C++ builder 5
- ---------------------
-
- * Configure for building with Borland Builder:
-   > perl Configure BC-32
-
- * Create the appropriate makefile
-   > ms\do_nasm
-
- * Build
-   > make -f ms\bcb.mak
-
- Borland C++ builder 3 and 4
- ---------------------------
-
- * Setup PATH. First must be GNU make then bcb4/bin 
-
- * Run ms\bcb4.bat
-
- * Run make:
-   > make -f bcb.mak
-
- GNU C (Cygwin)
- --------------
-
- Cygwin implements a Posix/Unix runtime system (cygwin1.dll) on top of
- Win32 subsystem and provides a bash shell and GNU tools environment.
- Consequently, a make of OpenSSL with Cygwin is virtually identical to
- Unix procedure. It is also possible to create Win32 binaries that only
- use the Microsoft C runtime system (msvcrt.dll or crtdll.dll) using
- MinGW. MinGW can be used in the Cygwin development environment or in a
- standalone setup as described in the following section.
-
- To build OpenSSL using Cygwin:
-
- * Install Cygwin (see http://cygwin.com/)
-
- * Install Perl and ensure it is in the path. Both Cygwin perl
-   (5.6.1-2 or newer) and ActivePerl work.
-
- * Run the Cygwin bash shell
-
- * $ tar zxvf openssl-x.x.x.tar.gz
-   $ cd openssl-x.x.x
-
-   To build the Cygwin version of OpenSSL:
-
-   $ ./config
-   [...]
-   $ make
-   [...]
-   $ make test
-   $ make install
-
-   This will create a default install in /usr/local/ssl.
-
-   To build the MinGW version (native Windows) in Cygwin:
-
-   $ ./Configure mingw
-   [...]
-   $ make
-   [...]
-   $ make test
-   $ make install
-
- Cygwin Notes:
-
- "make test" and normal file operations may fail in directories
- mounted as text (i.e. mount -t c:\somewhere /home) due to Cygwin
- stripping of carriage returns. To avoid this ensure that a binary
- mount is used, e.g. mount -b c:\somewhere /home.
-
- "bc" is not provided in older Cygwin distribution.  This causes a
- non-fatal error in "make test" but is otherwise harmless.  If
- desired and needed, GNU bc can be built with Cygwin without change.
-
- GNU C (MinGW/MSYS)
- -------------
-
- * Compiler and shell environment installation:
-
-   MinGW and MSYS are available from http://www.mingw.org/, both are
-   required. Run the installers and do whatever magic they say it takes
-   to start MSYS bash shell with GNU tools on its PATH.
-
-   N.B. Since source tar-ball can contain symbolic links, it's essential
-   that you use accompanying MSYS tar to unpack the source. It will
-   either handle them in one way or another or fail to extract them,
-   which does the trick too. Latter means that you may safely ignore all
-   "cannot create symlink" messages, as they will be "re-created" at
-   configure stage by copying corresponding files. Alternative programs
-   were observed to create empty files instead, which results in build
-   failure.
-
- * Compile OpenSSL:
-
-   $ ./config
-   [...]
-   $ make
-   [...]
-   $ make test
-
-   This will create the library and binaries in root source directory
-   and openssl.exe application in apps directory.
-
-   It is also possible to cross-compile it on Linux by configuring
-   with './Configure --cross-compile-prefix=i386-mingw32- mingw ...'.
-   'make test' is naturally not applicable then.
-
-   libcrypto.a and libssl.a are the static libraries. To use the DLLs,
-   link with libeay32.a and libssl32.a instead.
-
-   See troubleshooting if you get error messages about functions not
-   having a number assigned.
-
- Installation
- ------------
-
- If you used the Cygwin procedure above, you have already installed and
- can skip this section.  For all other procedures, there's currently no real
- installation procedure for Win32.  There are, however, some suggestions:
-
-    - do nothing.  The include files are found in the inc32/ subdirectory,
-      all binaries are found in out32dll/ or out32/ depending if you built
-      dynamic or static libraries.
-
-    - do as is written in INSTALL.Win32 that comes with modssl:
-
-	$ md c:\openssl 
-	$ md c:\openssl\bin
-	$ md c:\openssl\lib
-	$ md c:\openssl\include
-	$ md c:\openssl\include\openssl
-	$ copy /b inc32\openssl\*       c:\openssl\include\openssl
-	$ copy /b out32dll\ssleay32.lib c:\openssl\lib
-	$ copy /b out32dll\libeay32.lib c:\openssl\lib
-	$ copy /b out32dll\ssleay32.dll c:\openssl\bin
-	$ copy /b out32dll\libeay32.dll c:\openssl\bin
-	$ copy /b out32dll\openssl.exe  c:\openssl\bin
-
-      Of course, you can choose another device than c:.  C: is used here
-      because that's usually the first (and often only) harddisk device.
-      Note: in the modssl INSTALL.Win32, p: is used rather than c:.
-
-
- Troubleshooting
- ---------------
-
- Since the Win32 build is only occasionally tested it may not always compile
- cleanly.  If you get an error about functions not having numbers assigned
- when you run ms\do_ms then this means the Win32 ordinal files are not up to
- date. You can do:
-
- > perl util\mkdef.pl crypto ssl update
-
- then ms\do_XXX should not give a warning any more. However the numbers that
- get assigned by this technique may not match those that eventually get
- assigned in the Git tree: so anything linked against this version of the
- library may need to be recompiled.
-
- If you get errors about unresolved symbols there are several possible
- causes.
-
- If this happens when the DLL is being linked and you have disabled some
- ciphers then it is possible the DEF file generator hasn't removed all
- the disabled symbols: the easiest solution is to edit the DEF files manually
- to delete them. The DEF files are ms\libeay32.def ms\ssleay32.def.
-
- Another cause is if you missed or ignored the errors about missing numbers
- mentioned above.
-
- If you get warnings in the code then the compilation will halt.
-
- The default Makefile for Win32 halts whenever any warnings occur. Since VC++
- has its own ideas about warnings which don't always match up to other
- environments this can happen. The best fix is to edit the file with the
- warning in and fix it. Alternatively you can turn off the halt on warnings by
- editing the CFLAG line in the Makefile and deleting the /WX option.
-
- You might get compilation errors. Again you will have to fix these or report
- them.
-
- One final comment about compiling applications linked to the OpenSSL library.
- If you don't use the multithreaded DLL runtime library (/MD option) your
- program will almost certainly crash because malloc gets confused -- the
- OpenSSL DLLs are statically linked to one version, the application must
- not use a different one.  You might be able to work around such problems
- by adding CRYPTO_malloc_init() to your program before any calls to the
- OpenSSL libraries: This tells the OpenSSL libraries to use the same
- malloc(), free() and realloc() as the application.  However there are many
- standard library functions used by OpenSSL that call malloc() internally
- (e.g. fopen()), and OpenSSL cannot change these; so in general you cannot
- rely on CRYPTO_malloc_init() solving your problem, and you should
- consistently use the multithreaded library.
-
- Linking your application
- ------------------------
-
- If you link with static OpenSSL libraries [those built with ms/nt.mak],
- then you're expected to additionally link your application with
- WS2_32.LIB, ADVAPI32.LIB, GDI32.LIB and USER32.LIB. Those developing
- non-interactive service applications might feel concerned about linking
- with the latter two, as they are justly associated with interactive
- desktop, which is not available to service processes. The toolkit is
- designed to detect in which context it's currently executed, GUI,
- console app or service, and act accordingly, namely whether or not to
- actually make GUI calls. Additionally those who wish to
- /DELAYLOAD:GDI32.DLL and /DELAYLOAD:USER32.DLL and actually keep them
- off service process should consider implementing and exporting from
- .exe image in question own _OPENSSL_isservice not relying on USER32.DLL.
- E.g., on Windows Vista and later you could:
-
-	__declspec(dllexport) __cdecl BOOL _OPENSSL_isservice(void)
-	{   DWORD sess;
-	    if (ProcessIdToSessionId(GetCurrentProcessId(),&sess))
-	        return sess==0;
-	    return FALSE;
-	}
-
- If you link with OpenSSL .DLLs, then you're expected to include into
- your application code small "shim" snippet, which provides glue between
- OpenSSL BIO layer and your compiler run-time. Look up OPENSSL_Applink
- reference page for further details.
--- a/INSTALL.W64
+++ b/INSTALL.W64
@@ -1,66 +0,0 @@
-
- INSTALLATION ON THE WIN64 PLATFORM
- ----------------------------------
-
- Caveat lector
- -------------
-
- As of moment of this writing Win64 support is classified "initial"
- for the following reasons.
-
- - No assembler modules are engaged upon initial 0.9.8 release.
- - API might change within 0.9.8 life-span, *but* in a manner which
-   doesn't break backward binary compatibility. Or in other words,
-   application programs compiled with initial 0.9.8 headers will
-   be expected to work with future minor release .DLL without need
-   to re-compile, even if future minor release features modified API.
- - Above mentioned API modifications have everything to do with
-   elimination of a number of limitations, which are normally
-   considered inherent to 32-bit platforms. Which in turn is why they
-   are treated as limitations on 64-bit platform such as Win64:-)
-   The current list comprises [but not necessarily limited to]:
-
-   - null-terminated strings may not be longer than 2G-1 bytes,
-     longer strings are treated as zero-length;
-   - dynamically and *internally* allocated chunks can't be larger
-     than 2G-1 bytes;
-   - inability to encrypt/decrypt chunks of data larger than 4GB
-     [it's possibly to *hash* chunks of arbitrary size through];
-
-   Neither of these is actually big deal and hardly encountered
-   in real-life applications.
-
- Compiling procedure
- -------------------
-
- You will need Perl. You can run under Cygwin or you can download
- ActiveState Perl from http://www.activestate.com/ActivePerl.
-
- You will need Microsoft Platform SDK, available for download at
- http://www.microsoft.com/msdownload/platformsdk/sdkupdate/. As per
- April 2005 Platform SDK is equipped with Win64 compilers, as well
- as assemblers, but it might change in the future.
-
- To build for Win64/x64:
-
- > perl Configure VC-WIN64A
- > ms\do_win64a
- > nmake -f ms\ntdll.mak
- > cd out32dll
- > ..\ms\test
-
- To build for Win64/IA64:
-
- > perl Configure VC-WIN64I
- > ms\do_win64i
- > nmake -f ms\ntdll.mak
- > cd out32dll
- > ..\ms\test
-
- Naturally test-suite itself has to be executed on the target platform.
-
- Installation
- ------------
-
- TBD, for now see INSTALL.W32.
-
--- a/INSTALL.WCE
+++ b/INSTALL.WCE
@@ -8,6 +8,8 @@
  * Appropriate SDK might be required
  * Perl for Win32 [commonly recommended ActiveState Perl is available
    from http://www.activestate.com/Products/ActivePerl/]
+    You also need the perl module Text::Template.
+    Please read README.PERL for more information.

  * wcecompat compatibility library available at
    http://www.essemer.com.au/windowsce/
@@ -67,10 +69,6 @@

 > ms\do_ms

- If you get errors about things not having numbers assigned then check the
- troubleshooting section in INSTALL.W32: you probably won't be able to compile
- it as it stands.
-
 Then from the VC++ environment at a prompt do:

   > nmake -f ms\cedll.mak
--- a/INSTALL.WIN
+++ b/INSTALL.WIN
@@ -0,0 +1,192 @@
+
+ INSTALLATION ON WINDOWS PLATFORMS
+ ---------------------------------
+
+ [Instructions for building for Windows CE can be found in INSTALL.WCE]
+
+ Here are a few comments about building OpenSSL for Windows environments.
+
+ - you need Perl.  Unless you will build on Cygwin, you will need
+   ActiveState Perl, available from http://www.activestate.com/ActivePerl.  
+   You also need the perl module Text::Template, available on CPAN.
+   Please read README.PERL for more information.
+
+ - one of the following C compilers:
+
+  * Visual C++
+  * GNU C (Cygwin or MinGW)
+
+- Netwide Assembler, a.k.a. NASM, available from http://www.nasm.us,
+  is required if you intend to utilize assembler modules. Note that NASM
+  is now the only supported assembler. Without this the "Configure" step below
+  must be done with the "no-asm" option. The Microsoft provided assembler is NOT
+  supported.
+
+ Visual C++
+ ----------
+
+ If you want to compile in the assembly language routines with Visual
+ C++, then you will need the Netwide Assembler binary, nasmw.exe or nasm.exe, to
+ be available on your %PATH%.
+
+ Firstly you should run Configure and generate the Makefiles. If you don't want
+ the assembly language files then add the "no-asm" option (without quotes) to
+ the Configure lines below.
+
+ For Win32:
+
+ > perl Configure VC-WIN32 --prefix=c:\some\openssl\dir
+ > ms\do_nasm
+
+ Note: replace the last line above with the following if not using the assembly
+ language files:
+
+ > ms\do_ms
+
+ For Win64/x64:
+
+ > perl Configure VC-WIN64A --prefix=c:\some\openssl\dir
+ > ms\do_win64a
+
+ For Win64/IA64:
+
+ > perl Configure VC-WIN64I --prefix=c:\some\openssl\dir
+ > ms\do_win64i
+
+ Where the prefix argument specifies where OpenSSL will be installed to.
+
+ Then from the VC++ environment at a prompt do the following. Note, your %PATH%
+ and other environment variables should be set up for 32-bit or 64-bit
+ development as appropriate.
+
+ > nmake -f ms\ntdll.mak
+
+ If all is well it should compile and you will have some DLLs and
+ executables in out32dll. If you want to try the tests then do:
+
+ > nmake -f ms\ntdll.mak test
+
+ To install OpenSSL to the specified location do:
+
+ > nmake -f ms\ntdll.mak install
+
+ Tweaks:
+
+ There are various changes you can make to the Windows compile
+ environment. By default the library is not compiled with debugging
+ symbols. If you add --debug to the Configure lines above then debugging symbols
+ will be compiled in.
+
+ By default in 1.1.0 OpenSSL will compile builtin ENGINES into separate shared
+ libraries. If you specify the "enable-static-engine" option on the command line
+ to Configure the shared library build (ms\ntdll.mak) will compile the engines
+ into libeay32.dll instead.
+
+ You can also build a static version of the library using the Makefile
+ ms\nt.mak
+
+ GNU C (Cygwin)
+ --------------
+
+ Cygwin implements a Posix/Unix runtime system (cygwin1.dll) on top of the
+ Windows subsystem and provides a bash shell and GNU tools environment.
+ Consequently, a make of OpenSSL with Cygwin is virtually identical to the
+ Unix procedure. It is also possible to create Windows binaries that only
+ use the Microsoft C runtime system (msvcrt.dll or crtdll.dll) using
+ MinGW. MinGW can be used in the Cygwin development environment or in a
+ standalone setup as described in the following section.
+
+ To build OpenSSL using Cygwin:
+
+ * Install Cygwin (see http://cygwin.com/)
+
+ * Install Perl and ensure it is in the path. Both Cygwin perl
+   (5.6.1-2 or newer) and ActivePerl work.
+
+ * Run the Cygwin bash shell
+
+ * $ tar zxvf openssl-x.x.x.tar.gz
+   $ cd openssl-x.x.x
+
+   To build the Cygwin version of OpenSSL:
+
+   $ ./config
+   [...]
+   $ make
+   [...]
+   $ make test
+   $ make install
+
+   This will create a default install in /usr/local/ssl.
+
+   To build the MinGW version (native Windows) in Cygwin:
+
+   $ ./Configure mingw
+   [...]
+   $ make
+   [...]
+   $ make test
+   $ make install
+
+ Cygwin Notes:
+
+ "make test" and normal file operations may fail in directories
+ mounted as text (i.e. mount -t c:\somewhere /home) due to Cygwin
+ stripping of carriage returns. To avoid this ensure that a binary
+ mount is used, e.g. mount -b c:\somewhere /home.
+
+ GNU C (MinGW/MSYS)
+ -------------
+
+ * Compiler and shell environment installation:
+
+   MinGW and MSYS are available from http://www.mingw.org/, both are
+   required. Run the installers and do whatever magic they say it takes
+   to start MSYS bash shell with GNU tools on its PATH.
+
+ * Compile OpenSSL:
+
+   $ ./config
+   [...]
+   $ make
+   [...]
+   $ make test
+
+   This will create the library and binaries in root source directory
+   and openssl.exe application in apps directory.
+
+   It is also possible to cross-compile it on Linux by configuring
+   with './Configure --cross-compile-prefix=i386-mingw32- mingw ...'. Other
+   possible targets include x86_64-w64-mingw32- and i686-w64-mingw32-.
+
+   libcrypto.a and libssl.a are the static libraries. To use the DLLs,
+   link with libeay32.a and libssl32.a instead.
+
+ Linking your application
+ ------------------------
+
+ If you link with static OpenSSL libraries [those built with ms/nt.mak],
+ then you're expected to additionally link your application with
+ WS2_32.LIB, ADVAPI32.LIB, GDI32.LIB and USER32.LIB. Those developing
+ non-interactive service applications might feel concerned about linking
+ with the latter two, as they are justly associated with interactive
+ desktop, which is not available to service processes. The toolkit is
+ designed to detect in which context it's currently executed, GUI,
+ console app or service, and act accordingly, namely whether or not to
+ actually make GUI calls. Additionally those who wish to
+ /DELAYLOAD:GDI32.DLL and /DELAYLOAD:USER32.DLL and actually keep them
+ off service process should consider implementing and exporting from
+ .exe image in question own _OPENSSL_isservice not relying on USER32.DLL.
+ E.g., on Windows Vista and later you could:
+
+	__declspec(dllexport) __cdecl BOOL _OPENSSL_isservice(void)
+	{   DWORD sess;
+	    if (ProcessIdToSessionId(GetCurrentProcessId(),&sess))
+	        return sess==0;
+	    return FALSE;
+	}
+
+ If you link with OpenSSL .DLLs, then you're expected to include into
+ your application code small "shim" snippet, which provides glue between
+ OpenSSL BIO layer and your compiler run-time. See the OPENSSL_Applink
+ manual page for further details.
--- a/2
+++ b/2
@@ -12,7 +12,7 @@
  ---------------

 /* ====================================================================
- * Copyright (c) 1998-2011 The OpenSSL Project.  All rights reserved.
+ * Copyright (c) 1998-2016 The OpenSSL Project.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
--- a/Makefile.in
+++ b/Makefile.in
@@ -1,33 +1,65 @@
 ##
 ## Makefile for OpenSSL
 ##
+## {- join("\n## ", @autowarntext) -}

-VERSION=
-MAJOR=
-MINOR=
-SHLIB_VERSION_NUMBER=
-SHLIB_VERSION_HISTORY=
-SHLIB_MAJOR=
-SHLIB_MINOR=
-SHLIB_EXT=
-PLATFORM=dist
-OPTIONS=
-CONFIGURE_ARGS=
-SHLIB_TARGET=
+VERSION={- $config{version} -}
+MAJOR={- $config{major} -}
+MINOR={- $config{minor} -}
+SHLIB_VERSION_NUMBER={- $config{shlib_version_number} -}
+SHLIB_VERSION_HISTORY={- $config{shlib_version_history} -}
+SHLIB_MAJOR={- $config{shlib_major} -}
+SHLIB_MINOR={- $config{shlib_minor} -}
+SHLIB_EXT={- $target{shared_extension} -}
+PLATFORM={- $config{target} -}
+OPTIONS={- $config{options} -}
+CONFIGURE_ARGS=({- join(", ",quotify_l(@{$config{perlargv}})) -})
+SHLIB_TARGET={- $target{shared_target} -}

 # HERE indicates where this Makefile lives.  This can be used to indicate
 # where sub-Makefiles are expected to be.  Currently has very limited usage,
 # and should probably not be bothered with at all.
 HERE=.

-# INSTALL_PREFIX is for package builders so that they can configure
+# DESTDIR is for package builders so that they can configure
 # for, say, /usr/ and yet have everything installed to /tmp/somedir/usr/.
 # Normally it is left empty.
-INSTALL_PREFIX=
-INSTALLTOP=/usr/local/ssl
+DESTDIR=

-# Do not edit this manually. Use Configure --openssldir=DIR to change this!
-OPENSSLDIR=/usr/local/ssl
+# Do not edit these manually. Use Configure with --prefix or --openssldir
+# to change this!  Short explanation in the top comment in Configure
+INSTALLTOP={- # $prefix is used in the OPENSSLDIR perl snippet
+	      #
+	      our $prefix = $config{prefix} || "/usr/local";
+              $prefix -}
+OPENSSLDIR={- #
+	      # The logic here is that if no --openssldir was given,
+	      # OPENSSLDIR will get the value from $prefix plus "/ssl".
+	      # If --openssldir was given and the value is an absolute
+	      # path, OPENSSLDIR will get its value without change.
+	      # If the value from --openssldir is a relative path,
+	      # OPENSSLDIR will get $prefix with the --openssldir
+	      # value appended as a subdirectory.
+	      #
+              use File::Spec::Functions;
+              our $openssldir =
+                  $config{openssldir} ?
+                      (file_name_is_absolute($config{openssldir}) ?
+                           $config{openssldir}
+                           : catdir($prefix, $config{openssldir}))
+                      : catdir($prefix, "ssl");
+              $openssldir -}
+LIBDIR={- #
+          # if $prefix/lib$target{multilib} is not an existing
+          # directory, then assume that it's not searched by linker
+          # automatically, in which case adding $target{multilib} suffix
+          # causes more grief than we're ready to tolerate, so don't...
+          our $multilib =
+              -d "$prefix/lib$target{multilib}" ? $target{multilib} : "";
+          our $libdir = $config{libdir} || "lib$multilib";
+          $libdir -}
+ENGINESDIR={- use File::Spec::Functions;
+              catdir($prefix,$libdir,"engines") -}

 # NO_IDEA - Define to build without the IDEA algorithm
 # NO_RC4  - Define to build without the RC4 algorithm
@@ -44,7 +76,7 @@ OPENSSLDIR=/usr/local/ssl
 #           NULL encryption ciphers.
 #
 # LOCK_DEBUG - turns on lots of lock debug output :-)
-# REF_CHECK - turn on some xyz_free() assertions.
+# REF_DEBUG - turn on some xyz_free() assertions.
 # REF_PRINT - prints some stuff on structure free.
 # MFUNC - Make all Malloc/Free/Realloc calls call
 #       CRYPTO_malloc/CRYPTO_free/CRYPTO_realloc which can be setup to
@@ -56,23 +88,25 @@ OPENSSLDIR=/usr/local/ssl
 # equal 4.
 # PKCS1_CHECK - pkcs1 tests.

-CC= cc
-CFLAG= -O
-DEPFLAG= 
-PEX_LIBS= 
-EX_LIBS= 
-EXE_EXT= 
-ARFLAGS=
-AR=ar $(ARFLAGS) r
-RANLIB= ranlib
-NM= nm
-PERL= perl
+CROSS_COMPILE= {- $config{cross_compile_prefix} -}
+CC= $(CROSS_COMPILE){- $target{cc} -}
+CFLAG={- our $cflags2 = join(" ",(map { "-D".$_} @{$config{defines}}),"-DOPENSSLDIR=\"\\\"\$(OPENSSLDIR)\\\"\"","-DENGINESDIR=\"\\\"\$(ENGINESDIR)\\\"\"") -} {- $config{cflags} -}
+CFLAG_Q={- $cflags2 =~ s|([\\"])|\\$1|g; $cflags2 -} {- $config{cflags} -}
+DEPFLAG= {- join(" ",map { "-D".$_} @{$config{depdefines}}) -}
+LDFLAG= {- $config{lflags} -}
+PLIB_LDFLAG= {- $config{plib_lflags} -}
+EX_LIBS= {- $config{ex_libs} -}
+EXE_EXT= {- $target{exe_extension} -}
+ARFLAGS= {- $target{arflags} -}
+AR=$(CROSS_COMPILE){- $target{ar} -} $(ARFLAGS) r
+RANLIB= {- $target{ranlib} -}
+NM= $(CROSS_COMPILE){- $target{nm} -}
+PERL= {- $config{perl} -}
 #RM= echo --
 RM= rm -f
 TAR= tar
 TARFLAGS= --no-recursion
-MAKEDEPPROG=makedepend
-LIBDIR=lib
+MAKEDEPPROG=$(CROSS_COMPILE){- $config{makedepprog} -}

 # We let the C compiler driver to take care of .s files. This is done in
 # order to be excused from maintaining a separate set of architecture
@@ -84,32 +118,32 @@ ASFLAG=$(CFLAG)

 # For x86 assembler: Set PROCESSOR to 386 if you want to support
 # the 80386.
-PROCESSOR=
+PROCESSOR= {- $config{processor} -}

 # CPUID module collects small commonly used assembler snippets
-CPUID_OBJ= 
-BN_ASM= bn_asm.o
-EC_ASM=
-DES_ENC= des_enc.o fcrypt_b.o
-AES_ENC= aes_core.o aes_cbc.o
-BF_ENC= bf_enc.o
-CAST_ENC= c_enc.o
-RC4_ENC= rc4_enc.o
-RC5_ENC= rc5_enc.o
-MD5_ASM_OBJ= 
-SHA1_ASM_OBJ= 
-RMD160_ASM_OBJ= 
-WP_ASM_OBJ=
-CMLL_ENC=
-MODES_ASM_OBJ=
-ENGINES_ASM_OBJ=
-CHACHA_ENC= chacha_enc.o
-POLY1305_ASM_OBJ=
-PERLASM_SCHEME=
+CPUID_OBJ= {- $target{cpuid_obj} -}
+BN_ASM= {- $target{bn_obj} -}
+EC_ASM= {- $target{ec_obj} -}
+DES_ENC= {- $target{des_obj} -}
+AES_ENC= {- $target{aes_obj} -}
+BF_ENC= {- $target{bf_obj} -}
+CAST_ENC= {- $target{cast_obj} -}
+RC4_ENC= {- $target{rc4_obj} -}
+RC5_ENC= {- $target{rc5_obj} -}
+MD5_ASM_OBJ= {- $target{md5_obj} -}
+SHA1_ASM_OBJ= {- $target{sha1_obj} -}
+RMD160_ASM_OBJ= {- $target{rmd160_obj} -}
+WP_ASM_OBJ= {- $target{wp_obj} -}
+CMLL_ENC= {- $target{cmll_obj} -}
+MODES_ASM_OBJ= {- $target{modes_obj} -}
+PADLOCK_ASM_OBJ= {- $target{padlock_obj} -}
+CHACHA_ENC= {- $target{chacha_obj} -}
+POLY1305_ASM_OBJ= {- $target{poly1305_obj} -}
+PERLASM_SCHEME= {- $target{perlasm_scheme} -}

 # Zlib stuff
-ZLIB_INCLUDE=
-LIBZLIB=
+ZLIB_INCLUDE={- $withargs{zlib_include} -}
+LIBZLIB={- $withargs{zlib_lib} -}

 # This is the location of fipscanister.o and friends.
 # The FIPS module build will place it $(INSTALLTOP)/lib
@@ -118,35 +152,25 @@ LIBZLIB=
 # $(INSTALLTOP) for this build may be different so hard
 # code the path.

-FIPSLIBDIR=/usr/local/ssl/$(LIBDIR)/
+FIPSLIBDIR={- $config{fipslibdir} -}

 # The location of the library which contains fipscanister.o
 # normally it will be libcrypto. If not compiling in FIPS mode
 # at all this is empty making it a useful test for a FIPS compile.

-FIPSCANLIB=
+FIPSCANLIB={- $config{fips} ? "libcrypto" : "" -}

 # Shared library base address. Currently only used on Windows.
 #

-BASEADDR=
+BASEADDR={- $config{baseaddr} -}

-DIRS=   crypto ssl engines apps test tools
-ENGDIRS= ccgost
+DIRS=   {- join(" ", @{$config{dirs}}) -}
 SHLIBDIRS= crypto ssl
 INSTALL_SUBS= engines apps tools

 # dirs in crypto to build
-SDIRS=  \
-	objects \
-	md2 md4 md5 sha mdc2 hmac ripemd whrlpool poly1305 \
-	des aes rc2 rc4 rc5 idea bf cast camellia seed chacha modes \
-	bn ec rsa dsa dh dso engine \
-	buffer bio stack lhash rand err \
-	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui \
-	cms pqueue ts jpake srp store cmac ct async
-# keep in mind that the above list is adjusted by ./Configure
-# according to no-xxx arguments...
+SDIRS=  {- join(" ", @{$config{sdirs}}) -}

 # tests to perform.  "alltests" is a special word indicating that all tests
 # should be performed.
@@ -154,21 +178,34 @@ TESTS = alltests

 MAKEFILE= Makefile

-MANDIR=$(OPENSSLDIR)/man
+MANDIR=$(INSTALLTOP)/share/man
 MAN1=1
 MAN3=3
 MANSUFFIX=
 HTMLSUFFIX=html
-HTMLDIR=$(OPENSSLDIR)/html
+HTMLDIR=$(INSTALLTOP)/share/doc/$(BASENAME)/html
 SHELL=/bin/sh

 TOP=    .
 LIBS=   libcrypto.a libssl.a
 SHARED_CRYPTO=libcrypto$(SHLIB_EXT)
 SHARED_SSL=libssl$(SHLIB_EXT)
-SHARED_LIBS=
-SHARED_LIBS_LINK_EXTS=
-SHARED_LDFLAGS=
+SHARED_LIBS={- '$(SHARED_CRYPTO) $(SHARED_SSL)' if (!$config{no_shared}) -}
+SHARED_LDFLAG={- $target{shared_ldflag}
+                 # Unlike other OSes (like Solaris, Linux, Tru64,
+                 # IRIX) BSD run-time linkers (tested OpenBSD, NetBSD
+                 # and FreeBSD) "demand" RPATH set on .so objects.
+                 # Apparently application RPATH is not global and
+                 # does not apply to .so linked with other .so.
+                 # Problem manifests itself when libssl.so fails to
+                 # load libcrypto.so. One can argue that we should
+                 # engrave this into Makefile.shared rules or into
+                 # BSD-* config lines above. Meanwhile let's try to
+                 # be cautious and pass -rpath to linker only when
+                 # $prefix is not /usr.
+                 . ($config{target} =~ m|^BSD-| && $prefix !~ m|^/usr/.*$|
+                    ? " -Wl,-rpath,\$\$(LIBRPATH)" : "") -}
+SHARED_RCFLAG={- $target{shared_rcflag} -}

 GENERAL=        Makefile
 BASENAME=       openssl
@@ -178,16 +215,16 @@ HEADER=         e_os.h

 # Directories created on install if they don't exist.
 INSTALLDIRS=	\
-		$(INSTALL_PREFIX)$(INSTALLTOP)/bin \
-		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR) \
-		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/engines \
-		$(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig \
-		$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
-		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
-		$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
-		$(INSTALL_PREFIX)$(OPENSSLDIR)/private
+		$(DESTDIR)$(INSTALLTOP)/bin \
+		$(DESTDIR)$(INSTALLTOP)/$(LIBDIR) \
+		$(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines \
+		$(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig \
+		$(DESTDIR)$(INSTALLTOP)/include/openssl \
+		$(DESTDIR)$(OPENSSLDIR)/misc \
+		$(DESTDIR)$(OPENSSLDIR)/certs \
+		$(DESTDIR)$(OPENSSLDIR)/private

-all: Makefile build_all
+all: Makefile build_all_but_tests

 # as we stick to -e, CLEARENV ensures that local variables in lower
 # Makefiles remain local and variable. $${VAR+VAR} is tribute to Korn
@@ -208,23 +245,23 @@ CLEARENV=	TOP= && unset TOP $${LIB+LIB} $${LIBS+LIBS}	\
 # LC_ALL=C ensures that error [and other] messages are delivered in
 # same language for uniform treatment.
 BUILDENV=	LC_ALL=C PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)'\
-		CC='$(CC)' CFLAG='$(CFLAG)' 			\
+		CC='$(CC)' CFLAG='$(CFLAG)' CFLAG_Q='$(CFLAG_Q)'	\
 		AS='$(CC)' ASFLAG='$(CFLAG) -c'			\
 		AR='$(AR)' NM='$(NM)' RANLIB='$(RANLIB)'	\
 		CROSS_COMPILE='$(CROSS_COMPILE)'	\
-		PERL='$(PERL)' ENGDIRS='$(ENGDIRS)'		\
+		PERL='$(PERL)'	\
 		SDIRS='$(SDIRS)' LIBRPATH='$(INSTALLTOP)/$(LIBDIR)'	\
-		INSTALL_PREFIX='$(INSTALL_PREFIX)'		\
+		DESTDIR='$(DESTDIR)'		\
 		INSTALLTOP='$(INSTALLTOP)' OPENSSLDIR='$(OPENSSLDIR)'	\
 		LIBDIR='$(LIBDIR)'				\
-		MAKEDEPEND='$$$${TOP}/util/domd $$$${TOP} -MD $(MAKEDEPPROG)' \
 		DEPFLAG='$(DEPFLAG)'                    	\
-		MAKEDEPPROG='$(MAKEDEPPROG)'			\
-		SHARED_LDFLAGS='$(SHARED_LDFLAGS)'		\
+		SHARED_LDFLAG='$(SHARED_LDFLAG)'		\
+		SHARED_RCFLAG='$(SHARED_RCFLAG)'		\
 		ZLIB_INCLUDE='$(ZLIB_INCLUDE)' LIBZLIB='$(LIBZLIB)'	\
 		EXE_EXT='$(EXE_EXT)' SHARED_LIBS='$(SHARED_LIBS)'	\
 		SHLIB_EXT='$(SHLIB_EXT)' SHLIB_TARGET='$(SHLIB_TARGET)'	\
-		PEX_LIBS='$(PEX_LIBS)' EX_LIBS='$(EX_LIBS)'	\
+		LDFLAG='$(LDFLAG)'				\
+		PLIB_LDFLAG='$(PLIB_LDFLAG)' EX_LIBS='$(EX_LIBS)'	\
 		CPUID_OBJ='$(CPUID_OBJ)' BN_ASM='$(BN_ASM)'	\
 		EC_ASM='$(EC_ASM)' DES_ENC='$(DES_ENC)'		\
 		AES_ENC='$(AES_ENC)' CMLL_ENC='$(CMLL_ENC)'	\
@@ -235,7 +272,7 @@ BUILDENV=	LC_ALL=C PLATFORM='$(PLATFORM)' PROCESSOR='$(PROCESSOR)'\
 		RMD160_ASM_OBJ='$(RMD160_ASM_OBJ)'		\
 		WP_ASM_OBJ='$(WP_ASM_OBJ)'			\
 		MODES_ASM_OBJ='$(MODES_ASM_OBJ)'		\
-		ENGINES_ASM_OBJ='$(ENGINES_ASM_OBJ)'		\
+		PADLOCK_ASM_OBJ='$(PADLOCK_ASM_OBJ)'		\
 		CHACHA_ENC='$(CHACHA_ENC)'			\
 		POLY1305_ASM_OBJ='$(POLY1305_ASM_OBJ)'		\
 		PERLASM_SCHEME='$(PERLASM_SCHEME)'		\
@@ -274,7 +311,8 @@ reflect:

 sub_all: build_all

-build_all: build_libs build_apps build_tests build_tools
+build_all_but_tests: build_libs build_apps build_tools
+build_all: build_all_but_tests build_tests

 build_libs: build_libcrypto build_libssl openssl.pc

@@ -319,20 +357,6 @@ libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a
 		exit 1; \
 	fi

-clean-shared:
-	@set -e; for i in $(SHLIBDIRS); do \
-		if [ -n "$(SHARED_LIBS_LINK_EXTS)" ]; then \
-			tmp="$(SHARED_LIBS_LINK_EXTS)"; \
-			for j in $${tmp:-x}; do \
-				( set -x; rm -f lib$$i$$j ); \
-			done; \
-		fi; \
-		( set -x; rm -f lib$$i$(SHLIB_EXT) ); \
-		if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
-			( set -x; rm -f cyg$$i$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \
-		fi; \
-	done
-
 link-shared:
 	@ set -e; for i in $(SHLIBDIRS); do \
 		$(MAKE) -f $(HERE)/Makefile.shared -e $(BUILDENV) \
@@ -352,6 +376,23 @@ do_$(SHLIB_TARGET):
 			LIBDEPS="$$libs $(EX_LIBS)" \
 			link_a.$(SHLIB_TARGET); \
 		libs="-l$$i $$libs"; \
+		case "$(PLATFORM)" in \
+		Cygwin*) \
+			rm -f apps/cyg$$i-$(SHLIB_MAJOR).$(SHLIB_MINOR).dll; \
+			rm -f test/cyg$$i-$(SHLIB_MAJOR).$(SHLIB_MINOR).dll; \
+			cp cyg$$i-$(SHLIB_MAJOR).$(SHLIB_MINOR).dll apps/; \
+			cp cyg$$i-$(SHLIB_MAJOR).$(SHLIB_MINOR).dll test/; \
+			;; \
+		mingw*) \
+			case $$i in \
+				crypto) i=libeay32;; \
+				ssl) i=ssleay32;; \
+			esac; \
+			rm -f apps/$$i.dll; \
+			rm -f test/$$i.dll; \
+			cp $$i.dll apps/; \
+			cp $$i.dll test/; \
+		esac; \
 	done

 libcrypto.pc: Makefile
@@ -422,11 +463,8 @@ gentests:
 	@(cd test && echo "generating dummy tests (if needed)..." && \
 	$(CLEARENV) && $(MAKE) -e $(BUILDENV) TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on generate );

-dclean:
-	@set -e; target=dclean; $(RECURSIVE_BUILD_CMD)
-
 rehash: rehash.time
-rehash.time: certs build_apps
+rehash.time: certs build_apps build_tools
 	@if [ -z "$(CROSS_COMPILE)" ]; then \
 		(OPENSSL="`pwd`/util/opensslwrap.sh"; \
 		[ -x "apps/openssl.exe" ] && OPENSSL="apps/openssl.exe" || :; \
@@ -437,12 +475,10 @@ rehash.time: certs build_apps
 		touch rehash.time; \
 	else :; fi

-test:   tests
+test:   files tests

-test_ordinals:
-	TOP=$(TOP) PERL=$(PERL) $(PERL) test/run_tests.pl test_ordinals

-tests: rehash
+tests:  build_tests rehash
 	@(cd test && echo "testing..." && \
 	$(CLEARENV) && $(MAKE) -e $(BUILDENV) TOP=.. TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on OPENSSL_CONF=../apps/openssl.cnf tests );
 	@if [ -z "$(CROSS_COMPILE)" ]; then \
@@ -456,15 +492,6 @@ list-tests:
 report:
 	@$(PERL) util/selftest.pl

-update: errors util/libeay.num util/ssleay.num TABLE test_ordinals
-	@set -e; target=update; $(RECURSIVE_BUILD_CMD)
-
-depend:
-	@set -e; target=depend; $(RECURSIVE_BUILD_CMD)
-
-lint:
-	@set -e; target=lint; $(RECURSIVE_BUILD_CMD)
-
 tags TAGS: FORCE
 	rm -f TAGS tags
 	-ctags -R .
@@ -472,17 +499,29 @@ tags TAGS: FORCE

 FORCE:

+depend:
+	@set -e; target=depend; $(RECURSIVE_BUILD_CMD)
+
+update: generate errors ordinals depend
+
+generate:
+	(cd apps && PERL='${PERL}' $(MAKE) generate)
+	(cd crypto/bn && PERL='${PERL}' $(MAKE) generate)
+	(cd crypto/objects && PERL='${PERL}' $(MAKE) generate)
+
 errors:
 	$(PERL) util/ck_errf.pl -strict */*.c */*/*.c
 	$(PERL) util/mkerr.pl -recurse -write
 	(cd engines; $(MAKE) PERL=$(PERL) errors)
 	(cd crypto/ct; $(MAKE) PERL=$(PERL) errors)

+ordinals: util/libeay.num util/ssleay.num test_ordinals TABLE
 util/libeay.num::
 	$(PERL) util/mkdef.pl crypto update
-
 util/ssleay.num::
 	$(PERL) util/mkdef.pl ssl update
+test_ordinals:
+	TOP=$(TOP) PERL=$(PERL) $(PERL) test/run_tests.pl test_ordinals

 TABLE: Configure Configurations/*.conf
 	(echo 'Output of `Configure TABLE'"':"; \
@@ -494,15 +533,13 @@ TABLE: Configure Configurations/*.conf
 # and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal
 # tar does not support the --files-from option.
 TAR_COMMAND=$(TAR) $(TARFLAGS) --files-from $(TARFILE).list \
-	                       --owner 0 --group 0 \
+			       --owner 0 --group 0 \
 			       --transform 's|^|$(NAME)/|' \
 			       -cvf -

 $(TARFILE).list:
-	find * \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \
-	       \! -name '*.so' \! -name '*.so.*'  \! -name 'openssl' \
-	       \! -name '*test' \! -name '.#*' \! -name '*~' \!	-type l \
-	    | sort > $(TARFILE).list
+	git diff --quiet HEAD
+	git ls-files | sort > $(TARFILE).list

 tar: $(TARFILE).list
 	find . -type d -print | xargs chmod 755
@@ -517,7 +554,7 @@ tar-snap: $(TARFILE).list
 	rm -f $(TARFILE).list
 	ls -l $(TARFILE)

-dist:   
+dist:
 	$(PERL) Configure dist
 	@$(MAKE) SDIRS='$(SDIRS)' clean
 	@$(MAKE) TAR='$(TAR)' TARFLAGS='$(TARFLAGS)' $(DISTTARVARS) tar
@@ -529,18 +566,18 @@ uninstall: uninstall_sw uninstall_docs
 install_sw:
 	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALLDIRS)
 	@set -e; for i in include/openssl/*.h; do \
-	(cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$$i; \
-	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$$i ); \
+	(cp $$i $(DESTDIR)$(INSTALLTOP)/$$i; \
+	chmod 644 $(DESTDIR)$(INSTALLTOP)/$$i ); \
 	done;
 	@set -e; target=install; for dir in $(INSTALL_SUBS); do $(BUILD_CMD); done
 	@set -e; liblist="$(LIBS)"; for i in $$liblist ;\
 	do \
 		if [ -f "$$i" ]; then \
 		(       echo installing $$i; \
-			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
-			$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
-			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
-			mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i ); \
+			cp $$i $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
+			$(RANLIB) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
+			chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
+			mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i ); \
 		fi; \
 	done;
 	@set -e; if [ -n "$(SHARED_LIBS)" ]; then \
@@ -551,16 +588,16 @@ install_sw:
 			(       echo installing $$i; \
 				if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
 					c=`echo $$i | sed 's/^lib\(.*\)\.dll\.a/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
-					cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
-					chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
-					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
-					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
-					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
-					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
+					cp $$c $(DESTDIR)$(INSTALLTOP)/bin/$$c.new; \
+					chmod 755 $(DESTDIR)$(INSTALLTOP)/bin/$$c.new; \
+					mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$c.new $(DESTDIR)$(INSTALLTOP)/bin/$$c; \
+					cp $$i $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
+					chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
+					mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 				else \
-					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
-					chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
-					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
+					cp $$i $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
+					chmod 555 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new; \
+					mv -f $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i.new $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 				fi ); \
 				if expr $(PLATFORM) : 'mingw' > /dev/null; then \
 				(	case $$i in \
@@ -568,34 +605,34 @@ install_sw:
 						*ssl*)    i=ssleay32.dll;; \
 					esac; \
 					echo installing $$i; \
-					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
-					chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
-					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
+					cp $$i $(DESTDIR)$(INSTALLTOP)/bin/$$i.new; \
+					chmod 755 $(DESTDIR)$(INSTALLTOP)/bin/$$i.new; \
+					mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$i.new $(DESTDIR)$(INSTALLTOP)/bin/$$i ); \
 				fi; \
 			fi; \
 		done; \
 		(	here="`pwd`"; \
-			cd $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR); \
+			cd $(DESTDIR)$(INSTALLTOP)/$(LIBDIR); \
 			$(MAKE) -f $$here/Makefile HERE="$$here" link-shared ); \
 		if [ "$(INSTALLTOP)" != "/usr" ]; then \
 			echo 'OpenSSL shared libraries have been installed in:'; \
 			echo '  $(INSTALLTOP)'; \
 		fi; \
 	fi
-	cp libcrypto.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
-	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc
-	cp libssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
-	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc
-	cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
-	chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc
+	cp libcrypto.pc $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
+	chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc
+	cp libssl.pc $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
+	chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc
+	cp openssl.pc $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig
+	chmod 644 $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc

 uninstall_sw:
-	cd include/openssl && files=* && cd $(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl && $(RM) $$files
+	cd include/openssl && files=* && cd $(DESTDIR)$(INSTALLTOP)/include/openssl && $(RM) $$files
 	@for i in $(LIBS) ;\
 	do \
 		test -f "$$i" && \
-		echo $(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i && \
-		$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
+		echo $(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i && \
+		$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 	done;
 	@if [ -n "$(SHARED_LIBS)" ]; then \
 		tmp="$(SHARED_LIBS)"; \
@@ -604,28 +641,28 @@ uninstall_sw:
 			if [ -f "$$i" -o -f "$$i.a" ]; then \
 				if expr "$(PLATFORM)" : "Cygwin" >/dev/null; then \
 					c=`echo $$i | sed 's/^lib\(.*\)\.dll\.a/cyg\1-$(SHLIB_VERSION_NUMBER).dll/'`; \
-					echo $(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
-					$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
-					echo $(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
-					$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
+					echo $(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$c; \
+					$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$c; \
+					echo $(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i; \
+					$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 				else \
-					echo $(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
-					$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/$$i; \
+					echo $(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i; \
+					$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/$$i; \
 				fi; \
 				if expr $(PLATFORM) : 'mingw' > /dev/null; then \
 					case $$i in \
 						*crypto*) i=libeay32.dll;; \
 						*ssl*)    i=ssleay32.dll;; \
 					esac; \
-					echo $(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
-					$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
+					echo $(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$i; \
+					$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$i; \
 				fi; \
 			fi; \
 		done; \
 	fi
-	$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc
-	$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc
-	$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc
+	$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libcrypto.pc
+	$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/libssl.pc
+	$(RM) $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/pkgconfig/openssl.pc
 	@target=uninstall; $(RECURSIVE_BUILD_CMD)

 install_html_docs:
@@ -635,7 +672,7 @@ install_html_docs:
 		filecase=-i; \
 	esac; \
 	for subdir in apps crypto ssl; do \
-		$(PERL) $(TOP)/util/mkdir-p $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir; \
+		$(PERL) $(TOP)/util/mkdir-p $(DESTDIR)$(HTMLDIR)/$$subdir; \
 		for i in doc/$$subdir/*.pod; do \
 			fn=`basename $$i .pod`; \
 			echo "installing html/$$fn.$(HTMLSUFFIX)"; \
@@ -643,10 +680,10 @@ install_html_docs:
 			| sed -r 's/L<([^)]*)(\([0-9]\))?\|([^)]*)(\([0-9]\))?>/L<\1|\3>/g' \
 			| pod2html --podroot=doc --htmlroot=.. --podpath=$$subdir:apps:crypto:ssl \
 			| sed -r 's/<!DOCTYPE.*//g' \
-			> $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir/$$fn.$(HTMLSUFFIX); \
+			> $(DESTDIR)$(HTMLDIR)/$$subdir/$$fn.$(HTMLSUFFIX); \
 			$(PERL) util/extract-names.pl < $$i | \
 				grep -v $$filecase "^$$fn\$$" | \
-				(cd $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir; \
+				(cd $(DESTDIR)$(HTMLDIR)/$$subdir; \
 				 while read n; do \
 					PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$(HTMLSUFFIX) "$$n".$(HTMLSUFFIX); \
 				 done); \
@@ -662,21 +699,21 @@ uninstall_html_docs:
 	for subdir in apps crypto ssl; do \
 		for i in doc/$$subdir/*.pod; do \
 			fn=`basename $$i .pod`; \
-			$(RM) $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir/$$fn.$(HTMLSUFFIX); \
+			$(RM) $(DESTDIR)$(HTMLDIR)/$$subdir/$$fn.$(HTMLSUFFIX); \
 			$(PERL) util/extract-names.pl < $$i | \
 				grep -v $$filecase "^$$fn\$$" | \
 				while read n; do \
-					$(RM) $(INSTALL_PREFIX)$(HTMLDIR)/$$subdir/"$$n".$(HTMLSUFFIX); \
+					$(RM) $(DESTDIR)$(HTMLDIR)/$$subdir/"$$n".$(HTMLSUFFIX); \
 				done; \
 		done; \
 	done

 install_docs:
 	@$(PERL) $(TOP)/util/mkdir-p.pl \
-		$(INSTALL_PREFIX)$(MANDIR)/man1 \
-		$(INSTALL_PREFIX)$(MANDIR)/man3 \
-		$(INSTALL_PREFIX)$(MANDIR)/man5 \
-		$(INSTALL_PREFIX)$(MANDIR)/man7
+		$(DESTDIR)$(MANDIR)/man1 \
+		$(DESTDIR)$(MANDIR)/man3 \
+		$(DESTDIR)$(MANDIR)/man5 \
+		$(DESTDIR)$(MANDIR)/man7
 	here="`pwd`"; \
 	filecase=; \
 	case "$(PLATFORM)" in DJGPP|Cygwin*|mingw*|darwin*-*-cc) \
@@ -690,11 +727,11 @@ install_docs:
 		pod2man \
 			--section=$$sec --center=OpenSSL \
 			--release=$(VERSION) `basename $$i`) \
-			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
+			>  $(DESTDIR)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
 			(grep -v $$filecase "^$$fn\$$"; true) | \
 			(grep -v "[	]"; true) | \
-			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
+			(cd $(DESTDIR)$(MANDIR)/man$$sec/; \
 			 while read n; do \
 				PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
 			 done); \
@@ -707,11 +744,11 @@ install_docs:
 		pod2man \
 			--section=$$sec --center=OpenSSL \
 			--release=$(VERSION) `basename $$i`) \
-			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
+			>  $(DESTDIR)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
 			(grep -v $$filecase "^$$fn\$$"; true) | \
 			(grep -v "[	]"; true) | \
-			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
+			(cd $(DESTDIR)$(MANDIR)/man$$sec/; \
 			 while read n; do \
 				PLATFORM=$(PLATFORM) $$here/util/point.sh $$fn.$${sec}$(MANSUFFIX) "$$n".$${sec}$(MANSUFFIX); \
 			 done); \
@@ -726,27 +763,27 @@ uninstall_docs:
 	for i in doc/apps/*.pod; do \
 		fn=`basename $$i .pod`; \
 		sec=`$(PERL) util/extract-section.pl 1 < $$i`; \
-		echo $(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
-		$(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
+		echo $(RM) $(DESTDIR)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
+		$(RM) $(DESTDIR)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
 			(grep -v $$filecase "^$$fn\$$"; true) | \
 			(grep -v "[	]"; true) | \
 			while read n; do \
-				echo $(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/"$$n".$${sec}$(MANSUFFIX); \
-				$(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/"$$n".$${sec}$(MANSUFFIX); \
+				echo $(RM) $(DESTDIR)$(MANDIR)/man$$sec/"$$n".$${sec}$(MANSUFFIX); \
+				$(RM) $(DESTDIR)$(MANDIR)/man$$sec/"$$n".$${sec}$(MANSUFFIX); \
 			done; \
 	done; \
 	for i in doc/crypto/*.pod doc/ssl/*.pod; do \
 		fn=`basename $$i .pod`; \
 		sec=`$(PERL) util/extract-section.pl 3 < $$i`; \
-		echo $(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
-		$(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
+		echo $(RM) $(DESTDIR)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
+		$(RM) $(DESTDIR)$(MANDIR)/man$$sec/$$fn.$${sec}$(MANSUFFIX); \
 		$(PERL) util/extract-names.pl < $$i | \
 			(grep -v $$filecase "^$$fn\$$"; true) | \
 			(grep -v "[	]"; true) | \
 			while read n; do \
-				echo $(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/"$$n".$${sec}$(MANSUFFIX); \
-				$(RM) $(INSTALL_PREFIX)$(MANDIR)/man$$sec/"$$n".$${sec}$(MANSUFFIX); \
+				echo $(RM) $(DESTDIR)$(MANDIR)/man$$sec/"$$n".$${sec}$(MANSUFFIX); \
+				$(RM) $(DESTDIR)$(MANDIR)/man$$sec/"$$n".$${sec}$(MANSUFFIX); \
 			done; \
 	done

--- a/Makefile.shared
+++ b/Makefile.shared
@@ -11,8 +11,12 @@ CFLAGS=$(CFLAG)
 # LDFLAGS contains flags to be used when temporary object files (when building
 # shared libraries) are created, or when an application is linked.
 # SHARED_LDFLAGS contains flags to be used when the shared library is created.
-LDFLAGS=
-SHARED_LDFLAGS=
+LDFLAGS=$(LDFLAG)
+SHARED_LDFLAGS=$(SHARED_LDFLAG)
+
+# SHARED_RCFLAGS are flags used with windres, i.e. when build for Cygwin
+# or Mingw.
+SHARED_RCFLAGS=$(SHARED_RCFLAG)

 NM=nm

@@ -31,6 +35,12 @@ LIBNAME=
 #APPNAME=foo
 APPNAME=

+# DSTDIR is the directory where the built file should end up in.
+DSTDIR=.
+
+# SRCDIR is the top directory of the source tree.
+SRCDIR=.
+
 # OBJECTS contains all the object files to link together into the application.
 # This must contain at least one object file.
 #OBJECTS=foo.o
@@ -92,9 +102,11 @@ CALC_VERSIONS=	\
 LINK_APP=	\
  ( $(SET_X);   \
    LIBDEPS="$${LIBDEPS:-$(LIBDEPS)}"; \
-    LDCMD="$${LDCMD:-$(CC)}"; LDFLAGS="$${LDFLAGS:-$(CFLAGS)}"; \
+    LDCMD="$${LDCMD:-$(CC)}"; LDFLAGS="$${LDFLAGS:-$(CFLAGS) $(LDFLAGS)}"; \
    LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
    LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
+    echo LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
+        $${LDCMD} $${LDFLAGS} -o $${APPNAME:=$(APPNAME)} $(OBJECTS) $${LIBDEPS}; \
    LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
    $${LDCMD} $${LDFLAGS} -o $${APPNAME:=$(APPNAME)} $(OBJECTS) $${LIBDEPS} )

@@ -105,9 +117,13 @@ LINK_SO=	\
    SHAREDFLAGS="$${SHAREDFLAGS:-$(CFLAGS) $(SHARED_LDFLAGS)}"; \
    LIBPATH=`for x in $$LIBDEPS; do echo $$x; done | sed -e 's/^ *-L//;t' -e d | uniq`; \
    LIBPATH=`echo $$LIBPATH | sed -e 's/ /:/g'`; \
+    echo LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
+         $${SHAREDCMD} $${SHAREDFLAGS} \
+	     -o $(DSTDIR)/$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
+	     $$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS; \
    LD_LIBRARY_PATH=$$LIBPATH:$$LD_LIBRARY_PATH \
    $${SHAREDCMD} $${SHAREDFLAGS} \
-	-o $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
+	-o $(DSTDIR)/$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX \
 	$$ALLSYMSFLAGS $$SHOBJECTS $$NOALLSYMSFLAGS $$LIBDEPS \
  ) && $(SYMLINK_SO)

@@ -116,30 +132,30 @@ SYMLINK_SO=	\
 		prev=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX; \
 		if [ -n "$$SHLIB_COMPAT" ]; then \
 			for x in $$SHLIB_COMPAT; do \
-				( $(SET_X); rm -f $$SHLIB$$x$$SHLIB_SUFFIX; \
-				  ln -s $$prev $$SHLIB$$x$$SHLIB_SUFFIX ); \
+				( $(SET_X); rm -f $(DSTDIR)/$$SHLIB$$x$$SHLIB_SUFFIX; \
+				  ln -s $$prev $(DSTDIR)/$$SHLIB$$x$$SHLIB_SUFFIX ); \
 				prev=$$SHLIB$$x$$SHLIB_SUFFIX; \
 			done; \
 		fi; \
 		if [ -n "$$SHLIB_SOVER" ]; then \
-			( $(SET_X); rm -f $$SHLIB$$SHLIB_SUFFIX; \
-			  ln -s $$prev $$SHLIB$$SHLIB_SUFFIX ); \
+			( $(SET_X); rm -f $(DSTDIR)/$$SHLIB$$SHLIB_SUFFIX; \
+			  ln -s $$prev $(DSTDIR)/$$SHLIB$$SHLIB_SUFFIX ); \
 		fi; \
 	fi

-LINK_SO_A=	SHOBJECTS="lib$(LIBNAME).a $(LIBEXTRAS)"; $(LINK_SO)
+LINK_SO_A=	SHOBJECTS="$(DSTDIR)/lib$(LIBNAME).a $(LIBEXTRAS)"; $(LINK_SO)
 LINK_SO_O=	SHOBJECTS="$(LIBEXTRAS)"; $(LINK_SO)

 LINK_SO_A_VIA_O=	\
-  SHOBJECTS=lib$(LIBNAME).o; \
+  SHOBJECTS=$(DSTDIR)/lib$(LIBNAME).o; \
  ALL=$$ALLSYMSFLAGS; ALLSYMSFLAGS=; NOALLSYMSFLAGS=; \
-  ( $(SET_X); \
-    ld $(LDFLAGS) -r -o lib$(LIBNAME).o $$ALL lib$(LIBNAME).a $(LIBEXTRAS) ); \
-  $(LINK_SO) && rm -f lib$(LIBNAME).o
+  ( echo ld $(LDFLAGS) -r -o $$SHOBJECTS.o $$ALL lib$(LIBNAME).a $(LIBEXTRAS); \
+    ld $(LDFLAGS) -r -o $$SHOBJECTS.o $$ALL $(DSTDIR)/lib$(LIBNAME).a $(LIBEXTRAS) ); \
+  $(LINK_SO) && ( echo rm -f $$SHOBJECTS; rm -f $$SHOBJECTS )

 LINK_SO_A_UNPACKED=	\
  UNPACKDIR=link_tmp.$$$$; rm -rf $$UNPACKDIR; mkdir $$UNPACKDIR; \
-  (cd $$UNPACKDIR; ar x ../lib$(LIBNAME).a) && \
+  (cd $$UNPACKDIR; ar x ../$(DSTDIR)/lib$(LIBNAME).a) && \
  ([ -z "$(LIBEXTRAS)" ] || cp $(LIBEXTRAS) $$UNPACKDIR) && \
  SHOBJECTS=$$UNPACKDIR/*.o; \
  $(LINK_SO) && rm -rf $$UNPACKDIR
@@ -153,7 +169,7 @@ DO_GNU_SO=$(CALC_VERSIONS); \
 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
 	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared -Wl,-Bsymbolic -Wl,-soname=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX"

-DO_GNU_APP=LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"
+DO_GNU_APP=LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,-rpath,$(LIBRPATH)"

 #This is rather special.  It's a special target with which one can link
 #applications without bothering with any features that have anything to
@@ -171,8 +187,8 @@ link_app.gnu:
 	@ $(DO_GNU_APP); $(LINK_APP)

 link_a.linux-shared:
-	@if [ $(LIBNAME) != "crypto" -a $(LIBNAME) != "ssl" ]; then echo libname is $(LIBNAME); sleep 2; $(DO_GNU_SO); else \
-	$(PERL) util/mkdef.pl $(LIBNAME) linux >$(LIBNAME).map; \
+	@if [ $(LIBNAME) != "crypto" -a $(LIBNAME) != "ssl" ]; then $(DO_GNU_SO); else \
+	$(PERL) $(SRCDIR)/util/mkdef.pl $(LIBNAME) linux >$(LIBNAME).map; \
 	$(CALC_VERSIONS); \
 	SHLIB=lib$(LIBNAME).so; \
 	SHLIB_SUFFIX=; \
@@ -203,7 +219,7 @@ link_a.bsd:
 	fi; $(LINK_SO_A)
 link_app.bsd:
 	@if $(DETECT_GNU_LD); then $(DO_GNU_APP); else \
-	LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBPATH)"; \
+	LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,-rpath,$(LIBPATH)"; \
 	fi; $(LINK_APP)

 # For Darwin AKA Mac OS/X (dyld)
@@ -272,7 +288,7 @@ link_o.cygwin:
 	SHLIB_SOVER=${LIBVERSION:+"-$(LIBVERSION)"}; \
 	ALLSYMSFLAGS='-Wl,--whole-archive'; \
 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
-	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared $$base $$deffile -Wl,-s,-Bsymbolic"; \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared $$base $$deffile -Wl,-Bsymbolic"; \
 	$(LINK_SO_O)
 #for mingw target if def-file is in use dll-name should match library-name
 link_a.cygwin:
@@ -288,25 +304,23 @@ link_a.cygwin:
 		esac; \
 		SHLIB_SOVER=32; \
 		extras="$(LIBNAME).def"; \
-		$(PERL) util/mkdef.pl 32 $$SHLIB > $$extras; \
+		$(PERL) $(SRCDIR)/util/mkdef.pl 32 $$SHLIB > $$extras; \
 		base=; [ $(LIBNAME) = "crypto" ] && base=-Wl,--image-base,0x63000000; \
 	fi; \
 	dll_name=$$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX; \
-	$(PERL) util/mkrc.pl $$dll_name | \
-		$(CROSS_COMPILE)windres -o rc.o; \
+	echo "$(PERL) $(SRCDIR)/util/mkrc.pl $$dll_name |" \
+		     "$(CROSS_COMPILE)windres $(SHARED_RCFLAGS) -o rc.o"; \
+	$(PERL) $(SRCDIR)/util/mkrc.pl $$dll_name | \
+		$(CROSS_COMPILE)windres $(SHARED_RCFLAGS) -o rc.o; \
 	extras="$$extras rc.o"; \
 	ALLSYMSFLAGS='-Wl,--whole-archive'; \
 	NOALLSYMSFLAGS='-Wl,--no-whole-archive'; \
-	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared $$base -Wl,-s,-Bsymbolic -Wl,--out-implib,lib$(LIBNAME).dll.a $$extras"; \
-	[ -f apps/$$dll_name ] && rm apps/$$dll_name; \
-	[ -f test/$$dll_name ] && rm test/$$dll_name; \
+	SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -shared $$base -Wl,-Bsymbolic -Wl,--out-implib,lib$(LIBNAME).dll.a $$extras"; \
 	$(LINK_SO_A) || exit 1; \
-	rm $$extras; \
-	cp -p $$dll_name apps/; \
-	cp -p $$dll_name test/
+	rm $$extras
 link_app.cygwin:
 	@if expr "$(CFLAGS)" : '.*OPENSSL_USE_APPLINK' > /dev/null; then \
-		LIBDEPS="$(TOP)/crypto/applink.o $${LIBDEPS:-$(LIBDEPS)}"; \
+		LIBDEPS="$(SRCDIR)/crypto/applink.o $${LIBDEPS:-$(LIBDEPS)}"; \
 		export LIBDEPS; \
 	fi; \
 	$(LINK_APP)
@@ -357,7 +371,7 @@ link_app.alpha-osf1:
 	@if $(DETECT_GNU_LD); then \
 		$(DO_GNU_APP); \
 	else \
-		LDFLAGS="$(CFLAGS) -rpath $(LIBRPATH)"; \
+		LDFLAGS="$(CFLAGS) $(LDFLAGS) -rpath $(LIBRPATH)"; \
 	fi; \
 	$(LINK_APP)

@@ -384,7 +398,12 @@ link_a.solaris:
 		($(CC) -v 2>&1 | grep gcc) > /dev/null && MINUSZ='-Wl,-z,'; \
 		SHLIB=lib$(LIBNAME).so; \
 		SHLIB_SUFFIX=;\
-		ALLSYMSFLAGS="$${MINUSZ}allextract"; \
+		if [ $(LIBNAME) != "crypto" -a $(LIBNAME) != "ssl" ]; then \
+			ALLSYMSFLAGS="$${MINUSZ}allextract"; \
+		else \
+			$(PERL) $(SRCDIR)/util/mkdef.pl $(LIBNAME) linux >$(LIBNAME).map; \
+			ALLSYMSFLAGS="$${MINUSZ}allextract,-M,$(LIBNAME).map"; \
+		fi; \
 		NOALLSYMSFLAGS="$${MINUSZ}defaultextract"; \
 		SHAREDFLAGS="$(CFLAGS) $(SHARED_LDFLAGS) -h $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX -Wl,-Bsymbolic"; \
 	fi; \
@@ -393,7 +412,7 @@ link_app.solaris:
 	@ if $(DETECT_GNU_LD); then \
 		$(DO_GNU_APP); \
 	else \
-		LDFLAGS="$(CFLAGS) -R $(LIBRPATH)"; \
+		LDFLAGS="$(CFLAGS) $(LDFLAGS) -R $(LIBRPATH)"; \
 	fi; \
 	$(LINK_APP)

@@ -488,7 +507,7 @@ link_a.irix:
 	fi; \
 	$(LINK_SO_A)
 link_app.irix:
-	@LDFLAGS="$(CFLAGS) -Wl,-rpath,$(LIBRPATH)"; \
+	@LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,-rpath,$(LIBRPATH)"; \
 	$(LINK_APP)

 # 32-bit PA-RISC HP-UX embeds the -L pathname of libs we link with, so
@@ -527,7 +546,7 @@ link_a.hpux:
 	$(LINK_SO_A) && chmod a=rx $$SHLIB$$SHLIB_SOVER$$SHLIB_SUFFIX
 link_app.hpux:
 	@if $(DETECT_GNU_LD); then $(DO_GNU_APP); else \
-	LDFLAGS="$(CFLAGS) -Wl,+s,+cdp,../:,+cdp,./:,+b,$(LIBRPATH)"; \
+	LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,+s,+cdp,../:,+cdp,./:,+b,$(LIBRPATH)"; \
 	fi; \
 	$(LINK_APP)

@@ -552,7 +571,7 @@ link_a.aix:
 	SHAREDFLAGS='$(CFLAGS) $(SHARED_LDFLAGS) -Wl,-bexpall,-bnolibpath,-bM:SRE'; \
 	$(LINK_SO_A_VIA_O)
 link_app.aix:
-	LDFLAGS="$(CFLAGS) -Wl,-brtl,-blibpath:$(LIBRPATH):$${LIBPATH:-/usr/lib:/lib}"; \
+	LDFLAGS="$(CFLAGS) $(LDFLAGS) -Wl,-brtl,-blibpath:$(LIBRPATH):$${LIBPATH:-/usr/lib:/lib}"; \
 	$(LINK_APP)


--- a/20
+++ b/20
@@ -5,13 +5,13 @@
  This file gives a brief overview of the major changes between each OpenSSL
  release. For more details please read the CHANGES file.

-  Major changes between OpenSSL 1.0.2e and OpenSSL 1.1.0 [in pre-release]
+  Major changes between OpenSSL 1.0.2f and OpenSSL 1.1.0 [in pre-release]

      o Support for ChaCha20 and Poly1305 added to libcrypto and libssl
      o Support for extended master secret
      o CCM ciphersuites
      o Reworked test suite, now based on perl, Test::Harness and Test::More
-      o Varous libcrypto structures made opaque including: BIGNUM, EVP_MD,
+      o Various libcrypto structures made opaque including: BIGNUM, EVP_MD,
        EVP_MD_CTX, HMAC_CTX, EVP_CIPHER and EVP_CIPHER_CTX.
      o libssl internal structures made opaque
      o SSLv2 support removed
@@ -24,11 +24,21 @@
      o Support for OCB mode added to libcrypto
      o Support for asynchronous crypto operations added to libcrypto and libssl
      o Deprecated interfaces can now be disabled at build time either
-        relative to the latest relate via the "no-deprecated" Configure
+        relative to the latest release via the "no-deprecated" Configure
        argument, or via the "--api=1.1.0|1.0.0|0.9.8" option.
      o Application software can be compiled with -DOPENSSL_API_COMPAT=version
-        to ensure that features deprecated before that version are not exposed.
+        to ensure that features deprecated in that version are not exposed.
      o Support for RFC6698/RFC7671 DANE TLSA peer authentication
+      o Change of Configure to use --prefix as the main installation
+        directory location rather than --openssldir.  The latter becomes
+        the directory for certs, private key and openssl.cnf exclusively.
+      o Reworked BIO networking library, with full support for IPv6.
+      o New "unified" build system
+
+  Major changes between OpenSSL 1.0.2e and OpenSSL 1.0.2f [28 Jan 2016]
+
+      o DH small subgroups (CVE-2016-0701)
+      o SSLv2 doesn't block disabled ciphers (CVE-2015-3197)

  Major changes between OpenSSL 1.0.2d and OpenSSL 1.0.2e [3 Dec 2015]

@@ -299,7 +309,7 @@
  Major changes between OpenSSL 0.9.8e and OpenSSL 0.9.8f [11 Oct 2007]:

      o Add gcc 4.2 support.
-      o Add support for AES and SSE2 assembly lanugauge optimization
+      o Add support for AES and SSE2 assembly language optimization
        for VC++ build.
      o Support for RFC4507bis and server name extensions if explicitly 
        selected at compile time.
--- a/Netware/set_env.bat
+++ b/Netware/set_env.bat
@@ -1,7 +1,7 @@
@echo off

 rem ========================================================================
-rem   Batch file to assist in setting up the necessary enviroment for
+rem   Batch file to assist in setting up the necessary environment for
 rem   building OpenSSL for NetWare.
 rem
 rem   usage:
@@ -84,10 +84,10 @@ echo using GNU GCC Compiler
 :info
 echo.

-if "%LIBC_BUILD%" == "Y" echo Enviroment configured for LibC build
+if "%LIBC_BUILD%" == "Y" echo Environment configured for LibC build
 if "%LIBC_BUILD%" == "Y" echo use "netware\build.bat netware-libc ..." 

-if "%CLIB_BUILD%" == "Y" echo Enviroment configured for CLib build
+if "%CLIB_BUILD%" == "Y" echo Environment configured for CLib build
 if "%CLIB_BUILD%" == "Y" echo use "netware\build.bat netware-clib ..." 

 goto end
--- a/7
+++ b/7
@@ -1,5 +1,5 @@

- OpenSSL 1.1.0-pre2 (alpha) 14 Jan 2016
+ OpenSSL 1.1.0-pre3 (alpha) 15 Feb 2016

 Copyright (c) 1998-2016 The OpenSSL Project
 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
@@ -11,7 +11,7 @@
 The OpenSSL Project is a collaborative effort to develop a robust,
 commercial-grade, fully featured, and Open Source toolkit implementing the
 Secure Sockets Layer (SSLv3) and Transport Layer Security (TLS) protocols as
- well as a full-strength general purpose cryptograpic library. The project is
+ well as a full-strength general purpose cryptographic library. The project is
 managed by a worldwide community of volunteers that use the Internet to
 communicate, plan, and develop the OpenSSL toolkit and its related
 documentation.
@@ -53,8 +53,7 @@
        INSTALL.NW      Netware
        INSTALL.OS2     OS/2
        INSTALL.VMS     VMS
-        INSTALL.W32     Windows (32bit)
-        INSTALL.W64     Windows (64bit)
+        INSTALL.WIN     Windows
        INSTALL.WCE     Windows CE

 SUPPORT
--- a/README.PERL
+++ b/README.PERL
@@ -0,0 +1,118 @@
+ TOC
+ ===
+
+ - Notes on Perl
+ - Notes on Perl on Windows
+ - Notes on Perl modules we use
+ - Notes on installing a perl module
+
+ Notes on Perl
+ -------------
+
+ For our scripts, we rely quite a bit on Perl, and increasingly on
+ some core Perl modules.  These Perl modules are part of the Perl
+ source, so if you build Perl on your own, you should be set.
+
+ However, if you install Perl as binary packages, the outcome might
+ differ, and you may have to check that you do get the core modules
+ installed properly.  We do not claim to know them all, but experience
+ has told us the following:
+
+ - on Linux distributions based on Debian, the package 'perl' will
+   install the core Perl modules as well, so you will be fine.
+ - on Linux distributions based on RPMs, you will need to install
+   'perl-core' rather than just 'perl'.
+
+ You MUST have at least Perl version 5.10.0 installed.  This minimum
+ requirement is due to our use of regexp backslash sequence \R among
+ other features that didn't exist in core Perl before that version.
+
+ Notes on Perl on Windows
+ ------------------------
+
+ If you will build on Cygwin (and possibly some other POSIX layers),
+ Perl is already part of your distribution.  Simply use the Cygwin
+ package manager to make sure Perl gets installed.
+
+ Otherwise, you will need to install Perl separately.  The Perl
+ package that we know of is ActiveState Perl, available from
+ http://www.activestate.com/ActivePerl.
+
+ Notes on Perl on VMS
+ --------------------
+
+ You will need to install Perl separately.  One way to do so is to
+ download the source from http://perl.org/, unpacking it, reading
+ README.vms and follow instructions.  Another way is to download a
+ .PCSI file from http://www.vmsperl.com/ and install it using the
+ POLYCENTER install tool.
+
+ Notes on Perl modules we use
+ ----------------------------
+
+ We make increasing use of Perl modules, and do our best to limit
+ ourselves to core Perl modules to keep the requirements down.  There
+ are just a few exceptions:
+
+ Test::More         We require the minimum version to be 0.96, which
+                    appeared in Perl 5.13.4, because that version was
+                    the first to have all the features we're using.
+                    This module is required for testing only!  If you
+                    don't plan on running the tests, you don't need to
+                    bother with this one.
+
+ Text::Template     This module is not part of the core Perl modules.
+                    As a matter of fact, the core Perl modules do not
+                    include any templating module to date.
+                    This module is absolutely needed, configuration
+                    depends on it.
+
+ To avoid unnecessary initial hurdles, we have bundled a copy of the
+ following modules in our source.  They will work as fallbacks if
+ these modules aren't already installed on the system.
+
+    Text::Template
+
+ Notes on installing a perl module
+ ---------------------------------
+
+ There are a number of ways to install a perl module.  In all
+ descriptions below, Text::Template will server as an example.
+
+ 1. for Linux users, the easiest is to install with the use of your
+    favorite package manager.  Usually, all you need to do is search
+    for the module name and to install the package that comes up.
+
+    On Debian based Linux distributions, it would go like this:
+
+        $ apt-cache search Text::Template
+        ...
+        libtext-template-perl - perl module to process text templates
+        $ sudo apt-get install libtext-template-perl
+
+    Perl modules in Debian based distributions use package names like
+    the name of the module in question, with "lib" prepended and
+    "-perl" appended.
+
+ 2. Install using CPAN.  This is very easy, but usually requires root
+    access:
+
+        $ cpan -i Text::Template
+
+    Note that this runs all the tests that the module to be install
+    comes with.  This is usually a smooth operation, but there are
+    platforms where a failure is indicate even though the actual tests
+    were successful.  Should that happen, you can force an
+    installation regardless (that should be safe since you've already
+    seen the tests succeed!):
+
+        $ cpan -f -i Text::Template
+
+    Note: on VMS, you must quote any argument that contains upper case
+    characters, so the lines above would be:
+
+        $ cpan -i "Text::Template"
+
+    and:
+
+        $ cpan -f -i "Text::Template"
--- a/VMS/TODO
+++ b/VMS/TODO
@@ -1,18 +0,0 @@
-TODO:
-=====
-
-There are a few things that need to be worked out in the VMS version of
-OpenSSL, still:
-
- Description files. ("Makefile's" :-))
- Script code to link an already compiled build tree.
- A VMSINSTALlable version (way in the future, unless someone else hacks).
- shareable images (DLL for you Windows folks).
-
-There may be other things that I have missed and that may be desirable.
-Please send mail to <openssl-users@openssl.org> or to me directly if you
-have any ideas.
-
--
-Richard Levitte <richard@levitte.org>
-1999-05-24
--- a/VMS/VMSify-conf.pl
+++ b/VMS/VMSify-conf.pl
@@ -7,7 +7,7 @@ my @directory_vars = ( "dir", "certs", "crl_dir", "new_certs_dir" );
 my @file_vars = ( "database", "certificate", "serial", "crlnumber",
 		  "crl", "private_key", "RANDFILE" );
 while(<STDIN>) {
-    chomp;
+    s|\R$||;
    foreach my $d (@directory_vars) {
 	if (/^(\s*\#?\s*${d}\s*=\s*)\.\/([^\s\#]*)([\s\#].*)$/) {
 	    $_ = "$1sys\\\$disk:\[.$2$3";
--- a/VMS/WISHLIST.TXT
+++ b/VMS/WISHLIST.TXT
@@ -1,4 +0,0 @@
-* Have the building procedure contain a LINK-only possibility.
-  Wished by Mark Daniel <mark.daniel@dsto.defence.gov.au>
-
-  One way to enable that is also to go over to DESCRIP.MMS files.
--- a/engines/alpha.opt
+++ b/engines/alpha.opt
@@ -1 +1,2 @@
+CASE_SENSITIVE=YES
 SYMBOL_VECTOR=(bind_engine=PROCEDURE,v_check=PROCEDURE)
--- a/VMS/install-vms.com
+++ b/VMS/install-vms.com
@@ -1,67 +0,0 @@
-$! install-vms.com -- Installs the files in a given directory tree
-$!
-$! Author: Richard Levitte <richard@levitte.org>
-$! Time of creation: 23-MAY-1998 19:22
-$!
-$! P1	root of the directory tree
-$!
-$!
-$! Announce/identify.
-$!
-$ proc = f$environment( "procedure")
-$ write sys$output "@@@ "+ -
-   f$parse( proc, , , "name")+ f$parse( proc, , , "type")
-$!
-$ on error then goto tidy
-$ on control_c then goto tidy
-$!
-$ if p1 .eqs. ""
-$ then
-$   write sys$output "First argument missing."
-$   write sys$output -
-     "Should be the directory where you want things installed."
-$   exit
-$ endif
-$
-$ if (f$getsyi( "cpu") .lt. 128)
-$ then
-$   arch = "VAX"
-$ else
-$   arch = f$edit( f$getsyi( "arch_name"), "upcase")
-$   if (arch .eqs. "") then arch = "UNK"
-$ endif
-$
-$ root = f$parse( P1, "[]A.;0", , , "SYNTAX_ONLY, NO_CONCEAL")- "A.;0"
-$ root_dev = f$parse( root, , , "device", "syntax_only")
-$ root_dir = f$parse( root, , , "directory", "syntax_only") - -
-   "[000000." - "][" - "[" - "]"
-$ root = root_dev + "[" + root_dir
-$
-$ define /nolog wrk_sslroot 'root'.] /translation_attributes = concealed
-$ define /nolog wrk_sslinclude wrk_sslroot:[include]
-$
-$ if f$parse( "wrk_sslroot:[000000]") .eqs. "" then -
-   create /directory /log wrk_sslroot:[000000]
-$ if f$parse( "wrk_sslinclude:") .eqs. "" then -
-   create /directory /log wrk_sslinclude:
-$ if f$parse( "wrk_sslroot:[vms]") .eqs. "" then -
-   create /directory /log wrk_sslroot:[vms]
-$!
-$ copy /log /protection = world:re openssl_startup.com wrk_sslroot:[vms]
-$ copy /log /protection = world:re openssl_undo.com wrk_sslroot:[vms]
-$ copy /log /protection = world:re openssl_utils.com wrk_sslroot:[vms]
-$!
-$ tidy:
-$!
-$ call deass wrk_sslroot
-$ call deass wrk_sslinclude
-$!
-$ exit
-$!
-$ deass: subroutine
-$ if (f$trnlnm( p1, "LNM$PROCESS") .nes. "")
-$ then
-$   deassign /process 'p1'
-$ endif
-$ endsubroutine
-$!
--- a/VMS/multinet_shr.opt
+++ b/VMS/multinet_shr.opt
@@ -1 +0,0 @@
-multinet:multinet_socket_library.exe/share
--- a/VMS/openssl_shutdown.com.in
+++ b/VMS/openssl_shutdown.com.in
@@ -0,0 +1,59 @@
+$	! OpenSSL shutdown script
+$	!
+$	! This script deassigns the logical names used by the installation
+$	! of OpenSSL.  It can do so at any level, defined by P1.
+$	!
+$	! P1	Qualifier(s) for DEASSIGN.
+$	!	Default: /PROCESS
+$	!
+$	! P2	If the value is "NOALIASES", no alias logical names are
+$	!	deassigned.
+$
+$	status = %x10000001	! Generic success
+$
+$	! In case there's a problem
+$	ON CONTROL_Y THEN GOTO bailout
+$	ON ERROR THEN GOTO bailout
+$
+$	! Find the architecture
+$	IF F$GETSYI("CPU") .LT. 128
+$	THEN
+$	    arch := VAX
+$	ELSE
+$	    arch := F$EDIT(F$GETSYI("ARCH_NAME"),"UPCASE")
+$	    IF arch .EQS. "" THEN GOTO unknown_arch
+$	ENDIF
+$
+$	! Generated information
+$	VERSION := {- $config{version} -}
+$	INSTALLTOP := {- $config{INSTALLTOP} -}
+$	POINTER_SIZE = {- $config{pointersize} -}
+$
+$	! Abbrevs
+$	DEAS := DEASSIGN /NOLOG 'P1'
+$	v    =  VERSION - "." - "."
+$
+$	DEAS OSSL$ROOT'v'
+$	DEAS OSSL$INCLUDE'v'
+$	DEAS OSSL$LIB'v'
+$	DEAS OSSL$SHARE'v'
+$	DEAS OSSL$ENGINES'v'
+$	DEAS OSSL$EXE'v'
+$       {- output_off() if $config{no_shared} -}
+$       {- join("\n\$       ", map { "DEAS $_'v'" } map { $unified_info{sharednames}->{$_} || () } @{$unified_info{libraries}}) -}
+$       {- output_on() -}
+$	IF P2 .NES. "NOALIASES"
+$	THEN
+$	    DEAS OSSL$ROOT
+$	    DEAS OSSL$INCLUDE
+$	    DEAS OSSL$LIB
+$	    DEAS OSSL$SHARE
+$	    DEAS OSSL$ENGINES
+$	    DEAS OSSL$EXE
+$	    DEAS OPENSSL
+$           {- output_off() if $config{no_shared} -}
+$           {- join("\n\$           ", map { "DEAS $_" } map { $unified_info{sharednames}->{$_} || () } @{$unified_info{libraries}}) -}
+$           {- output_on() -}
+$	ENDIF
+$
+$	EXIT 'status'
--- a/VMS/openssl_startup.com
+++ b/VMS/openssl_startup.com
@@ -1,108 +0,0 @@
-$!
-$! Startup file for OpenSSL 1.x.
-$!
-$! 2011-03-05 SMS.
-$!
-$! This procedure must reside in the OpenSSL installation directory.
-$! It will fail if it is copied to a different location.
-$!
-$! P1  qualifier(s) for DEFINE.  For example, "/SYSTEM" to get the
-$!     logical names defined in the system logical name table.
-$!
-$! P2  "64", to use executables which were built with 64-bit pointers.
-$!
-$! Good (default) and bad status values.
-$!
-$ status =    %x00010001 ! RMS$_NORMAL, normal successful completion.
-$ rms_e_fnf = %x00018292 ! RMS$_FNF, file not found.
-$!
-$! Prepare for problems.
-$!
-$ orig_dev_dir = f$environment( "DEFAULT")
-$ on control_y then goto clean_up
-$ on error then goto clean_up
-$!
-$! Determine hardware architecture.
-$!
-$ if (f$getsyi( "cpu") .lt. 128)
-$ then
-$   arch_name = "VAX"
-$ else
-$   arch_name = f$edit( f$getsyi( "arch_name"), "upcase")
-$   if (arch_name .eqs. "") then arch_name = "UNK"
-$ endif
-$!
-$ if (p2 .eqs. "64")
-$ then
-$   arch_name_exe = arch_name+ "_64"
-$ else
-$   arch_name_exe = arch_name
-$ endif
-$!
-$! Derive the OpenSSL installation device:[directory] from the location
-$! of this command procedure.
-$!
-$ proc = f$environment( "procedure")
-$ proc_dev_dir = f$parse( "A.;", proc, , , "no_conceal") - "A.;"
-$ proc_dev = f$parse( proc_dev_dir, , , "device", "syntax_only")
-$ proc_dir = f$parse( proc_dev_dir, , , "directory", "syntax_only") - -
-   ".][000000"- "[000000."- "]["- "["- "]"
-$ proc_dev_dir = proc_dev+ "["+ proc_dir+ "]"
-$ set default 'proc_dev_dir'
-$ set default [-]
-$ ossl_dev_dir = f$environment( "default")
-$!
-$! Check existence of expected directories (to see if this procedure has
-$! been moved away from its proper place).
-$!
-$ if ((f$search( "certs.dir;1") .eqs. "") .or. -
-   (f$search( "include.dir;1") .eqs. "") .or. -
-   (f$search( "private.dir;1") .eqs. "") .or. -
-   (f$search( "vms.dir;1") .eqs. ""))
-$ then
-$    write sys$output -
-      "   Can't find expected common OpenSSL directories in:"
-$    write sys$output "   ''ossl_dev_dir'"
-$    status = rms_e_fnf
-$    goto clean_up
-$ endif
-$!
-$ if ((f$search( "''arch_name_exe'_exe.dir;1") .eqs. "") .or. -
-   (f$search( "''arch_name'_lib.dir;1") .eqs. ""))
-$ then
-$    write sys$output -
-      "   Can't find expected architecture-specific OpenSSL directories in:"
-$    write sys$output "   ''ossl_dev_dir'"
-$    status = rms_e_fnf
-$    goto clean_up
-$ endif
-$!
-$! All seems well (enough).  Define the OpenSSL logical names.
-$!
-$ ossl_root = ossl_dev_dir- "]"+ ".]"
-$ define /translation_attributes = concealed /nolog'p1 SSLROOT 'ossl_root'
-$ define /nolog 'p1' SSLCERTS     sslroot:[certs]
-$ define /nolog 'p1' SSLINCLUDE   sslroot:[include]
-$ define /nolog 'p1' SSLPRIVATE   sslroot:[private]
-$ define /nolog 'p1' SSLEXE       sslroot:['arch_name_exe'_exe]
-$ define /nolog 'p1' SSLLIB       sslroot:['arch_name'_lib]
-$!
-$! Defining OPENSSL lets a C program use "#include <openssl/{foo}.h>":
-$ define /nolog 'p1' OPENSSL      SSLINCLUDE:
-$!
-$! Run a site-specific procedure, if it exists.
-$!
-$ if f$search( "sslroot:[vms]openssl_systartup.com") .nes."" then -
-   @ sslroot:[vms]openssl_systartup.com
-$!
-$! Restore the original default dev:[dir] (if known).
-$!
-$ clean_up:
-$!
-$ if (f$type( orig_dev_dir) .nes. "")
-$ then
-$    set default 'orig_dev_dir'
-$ endif
-$!
-$ EXIT 'status'
-$!
--- a/VMS/openssl_startup.com.in
+++ b/VMS/openssl_startup.com.in
@@ -0,0 +1,115 @@
+$	! OpenSSL startup script
+$	!
+$	! This script defines the logical names used by the installation
+$	! of OpenSSL.  It can provide those logical names at any level,
+$	! defined by P1.
+$	!
+$	! The logical names created are:
+$	!
+$	!	OSSL$ROOTnnn	Installation root
+$	!	OSSL$EXEnnn	Where the executables are located
+$	!	OSSL$LIBnnn	Where the library files are located
+$	!	OSSL$SHAREnnn	Where the sahreable images are located
+$	!	OSSL$INCLUDEnnn	Include directory root
+$	!	OSSL$ENGINESnnn	Where the sahreable images are located
+$	!
+$	! In all these, nnn is the OpenSSL version number.  This allows
+$	! several OpenSSL versions to be installed simultaneously.
+$	!
+$	! In addition, unless P2 is "NOALIASES", these logical names are
+$	! created:
+$	!
+$	!	OSSL$ROOT	Alias for OSSL$ROOTnnn
+$	!	OSSL$EXE	Alias for OSSL$EXEnnn
+$	!	OSSL$LIB	Alias for OSSL$LIBnnn
+$	!	OSSL$SHARE	Alias for OSSL$SHAREnnn
+$	!	OSSL$INCLUDE	Alias for OSSL$INCLUDEnnn
+$	!	OPENSSL		is OSSL$INCLUDE:[OPENSSL]
+$	!	OSSL$ENGINES	Alias for OSSL$ENGINESnnn
+$	!
+$	! P1	Qualifier(s) for DEFINE.  "/SYSTEM" would be typical when
+$	!	calling this script from SYS$STARTUP:SYSTARTUP_VMS.COM,
+$	!	while "/PROCESS" would be typical for a personal install.
+$	!	Default: /PROCESS
+$	!
+$	! P2	If the value is "NOALIASES", no alias logical names are
+$	!	created.
+$
+$	status = %x10000001	! Generic success
+$
+$	! In case there's a problem
+$	ON CONTROL_Y THEN GOTO bailout
+$	ON ERROR THEN GOTO bailout
+$
+$	! Find the architecture
+$	IF F$GETSYI("CPU") .LT. 128
+$	THEN
+$	    arch := VAX
+$	ELSE
+$	    arch := F$EDIT(F$GETSYI("ARCH_NAME"),"UPCASE")
+$	    IF arch .EQS. "" THEN GOTO unknown_arch
+$	ENDIF
+$
+$	! Generated information
+$	VERSION := {- $config{version} -}
+$	INSTALLTOP := {- $config{INSTALLTOP} -}
+$	OPENSSLDIR := {- $config{OPENSSLDIR} -}
+$	POINTER_SIZE = {- $config{pointersize} -}
+$
+$	! Make sure that INSTALLTOP and OPENSSLDIR become something one
+$	! can build concealed logical names on
+$	INSTALLTOP_ = F$PARSE("A.;",INSTALLTOP,,,"NO_CONCEAL") - "A.;" -
+		     - ".][000000" - "[000000." - "][" - "]" + ".]"
+$	OPENSSLDIR_ = F$PARSE("A.;",OPENSSLDIR,,,"NO_CONCEAL") - "A.;" -
+		     - ".][000000" - "[000000." - "][" - "]" + ".]"
+$	DEFINE /TRANSLATION=CONCEALED /NOLOG WRK_INSTALLTOP 'INSTALLTOP_'
+$
+$	! Check that things are in place, and specifically, the stuff
+$	! belonging to this architecture
+$	IF F$SEARCH("WRK_INSTALLTOP:[000000]INCLUDE.DIR;1") .EQS. "" -
+	   .OR. F$SEARCH("WRK_INSTALLTOP:[000000]''arch'.DIR;1") .EQS. "" -
+	   .OR. F$SEARCH("WRK_INSTALLTOP:[''arch']LIB.DIR;1") .EQS. "" -
+	   .OR. F$SEARCH("WRK_INSTALLTOP:[''arch']EXE.DIR;1") .EQS. "" -
+	   .OR. F$SEARCH("WRK_INSTALLTOP:[000000]openssl.cnf;1") .EQS. ""
+$	THEN
+$	    WRITE SYS$ERROR "''INSTALLTOP' doesn't look like an OpenSSL installation for ''arch'"
+$	    status = %x00018292 ! RMS$_FNF, file not found
+$	    GOTO bailout
+$	ENDIF
+$
+$	! Abbrevs
+$	DEFT := DEFINE /TRANSLATION=CONCEALED /NOLOG 'P1'
+$	DEF  := DEFINE /NOLOG 'P1'
+$	v    =  VERSION - "." - "."
+$
+$	DEFT OSSL$INSTROOT'v'	'INSTALLTOP_'
+$	DEFT OSSL$INCLUDE'v'	OSSL$INSTROOT:[INCLUDE.]
+$	DEF  OSSL$LIB'v'	OSSL$INSTROOT:['arch'.LIB]
+$	DEF  OSSL$SHARE'v'	OSSL$INSTROOT:['arch'.LIB]
+$	DEF  OSSL$ENGINES'v'	OSSL$INSTROOT:['arch'.ENGINES]
+$	DEF  OSSL$EXE'v'	OSSL$INSTROOT:['arch'.EXE]
+$       {- output_off() if $config{no_shared} -}
+$       {- join("\n\$       ", map { "DEF  $_'v' OSSL\$SHARE:$_" } map { $unified_info{sharednames}->{$_} || () } @{$unified_info{libraries}}) -}
+$       {- output_on() -}
+$	IF P2 .NES. "NOALIASES"
+$	THEN
+$	    DEF OSSL$INSTROOT	OSSL$INSTROOT'v'
+$	    DEF OSSL$INCLUDE	OSSL$INCLUDE'v'
+$	    DEF OSSL$LIB	OSSL$LIB'v'
+$	    DEF OSSL$SHARE	OSSL$SHARE'v'
+$	    DEF OSSL$ENGINES	OSSL$ENGINES'v'
+$	    DEF OSSL$EXE	OSSL$EXE'v'
+$	    DEF OPENSSL		OSSL$INCLUDE:[OPENSSL]
+$       {- output_off() if $config{no_shared} -}
+$       {- join("\n\$           ", map { "DEF  $_ $_'v'" } map { $unified_info{sharednames}->{$_} || () } @{$unified_info{libraries}}) -}
+$       {- output_on() -}
+$	ENDIF
+$
+$	DEFT OSSL$DATAROOT	'OPENSSLDIR_'
+$	DEF  OSSL$CERTS		OSSL$DATAROOT:[CERTS]
+$	DEF  OSSL$PRIVATE	OSSL$DATAROOT:[PRIVATE]
+$
+$ bailout:
+$	DEASSIGN WRK_INSTALLTOP
+$
+$	EXIT 'status'
--- a/VMS/openssl_undo.com
+++ b/VMS/openssl_undo.com
@@ -1,20 +0,0 @@
-$!
-$! Deassign OpenSSL logical names.
-$!
-$ call deass "OPENSSL" "''p1'"
-$ call deass "SSLCERTS" "''p1'"
-$ call deass "SSLEXE" "''p1'"
-$ call deass "SSLINCLUDE" "''p1'"
-$ call deass "SSLLIB" "''p1'"
-$ call deass "SSLPRIVATE" "''p1'"
-$ call deass "SSLROOT" "''p1'"
-$!
-$ exit
-$!
-$deass: subroutine
-$ if (f$trnlnm( p1) .nes. "")
-$ then
-$    deassign 'p2' 'p1'
-$ endif
-$ endsubroutine
-$!
--- a/VMS/openssl_utils.com
+++ b/VMS/openssl_utils.com
@@ -1,46 +1,12 @@
-$!
-$!  APPS.COM
-$!  Written By:  Robert Byer
-$!               Vice-President
-$!               A-Com Computing, Inc.
-$!               byer@mail.all-net.net
-$!
-$!
-$! Slightly modified by Richard Levitte <richard@levitte.org>
-$!
-$!
-$! Always define OPENSSL.  Others are optional (non-null P1).
-$!
-$ OPENSSL  :== $SSLEXE:OPENSSL
+$	! OpenSSL utilities
+$	!
 $
-$ IF (P1 .NES. "")
-$ THEN
-$     VERIFY   :== $SSLEXE:OPENSSL VERIFY
-$     ASN1PARSE:== $SSLEXE:OPENSSL ASN1PARS
-$! REQ could conflict with REQUEST.
-$     OREQ     :== $SSLEXE:OPENSSL REQ
-$     DGST     :== $SSLEXE:OPENSSL DGST
-$     DH       :== $SSLEXE:OPENSSL DH
-$     ENC      :== $SSLEXE:OPENSSL ENC
-$     GENDH    :== $SSLEXE:OPENSSL GENDH
-$     ERRSTR   :== $SSLEXE:OPENSSL ERRSTR
-$     CA       :== $SSLEXE:OPENSSL CA
-$     CRL      :== $SSLEXE:OPENSSL CRL
-$     RSA      :== $SSLEXE:OPENSSL RSA
-$     DSA      :== $SSLEXE:OPENSSL DSA
-$     DSAPARAM :== $SSLEXE:OPENSSL DSAPARAM
-$     X509     :== $SSLEXE:OPENSSL X509
-$     GENRSA   :== $SSLEXE:OPENSSL GENRSA
-$     GENDSA   :== $SSLEXE:OPENSSL GENDSA
-$     S_SERVER :== $SSLEXE:OPENSSL S_SERVER
-$     S_CLIENT :== $SSLEXE:OPENSSL S_CLIENT
-$     SPEED    :== $SSLEXE:OPENSSL SPEED
-$     S_TIME   :== $SSLEXE:OPENSSL S_TIME
-$     VERSION  :== $SSLEXE:OPENSSL VERSION
-$     PKCS7    :== $SSLEXE:OPENSSL PKCS7
-$     CRL2PKCS7:== $SSLEXE:OPENSSL CRL2P7
-$     SESS_ID  :== $SSLEXE:OPENSSL SESS_ID
-$     CIPHERS  :== $SSLEXE:OPENSSL CIPHERS
-$     NSEQ     :== $SSLEXE:OPENSSL NSEQ
-$     PKCS12   :== $SSLEXE:OPENSSL PKCS12
-$ ENDIF
+$	OPENSSL		:== $OSSL$EXE:OPENSSL
+$
+$	IF F$SYMBOL(PERL) .EQS. "STRING"
+$	THEN
+$	    OSSLCA	:== 'PERL' OSSL$EXE:CA.pl
+$	    OSSLREHASH	:== 'PERL' OSSL$EXE:c_rehash.pl
+$	ELSE
+$	    WRITE SYS$ERROR "NOTE: no perl => no OSSLCA or OSSLREHASH"
+$	ENDIF
--- a/VMS/socketshr_shr.opt
+++ b/VMS/socketshr_shr.opt
@@ -1 +0,0 @@
-socketshr/share
--- a/VMS/tcpip_shr_decc.opt
+++ b/VMS/tcpip_shr_decc.opt
@@ -1 +0,0 @@
-sys$share:tcpip$ipc_shr.exe/share
--- a/VMS/translatesyms.pl
+++ b/VMS/translatesyms.pl
@@ -0,0 +1,55 @@
+#! /usr/bin/perl
+
+# This script will translate any SYMBOL_VECTOR item that has a translation
+# in CXX$DEMANGLER_DB.  The latter is generated by and CC/DECC command that
+# uses the qualifier /REPOSITORY with the build directory as value.  When
+# /NAMES=SHORTENED has been used, this file will hold the translations from
+# the original symbols to the shortened variants.
+#
+# CXX$DEMAGLER_DB. is an ISAM file, but with the magic of RMS, it can be
+# read as a text file, with each record as one line.
+#
+# The lines will have the following syntax for any symbol found that's longer
+# than 31 characters:
+#
+# LONG_symbol_34567890123{cksum}$LONG_symbol_34567890123_more_than_31_chars
+#
+# $ is present at the end of the shortened symbol name, and is preceded by a
+# 7 character checksum.  The $ makes it easy to separate the shortened name
+# from the original one.
+
+use strict;
+use warnings;
+
+usage() if scalar @ARGV < 1;
+
+my %translations = ();
+
+open DEMANGLER_DATA, $ARGV[0]
+    or die "Couldn't open $ARGV[0]: $!\n";
+while(<DEMANGLER_DATA>) {
+    s|\R$||;
+    (my $translated, my $original) = split /\$/;
+    $translations{$original} = $translated.'$';
+}
+close DEMANGLER_DATA;
+
+$| = 1;                         # Autoflush
+while(<STDIN>) {
+    s@
+      ((?:[A-Za-z0-9_]+)\/)?([A-Za-z0-9_]+)=(PROCEDURE|DATA)
+     @
+      if (defined($translations{$2})) {
+          my $trans = $translations{$2};
+          my $trans_uc = uc $trans;
+          if (defined($1) && $trans ne $trans_uc) {
+              "$trans_uc/$trans=$3"
+          } else {
+              "$trans=$3"
+          }
+      } else {
+          $&
+      }
+     @gxe;
+    print $_;
+}
--- a/VMS/ucx_shr_decc.opt
+++ b/VMS/ucx_shr_decc.opt
@@ -1 +0,0 @@
-sys$share:ucx$ipc_shr.exe/share
--- a/VMS/ucx_shr_decc_log.opt
+++ b/VMS/ucx_shr_decc_log.opt
@@ -1 +0,0 @@
-ucx$ipc_shr/share
--- a/VMS/ucx_shr_vaxc.opt
+++ b/VMS/ucx_shr_vaxc.opt
@@ -1 +0,0 @@
-sys$library:ucx$ipc.olb/library
--- a/apps/CA.com
+++ b/apps/CA.com
@@ -1,221 +0,0 @@
-$! CA - wrapper around ca to make it easier to use ... basically ca requires
-$!      some setup stuff to be done before you can use it and this makes
-$!      things easier between now and when Eric is convinced to fix it :-)
-$!
-$! CA -newca ... will setup the right stuff
-$! CA -newreq ... will generate a certificate request 
-$! CA -sign ... will sign the generated request and output 
-$!
-$! At the end of that grab newreq.pem and newcert.pem (one has the key 
-$! and the other the certificate) and cat them together and that is what
-$! you want/need ... I'll make even this a little cleaner later.
-$!
-$! default openssl.cnf file has setup as per the following
-$! demoCA ... where everything is stored
-$
-$ IF F$TYPE(OPENSSL_CONFIG) .EQS. "" THEN OPENSSL_CONFIG := SSLLIB:OPENSSL.CNF
-$
-$ DAYS   = "-days 365"
-$ REQ    = openssl + " req " + OPENSSL_CONFIG
-$ CA     = openssl + " ca " + OPENSSL_CONFIG
-$ VERIFY = openssl + " verify"
-$ X509   = openssl + " x509"
-$ PKCS12 = openssl + " pkcs12"
-$ echo   = "write sys$Output"
-$ RET = 1
-$!
-$! 2010-12-20 SMS.
-$! Use a concealed logical name to reduce command line lengths, to
-$! avoid DCL errors on VAX:
-$!     %DCL-W-TKNOVF, command element is too long - shorten
-$! (Path segments like "openssl-1_0_1-stable-SNAP-20101217" accumulate
-$! quickly.)
-$!
-$ CATOP = F$PARSE( F$ENVIRONMENT( "DEFAULT"), "[]")- "].;"+ ".demoCA.]"
-$ define /translation_attributes = concealed CATOP 'CATOP'
-$!
-$ on error then goto clean_up
-$ on control_y then goto clean_up
-$!
-$ CAKEY  = "CATOP:[private]cakey.pem"
-$ CACERT = "CATOP:[000000]cacert.pem"
-$
-$ __INPUT := SYS$COMMAND
-$!
-$ i = 1
-$opt_loop:
-$ if i .gt. 8 then goto opt_loop_end
-$
-$ prog_opt = F$EDIT(P'i',"lowercase")
-$
-$ IF (prog_opt .EQS. "?" .OR. prog_opt .EQS. "-h" .OR. prog_opt .EQS. "-help") 
-$ THEN
-$   echo "usage: CA -newcert|-newreq|-newca|-sign|-verify" 
-$   goto clean_up
-$ ENDIF
-$!
-$ IF (prog_opt .EQS. "-input")
-$ THEN
-$   ! Get input from somewhere other than SYS$COMMAND
-$   i = i + 1
-$   __INPUT = P'i'
-$   GOTO opt_loop_continue
-$ ENDIF
-$!
-$ IF (prog_opt .EQS. "-newcert")
-$ THEN
-$   ! Create a certificate.
-$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
-$   REQ -new -x509 -keyout newreq.pem -out newreq.pem 'DAYS'
-$   RET=$STATUS
-$   echo "Certificate (and private key) is in newreq.pem"
-$   GOTO opt_loop_continue
-$ ENDIF
-$!
-$ IF (prog_opt .EQS. "-newreq")
-$ THEN
-$   ! Create a certificate request
-$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
-$   REQ -new -keyout newreq.pem -out newreq.pem 'DAYS'
-$   RET=$STATUS
-$   echo "Request (and private key) is in newreq.pem"
-$   GOTO opt_loop_continue
-$ ENDIF
-$!
-$ IF (prog_opt .EQS. "-newca")
-$ THEN
-$   ! If explicitly asked for or it doesn't exist then setup the directory
-$   ! structure that Eric likes to manage things.
-$   IF F$SEARCH( "CATOP:[000000]serial.") .EQS. ""
-$   THEN
-$     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[000000]
-$     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[certs]
-$     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[crl]
-$     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[newcerts]
-$     CREATE /DIRECTORY /PROTECTION=OWNER:RWED CATOP:[private]
-$
-$     OPEN /WRITE ser_file CATOP:[000000]serial. 
-$     WRITE ser_file "01"
-$     CLOSE ser_file
-$     APPEND /NEW_VERSION NL: CATOP:[000000]index.txt
-$
-$     ! The following is to make sure access() doesn't get confused.  It
-$     ! really needs one file in the directory to give correct answers...
-$     COPY NLA0: CATOP:[certs].;
-$     COPY NLA0: CATOP:[crl].;
-$     COPY NLA0: CATOP:[newcerts].;
-$     COPY NLA0: CATOP:[private].;
-$   ENDIF
-$!
-$   IF F$SEARCH( CAKEY) .EQS. ""
-$   THEN
-$     READ '__INPUT' FILE -
-       /PROMPT="CA certificate filename (or enter to create): "
-$     IF (FILE .NES. "") .AND. (F$SEARCH(FILE) .NES. "")
-$     THEN
-$       COPY 'FILE' 'CAKEY'
-$       RET=$STATUS
-$     ELSE
-$       echo "Making CA certificate ..."
-$       DEFINE /USER_MODE SYS$INPUT '__INPUT'
-$       REQ -new -x509 -keyout 'CAKEY' -out 'CACERT' 'DAYS'
-$       RET=$STATUS
-$     ENDIF
-$   ENDIF
-$   GOTO opt_loop_continue
-$ ENDIF
-$!
-$ IF (prog_opt .EQS. "-pkcs12")
-$ THEN
-$   i = i + 1
-$   cname = P'i'
-$   IF cname .EQS. "" THEN cname = "My certificate"
-$   PKCS12 -in newcert.pem -inkey newreq.pem -certfile 'CACERT' -
-     -out newcert.p12 -export -name "''cname'"
-$   RET=$STATUS
-$   goto clean_up
-$ ENDIF
-$!
-$ IF (prog_opt .EQS. "-xsign")
-$ THEN
-$!
-$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
-$   CA -policy policy_anything -infiles newreq.pem
-$   RET=$STATUS
-$   GOTO opt_loop_continue
-$ ENDIF
-$!
-$ IF ((prog_opt .EQS. "-sign") .OR. (prog_opt .EQS. "-signreq"))
-$ THEN
-$!   
-$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
-$   CA -policy policy_anything -out newcert.pem -infiles newreq.pem
-$   RET=$STATUS
-$   type newcert.pem
-$   echo "Signed certificate is in newcert.pem"
-$   GOTO opt_loop_continue
-$ ENDIF
-$!
-$ IF (prog_opt .EQS. "-signcert")
-$  THEN
-$!   
-$   echo "Cert passphrase will be requested twice - bug?"
-$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
-$   X509 -x509toreq -in newreq.pem -signkey newreq.pem -out tmp.pem
-$   DEFINE /USER_MODE SYS$INPUT '__INPUT'
-$   CA -policy policy_anything -out newcert.pem -infiles tmp.pem
-y
-y
-$   type newcert.pem
-$   echo "Signed certificate is in newcert.pem"
-$   GOTO opt_loop_continue
-$ ENDIF
-$!
-$ IF (prog_opt .EQS. "-verify")
-$ THEN
-$!   
-$   i = i + 1
-$   IF (p'i' .EQS. "")
-$   THEN
-$     DEFINE /USER_MODE SYS$INPUT '__INPUT'
-$     VERIFY "-CAfile" 'CACERT' newcert.pem
-$   ELSE
-$     j = i
-$    verify_opt_loop:
-$     IF j .GT. 8 THEN GOTO verify_opt_loop_end
-$     IF p'j' .NES. ""
-$     THEN 
-$       DEFINE /USER_MODE SYS$INPUT '__INPUT'
-$       __tmp = p'j'
-$       VERIFY "-CAfile" 'CACERT' '__tmp'
-$       tmp=$STATUS
-$       IF tmp .NE. 0 THEN RET=tmp
-$     ENDIF
-$     j = j + 1
-$     GOTO verify_opt_loop
-$    verify_opt_loop_end:
-$   ENDIF
-$   
-$   GOTO opt_loop_end
-$ ENDIF
-$!
-$ IF (prog_opt .NES. "")
-$ THEN
-$!   
-$   echo "Unknown argument ''prog_opt'"
-$   RET = 3
-$   goto clean_up
-$ ENDIF
-$
-$opt_loop_continue:
-$ i = i + 1
-$ GOTO opt_loop
-$
-$opt_loop_end:
-$!
-$clean_up:
-$!
-$ if f$trnlnm( "CATOP", "LNM$PROCESS") .nes. "" then -
-   deassign /process CATOP
-$!
-$ EXIT 'RET'
--- a/apps/CA.pl.in
+++ b/apps/CA.pl.in
@@ -1,8 +1,8 @@
-#!/usr/bin/perl
+#!{- $config{perl} -}
 #
 # Wrapper around the ca to make it easier to use
-# Edit CA.pl.in not CA.pl!
-
+#
+# {- join("\n# ", @autowarntext) -}

 use strict;
 use warnings;
@@ -120,9 +120,9 @@ if ($WHAT eq '-newcert' ) {
    close OUT;
    # ask user for existing CA certificate
    print "CA certificate filename (or enter to create)\n";
-    $FILE = <STDIN>;
-    chop $FILE if $FILE;
-    if ($FILE) {
+    $FILE = "" unless defined($FILE = <STDIN>);
+    $FILE =~ s{\R$}{};
+    if ($FILE ne "") {
        copy_pemfile($FILE,"${CATOP}/private/$CAKEY", "PRIVATE");
        copy_pemfile($FILE,"${CATOP}/$CACERT", "CERTIFICATE");
    } else {
--- a/apps/Makefile.in
+++ b/apps/Makefile.in
@@ -11,7 +11,7 @@ MAKEFILE=	Makefile
 PERL=		perl
 RM=		rm -f

-PEX_LIBS=
+PLIB_LDFLAG=
 EX_LIBS= 
 EXE_EXT= 

@@ -50,7 +50,7 @@ SRC	= \
 	genpkey.c genrsa.c nseq.c ocsp.c passwd.c pkcs12.c pkcs7.c pkcs8.c \
 	pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c rsa.c rsautl.c \
 	s_client.c s_server.c s_time.c sess_id.c smime.c speed.c spkac.c \
-	srp.c ts.c verify.c version.c x509.c
+	srp.c ts.c verify.c version.c x509.c rehash.c

 EXE_OBJ	= openssl.o $(OBJ) $(EXTRA_OBJ) $(RAND_OBJ)
 EXE_SRC = openssl.c $(SRC) $(EXTRA_SRC) $(RAND_SRC)
@@ -63,10 +63,12 @@ ALL=    $(GENERAL) $(EXE_SRC) $(HEADER)
 top:
 	@(cd ..; $(MAKE) DIRS=$(DIR) all)

-all:	exe
+all:	exe scripts

 exe:	$(EXE)

+scripts: $(SCRIPTS)
+
 openssl-vms.cnf: openssl.cnf
 	$(PERL) $(TOP)/VMS/VMSify-conf.pl < openssl.cnf > openssl-vms.cnf

@@ -78,52 +80,38 @@ install:
 	@set -e; for i in $(EXE); \
 	do  \
 	(echo installing $$i; \
-	 cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
-	 chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
-	 mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
+	 cp $$i $(DESTDIR)$(INSTALLTOP)/bin/$$i.new; \
+	 chmod 755 $(DESTDIR)$(INSTALLTOP)/bin/$$i.new; \
+	 mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$i.new $(DESTDIR)$(INSTALLTOP)/bin/$$i ); \
 	 done;
 	@set -e; for i in $(SCRIPTS); \
 	do  \
 	(echo installing $$i; \
-	 cp $$i $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
-	 chmod 755 $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
-	 mv -f $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i ); \
+	 cp $$i $(DESTDIR)$(OPENSSLDIR)/misc/$$i.new; \
+	 chmod 755 $(DESTDIR)$(OPENSSLDIR)/misc/$$i.new; \
+	 mv -f $(DESTDIR)$(OPENSSLDIR)/misc/$$i.new $(DESTDIR)$(OPENSSLDIR)/misc/$$i ); \
 	 done
-	@cp openssl.cnf $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \
-	chmod 644 $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \
-	mv -f  $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf
+	@cp openssl.cnf $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new; \
+	chmod 644 $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new; \
+	mv -f  $(DESTDIR)$(OPENSSLDIR)/openssl.cnf.new $(DESTDIR)$(OPENSSLDIR)/openssl.cnf

 uninstall:
 	@set -e; for i in $(EXE); \
 	do  \
-		echo $(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
-		$(RM) $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
+		echo $(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$i; \
+		$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$i; \
 	done;
 	@set -e; for i in $(SCRIPTS); \
 	do  \
-		echo $(RM) $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i; \
-		$(RM) $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i; \
+		echo $(RM) $(DESTDIR)$(OPENSSLDIR)/misc/$$i; \
+		$(RM) $(DESTDIR)$(OPENSSLDIR)/misc/$$i; \
 	done
-	$(RM) $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf
+	$(RM) $(DESTDIR)$(OPENSSLDIR)/openssl.cnf

-tags:
-	ctags $(EXE_SRC) $(HEADER)
+generate: openssl-vms.cnf progs.h

-tests:
-
-lint:
-	echo nope >fluff
-
-update: openssl-vms.cnf local_depend
-
-depend: local_depend
-	@if [ -z "$(THIS)" ]; then $(MAKE) -f $(TOP)/Makefile reflect THIS=$@; fi
-local_depend:
-	@[ -z "$(THIS)" ] || $(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(EXE_SRC)
-
-dclean:
-	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
-	mv -f Makefile.new $(MAKEFILE)
+depend:
+	$(TOP)/util/domd $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(EXE_SRC)

 clean:
 	rm -f *.o *.obj *.dll lib tags core .pure .nfs* *.old *.bak fluff $(EXE)
@@ -135,7 +123,7 @@ $(DLIBSSL):
 $(DLIBCRYPTO):
 	(cd ..; $(MAKE) build_libcrypto)

-$(EXE): progs.h $(EXE_OBJ) $(DLIBCRYPTO) $(DLIBSSL)
+$(EXE): $(EXE_OBJ) $(DLIBCRYPTO) $(DLIBSSL)
 	$(RM) $(EXE)
 	shlib_target=; if [ -n "$(SHARED_LIBS)" ]; then \
 		shlib_target="$(SHLIB_TARGET)"; \
@@ -143,12 +131,17 @@ $(EXE): progs.h $(EXE_OBJ) $(DLIBCRYPTO) $(DLIBSSL)
 	LIBRARIES="$(LIBSSL) $(LIBCRYPTO)" ; \
 	$(MAKE) -f $(TOP)/Makefile.shared -e \
 		APPNAME=$(EXE) OBJECTS="$(EXE_OBJ)" \
-		LIBDEPS="$(PEX_LIBS) $$LIBRARIES $(EX_LIBS)" \
+		LDFLAG="$(LDFLAG)" \
+		LIBDEPS="$(PLIB_LDFLAG) $$LIBRARIES $(EX_LIBS)" \
 		link_app.$${shlib_target}

-progs.h: progs.pl Makefile
+progs.h: progs.pl Makefile.in
 	$(RM) progs.h
-	$(PERL) progs.pl $(COMMANDS) >progs.h
-	$(RM) openssl.o
+	$(PERL) progs.pl $(EXE_SRC) > progs.h
+
+CA.pl: CA.pl.in
+	$(PERL) -I$(TOP) -Mconfigdata $(TOP)/util/dofile.pl -oapps/Makefile CA.pl.in > CA.pl.new
+	mv CA.pl.new CA.pl
+

 # DO NOT DELETE THIS LINE -- make depend depends on it.
--- a/apps/app_rand.c
+++ b/apps/app_rand.c
@@ -126,6 +126,7 @@ int app_RAND_load_file(const char *file, int dont_warn)

    if (file == NULL)
        file = RAND_file_name(buffer, sizeof buffer);
+#ifndef OPENSSL_NO_EGD
    else if (RAND_egd(file) > 0) {
        /*
         * we try if the given filename is an EGD socket. if it is, we don't
@@ -134,6 +135,7 @@ int app_RAND_load_file(const char *file, int dont_warn)
        egdsocket = 1;
        return 1;
    }
+#endif
    if (file == NULL || !RAND_load_file(file, -1)) {
        if (RAND_status() == 0) {
            if (!dont_warn) {
@@ -161,7 +163,9 @@ long app_RAND_load_files(char *name)
    char *p, *n;
    int last;
    long tot = 0;
+#ifndef OPENSSL_NO_EGD
    int egd;
+#endif

    for (;;) {
        last = 0;
@@ -174,10 +178,12 @@ long app_RAND_load_files(char *name)
        if (*n == '\0')
            break;

+#ifndef OPENSSL_NO_EGD
        egd = RAND_egd(n);
        if (egd > 0)
            tot += egd;
        else
+#endif
            tot += RAND_load_file(n, -1);
        if (last)
            break;
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -183,7 +183,7 @@ int chopup_args(ARGS *arg, char *buf)

    for (p = buf;;) {
        /* Skip whitespace. */
-        while (*p && isspace(*p))
+        while (*p && isspace(_UC(*p)))
            p++;
        if (!*p)
            break;
@@ -207,7 +207,7 @@ int chopup_args(ARGS *arg, char *buf)
                p++;
            *p++ = '\0';
        } else {
-            while (*p && !isspace(*p))
+            while (*p && !isspace(_UC(*p)))
                p++;
            if (*p)
                *p++ = '\0';
@@ -763,20 +763,22 @@ EVP_PKEY *load_key(const char *file, int format, int maybe_stdin,
        BIO_printf(bio_err, "no keyfile specified\n");
        goto end;
    }
-#ifndef OPENSSL_NO_ENGINE
    if (format == FORMAT_ENGINE) {
-        if (!e)
+        if (e == NULL)
            BIO_printf(bio_err, "no engine specified\n");
        else {
+#ifndef OPENSSL_NO_ENGINE
            pkey = ENGINE_load_private_key(e, file, ui_method, &cb_data);
-            if (!pkey) {
+            if (pkey == NULL) {
                BIO_printf(bio_err, "cannot load %s from engine\n", key_descrip);
                ERR_print_errors(bio_err);
            }
+#else
+            BIO_printf(bio_err, "engines not supported\n");
+#endif
        }
        goto end;
    }
-#endif
    if (file == NULL && maybe_stdin) {
        unbuffer(stdin);
        key = dup_bio_in(format);
@@ -831,15 +833,22 @@ EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
        BIO_printf(bio_err, "no keyfile specified\n");
        goto end;
    }
-#ifndef OPENSSL_NO_ENGINE
    if (format == FORMAT_ENGINE) {
-        if (!e)
+        if (e == NULL)
            BIO_printf(bio_err, "no engine specified\n");
-        else
+        else {
+#ifndef OPENSSL_NO_ENGINE
            pkey = ENGINE_load_public_key(e, file, ui_method, &cb_data);
+            if (pkey == NULL) {
+                BIO_printf(bio_err, "cannot load %s from engine\n", key_descrip);
+                ERR_print_errors(bio_err);
+            }
+#else
+            BIO_printf(bio_err, "engines not supported\n");
+#endif
+        }
        goto end;
    }
-#endif
    if (file == NULL && maybe_stdin) {
        unbuffer(stdin);
        key = dup_bio_in(format);
@@ -850,8 +859,8 @@ EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
    if (format == FORMAT_ASN1) {
        pkey = d2i_PUBKEY_bio(key, NULL);
    }
-#ifndef OPENSSL_NO_RSA
    else if (format == FORMAT_ASN1RSA) {
+#ifndef OPENSSL_NO_RSA
        RSA *rsa;
        rsa = d2i_RSAPublicKey_bio(key, NULL);
        if (rsa) {
@@ -860,8 +869,12 @@ EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
                EVP_PKEY_set1_RSA(pkey, rsa);
            RSA_free(rsa);
        } else
+#else
+        BIO_printf(bio_err, "RSA keys not supported\n");
+#endif
            pkey = NULL;
    } else if (format == FORMAT_PEMRSA) {
+#ifndef OPENSSL_NO_RSA
        RSA *rsa;
        rsa = PEM_read_bio_RSAPublicKey(key, NULL,
                                        (pem_password_cb *)password_callback,
@@ -872,9 +885,11 @@ EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
                EVP_PKEY_set1_RSA(pkey, rsa);
            RSA_free(rsa);
        } else
+#else
+        BIO_printf(bio_err, "RSA keys not supported\n");
+#endif
            pkey = NULL;
    }
-#endif
    else if (format == FORMAT_PEM) {
        pkey = PEM_read_bio_PUBKEY(key, NULL,
                                   (pem_password_cb *)password_callback,
@@ -921,13 +936,13 @@ static int load_certs_crls(const char *file, int format,

    BIO_free(bio);

-    if (pcerts) {
+    if (pcerts && *pcerts == NULL) {
        *pcerts = sk_X509_new_null();
        if (!*pcerts)
            goto end;
    }

-    if (pcrls) {
+    if (pcrls && *pcrls == NULL) {
        *pcrls = sk_X509_CRL_new_null();
        if (!*pcrls)
            goto end;
@@ -986,24 +1001,22 @@ void* app_malloc(int sz, const char *what)
    return vp;
 }

-
-
-STACK_OF(X509) *load_certs(const char *file, int format,
-                           const char *pass, ENGINE *e, const char *desc)
+/*
+ * Initialize or extend, if *certs != NULL,  a certificate stack.
+ */
+int load_certs(const char *file, STACK_OF(X509) **certs, int format,
+               const char *pass, ENGINE *e, const char *desc)
 {
-    STACK_OF(X509) *certs;
-    if (!load_certs_crls(file, format, pass, e, desc, &certs, NULL))
-        return NULL;
-    return certs;
+    return load_certs_crls(file, format, pass, e, desc, certs, NULL);
 }

-STACK_OF(X509_CRL) *load_crls(const char *file, int format,
-                              const char *pass, ENGINE *e, const char *desc)
+/*
+ * Initialize or extend, if *crls != NULL,  a certificate stack.
+ */
+int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format,
+              const char *pass, ENGINE *e, const char *desc)
 {
-    STACK_OF(X509_CRL) *crls;
-    if (!load_certs_crls(file, format, pass, e, desc, NULL, &crls))
-        return NULL;
-    return crls;
+    return load_certs_crls(file, format, pass, e, desc, NULL, crls);
 }

 #define X509V3_EXT_UNKNOWN_MASK         (0xfL << 16)
@@ -1909,7 +1922,11 @@ int bio_to_mem(unsigned char **out, int maxlen, BIO *in)
        else
            len = 1024;
        len = BIO_read(in, tbuf, len);
-        if (len <= 0)
+        if (len < 0) {
+            BIO_free(mem);
+            return -1;
+        }
+        if (len == 0)
            break;
        if (BIO_write(mem, tbuf, len) != len) {
            BIO_free(mem);
@@ -1926,7 +1943,7 @@ int bio_to_mem(unsigned char **out, int maxlen, BIO *in)
    return ret;
 }

-int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value)
+int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value)
 {
    int rv;
    char *stmp, *vtmp = NULL;
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -1,4 +1,3 @@
-/* apps/apps.h */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -139,6 +138,24 @@
 #  define openssl_fdset(a,b) FD_SET(a, b)
 # endif

+# if defined(__STDC_VERSION__) && __STDC_VERSION__ >= 199901L && \
+     defined(INTMAX_MAX) && defined(UINTMAX_MAX)
+int opt_imax(const char *value, intmax_t *result);
+int opt_umax(const char *value, uintmax_t *result);
+# else
+#  define opt_imax opt_long
+#  define opt_umax opt_ulong
+#  define intmax_t long
+#  define uintmax_t unsigned long
+# endif
+
+/*
+ * quick macro when you need to pass an unsigned char instead of a char.
+ * this is true for some implementations of the is*() functions, for
+ * example.
+ */
+#define _UC(c) ((unsigned char)(c))
+
 int app_RAND_load_file(const char *file, int dont_warn);
 int app_RAND_write_file(const char *file);
 /*
@@ -182,34 +199,51 @@ void wait_for_async(SSL *s);
        OPT_V__LAST

 # define OPT_V_OPTIONS \
-        { "policy", OPT_V_POLICY, 's' }, \
-        { "purpose", OPT_V_PURPOSE, 's' }, \
-        { "verify_name", OPT_V_VERIFY_NAME, 's' }, \
-        { "verify_depth", OPT_V_VERIFY_DEPTH, 'p' }, \
-        { "attime", OPT_V_ATTIME, 'M' }, \
-        { "verify_hostname", OPT_V_VERIFY_HOSTNAME, 's' }, \
-        { "verify_email", OPT_V_VERIFY_EMAIL, 's' }, \
-        { "verify_ip", OPT_V_VERIFY_IP, 's' }, \
-        { "ignore_critical", OPT_V_IGNORE_CRITICAL, '-' }, \
-        { "issuer_checks", OPT_V_ISSUER_CHECKS, '-' }, \
-        { "crl_check", OPT_V_CRL_CHECK, '-', "Check that peer cert has not been revoked" }, \
-        { "crl_check_all", OPT_V_CRL_CHECK_ALL, '-', "Also check all certs in the chain" }, \
-        { "policy_check", OPT_V_POLICY_CHECK, '-' }, \
-        { "explicit_policy", OPT_V_EXPLICIT_POLICY, '-' }, \
-        { "inhibit_any", OPT_V_INHIBIT_ANY, '-' }, \
-        { "inhibit_map", OPT_V_INHIBIT_MAP, '-' }, \
-        { "x509_strict", OPT_V_X509_STRICT, '-' }, \
-        { "extended_crl", OPT_V_EXTENDED_CRL, '-' }, \
-        { "use_deltas", OPT_V_USE_DELTAS, '-' }, \
-        { "policy_print", OPT_V_POLICY_PRINT, '-' }, \
-        { "check_ss_sig", OPT_V_CHECK_SS_SIG, '-' }, \
-        { "trusted_first", OPT_V_TRUSTED_FIRST, '-', "Use locally-trusted CA's first in building chain" }, \
-        { "suiteB_128_only", OPT_V_SUITEB_128_ONLY, '-' }, \
-        { "suiteB_128", OPT_V_SUITEB_128, '-' }, \
-        { "suiteB_192", OPT_V_SUITEB_192, '-' }, \
-        { "partial_chain", OPT_V_PARTIAL_CHAIN, '-' }, \
-        { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "Only use the first cert chain found" }, \
-        { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "Do not check validity against current time" }
+        { "policy", OPT_V_POLICY, 's', "adds policy to the acceptable policy set"}, \
+        { "purpose", OPT_V_PURPOSE, 's', \
+            "certificate chain purpose"}, \
+        { "verify_name", OPT_V_VERIFY_NAME, 's', "verification policy name"}, \
+        { "verify_depth", OPT_V_VERIFY_DEPTH, 'p', \
+            "chain depth limit"}, \
+        { "attime", OPT_V_ATTIME, 'M', "verification epoch time" }, \
+        { "verify_hostname", OPT_V_VERIFY_HOSTNAME, 's', \
+            "expected peer hostname" }, \
+        { "verify_email", OPT_V_VERIFY_EMAIL, 's', \
+            "expected peer email" }, \
+        { "verify_ip", OPT_V_VERIFY_IP, 's', \
+            "expected peer IP address" }, \
+        { "ignore_critical", OPT_V_IGNORE_CRITICAL, '-', \
+            "permit unhandled critical extensions"}, \
+        { "issuer_checks", OPT_V_ISSUER_CHECKS, '-', "(deprecated)"}, \
+        { "crl_check", OPT_V_CRL_CHECK, '-', "check leaf certificate revocation" }, \
+        { "crl_check_all", OPT_V_CRL_CHECK_ALL, '-', "check full chain revocation" }, \
+        { "policy_check", OPT_V_POLICY_CHECK, '-', "perform rfc5280 policy checks"}, \
+        { "explicit_policy", OPT_V_EXPLICIT_POLICY, '-', \
+            "set policy variable require-explicit-policy"}, \
+        { "inhibit_any", OPT_V_INHIBIT_ANY, '-', \
+            "set policy variable inihibit-any-policy"}, \
+        { "inhibit_map", OPT_V_INHIBIT_MAP, '-', \
+            "set policy variable inihibit-policy-mapping"}, \
+        { "x509_strict", OPT_V_X509_STRICT, '-', \
+            "disable certificate compatibility work-arounds"}, \
+        { "extended_crl", OPT_V_EXTENDED_CRL, '-', \
+            "enable extended CRL features"}, \
+        { "use_deltas", OPT_V_USE_DELTAS, '-', \
+            "use delta CRLs"}, \
+        { "policy_print", OPT_V_POLICY_PRINT, '-', \
+            "print policy processing diagnostics"}, \
+        { "check_ss_sig", OPT_V_CHECK_SS_SIG, '-', \
+            "check root CA self-signatures"}, \
+        { "trusted_first", OPT_V_TRUSTED_FIRST, '-', \
+            "search trust store first (default)" }, \
+        { "suiteB_128_only", OPT_V_SUITEB_128_ONLY, '-', "Suite B 128-bit-only mode"}, \
+        { "suiteB_128", OPT_V_SUITEB_128, '-', \
+            "Suite B 128-bit mode allowing 192-bit algorithms"}, \
+        { "suiteB_192", OPT_V_SUITEB_192, '-', "Suite B 192-bit-only mode" }, \
+        { "partial_chain", OPT_V_PARTIAL_CHAIN, '-', \
+            "accept chains anchored by intermediate trust-store CAs"}, \
+        { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "(deprecated)" }, \
+        { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "ignore certificate validity time" }

 # define OPT_V_CASES \
        OPT_V__FIRST: case OPT_V__LAST: break; \
@@ -252,12 +286,15 @@ void wait_for_async(SSL *s);
        OPT_X__LAST

 # define OPT_X_OPTIONS \
-        { "xkey", OPT_X_KEY, '<' }, \
-        { "xcert", OPT_X_CERT, '<' }, \
-        { "xchain", OPT_X_CHAIN, '<' }, \
-        { "xchain_build", OPT_X_CHAIN_BUILD, '-' }, \
-        { "xcertform", OPT_X_CERTFORM, 'F' }, \
-        { "xkeyform", OPT_X_KEYFORM, 'F' }
+        { "xkey", OPT_X_KEY, '<', "key for Extended certificates"}, \
+        { "xcert", OPT_X_CERT, '<', "cert for Extended certificates"}, \
+        { "xchain", OPT_X_CHAIN, '<', "chain for Extended certificates"}, \
+        { "xchain_build", OPT_X_CHAIN_BUILD, '-', \
+            "build certificate chain for the extended certificates"}, \
+        { "xcertform", OPT_X_CERTFORM, 'F', \
+            "format of Extended certificate (PEM or DER) PEM default " }, \
+        { "xkeyform", OPT_X_KEYFORM, 'F', \
+            "format of Exnteded certificate's key (PEM or DER) PEM default"}

 # define OPT_X_CASES \
        OPT_X__FIRST: case OPT_X__LAST: break; \
@@ -275,28 +312,34 @@ void wait_for_async(SSL *s);
 # define OPT_S_ENUM \
        OPT_S__FIRST=3000, \
        OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1, OPT_S_NOTLS1_2, \
-        OPT_S_BUGS, OPT_S_NOCOMP, OPT_S_ECDHSINGLE, OPT_S_NOTICKET, \
+        OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_NOTICKET, \
        OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_LEGACYCONN, \
        OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_STRICT, OPT_S_SIGALGS, \
        OPT_S_CLIENTSIGALGS, OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, \
-        OPT_S_DHPARAM, OPT_S_DEBUGBROKE, \
+        OPT_S_DHPARAM, OPT_S_DEBUGBROKE, OPT_S_COMP, \
        OPT_S__LAST

 # define OPT_S_OPTIONS \
-        {"no_ssl3", OPT_S_NOSSL3, '-' }, \
-        {"no_tls1", OPT_S_NOTLS1, '-' }, \
-        {"no_tls1_1", OPT_S_NOTLS1_1, '-' }, \
-        {"no_tls1_2", OPT_S_NOTLS1_2, '-' }, \
-        {"bugs", OPT_S_BUGS, '-' }, \
-        {"no_comp", OPT_S_NOCOMP, '-', "Don't use SSL/TLS-level compression" }, \
-        {"ecdh_single", OPT_S_ECDHSINGLE, '-' }, \
-        {"no_ticket", OPT_S_NOTICKET, '-' }, \
-        {"serverpref", OPT_S_SERVERPREF, '-' }, \
-        {"legacy_renegotiation", OPT_S_LEGACYRENEG, '-' }, \
-        {"legacy_server_connect", OPT_S_LEGACYCONN, '-' }, \
-        {"no_resumption_on_reneg", OPT_S_ONRESUMP, '-' }, \
-        {"no_legacy_server_connect", OPT_S_NOLEGACYCONN, '-' }, \
-        {"strict", OPT_S_STRICT, '-' }, \
+        {"no_ssl3", OPT_S_NOSSL3, '-',"Just disable SSLv3" }, \
+        {"no_tls1", OPT_S_NOTLS1, '-', "Just disable TLSv1"}, \
+        {"no_tls1_1", OPT_S_NOTLS1_1, '-', "Just disable TLSv1.1" }, \
+        {"no_tls1_2", OPT_S_NOTLS1_2, '-', "Just disable TLSv1.2"}, \
+        {"bugs", OPT_S_BUGS, '-', "Turn on SSL bug compatibility"}, \
+        {"no_comp", OPT_S_NO_COMP, '-', "Disable SSL/TLS compression (default)" }, \
+        {"comp", OPT_S_COMP, '-', "Use SSL/TLS-level compression" }, \
+        {"no_ticket", OPT_S_NOTICKET, '-', \
+            "Disable use of TLS session tickets"}, \
+        {"serverpref", OPT_S_SERVERPREF, '-', "Use server's cipher preferences"}, \
+        {"legacy_renegotiation", OPT_S_LEGACYRENEG, '-', \
+            "Enable use of legacy renegotiation (dangerous)"}, \
+        {"legacy_server_connect", OPT_S_LEGACYCONN, '-', \
+            "Allow initial connection to servers that don't support RI"}, \
+        {"no_resumption_on_reneg", OPT_S_ONRESUMP, '-', \
+            "Disallow session resumption on renegotiation"}, \
+        {"no_legacy_server_connect", OPT_S_NOLEGACYCONN, '-', \
+            "Disallow initial connection to servers that don't support RI"}, \
+        {"strict", OPT_S_STRICT, '-', \
+            "Enforce strict certificate checks as per TLS standard"}, \
        {"sigalgs", OPT_S_SIGALGS, 's', \
            "Signature algorithms to support (colon-separated list)" }, \
        {"client_sigalgs", OPT_S_CLIENTSIGALGS, 's', \
@@ -306,9 +349,11 @@ void wait_for_async(SSL *s);
            "Elliptic curves to advertise (colon-separated list)" }, \
        {"named_curve", OPT_S_NAMEDCURVE, 's', \
            "Elliptic curve used for ECDHE (server-side only)" }, \
-        {"cipher", OPT_S_CIPHER, 's', }, \
-        {"dhparam", OPT_S_DHPARAM, '<' }, \
-        {"debug_broken_protocol", OPT_S_DEBUGBROKE, '-' }
+        {"cipher", OPT_S_CIPHER, 's', "Specify cipher list to be used"}, \
+        {"dhparam", OPT_S_DHPARAM, '<', \
+            "DH parameter file to use, in cert file if not specified"}, \
+        {"debug_broken_protocol", OPT_S_DEBUGBROKE, '-', \
+            "Perform all sorts of protocol violations for testing purposes"}

 # define OPT_S_CASES \
        OPT_S__FIRST: case OPT_S__LAST: break; \
@@ -317,8 +362,8 @@ void wait_for_async(SSL *s);
        case OPT_S_NOTLS1_1: \
        case OPT_S_NOTLS1_2: \
        case OPT_S_BUGS: \
-        case OPT_S_NOCOMP: \
-        case OPT_S_ECDHSINGLE: \
+        case OPT_S_NO_COMP: \
+        case OPT_S_COMP: \
        case OPT_S_NOTICKET: \
        case OPT_S_SERVERPREF: \
        case OPT_S_LEGACYRENEG: \
@@ -344,8 +389,9 @@ typedef struct options_st {
    int retval;
    /*
     * value type: - no value (also the value zero), n number, p positive
-     * number, u unsigned, s string, < input file, > output file, f der/pem
-     * format, F any format identifier.  n and u include zero; p does not.
+     * number, u unsigned, l long, s string, < input file, > output file,
+     * f any format, F der/pem format , E der/pem/engine format identifier.
+     * l, n and u include zero; p does not.
     */
    int valtype;
    const char *helpstr;
@@ -372,6 +418,7 @@ typedef struct string_int_pair_st {
 # define OPT_FMT_TEXT            (1L <<  8)
 # define OPT_FMT_HTTP            (1L <<  9)
 # define OPT_FMT_PVK             (1L << 10)
+# define OPT_FMT_PDE     (OPT_FMT_PEMDER | OPT_FMT_ENGINE)
 # define OPT_FMT_ANY     ( \
        OPT_FMT_PEMDER | OPT_FMT_PKCS12 | OPT_FMT_SMIME | \
        OPT_FMT_ENGINE | OPT_FMT_MSBLOB | OPT_FMT_NETSCAPE | \
@@ -443,12 +490,10 @@ EVP_PKEY *load_key(const char *file, int format, int maybe_stdin,
                   const char *pass, ENGINE *e, const char *key_descrip);
 EVP_PKEY *load_pubkey(const char *file, int format, int maybe_stdin,
                      const char *pass, ENGINE *e, const char *key_descrip);
-STACK_OF(X509) *load_certs(const char *file, int format,
-                           const char *pass, ENGINE *e,
-                           const char *cert_descrip);
-STACK_OF(X509_CRL) *load_crls(const char *file, int format,
-                              const char *pass, ENGINE *e,
-                              const char *cert_descrip);
+int load_certs(const char *file, STACK_OF(X509) **certs, int format,
+               const char *pass, ENGINE *e, const char *cert_descrip);
+int load_crls(const char *file, STACK_OF(X509_CRL) **crls, int format,
+              const char *pass, ENGINE *e, const char *cert_descrip);
 X509_STORE *setup_verify(char *CAfile, char *CApath,
                         int noCAfile, int noCApath);
 int ctx_set_verify_locations(SSL_CTX *ctx, const char *CAfile,
@@ -514,7 +559,7 @@ int args_verify(char ***pargs, int *pargc,
                int *badarg, X509_VERIFY_PARAM **pm);
 void policies_print(X509_STORE_CTX *ctx);
 int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
-int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value);
+int pkey_ctrl_string(EVP_PKEY_CTX *ctx, const char *value);
 int init_gen_str(EVP_PKEY_CTX **pctx,
                 const char *algname, ENGINE *e, int do_param);
 int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
--- a/apps/asn1pars.c
+++ b/apps/asn1pars.c
@@ -81,7 +81,7 @@ OPTIONS asn1parse_options[] = {
    {"inform", OPT_INFORM, 'F', "input format - one of DER PEM"},
    {"in", OPT_IN, '<', "input file"},
    {"out", OPT_OUT, '>', "output file (output format is always DER)"},
-    {"i", OPT_INDENT, 0, "entries"},
+    {"i", OPT_INDENT, 0, "indents the output"},
    {"noout", OPT_NOOUT, 0, "don't produce any output"},
    {"offset", OPT_OFFSET, 'p', "offset into file"},
    {"length", OPT_LENGTH, 'p', "length of section in file"},
--- a/apps/build.info
+++ b/apps/build.info
@@ -0,0 +1,18 @@
+{- use File::Spec::Functions qw/catdir rel2abs/; -}
+PROGRAMS=openssl
+SOURCE[openssl]=\
+        openssl.c \
+        asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c dgst.c dhparam.c \
+        dsa.c dsaparam.c ec.c ecparam.c enc.c engine.c errstr.c gendsa.c \
+        genpkey.c genrsa.c nseq.c ocsp.c passwd.c pkcs12.c pkcs7.c pkcs8.c \
+        pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c rsa.c rsautl.c \
+        s_client.c s_server.c s_time.c sess_id.c smime.c speed.c spkac.c \
+        srp.c ts.c verify.c version.c x509.c rehash.c \
+        apps.c opt.c s_cb.c s_socket.c \
+        app_rand.c \
+        {- $target{apps_extra_src} -}
+INCLUDE[openssl]={- rel2abs(catdir($builddir,"../include")) -} .. ../include
+DEPEND[openssl]=../libssl
+
+SCRIPTS=CA.pl
+SOURCE[CA.pl]=CA.pl.in
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -209,7 +209,8 @@ OPTIONS ca_options[] = {
    {"name", OPT_NAME, 's', "The particular CA definition to use"},
    {"subj", OPT_SUBJ, 's', "Use arg instead of request's subject"},
    {"utf8", OPT_UTF8, '-', "Input characters are UTF8 (default ASCII)"},
-    {"create_serial", OPT_CREATE_SERIAL, '-'},
+    {"create_serial", OPT_CREATE_SERIAL, '-',
+    "If reading serial fails, create a new random serial"},
    {"multivalue-rdn", OPT_MULTIVALUE_RDN, '-',
     "Enable support for multivalued RDNs"},
    {"startdate", OPT_STARTDATE, 's', "Cert notBefore, YYMMDDHHMMSSZ"},
@@ -218,7 +219,7 @@ OPTIONS ca_options[] = {
    {"days", OPT_DAYS, 'p', "Number of days to certify the cert for"},
    {"md", OPT_MD, 's', "md to use; one of md2, md5, sha or sha1"},
    {"policy", OPT_POLICY, 's', "The CA 'policy' to support"},
-    {"keyfile", OPT_KEYFILE, '<', "Private key file"},
+    {"keyfile", OPT_KEYFILE, 's', "Private key"},
    {"keyform", OPT_KEYFORM, 'f', "Private key file format (PEM or ENGINE)"},
    {"passin", OPT_PASSIN, 's'},
    {"key", OPT_KEY, 's', "Key to decode the private key if it is encrypted"},
@@ -253,10 +254,13 @@ OPTIONS ca_options[] = {
    {"updatedb", OPT_UPDATEDB, '-', "Updates db for expired cert"},
    {"crlexts", OPT_CRLEXTS, 's',
     "CRL extension section (override value in config file)"},
-    {"crl_reason", OPT_CRL_REASON, 's'},
-    {"crl_hold", OPT_CRL_HOLD, 's'},
-    {"crl_compromise", OPT_CRL_COMPROMISE, 's'},
-    {"crl_CA_compromise", OPT_CRL_CA_COMPROMISE, 's'},
+    {"crl_reason", OPT_CRL_REASON, 's', "revocation reason"},
+    {"crl_hold", OPT_CRL_HOLD, 's',
+     "the hold instruction, an OID. Sets revocation reason to certificateHold"},
+    {"crl_compromise", OPT_CRL_COMPROMISE, 's',
+     "sets compromise time to val and the revocation reason to keyCompromise"},
+    {"crl_CA_compromise", OPT_CRL_CA_COMPROMISE, 's',
+     "sets compromise time to val and the revocation reason to CACompromise"},
 #ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
@@ -727,7 +731,7 @@ end_of_options:
            goto end;
        }
        for ( ; *p; p++) {
-            if (!isxdigit(*p)) {
+            if (!isxdigit(_UC(*p))) {
                BIO_printf(bio_err,
                           "entry %d: bad char 0%o '%c' in serial number\n",
                           i + 1, *p, *p);
--- a/apps/ciphers.c
+++ b/apps/ciphers.c
@@ -78,15 +78,21 @@ OPTIONS ciphers_options[] = {
    {"v", OPT_V, '-', "Verbose listing of the SSL/TLS ciphers"},
    {"V", OPT_UPPER_V, '-', "Even more verbose"},
    {"s", OPT_S, '-', "Only supported ciphers"},
-    {"tls1", OPT_TLS1, '-', "TLS1 mode"},
-    {"tls1_1", OPT_TLS1_1, '-', "TLS1.1 mode"},
-    {"tls1_2", OPT_TLS1_2, '-', "TLS1.2 mode"},
-#ifndef OPENSSL_NO_SSL_TRACE
-    {"stdname", OPT_STDNAME, '-', "Show standard cipher names"},
-#endif
 #ifndef OPENSSL_NO_SSL3
    {"ssl3", OPT_SSL3, '-', "SSL3 mode"},
 #endif
+#ifndef OPENSSL_NO_TLS1
+    {"tls1", OPT_TLS1, '-', "TLS1 mode"},
+#endif
+#ifndef OPENSSL_NO_TLS1_1
+    {"tls1_1", OPT_TLS1_1, '-', "TLS1.1 mode"},
+#endif
+#ifndef OPENSSL_NO_TLS1_2
+    {"tls1_2", OPT_TLS1_2, '-', "TLS1.2 mode"},
+#endif
+#ifndef OPENSSL_NO_SSL_TRACE
+    {"stdname", OPT_STDNAME, '-', "Show standard cipher names"},
+#endif
 #ifndef OPENSSL_NO_PSK
    {"psk", OPT_PSK, '-', "include ciphersuites requiring PSK"},
 #endif
@@ -153,13 +159,19 @@ int ciphers_main(int argc, char **argv)
 #endif
            break;
        case OPT_TLS1:
+#ifndef OPENSSL_NO_TLS1
            meth = TLSv1_client_method();
+#endif
            break;
        case OPT_TLS1_1:
+#ifndef OPENSSL_NO_TLS1_1
            meth = TLSv1_1_client_method();
+#endif
            break;
        case OPT_TLS1_2:
+#ifndef OPENSSL_NO_TLS1_2
            meth = TLSv1_2_client_method();
+#endif
            break;
        case OPT_PSK:
 #ifndef OPENSSL_NO_PSK
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -206,7 +206,7 @@ OPTIONS cms_options[] = {
    {"recip", OPT_RECIP, '<', "Recipient cert file for decryption"},
    {"certsout", OPT_CERTSOUT, '>', "Certificate output file"},
    {"md", OPT_MD, 's'},
-    {"inkey", OPT_INKEY, '<',
+    {"inkey", OPT_INKEY, 's',
     "Input private key (if not signer or recipient)"},
    {"keyform", OPT_KEYFORM, 'f', "Input private key format (PEM or ENGINE)"},
    {"keyopt", OPT_KEYOPT, 's', "Set public key parameters as n:v pairs"},
@@ -735,8 +735,8 @@ int cms_main(int argc, char **argv)
    }

    if (certfile) {
-        if ((other = load_certs(certfile, FORMAT_PEM, NULL, e,
-                                "certificate file")) == NULL) {
+        if (!load_certs(certfile, &other, FORMAT_PEM, NULL, e,
+                        "certificate file")) {
            ERR_print_errors(bio_err);
            goto end;
        }
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -91,29 +91,32 @@ OPTIONS dgst_options[] = {
    {"help", OPT_HELP, '-', "Display this summary"},
    {"c", OPT_C, '-', "Print the digest with separating colons"},
    {"r", OPT_R, '-', "Print the digest in coreutils format"},
-    {"rand", OPT_RAND, 's'},
+    {"rand", OPT_RAND, 's',
+     "Use file(s) containing random data to seed RNG or an EGD sock"},
    {"out", OPT_OUT, '>', "Output to filename rather than stdout"},
-    {"passin", OPT_PASSIN, 's'},
-    {"sign", OPT_SIGN, '<', "Sign digest using private key in file"},
-    {"verify", OPT_VERIFY, '<',
-     "Verify a signature using public key in file"},
-    {"prverify", OPT_PRVERIFY, '<',
-     "Verify a signature using private key in file"},
+    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
+    {"sign", OPT_SIGN, 's', "Sign digest using private key"},
+    {"verify", OPT_VERIFY, 's',
+     "Verify a signature using public key"},
+    {"prverify", OPT_PRVERIFY, 's',
+     "Verify a signature using private key"},
    {"signature", OPT_SIGNATURE, '<', "File with signature to verify"},
    {"keyform", OPT_KEYFORM, 'f', "Key file format (PEM or ENGINE)"},
    {"hex", OPT_HEX, '-', "Print as hex dump"},
    {"binary", OPT_BINARY, '-', "Print in binary form"},
    {"d", OPT_DEBUG, '-', "Print debug info"},
-    {"debug", OPT_DEBUG, '-'},
-    {"fips-fingerprint", OPT_FIPS_FINGERPRINT, '-'},
+    {"debug", OPT_DEBUG, '-', "Print debug info"},
+    {"fips-fingerprint", OPT_FIPS_FINGERPRINT, '-',
+     "Compute HMAC with the key used in OpenSSL-FIPS fingerprint"},
    {"hmac", OPT_HMAC, 's', "Create hashed MAC with key"},
-    {"mac", OPT_MAC, 's', "Create MAC (not neccessarily HMAC)"},
+    {"mac", OPT_MAC, 's', "Create MAC (not necessarily HMAC)"},
    {"sigopt", OPT_SIGOPT, 's', "Signature parameter in n:v form"},
    {"macopt", OPT_MACOPT, 's', "MAC algorithm parameters in n:v form or key"},
    {"", OPT_DIGEST, '-', "Any supported digest"},
 #ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine e, possibly a hardware device"},
-    {"engine_impl", OPT_ENGINE_IMPL, '-'},
+    {"engine_impl", OPT_ENGINE_IMPL, '-',
+     "Also use engine given by -engine for digest operations"},
 #endif
    {NULL}
 };
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -108,8 +108,11 @@
 *
 */

-#include <openssl/opensslconf.h> /* for OPENSSL_NO_DH */
-#ifndef OPENSSL_NO_DH
+#include <openssl/opensslconf.h>
+#ifdef OPENSSL_NO_DH
+NON_EMPTY_TRANSLATION_UNIT
+#else
+
 # include <stdio.h>
 # include <stdlib.h>
 # include <time.h>
@@ -443,11 +446,4 @@ static int dh_cb(int p, int n, BN_GENCB *cb)
    (void)BIO_flush(BN_GENCB_get_arg(cb));
    return 1;
 }
-
-#else                           /* !OPENSSL_NO_DH */
-
-# if PEDANTIC
-static void *dummy = &dummy;
-# endif
-
 #endif
--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -55,8 +55,11 @@
 * [including the GNU Public Licence.]
 */

-#include <openssl/opensslconf.h> /* for OPENSSL_NO_DSA */
-#ifndef OPENSSL_NO_DSA
+#include <openssl/opensslconf.h>
+#ifdef OPENSSL_NO_DSA
+NON_EMPTY_TRANSLATION_UNIT
+#else
+
 # include <stdio.h>
 # include <stdlib.h>
 # include <string.h>
@@ -82,7 +85,7 @@ OPTIONS dsa_options[] = {
    {"help", OPT_HELP, '-', "Display this summary"},
    {"inform", OPT_INFORM, 'F', "Input format, DER PEM PVK"},
    {"outform", OPT_OUTFORM, 'F', "Output format, DER PEM PVK"},
-    {"in", OPT_IN, '<', "Input file"},
+    {"in", OPT_IN, 's', "Input key"},
    {"out", OPT_OUT, '>', "Output file"},
    {"noout", OPT_NOOUT, '-', "Don't print key out"},
    {"text", OPT_TEXT, '-', "Print the key in text"},
@@ -130,8 +133,7 @@ int dsa_main(int argc, char **argv)
            ret = 0;
            goto end;
        case OPT_INFORM:
-            if (!opt_format
-                (opt_arg(), OPT_FMT_PEMDER | OPT_FMT_PVK, &informat))
+            if (!opt_format(opt_arg(), OPT_FMT_ANY, &informat))
                goto opthelp;
            break;
        case OPT_IN:
@@ -300,10 +302,4 @@ int dsa_main(int argc, char **argv)
    OPENSSL_free(passout);
    return (ret);
 }
-#else                           /* !OPENSSL_NO_DSA */
-
-# if PEDANTIC
-static void *dummy = &dummy;
-# endif
-
 #endif
--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -55,9 +55,11 @@
 * [including the GNU Public Licence.]
 */

-#include <openssl/opensslconf.h> /* for OPENSSL_NO_DSA */
+#include <openssl/opensslconf.h>
+#ifdef OPENSSL_NO_DSA
+NON_EMPTY_TRANSLATION_UNIT
+#else

-#ifndef OPENSSL_NO_DSA
 # include <stdio.h>
 # include <stdlib.h>
 # include <time.h>
@@ -347,10 +349,4 @@ static int dsa_cb(int p, int n, BN_GENCB *cb)
 # endif
    return 1;
 }
-#else                           /* !OPENSSL_NO_DSA */
-
-# if PEDANTIC
-static void *dummy = &dummy;
-# endif
-
 #endif
--- a/apps/ec.c
+++ b/apps/ec.c
@@ -56,7 +56,10 @@
 */

 #include <openssl/opensslconf.h>
-#ifndef OPENSSL_NO_EC
+#ifdef OPENSSL_NO_EC
+NON_EMPTY_TRANSLATION_UNIT
+#else
+
 # include <stdio.h>
 # include <stdlib.h>
 # include <string.h>
@@ -83,7 +86,8 @@ typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
    OPT_INFORM, OPT_OUTFORM, OPT_ENGINE, OPT_IN, OPT_OUT,
    OPT_NOOUT, OPT_TEXT, OPT_PARAM_OUT, OPT_PUBIN, OPT_PUBOUT,
-    OPT_PASSIN, OPT_PASSOUT, OPT_PARAM_ENC, OPT_CONV_FORM, OPT_CIPHER
+    OPT_PASSIN, OPT_PASSOUT, OPT_PARAM_ENC, OPT_CONV_FORM, OPT_CIPHER,
+    OPT_NO_PUBLIC, OPT_CHECK
 } OPTION_CHOICE;

 OPTIONS ec_options[] = {
@@ -97,6 +101,8 @@ OPTIONS ec_options[] = {
    {"param_out", OPT_PARAM_OUT, '-', "Print the elliptic curve parameters"},
    {"pubin", OPT_PUBIN, '-'},
    {"pubout", OPT_PUBOUT, '-'},
+    {"no_public", OPT_NO_PUBLIC, '-', "exclude public key from private key"},
+    {"check", OPT_CHECK, '-', "check key consistency"},
    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
    {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
    {"param_enc", OPT_PARAM_ENC, 's',
@@ -122,6 +128,7 @@ int ec_main(int argc, char **argv)
    int asn1_flag = OPENSSL_EC_NAMED_CURVE, new_form = 0, new_asn1_flag = 0;
    int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0;
    int pubin = 0, pubout = 0, param_out = 0, i, ret = 1, private = 0;
+    int no_public = 0, check = 0;

    prog = opt_init(argc, argv, ec_options);
    while ((o = opt_next()) != OPT_EOF) {
@@ -189,6 +196,12 @@ int ec_main(int argc, char **argv)
            new_asn1_flag = 1;
            asn1_flag = i;
            break;
+        case OPT_NO_PUBLIC:
+            no_public = 1;
+            break;
+        case OPT_CHECK:
+            check = 1;
+            break;
        }
    }
    argc = opt_num_rest();
@@ -236,6 +249,9 @@ int ec_main(int argc, char **argv)
    if (new_asn1_flag)
        EC_KEY_set_asn1_flag(eckey, asn1_flag);

+    if (no_public)
+        EC_KEY_set_enc_flags(eckey, EC_PKEY_NO_PUBKEY);
+
    if (text) {
        assert(pubin || private);
        if (!EC_KEY_print(out, eckey, 0)) {
@@ -245,6 +261,15 @@ int ec_main(int argc, char **argv)
        }
    }

+    if (check) {
+        if (EC_KEY_check_key(eckey) == 1) {
+            BIO_printf(bio_err, "EC Key valid.\n");
+        } else {
+            BIO_printf(bio_err, "EC Key Invalid!\n");
+            ERR_print_errors(bio_err);
+        }
+    }
+
    if (noout) {
        ret = 0;
        goto end;
@@ -285,10 +310,4 @@ int ec_main(int argc, char **argv)
    OPENSSL_free(passout);
    return (ret);
 }
-#else                           /* !OPENSSL_NO_EC */
-
-# if PEDANTIC
-static void *dummy = &dummy;
-# endif
-
 #endif
--- a/apps/ecparam.c
+++ b/apps/ecparam.c
@@ -69,7 +69,10 @@
 */

 #include <openssl/opensslconf.h>
-#ifndef OPENSSL_NO_EC
+#ifdef OPENSSL_NO_EC
+NON_EMPTY_TRANSLATION_UNIT
+#else
+
 # include <stdio.h>
 # include <stdlib.h>
 # include <time.h>
@@ -462,11 +465,17 @@ int ecparam_main(int argc, char **argv)

        assert(need_rand);

-        if (EC_KEY_set_group(eckey, group) == 0)
+        if (EC_KEY_set_group(eckey, group) == 0) {
+            BIO_printf(bio_err, "unable to set group when generating key\n");
+            EC_KEY_free(eckey);
+            ERR_print_errors(bio_err);
            goto end;
+        }

        if (!EC_KEY_generate_key(eckey)) {
+            BIO_printf(bio_err, "unable to generate key\n");
            EC_KEY_free(eckey);
+            ERR_print_errors(bio_err);
            goto end;
        }
        assert(private);
@@ -496,10 +505,4 @@ int ecparam_main(int argc, char **argv)
    return (ret);
 }

-#else                           /* !OPENSSL_NO_EC */
-
-# if PEDANTIC
-static void *dummy = &dummy;
-# endif
-
 #endif
--- a/apps/engine.c
+++ b/apps/engine.c
@@ -56,12 +56,16 @@
 *
 */

-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include "apps.h"
-#include <openssl/err.h>
-#ifndef OPENSSL_NO_ENGINE
+#include <openssl/opensslconf.h>
+#ifdef OPENSSL_NO_ENGINE
+NON_EMPTY_TRANSLATION_UNIT
+#else
+
+# include "apps.h"
+# include <stdio.h>
+# include <stdlib.h>
+# include <string.h>
+# include <openssl/err.h>
 # include <openssl/engine.h>
 # include <openssl/ssl.h>

@@ -72,13 +76,16 @@ typedef enum OPTION_choice {
 } OPTION_CHOICE;

 OPTIONS engine_options[] = {
+    {OPT_HELP_STR, 1, '-', "Usage: %s [options] engine...\n"},
+    {OPT_HELP_STR, 1, '-',
+        "  engine... Engines to load\n"},
    {"help", OPT_HELP, '-', "Display this summary"},
-    {"vvvv", OPT_VVVV, '-', "Also show internal input flags"},
-    {"vvv", OPT_VVV, '-', "Also add the input flags for each command"},
+    {"v", OPT_V, '-', "List 'control commands' For each specified engine"},
    {"vv", OPT_VV, '-', "Also display each command's description"},
-    {"v", OPT_V, '-', "For each engine, list its 'control commands'"},
-    {"c", OPT_C, '-', "List the capabilities of each engine"},
-    {"t", OPT_T, '-', "Check that each engine is available"},
+    {"vvv", OPT_VVV, '-', "Also add the input flags for each command"},
+    {"vvvv", OPT_VVVV, '-', "Also show internal input flags"},
+    {"c", OPT_C, '-', "List the capabilities of specified engine"},
+    {"t", OPT_T, '-', "Check that specified engine is available"},
    {"tt", OPT_TT, '-', "Display error trace for unavailable engines"},
    {"pre", OPT_PRE, 's', "Run command against the ENGINE before loading it"},
    {"post", OPT_POST, 's', "Run command against the ENGINE after loading it"},
@@ -89,19 +96,18 @@ OPTIONS engine_options[] = {

 static void identity(char *ptr)
 {
-    return;
 }

-static int append_buf(char **buf, const char *s, int *size, int step)
+static int append_buf(char **buf, int *size, const char *s)
 {
    if (*buf == NULL) {
-        *size = step;
+        *size = 256;
        *buf = app_malloc(*size, "engine buffer");
        **buf = '\0';
    }

    if (strlen(*buf) + strlen(s) >= (unsigned int)*size) {
-        *size += step;
+        *size += 256;
        *buf = OPENSSL_realloc(*buf, *size);
    }

@@ -313,11 +319,23 @@ int engine_main(int argc, char **argv)
    const char *indent = "     ";
    OPTION_CHOICE o;
    char *prog;
+    char *argv1;

    out = dup_bio_out(FORMAT_TEXT);
-    prog = opt_init(argc, argv, engine_options);
-    if (!engines || !pre_cmds || !post_cmds)
+    if (engines == NULL || pre_cmds == NULL || post_cmds == NULL)
        goto end;
+
+    /* Remember the original command name, parse/skip any leading engine
+     * names, and then setup to parse the rest of the line as flags. */
+    prog = argv[0];
+    while ((argv1 = argv[1]) != NULL && *argv1 != '-') {
+        sk_OPENSSL_STRING_push(engines, argv1);
+        argc--;
+        argv++;
+    }
+    argv[0] = prog;
+    opt_init(argc, argv, engine_options);
+
    while ((o = opt_next()) != OPT_EOF) {
        switch (o) {
        case OPT_EOF:
@@ -353,10 +371,19 @@ int engine_main(int argc, char **argv)
            break;
        }
    }
+
+    /* Allow any trailing parameters as engine names. */
    argc = opt_num_rest();
    argv = opt_rest();
-    for ( ; *argv; argv++)
+    for ( ; *argv; argv++) {
+        if (**argv == '-') {
+            BIO_printf(bio_err, "%s: Cannot mix flags and engine names.\n",
+                       prog);
+            BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
+            goto end;
+        }
        sk_OPENSSL_STRING_push(engines, *argv);
+    }

    if (sk_OPENSSL_STRING_num(engines) == 0) {
        for (e = ENGINE_get_first(); e != NULL; e = ENGINE_get_next(e)) {
@@ -387,16 +414,16 @@ int engine_main(int argc, char **argv)
                ENGINE_PKEY_METHS_PTR fn_pk;

                if (ENGINE_get_RSA(e) != NULL
-                    && !append_buf(&cap_buf, "RSA", &cap_size, 256))
+                    && !append_buf(&cap_buf, &cap_size, "RSA"))
                    goto end;
                if (ENGINE_get_DSA(e) != NULL
-                    && !append_buf(&cap_buf, "DSA", &cap_size, 256))
+                    && !append_buf(&cap_buf, &cap_size, "DSA"))
                    goto end;
                if (ENGINE_get_DH(e) != NULL
-                    && !append_buf(&cap_buf, "DH", &cap_size, 256))
+                    && !append_buf(&cap_buf, &cap_size, "DH"))
                    goto end;
                if (ENGINE_get_RAND(e) != NULL
-                    && !append_buf(&cap_buf, "RAND", &cap_size, 256))
+                    && !append_buf(&cap_buf, &cap_size, "RAND"))
                    goto end;

                fn_c = ENGINE_get_ciphers(e);
@@ -404,8 +431,7 @@ int engine_main(int argc, char **argv)
                    goto skip_ciphers;
                n = fn_c(e, NULL, &nids, 0);
                for (k = 0; k < n; ++k)
-                    if (!append_buf(&cap_buf,
-                                    OBJ_nid2sn(nids[k]), &cap_size, 256))
+                    if (!append_buf(&cap_buf, &cap_size, OBJ_nid2sn(nids[k])))
                        goto end;

 skip_ciphers:
@@ -414,8 +440,7 @@ int engine_main(int argc, char **argv)
                    goto skip_digests;
                n = fn_d(e, NULL, &nids, 0);
                for (k = 0; k < n; ++k)
-                    if (!append_buf(&cap_buf,
-                                    OBJ_nid2sn(nids[k]), &cap_size, 256))
+                    if (!append_buf(&cap_buf, &cap_size, OBJ_nid2sn(nids[k])))
                        goto end;

 skip_digests:
@@ -424,8 +449,7 @@ int engine_main(int argc, char **argv)
                    goto skip_pmeths;
                n = fn_pk(e, NULL, &nids, 0);
                for (k = 0; k < n; ++k)
-                    if (!append_buf(&cap_buf,
-                                    OBJ_nid2sn(nids[k]), &cap_size, 256))
+                    if (!append_buf(&cap_buf, &cap_size, OBJ_nid2sn(nids[k])))
                        goto end;
 skip_pmeths:
                if (cap_buf && (*cap_buf != '\0'))
@@ -463,10 +487,4 @@ int engine_main(int argc, char **argv)
    BIO_free_all(out);
    return (ret);
 }
-#else
-
-# if PEDANTIC
-static void *dummy = &dummy;
-# endif
-
 #endif
--- a/apps/errstr.c
+++ b/apps/errstr.c
@@ -111,9 +111,14 @@ int errstr_main(int argc, char **argv)

    ret = 0;
    for (argv = opt_rest(); *argv; argv++) {
-        if (!opt_ulong(*argv, &l))
+        if (sscanf(*argv, "%lx", &l) == 0)
            ret++;
        else {
+            /* We're not really an SSL application so this won't auto-init, but
+             * we're still interested in SSL error strings
+             */
+            OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS
+                             | OPENSSL_INIT_LOAD_CRYPTO_STRINGS, NULL);
            ERR_error_string_n(l, buf, sizeof buf);
            BIO_printf(bio_out, "%s\n", buf);
        }
--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -55,8 +55,11 @@
 * [including the GNU Public Licence.]
 */

-#include <openssl/opensslconf.h> /* for OPENSSL_NO_DSA */
-#ifndef OPENSSL_NO_DSA
+#include <openssl/opensslconf.h>
+#ifdef OPENSSL_NO_DSA
+NON_EMPTY_TRANSLATION_UNIT
+#else
+
 # include <stdio.h>
 # include <string.h>
 # include <sys/types.h>
@@ -185,10 +188,4 @@ int gendsa_main(int argc, char **argv)
    OPENSSL_free(passout);
    return (ret);
 }
-#else                           /* !OPENSSL_NO_DSA */
-
-# if PEDANTIC
-static void *dummy = &dummy;
-# endif
-
 #endif
--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -56,8 +56,10 @@
 */

 #include <openssl/opensslconf.h>
+#ifdef OPENSSL_NO_RSA
+NON_EMPTY_TRANSLATION_UNIT
+#else

-#ifndef OPENSSL_NO_RSA
 # include <stdio.h>
 # include <string.h>
 # include <sys/types.h>
@@ -232,10 +234,4 @@ static int genrsa_cb(int p, int n, BN_GENCB *cb)
    (void)BIO_flush(BN_GENCB_get_arg(cb));
    return 1;
 }
-#else                           /* !OPENSSL_NO_RSA */
-
-# if PEDANTIC
-static void *dummy = &dummy;
-# endif
-
 #endif
--- a/apps/install-apps.com
+++ b/apps/install-apps.com
@@ -1,107 +0,0 @@
-$! INSTALL.COM -- Installs the files in a given directory tree
-$!
-$! Author: Richard Levitte <richard@levitte.org>
-$! Time of creation: 22-MAY-1998 10:13
-$!
-$! P1  root of the directory tree
-$! P2  "64" for 64-bit pointers.
-$!
-$!
-$! Announce/identify.
-$!
-$ proc = f$environment( "procedure")
-$ write sys$output "@@@ "+ -
-   f$parse( proc, , , "name")+ f$parse( proc, , , "type")
-$!
-$ on error then goto tidy
-$ on control_c then goto tidy
-$!
-$ if (p1 .eqs. "")
-$ then
-$   write sys$output "First argument missing."
-$   write sys$output -
-     "It should be the directory where you want things installed."
-$   exit
-$ endif
-$!
-$ if (f$getsyi("cpu") .lt. 128)
-$ then
-$   arch = "VAX"
-$ else
-$   arch = f$edit( f$getsyi( "arch_name"), "upcase")
-$   if (arch .eqs. "") then arch = "UNK"
-$ endif
-$!
-$ archd = arch
-$!
-$ if (p2 .nes. "")
-$ then
-$   if (p2 .eqs. "64")
-$   then
-$     archd = arch+ "_64"
-$   else
-$     if (p2 .nes. "32")
-$     then
-$       write sys$output "Second argument invalid."
-$       write sys$output "It should be "32", "64", or nothing."
-$       exit
-$     endif
-$   endif
-$ endif
-$!
-$ root = f$parse( p1, "[]A.;0", , , "syntax_only, no_conceal") - "A.;0"
-$ root_dev = f$parse(root,,,"device","syntax_only")
-$ root_dir = f$parse(root,,,"directory","syntax_only") - -
-   "[000000." - "][" - "[" - "]"
-$ root = root_dev + "[" + root_dir
-$!
-$ define /nolog wrk_sslroot 'root'.] /trans=conc
-$ define /nolog wrk_sslxexe wrk_sslroot:['archd'_exe]
-$!
-$ if f$parse("wrk_sslroot:[000000]") .eqs. "" then -
-   create /directory /log wrk_sslroot:[000000]
-$ if f$parse("wrk_sslxexe:") .eqs. "" then -
-   create /directory /log wrk_sslxexe:
-$!
-$ exe := openssl
-$!
-$ exe_dir := [-.'archd'.exe.apps]
-$!
-$! Executables.
-$!
-$ i = 0
-$ loop_exe:
-$   e = f$edit(f$element( i, ",", exe), "trim")
-$   i = i + 1
-$   if e .eqs. "," then goto loop_exe_end
-$   set noon
-$   file = exe_dir+ e+ ".exe"
-$   if f$search( file) .nes. ""
-$   then
-$     copy /protection = w:re 'file' wrk_sslxexe: /log
-$   endif
-$   set on
-$ goto loop_exe
-$ loop_exe_end:
-$!
-$! Miscellaneous.
-$!
-$ set noon
-$ copy /protection = w:re ca.com wrk_sslxexe:ca.com /log
-$ copy /protection = w:re openssl-vms.cnf wrk_sslroot:[000000]openssl.cnf /log
-$ set on
-$!
-$ tidy:
-$!
-$ call deass wrk_sslroot
-$ call deass wrk_sslxexe
-$!
-$ exit
-$!
-$ deass: subroutine
-$ if (f$trnlnm( p1, "LNM$PROCESS") .nes. "")
-$ then
-$   deassign /process 'p1'
-$ endif
-$ endsubroutine
-$!
--- a/apps/makeapps.com
+++ b/apps/makeapps.com
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -521,7 +521,7 @@ int ocsp_main(int argc, char **argv)
            goto end;
    }

-    if (rsignfile && !rdb) {
+    if (rsignfile) {
        if (!rkeyfile)
            rkeyfile = rsignfile;
        rsigner = load_cert(rsignfile, FORMAT_PEM,
@@ -533,9 +533,8 @@ int ocsp_main(int argc, char **argv)
        rca_cert = load_cert(rca_filename, FORMAT_PEM,
                             NULL, NULL, "CA certificate");
        if (rcertfile) {
-            rother = load_certs(rcertfile, FORMAT_PEM,
-                                NULL, NULL, "responder other certificates");
-            if (!rother)
+            if (!load_certs(rcertfile, &rother, FORMAT_PEM, NULL, NULL,
+                            "responder other certificates"))
                goto end;
        }
        rkey = load_key(rkeyfile, FORMAT_PEM, 0, NULL, NULL,
@@ -578,9 +577,8 @@ int ocsp_main(int argc, char **argv)
            goto end;
        }
        if (sign_certfile) {
-            sign_other = load_certs(sign_certfile, FORMAT_PEM,
-                                    NULL, NULL, "signer certificates");
-            if (!sign_other)
+            if (!load_certs(sign_certfile, &sign_other, FORMAT_PEM, NULL, NULL,
+                            "signer certificates"))
                goto end;
        }
        key = load_key(keyfile, FORMAT_PEM, 0, NULL, NULL,
@@ -702,9 +700,8 @@ int ocsp_main(int argc, char **argv)
    if (vpmtouched)
        X509_STORE_set1_param(store, vpm);
    if (verify_certfile) {
-        verify_other = load_certs(verify_certfile, FORMAT_PEM,
-                                  NULL, NULL, "validator certificate");
-        if (!verify_other)
+        if (!load_certs(verify_certfile, &verify_other, FORMAT_PEM, NULL, NULL,
+                        "validator certificate"))
            goto end;
    }

@@ -1068,7 +1065,7 @@ static int urldecode(char *p)
    for (; *p; p++) {
        if (*p != '%')
            *out++ = *p;
-        else if (isxdigit(p[1]) && isxdigit(p[2])) {
+        else if (isxdigit(_UC(p[1])) && isxdigit(_UC(p[2]))) {
            *out++ = (app_hex(p[1]) << 4) | app_hex(p[2]);
            p += 2;
        }
--- a/apps/openssl-vms.cnf
+++ b/apps/openssl-vms.cnf
@@ -336,7 +336,6 @@ certs		= $dir.cacert.pem]	# Certificate chain to include in reply
 					# (optional)
 signer_key	= $dir/private/tsakey.pem # The TSA private key (optional)
 signer_digest  = sha256			# Signing digest to use. (Optional)
-
 default_policy	= tsa_policy1		# Policy if request did not specify it
 					# (optional)
 other_policies	= tsa_policy2, tsa_policy3	# acceptable policies (optional)
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -170,44 +170,20 @@ static int apps_startup()
 #ifdef SIGPIPE
    signal(SIGPIPE, SIG_IGN);
 #endif
-    ERR_load_crypto_strings();
-    ERR_load_SSL_strings();

-    OPENSSL_load_builtin_modules();
-    SSL_add_ssl_module();
-#ifndef OPENSSL_NO_ENGINE
-    ENGINE_load_builtin_engines();
-#endif
-    if (!app_load_modules(NULL)) {
-        ERR_print_errors(bio_err);
-        BIO_printf(bio_err, "Error loading default configuration\n");
+    /* Set non-default library initialisation settings */
+    if (!OPENSSL_init_crypto(OPENSSL_INIT_ENGINE_ALL_BUILTIN
+                             | OPENSSL_INIT_LOAD_CONFIG, NULL))
        return 0;
-    }

-    OpenSSL_add_all_algorithms();
-    OpenSSL_add_ssl_algorithms();
    setup_ui_method();
-    /*SSL_library_init();*/
+
    return 1;
 }

 static void apps_shutdown()
 {
-#ifndef OPENSSL_NO_ENGINE
-    ENGINE_cleanup();
-#endif
    destroy_ui_method();
-    CONF_modules_unload(1);
-#ifndef OPENSSL_NO_COMP
-    COMP_zlib_cleanup();
-    SSL_COMP_free_compression_methods();
-#endif
-    OBJ_cleanup();
-    EVP_cleanup();
-    CRYPTO_cleanup_all_ex_data();
-    ERR_remove_thread_state(NULL);
-    RAND_cleanup();
-    ERR_free_strings();
 }

 static char *make_config_name()
@@ -317,7 +293,6 @@ int main(int argc, char *argv[])
    if (getenv("OPENSSL_FIPS")) {
 #ifdef OPENSSL_FIPS
        if (!FIPS_mode_set(1)) {
-            ERR_load_crypto_strings();
            ERR_print_errors(bio_err);
            return 1;
        }
@@ -429,7 +404,8 @@ int main(int argc, char *argv[])
    BIO_free_all(bio_out);
    apps_shutdown();
 #ifndef OPENSSL_NO_CRYPTO_MDEBUG
-    CRYPTO_mem_leaks(bio_err);
+    if (CRYPTO_mem_leaks(bio_err) <= 0)
+        ret = 1;
 #endif
    BIO_free(bio_err);
    EXIT(ret);
@@ -754,6 +730,12 @@ static void list_disabled(void)
 #if defined(OPENSSL_NO_DTLS)
    BIO_puts(bio_out, "DTLS\n");
 #endif
+#if defined(OPENSSL_NO_DTLS1)
+    BIO_puts(bio_out, "DTLS1\n");
+#endif
+#if defined(OPENSSL_NO_DTLS1_2)
+    BIO_puts(bio_out, "DTLS1_2\n");
+#endif
 #ifdef OPENSSL_NO_EC
    BIO_puts(bio_out, "EC\n");
 #endif
@@ -766,6 +748,9 @@ static void list_disabled(void)
 #ifdef OPENSSL_NO_GOST
    BIO_puts(bio_out, "GOST\n");
 #endif
+#ifdef OPENSSL_NO_HEARTBEATS
+    BIO_puts(bio_out, "HEARTBEATS\n");
+#endif
 #ifdef OPENSSL_NO_HMAC
    BIO_puts(bio_out, "HMAC\n");
 #endif
@@ -835,9 +820,24 @@ static void list_disabled(void)
 #ifdef OPENSSL_NO_SRTP
    BIO_puts(bio_out, "SRTP\n");
 #endif
+#ifdef OPENSSL_NO_SSL
+    BIO_puts(bio_out, "SSL\n");
+#endif
 #ifdef OPENSSL_NO_SSL3
    BIO_puts(bio_out, "SSL3\n");
 #endif
+#if defined(OPENSSL_NO_TLS)
+    BIO_puts(bio_out, "TLS\n");
+#endif
+#ifdef OPENSSL_NO_TLS1
+    BIO_puts(bio_out, "TLS1\n");
+#endif
+#ifdef OPENSSL_NO_TLS1_1
+    BIO_puts(bio_out, "TLS1_1\n");
+#endif
+#ifdef OPENSSL_NO_TLS1_2
+    BIO_puts(bio_out, "TLS1_2\n");
+#endif
 #ifdef OPENSSL_NO_WHIRLPOOL
    BIO_puts(bio_out, "WHIRLPOOL\n");
 #endif
--- a/apps/opt.c
+++ b/apps/opt.c
@@ -75,12 +75,6 @@ static const OPTIONS *unknown;
 static const OPTIONS *opts;
 static char prog[40];

-#if !defined(__STDC_VERSION__) || __STDC_VERSION__ < 199901L || \
-    !defined(INTMAX_MAX) && !defined(UINTMAX_MAX)
-#define opt_imax opt_long
-#define opt_umax opt_ulong
-#endif
-
 /*
 * Return the simple name of the program; removing various platform gunk.
 */
@@ -188,8 +182,9 @@ char *opt_init(int ac, char **av, const OPTIONS *o)
        assert(o->name[0] != '-');
        assert(o->retval > 0);
        switch (i) {
-        case   0: case '-': case '/': case '<': case '>': case 'F': case 'M':
-        case 'L': case 'U': case 'f': case 'n': case 'p': case 's': case 'u':
+        case   0: case '-': case '/': case '<': case '>': case 'E': case 'F':
+        case 'M': case 'U': case 'f': case 'l': case 'n': case 'p': case 's':
+        case 'u':
            break;
        default:
            assert(0);
@@ -502,14 +497,25 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
        X509_VERIFY_PARAM_add0_policy(vpm, otmp);
        break;
    case OPT_V_PURPOSE:
+        /* purpose name -> purpose index */
        i = X509_PURPOSE_get_by_sname(opt_arg());
        if (i < 0) {
            BIO_printf(bio_err, "%s: Invalid purpose %s\n", prog, opt_arg());
            return 0;
        }
+
+        /* purpose index -> purpose object */
        xptmp = X509_PURPOSE_get0(i);
+
+        /* purpose object -> purpose value */
        i = X509_PURPOSE_get_id(xptmp);
-        X509_VERIFY_PARAM_set_purpose(vpm, i);
+
+        if (!X509_VERIFY_PARAM_set_purpose(vpm, i)) {
+            BIO_printf(bio_err,
+                       "%s: Internal error setting purpose %s\n",
+                       prog, opt_arg());
+            return 0;
+        }
        break;
    case OPT_V_VERIFY_NAME:
        vtmp = X509_VERIFY_PARAM_lookup(opt_arg());
@@ -551,7 +557,7 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_IGNORE_CRITICAL);
        break;
    case OPT_V_ISSUER_CHECKS:
-        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CB_ISSUER_CHECK);
+        /* NOP, deprecated */
        break;
    case OPT_V_CRL_CHECK:
        X509_VERIFY_PARAM_set_flags(vpm, X509_V_FLAG_CRL_CHECK);
@@ -729,7 +735,7 @@ int opt_next(void)
                return -1;
            }
            break;
-        case 'L':
+        case 'l':
            if (!opt_long(arg, &lval)) {
                BIO_printf(bio_err,
                           "%s: Invalid number \"%s\" for -%s\n",
@@ -745,9 +751,11 @@ int opt_next(void)
                return -1;
            }
            break;
-        case 'f':
+        case 'E':
        case 'F':
+        case 'f':
            if (opt_format(arg,
+                           o->valtype == 'E' ? OPT_FMT_PDE :
                           o->valtype == 'F' ? OPT_FMT_PEMDER
                           : OPT_FMT_ANY, &ival))
                break;
@@ -807,6 +815,7 @@ int opt_num_rest(void)
 static const char *valtype2param(const OPTIONS *o)
 {
    switch (o->valtype) {
+    case 0:
    case '-':
        return "";
    case 's':
@@ -818,15 +827,23 @@ static const char *valtype2param(const OPTIONS *o)
    case '>':
        return "outfile";
    case 'p':
-        return "pnum";
+        return "+int";
    case 'n':
-        return "num";
+        return "int";
+    case 'l':
+        return "long";
    case 'u':
-        return "unum";
+        return "ulong";
+    case 'E':
+        return "PEM|DER|ENGINE";
    case 'F':
-        return "der/pem";
+        return "PEM|DER";
    case 'f':
        return "format";
+    case 'M':
+        return "intmax";
+    case 'U':
+        return "uintmax";
    }
    return "parm";
 }
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -395,9 +395,8 @@ int pkcs12_main(int argc, char **argv)

        /* Load in all certs in input file */
        if (!(options & NOCERTS)) {
-            certs = load_certs(infile, FORMAT_PEM, NULL, e,
-                               "certificates");
-            if (!certs)
+            if (!load_certs(infile, &certs, FORMAT_PEM, NULL, e,
+                            "certificates"))
                goto export_end;

            if (key) {
@@ -425,13 +424,9 @@ int pkcs12_main(int argc, char **argv)

        /* Add any more certificates asked for */
        if (certfile) {
-            STACK_OF(X509) *morecerts = NULL;
-            if ((morecerts = load_certs(certfile, FORMAT_PEM, NULL, e,
-                                        "certificates from certfile")) == NULL)
+            if (!load_certs(certfile, &certs, FORMAT_PEM, NULL, e,
+                            "certificates from certfile"))
                goto export_end;
-            while (sk_X509_num(morecerts) > 0)
-                sk_X509_push(certs, sk_X509_shift(morecerts));
-            sk_X509_free(morecerts);
        }

        /* If chaining get chain from user cert */
@@ -545,9 +540,13 @@ int pkcs12_main(int argc, char **argv)
    if (!twopass)
        OPENSSL_strlcpy(macpass, pass, sizeof macpass);

-    if ((options & INFO) && p12->mac)
+    if ((options & INFO) && PKCS12_mac_present(p12)) {
+        ASN1_INTEGER *tmaciter;
+
+        PKCS12_get0_mac(NULL, NULL, NULL, &tmaciter, p12);
        BIO_printf(bio_err, "MAC Iteration %ld\n",
-                   p12->mac->iter ? ASN1_INTEGER_get(p12->mac->iter) : 1);
+                   tmaciter  != NULL ? ASN1_INTEGER_get(tmaciter) : 1L);
+    }
    if (macver) {
        /* If we enter empty password try no password first */
        if (!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) {
@@ -645,15 +644,18 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,
    EVP_PKEY *pkey;
    PKCS8_PRIV_KEY_INFO *p8;
    X509 *x509;
+    STACK_OF(X509_ATTRIBUTE) *attrs;

-    switch (M_PKCS12_bag_type(bag)) {
+    attrs = PKCS12_SAFEBAG_get0_attrs(bag);
+
+    switch (PKCS12_SAFEBAG_get_nid(bag)) {
    case NID_keyBag:
        if (options & INFO)
            BIO_printf(bio_err, "Key bag\n");
        if (options & NOKEYS)
            return 1;
-        print_attribs(out, bag->attrib, "Bag Attributes");
-        p8 = bag->value.keybag;
+        print_attribs(out, attrs, "Bag Attributes");
+        p8 = PKCS12_SAFEBAG_get0_p8inf(bag);
        if ((pkey = EVP_PKCS82PKEY(p8)) == NULL)
            return 0;
        print_attribs(out, p8->attributes, "Key Attributes");
@@ -663,12 +665,15 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,

    case NID_pkcs8ShroudedKeyBag:
        if (options & INFO) {
+            X509_SIG *tp8;
+
            BIO_printf(bio_err, "Shrouded Keybag: ");
-            alg_print(bag->value.shkeybag->algor);
+            tp8 = PKCS12_SAFEBAG_get0_pkcs8(bag);
+            alg_print(tp8->algor);
        }
        if (options & NOKEYS)
            return 1;
-        print_attribs(out, bag->attrib, "Bag Attributes");
+        print_attribs(out, attrs, "Bag Attributes");
        if ((p8 = PKCS12_decrypt_skey(bag, pass, passlen)) == NULL)
            return 0;
        if ((pkey = EVP_PKCS82PKEY(p8)) == NULL) {
@@ -686,15 +691,15 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,
            BIO_printf(bio_err, "Certificate bag\n");
        if (options & NOCERTS)
            return 1;
-        if (PKCS12_get_attr(bag, NID_localKeyID)) {
+        if (PKCS12_SAFEBAG_get0_attr(bag, NID_localKeyID)) {
            if (options & CACERTS)
                return 1;
        } else if (options & CLCERTS)
            return 1;
-        print_attribs(out, bag->attrib, "Bag Attributes");
-        if (M_PKCS12_cert_bag_type(bag) != NID_x509Certificate)
+        print_attribs(out, attrs, "Bag Attributes");
+        if (PKCS12_SAFEBAG_get_bag_nid(bag) != NID_x509Certificate)
            return 1;
-        if ((x509 = PKCS12_certbag2x509(bag)) == NULL)
+        if ((x509 = PKCS12_SAFEBAG_get1_cert(bag)) == NULL)
            return 0;
        dump_cert_text(out, x509);
        PEM_write_bio_X509(out, x509);
@@ -704,13 +709,13 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,
    case NID_safeContentsBag:
        if (options & INFO)
            BIO_printf(bio_err, "Safe Contents bag\n");
-        print_attribs(out, bag->attrib, "Bag Attributes");
-        return dump_certs_pkeys_bags(out, bag->value.safes, pass,
-                                     passlen, options, pempass, enc);
+        print_attribs(out, attrs, "Bag Attributes");
+        return dump_certs_pkeys_bags(out, PKCS12_SAFEBAG_get0_safes(bag),
+                                     pass, passlen, options, pempass, enc);

    default:
        BIO_printf(bio_err, "Warning unsupported bag type: ");
-        i2a_ASN1_OBJECT(bio_err, bag->type);
+        i2a_ASN1_OBJECT(bio_err, PKCS12_SAFEBAG_get0_type(bag));
        BIO_printf(bio_err, "\n");
        return 1;
    }
--- a/apps/pkey.c
+++ b/apps/pkey.c
@@ -75,7 +75,7 @@ OPTIONS pkey_options[] = {
    {"outform", OPT_OUTFORM, 'F', "Output format (DER or PEM)"},
    {"passin", OPT_PASSIN, 's', "Input file pass phrase source"},
    {"passout", OPT_PASSOUT, 's', "Output file pass phrase source"},
-    {"in", OPT_IN, '<', "Input file"},
+    {"in", OPT_IN, 's', "Input key"},
    {"out", OPT_OUT, '>', "Output file"},
    {"pubin", OPT_PUBIN, '-',
     "Read public key from input (default is private key)"},
@@ -116,7 +116,7 @@ int pkey_main(int argc, char **argv)
            ret = 0;
            goto end;
        case OPT_INFORM:
-            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &informat))
+            if (!opt_format(opt_arg(), OPT_FMT_ANY, &informat))
                goto opthelp;
            break;
        case OPT_OUTFORM:
--- a/apps/pkeyutl.c
+++ b/apps/pkeyutl.c
@@ -67,10 +67,12 @@
 #define KEY_CERT        3

 static EVP_PKEY_CTX *init_ctx(int *pkeysize,
-                              char *keyfile, int keyform, int key_type,
-                              char *passinarg, int pkey_op, ENGINE *e);
+                              const char *keyfile, int keyform, int key_type,
+                              char *passinarg, int pkey_op, ENGINE *e,
+                              const int impl);

-static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file);
+static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
+                      ENGINE *e);

 static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,
                    unsigned char *out, size_t *poutlen,
@@ -78,7 +80,7 @@ static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op,

 typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
-    OPT_ENGINE, OPT_IN, OPT_OUT,
+    OPT_ENGINE, OPT_ENGINE_IMPL, OPT_IN, OPT_OUT,
    OPT_PUBIN, OPT_CERTIN, OPT_ASN1PARSE, OPT_HEXDUMP, OPT_SIGN,
    OPT_VERIFY, OPT_VERIFYRECOVER, OPT_REV, OPT_ENCRYPT, OPT_DECRYPT,
    OPT_DERIVE, OPT_SIGFILE, OPT_INKEY, OPT_PEERKEY, OPT_PASSIN,
@@ -87,29 +89,31 @@ typedef enum OPTION_choice {

 OPTIONS pkeyutl_options[] = {
    {"help", OPT_HELP, '-', "Display this summary"},
-    {"in", OPT_IN, '<', "Input file"},
-    {"out", OPT_OUT, '>', "Output file"},
+    {"in", OPT_IN, '<', "Input file - default stdin"},
+    {"out", OPT_OUT, '>', "Output file - default stdout"},
    {"pubin", OPT_PUBIN, '-', "Input is a public key"},
    {"certin", OPT_CERTIN, '-', "Input is a cert with a public key"},
-    {"asn1parse", OPT_ASN1PARSE, '-'},
+    {"asn1parse", OPT_ASN1PARSE, '-', "asn1parse the output data"},
    {"hexdump", OPT_HEXDUMP, '-', "Hex dump output"},
-    {"sign", OPT_SIGN, '-', "Sign with private key"},
+    {"sign", OPT_SIGN, '-', "Sign input data with private key"},
    {"verify", OPT_VERIFY, '-', "Verify with public key"},
    {"verifyrecover", OPT_VERIFYRECOVER, '-',
     "Verify with public key, recover original data"},
-    {"rev", OPT_REV, '-'},
-    {"encrypt", OPT_ENCRYPT, '-', "Encrypt with public key"},
-    {"decrypt", OPT_DECRYPT, '-', "Decrypt with private key"},
+    {"rev", OPT_REV, '-', "Reverse the order of the input buffer"},
+    {"encrypt", OPT_ENCRYPT, '-', "Encrypt input data with public key"},
+    {"decrypt", OPT_DECRYPT, '-', "Decrypt input data with private key"},
    {"derive", OPT_DERIVE, '-', "Derive shared secret"},
    {"sigfile", OPT_SIGFILE, '<', "Signature file (verify operation only)"},
-    {"inkey", OPT_INKEY, 's', "Input key"},
-    {"peerkey", OPT_PEERKEY, 's'},
+    {"inkey", OPT_INKEY, 's', "Input private key file"},
+    {"peerkey", OPT_PEERKEY, 's', "Peer key file used in key derivation"},
    {"passin", OPT_PASSIN, 's', "Pass phrase source"},
-    {"peerform", OPT_PEERFORM, 'F'},
-    {"keyform", OPT_KEYFORM, 'F', "Private key format - default PEM"},
+    {"peerform", OPT_PEERFORM, 'E', "Peer key format - default PEM"},
+    {"keyform", OPT_KEYFORM, 'E', "Private key format - default PEM"},
    {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"},
 #ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
+    {"engine_impl", OPT_ENGINE_IMPL, '-',
+     "Also use engine given by -engine for crypto operations"},
 #endif
    {NULL}
 };
@@ -126,8 +130,12 @@ int pkeyutl_main(int argc, char **argv)
    int buf_inlen = 0, siglen = -1, keyform = FORMAT_PEM, peerform =
        FORMAT_PEM;
    int keysize = -1, pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY;
+    int engine_impl = 0;
    int ret = 1, rv = -1;
    size_t buf_outlen;
+    const char *inkey = NULL;
+    const char *peerkey = NULL;
+    STACK_OF(OPENSSL_STRING) *pkeyopts = NULL;

    prog = opt_init(argc, argv, pkeyutl_options);
    while ((o = opt_next()) != OPT_EOF) {
@@ -150,28 +158,24 @@ int pkeyutl_main(int argc, char **argv)
        case OPT_SIGFILE:
            sigfile = opt_arg();
            break;
+        case OPT_ENGINE_IMPL:
+            engine_impl = 1;
+            break;
        case OPT_INKEY:
-            ctx = init_ctx(&keysize, opt_arg(), keyform, key_type,
-                           passinarg, pkey_op, e);
-            if (ctx == NULL) {
-                BIO_puts(bio_err, "%s: Error initializing context\n");
-                ERR_print_errors(bio_err);
-                goto opthelp;
-            }
+            inkey = opt_arg();
            break;
        case OPT_PEERKEY:
-            if (!setup_peer(ctx, peerform, opt_arg()))
-                goto opthelp;
+            peerkey = opt_arg();
            break;
        case OPT_PASSIN:
            passinarg = opt_arg();
            break;
        case OPT_PEERFORM:
-            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &peerform))
+            if (!opt_format(opt_arg(), OPT_FMT_PDE, &peerform))
                goto opthelp;
            break;
        case OPT_KEYFORM:
-            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyform))
+            if (!opt_format(opt_arg(), OPT_FMT_PDE, &keyform))
                goto opthelp;
            break;
        case OPT_ENGINE:
@@ -198,9 +202,6 @@ int pkeyutl_main(int argc, char **argv)
        case OPT_VERIFYRECOVER:
            pkey_op = EVP_PKEY_OP_VERIFYRECOVER;
            break;
-        case OPT_REV:
-            rev = 1;
-            break;
        case OPT_ENCRYPT:
            pkey_op = EVP_PKEY_OP_ENCRYPT;
            break;
@@ -210,15 +211,14 @@ int pkeyutl_main(int argc, char **argv)
        case OPT_DERIVE:
            pkey_op = EVP_PKEY_OP_DERIVE;
            break;
+        case OPT_REV:
+            rev = 1;
+            break;
        case OPT_PKEYOPT:
-            if (ctx == NULL) {
-                BIO_printf(bio_err,
-                           "%s: Must have -inkey before -pkeyopt\n", prog);
-                goto opthelp;
-            }
-            if (pkey_ctrl_string(ctx, opt_arg()) <= 0) {
-                BIO_printf(bio_err, "%s: Can't set parameter:\n", prog);
-                ERR_print_errors(bio_err);
+            if ((pkeyopts == NULL &&
+                 (pkeyopts = sk_OPENSSL_STRING_new_null()) == NULL) ||
+                sk_OPENSSL_STRING_push(pkeyopts, *++argv) == 0) {
+                BIO_puts(bio_err, "out of memory\n");
                goto end;
            }
            break;
@@ -227,9 +227,37 @@ int pkeyutl_main(int argc, char **argv)
    argc = opt_num_rest();
    argv = opt_rest();

-    if (ctx == NULL)
+    if (inkey == NULL ||
+        (peerkey != NULL && pkey_op != EVP_PKEY_OP_DERIVE))
        goto opthelp;

+    ctx = init_ctx(&keysize, inkey, keyform, key_type,
+                   passinarg, pkey_op, e, engine_impl);
+    if (ctx == NULL) {
+        BIO_printf(bio_err, "%s: Error initializing context\n", prog);
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+    if (peerkey != NULL && !setup_peer(ctx, peerform, peerkey, e)) {
+        BIO_printf(bio_err, "%s: Error setting up peer key\n", prog);
+        ERR_print_errors(bio_err);
+        goto end;
+    }
+    if (pkeyopts != NULL) {
+        int num = sk_OPENSSL_STRING_num(pkeyopts);
+        int i;
+
+        for (i = 0; i < num; ++i) {
+            const char *opt = sk_OPENSSL_STRING_value(pkeyopts, i);
+
+            if (pkey_ctrl_string(ctx, opt) <= 0) {
+                BIO_printf(bio_err, "%s: Can't set parameter:\n", prog);
+                ERR_print_errors(bio_err);
+                goto end;
+            }
+        }
+    }
+
    if (sigfile && (pkey_op != EVP_PKEY_OP_VERIFY)) {
        BIO_printf(bio_err,
                   "%s: Signature file specified for non verify\n", prog);
@@ -262,7 +290,7 @@ int pkeyutl_main(int argc, char **argv)
        }
        siglen = bio_to_mem(&sig, keysize * 10, sigbio);
        BIO_free(sigbio);
-        if (siglen <= 0) {
+        if (siglen < 0) {
            BIO_printf(bio_err, "Error reading signature data\n");
            goto end;
        }
@@ -271,7 +299,7 @@ int pkeyutl_main(int argc, char **argv)
    if (in) {
        /* Read the input data */
        buf_inlen = bio_to_mem(&buf_in, keysize * 10, in);
-        if (buf_inlen <= 0) {
+        if (buf_inlen < 0) {
            BIO_printf(bio_err, "Error reading input Data\n");
            exit(1);
        }
@@ -299,13 +327,13 @@ int pkeyutl_main(int argc, char **argv)
    }
    rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen,
                  buf_in, (size_t)buf_inlen);
-    if (rv > 0) {
+    if (rv > 0 && buf_outlen != 0) {
        buf_out = app_malloc(buf_outlen, "buffer output");
        rv = do_keyop(ctx, pkey_op,
                      buf_out, (size_t *)&buf_outlen,
                      buf_in, (size_t)buf_inlen);
    }
-    if (rv <= 0) {
+    if (rv < 0) {
        ERR_print_errors(bio_err);
        goto end;
    }
@@ -326,15 +354,18 @@ int pkeyutl_main(int argc, char **argv)
    OPENSSL_free(buf_in);
    OPENSSL_free(buf_out);
    OPENSSL_free(sig);
+    sk_OPENSSL_STRING_free(pkeyopts);
    return ret;
 }

 static EVP_PKEY_CTX *init_ctx(int *pkeysize,
-                              char *keyfile, int keyform, int key_type,
-                              char *passinarg, int pkey_op, ENGINE *e)
+                              const char *keyfile, int keyform, int key_type,
+                              char *passinarg, int pkey_op, ENGINE *e,
+                              const int engine_impl)
 {
    EVP_PKEY *pkey = NULL;
    EVP_PKEY_CTX *ctx = NULL;
+    ENGINE *impl = NULL;
    char *passin = NULL;
    int rv = -1;
    X509 *x;
@@ -372,7 +403,12 @@ static EVP_PKEY_CTX *init_ctx(int *pkeysize,
    if (!pkey)
        goto end;

-    ctx = EVP_PKEY_CTX_new(pkey, e);
+#ifndef OPENSSL_NO_ENGINE
+    if (engine_impl)
+        impl = e;
+#endif
+    
+    ctx = EVP_PKEY_CTX_new(pkey, impl);

    EVP_PKEY_free(pkey);

@@ -416,17 +452,16 @@ static EVP_PKEY_CTX *init_ctx(int *pkeysize,

 }

-static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file)
+static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
+                      ENGINE* e)
 {
    EVP_PKEY *peer = NULL;
+    ENGINE* engine = NULL;
    int ret;
-    if (!ctx) {
-        BIO_puts(bio_err, "-peerkey command before -inkey\n");
-        return 0;
-    }
-
-    peer = load_pubkey(file, peerform, 0, NULL, NULL, "Peer Key");

+    if (peerform == FORMAT_ENGINE)
+        engine = e;
+    peer = load_pubkey(file, peerform, 0, NULL, engine, "Peer Key");
    if (!peer) {
        BIO_printf(bio_err, "Error reading peer key %s\n", file);
        ERR_print_errors(bio_err);
--- a/apps/progs.h
+++ b/apps/progs.h
@@ -33,9 +33,12 @@ extern int ecparam_main(int argc, char *argv[]);
 extern int enc_main(int argc, char *argv[]);
 extern int engine_main(int argc, char *argv[]);
 extern int errstr_main(int argc, char *argv[]);
+extern int exit_main(int argc, char *argv[]);
 extern int gendsa_main(int argc, char *argv[]);
 extern int genpkey_main(int argc, char *argv[]);
 extern int genrsa_main(int argc, char *argv[]);
+extern int help_main(int argc, char *argv[]);
+extern int list_main(int argc, char *argv[]);
 extern int nseq_main(int argc, char *argv[]);
 extern int ocsp_main(int argc, char *argv[]);
 extern int passwd_main(int argc, char *argv[]);
@@ -47,6 +50,7 @@ extern int pkeyparam_main(int argc, char *argv[]);
 extern int pkeyutl_main(int argc, char *argv[]);
 extern int prime_main(int argc, char *argv[]);
 extern int rand_main(int argc, char *argv[]);
+extern int rehash_main(int argc, char *argv[]);
 extern int req_main(int argc, char *argv[]);
 extern int rsa_main(int argc, char *argv[]);
 extern int rsautl_main(int argc, char *argv[]);
@@ -62,10 +66,6 @@ extern int ts_main(int argc, char *argv[]);
 extern int verify_main(int argc, char *argv[]);
 extern int version_main(int argc, char *argv[]);
 extern int x509_main(int argc, char *argv[]);
-extern int rehash_main(int argc, char *argv[]);
-extern int list_main(int argc, char *argv[]);
-extern int help_main(int argc, char *argv[]);
-extern int exit_main(int argc, char *argv[]);

 extern OPTIONS asn1parse_options[];
 extern OPTIONS ca_options[];
@@ -82,9 +82,12 @@ extern OPTIONS ecparam_options[];
 extern OPTIONS enc_options[];
 extern OPTIONS engine_options[];
 extern OPTIONS errstr_options[];
+extern OPTIONS exit_options[];
 extern OPTIONS gendsa_options[];
 extern OPTIONS genpkey_options[];
 extern OPTIONS genrsa_options[];
+extern OPTIONS help_options[];
+extern OPTIONS list_options[];
 extern OPTIONS nseq_options[];
 extern OPTIONS ocsp_options[];
 extern OPTIONS passwd_options[];
@@ -96,6 +99,7 @@ extern OPTIONS pkeyparam_options[];
 extern OPTIONS pkeyutl_options[];
 extern OPTIONS prime_options[];
 extern OPTIONS rand_options[];
+extern OPTIONS rehash_options[];
 extern OPTIONS req_options[];
 extern OPTIONS rsa_options[];
 extern OPTIONS rsautl_options[];
@@ -111,10 +115,6 @@ extern OPTIONS ts_options[];
 extern OPTIONS verify_options[];
 extern OPTIONS version_options[];
 extern OPTIONS x509_options[];
-extern OPTIONS rehash_options[];
-extern OPTIONS list_options[];
-extern OPTIONS help_options[];
-extern OPTIONS exit_options[];

 #ifdef INCLUDE_FUNCTION_TABLE
 static FUNCTION functions[] = {
@@ -149,6 +149,7 @@ static FUNCTION functions[] = {
    { FT_general, "engine", engine_main, engine_options },
 #endif
    { FT_general, "errstr", errstr_main, errstr_options },
+    { FT_general, "exit", exit_main, exit_options },
 #ifndef OPENSSL_NO_DSA
    { FT_general, "gendsa", gendsa_main, gendsa_options },
 #endif
@@ -156,6 +157,8 @@ static FUNCTION functions[] = {
 #ifndef OPENSSL_NO_RSA
    { FT_general, "genrsa", genrsa_main, genrsa_options },
 #endif
+    { FT_general, "help", help_main, help_options },
+    { FT_general, "list", list_main, list_options },
    { FT_general, "nseq", nseq_main, nseq_options },
 #ifndef OPENSSL_NO_OCSP
    { FT_general, "ocsp", ocsp_main, ocsp_options },
@@ -171,6 +174,7 @@ static FUNCTION functions[] = {
    { FT_general, "pkeyutl", pkeyutl_main, pkeyutl_options },
    { FT_general, "prime", prime_main, prime_options },
    { FT_general, "rand", rand_main, rand_options },
+    { FT_general, "rehash", rehash_main, rehash_options },
    { FT_general, "req", req_main, req_options },
 #ifndef OPENSSL_NO_RSA
    { FT_general, "rsa", rsa_main, rsa_options },
@@ -198,10 +202,6 @@ static FUNCTION functions[] = {
    { FT_general, "verify", verify_main, verify_options },
    { FT_general, "version", version_main, version_options },
    { FT_general, "x509", x509_main, x509_options },
-    { FT_general, "rehash", rehash_main, rehash_options },
-    { FT_general, "list", list_main, list_options },
-    { FT_general, "help", help_main, help_options },
-    { FT_general, "exit", exit_main, exit_options },
 #ifndef OPENSSL_NO_MD2
    { FT_md, "md2", dgst_main},
 #endif
@@ -214,7 +214,6 @@ static FUNCTION functions[] = {
 #ifndef OPENSSL_NO_MD_GHOST94
    { FT_md, "md_ghost94", dgst_main},
 #endif
-    { FT_md, "sha", dgst_main},
    { FT_md, "sha1", dgst_main},
    { FT_md, "sha224", dgst_main},
    { FT_md, "sha256", dgst_main},
--- a/apps/progs.pl
+++ b/apps/progs.pl
@@ -1,5 +1,23 @@
-#!/usr/local/bin/perl
-# Generate progs.h file from list of "programs" passed on the command line.
+#!/usr/bin/perl
+# Generate progs.h file by looking for command mains in list of C files
+# passed on the command line.
+
+use strict;
+use warnings;
+
+my %commands = ();
+my $cmdre = qr/^\s*int\s+([a-z_][a-z0-9_]*)_main\(\s*int\s+argc\s*,/;
+
+foreach my $filename (@ARGV) {
+	open F, $filename or die "Coudn't open $_: $!\n";
+	foreach (grep /$cmdre/, <F>) {
+		my @foo = /$cmdre/;
+		$commands{$1} = 1;
+	}
+	close F;
+}
+
+@ARGV = sort keys %commands;

 print <<'EOF';
 /*
@@ -24,13 +42,6 @@ DEFINE_LHASH_OF(FUNCTION);

 EOF

-grep(s/\.o//, @ARGV);
-grep(s/^asn1pars$/asn1parse/, @ARGV);
-grep(s/^crl2p7$/crl2pkcs7/, @ARGV);
-push @ARGV, 'list';
-push @ARGV, 'help';
-push @ARGV, 'exit';
-
 foreach (@ARGV) {
 	printf "extern int %s_main(int argc, char *argv[]);\n", $_;
 }
@@ -43,7 +54,7 @@ foreach (@ARGV) {
 print "\n#ifdef INCLUDE_FUNCTION_TABLE\n";
 print "static FUNCTION functions[] = {\n";
 foreach (@ARGV) {
-	$str="    { FT_general, \"$_\", ${_}_main, ${_}_options },\n";
+	my $str="    { FT_general, \"$_\", ${_}_main, ${_}_options },\n";
 	if (/^s_/ || /^ciphers$/) {
 		print "#if !defined(OPENSSL_NO_SOCK)\n${str}#endif\n";
 	} elsif (/^engine$/) {
@@ -72,7 +83,7 @@ foreach (@ARGV) {
 foreach (
 	"md2", "md4", "md5",
 	"md_ghost94",
-	"sha", "sha1", "sha224", "sha256", "sha384", "sha512",
+	"sha1", "sha224", "sha256", "sha384", "sha512",
 	"mdc2", "rmd160"
 ) {
        printf "#ifndef OPENSSL_NO_".uc($_)."\n" if ! /sha/;
@@ -101,7 +112,7 @@ foreach (
 	"cast5-cbc","cast5-ecb", "cast5-cfb","cast5-ofb",
 	"cast-cbc", "rc5-cbc",   "rc5-ecb",  "rc5-cfb",  "rc5-ofb"
 ) {
-	$str="    { FT_cipher, \"$_\", enc_main, enc_options },\n";
+	my $str="    { FT_cipher, \"$_\", enc_main, enc_options },\n";
 	if (/des/) {
 		printf "#ifndef OPENSSL_NO_DES\n${str}#endif\n";
 	} elsif (/aes/) {
--- a/apps/req.c
+++ b/apps/req.c
@@ -89,8 +89,8 @@
 #define STRING_MASK     "string_mask"
 #define UTF8_IN         "utf8"

-#define DEFAULT_KEY_LENGTH      512
-#define MIN_KEY_LENGTH          384
+#define DEFAULT_KEY_LENGTH      2048
+#define MIN_KEY_LENGTH          512

 static int make_REQ(X509_REQ *req, EVP_PKEY *pkey, char *dn, int mutlirdn,
                    int attribs, unsigned long chtype);
@@ -136,8 +136,8 @@ OPTIONS req_options[] = {
    {"outform", OPT_OUTFORM, 'F', "Output format - DER or PEM"},
    {"in", OPT_IN, '<', "Input file"},
    {"out", OPT_OUT, '>', "Output file"},
-    {"key", OPT_KEY, '<', "Use the private key contained in file"},
-    {"keyform", OPT_KEYFORM, 'F', "Key file format"},
+    {"key", OPT_KEY, 's', "Private key to use"},
+    {"keyform", OPT_KEYFORM, 'f', "Key file format"},
    {"pubkey", OPT_PUBKEY, '-', "Output public key"},
    {"new", OPT_NEW, '-', "New request"},
    {"config", OPT_CONFIG, '<', "Request template file"},
@@ -235,7 +235,7 @@ int req_main(int argc, char **argv)
                goto opthelp;
            break;
        case OPT_ENGINE:
-            (void)setup_engine(opt_arg(), 0);
+            e = setup_engine(opt_arg(), 0);
            break;
        case OPT_KEYGEN_ENGINE:
 #ifndef OPENSSL_NO_ENGINE
@@ -259,7 +259,7 @@ int req_main(int argc, char **argv)
            template = opt_arg();
            break;
        case OPT_KEYFORM:
-            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyform))
+            if (!opt_format(opt_arg(), OPT_FMT_ANY, &keyform))
                goto opthelp;
            break;
        case OPT_IN:
@@ -811,7 +811,7 @@ int req_main(int argc, char **argv)
        fprintf(stdout, "Modulus=");
 #ifndef OPENSSL_NO_RSA
        if (EVP_PKEY_base_id(tpubkey) == EVP_PKEY_RSA)
-            BN_print(out, tpubkey->pkey.rsa->n);
+            BN_print(out, EVP_PKEY_get0_RSA(tpubkey)->n);
        else
 #endif
            fprintf(stdout, "Wrong Algorithm type");
@@ -1451,6 +1451,7 @@ static EVP_PKEY_CTX *set_keygen_ctx(const char *gstr,
    if (EVP_PKEY_keygen_init(gctx) <= 0) {
        BIO_puts(bio_err, "Error initializing keygen context\n");
        ERR_print_errors(bio_err);
+        EVP_PKEY_CTX_free(gctx);
        return NULL;
    }
 #ifndef OPENSSL_NO_RSA
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -104,7 +104,10 @@
 */

 #include <openssl/opensslconf.h>
-#ifndef OPENSSL_NO_RSA
+#ifdef OPENSSL_NO_RSA
+NON_EMPTY_TRANSLATION_UNIT
+#else
+
 # include <stdio.h>
 # include <stdlib.h>
 # include <string.h>
@@ -130,7 +133,7 @@ OPTIONS rsa_options[] = {
    {"help", OPT_HELP, '-', "Display this summary"},
    {"inform", OPT_INFORM, 'f', "Input format, one of DER NET PEM"},
    {"outform", OPT_OUTFORM, 'f', "Output format, one of DER NET PEM PVK"},
-    {"in", OPT_IN, '<', "Input file"},
+    {"in", OPT_IN, 's', "Input file"},
    {"out", OPT_OUT, '>', "Output file"},
    {"pubin", OPT_PUBIN, '-', "Expect a public key in input file"},
    {"pubout", OPT_PUBOUT, '-', "Output a public key"},
@@ -396,10 +399,4 @@ int rsa_main(int argc, char **argv)
    OPENSSL_free(passout);
    return (ret);
 }
-#else                           /* !OPENSSL_NO_RSA */
-
-# if PEDANTIC
-static void *dummy = &dummy;
-# endif
-
 #endif
--- a/apps/rsautl.c
+++ b/apps/rsautl.c
@@ -57,7 +57,9 @@
 */

 #include <openssl/opensslconf.h>
-#ifndef OPENSSL_NO_RSA
+#ifdef OPENSSL_NO_RSA
+NON_EMPTY_TRANSLATION_UNIT
+#else

 # include "apps.h"
 # include <string.h>
@@ -86,8 +88,8 @@ OPTIONS rsautl_options[] = {
    {"help", OPT_HELP, '-', "Display this summary"},
    {"in", OPT_IN, '<', "Input file"},
    {"out", OPT_OUT, '>', "Output file"},
-    {"inkey", OPT_INKEY, '<', "Input key"},
-    {"keyform", OPT_KEYFORM, 'F', "Private key format - default PEM"},
+    {"inkey", OPT_INKEY, 's', "Input key"},
+    {"keyform", OPT_KEYFORM, 'E', "Private key format - default PEM"},
    {"pubin", OPT_PUBIN, '-', "Input is an RSA public"},
    {"certin", OPT_CERTIN, '-', "Input is a cert carrying an RSA public key"},
    {"ssl", OPT_SSL, '-', "Use SSL v2 padding"},
@@ -137,7 +139,7 @@ int rsautl_main(int argc, char **argv)
            ret = 0;
            goto end;
        case OPT_KEYFORM:
-            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &keyformat))
+            if (!opt_format(opt_arg(), OPT_FMT_PDE, &keyformat))
                goto opthelp;
            break;
        case OPT_IN:
@@ -262,7 +264,7 @@ int rsautl_main(int argc, char **argv)

    /* Read the input data */
    rsa_inlen = BIO_read(in, rsa_in, keysize * 2);
-    if (rsa_inlen <= 0) {
+    if (rsa_inlen < 0) {
        BIO_printf(bio_err, "Error reading input Data\n");
        goto end;
    }
@@ -294,10 +296,9 @@ int rsautl_main(int argc, char **argv)
        rsa_outlen =
            RSA_private_decrypt(rsa_inlen, rsa_in, rsa_out, rsa, pad);
        break;
-
    }

-    if (rsa_outlen <= 0) {
+    if (rsa_outlen < 0) {
        BIO_printf(bio_err, "RSA operation error\n");
        ERR_print_errors(bio_err);
        goto end;
@@ -320,11 +321,4 @@ int rsautl_main(int argc, char **argv)
    OPENSSL_free(passin);
    return ret;
 }
-
-#else                           /* !OPENSSL_NO_RSA */
-
-# if PEDANTIC
-static void *dummy = &dummy;
-# endif
-
 #endif
--- a/apps/s_apps.h
+++ b/apps/s_apps.h
@@ -1,4 +1,3 @@
-/* apps/s_apps.h */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -147,20 +146,14 @@ typedef fd_mask fd_set;
 # define FD_ZERO(p)      memset((p), 0, sizeof(*(p)))
 #endif

-#define PORT            4433
-#define PORT_STR        "4433"
+#define PORT            "4433"
 #define PROTOCOL        "tcp"

-int do_server(int port, int type, int *ret,
-              int (*cb) (char *hostname, int s, int stype,
+int do_server(int *accept_sock, const char *host, const char *port,
+              int family, int type,
+              int (*cb) (const char *hostname, int s, int stype,
                         unsigned char *context), unsigned char *context,
              int naccept);
-#ifndef NO_SYS_UN_H
-int do_server_unix(const char *path, int *ret,
-                   int (*cb) (char *hostname, int s, int stype,
-                              unsigned char *context), unsigned char *context,
-                   int naccept);
-#endif
 #ifdef HEADER_X509_H
 int verify_callback(int ok, X509_STORE_CTX *ctx);
 #endif
@@ -173,14 +166,9 @@ int ssl_print_point_formats(BIO *out, SSL *s);
 int ssl_print_curves(BIO *out, SSL *s, int noshared);
 #endif
 int ssl_print_tmp_key(BIO *out, SSL *s);
-int init_client(int *sock, const char *server, int port, int type);
-#ifndef NO_SYS_UN_H
-int init_client_unix(int *sock, const char *server);
-#endif
+int init_client(int *sock, const char *host, const char *port,
+                int family, int type);
 int should_retry(int i);
-int extract_port(const char *str, unsigned short *port_ptr);
-int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
-                      unsigned short *p);

 long bio_dump_callback(BIO *bio, int cmd, const char *argp,
                       int argi, long argl, long ret);
@@ -189,7 +177,7 @@ long bio_dump_callback(BIO *bio, int cmd, const char *argp,
 void apps_ssl_info_callback(const SSL *s, int where, int ret);
 void msg_cb(int write_p, int version, int content_type, const void *buf,
            size_t len, SSL *ssl, void *arg);
-void tlsext_cb(SSL *s, int client_server, int type, unsigned char *data,
+void tlsext_cb(SSL *s, int client_server, int type, const unsigned char *data,
               int len, void *arg);
 #endif

@@ -204,6 +192,7 @@ void ssl_ctx_set_excert(SSL_CTX *ctx, SSL_EXCERT *exc);
 void ssl_excert_free(SSL_EXCERT *exc);
 int args_excert(int option, SSL_EXCERT **pexc);
 int load_excert(SSL_EXCERT **pexc);
+void print_verify_detail(SSL *s, BIO *bio);
 void print_ssl_summary(SSL *s);
 #ifdef HEADER_SSL_H
 int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -167,7 +167,7 @@ int verify_callback(int ok, X509_STORE_CTX *ctx)
        if (verify_depth >= depth) {
            if (!verify_return_error)
                ok = 1;
-            verify_error = X509_V_OK;
+            verify_error = err;
        } else {
            ok = 0;
            verify_error = X509_V_ERR_CERT_CHAIN_TOO_LONG;
@@ -596,6 +596,7 @@ static STRINT_PAIR handshakes[] = {
    {", ClientHello", 1},
    {", ServerHello", 2},
    {", HelloVerifyRequest", 3},
+    {", NewSessionTicket", 4},
    {", Certificate", 11},
    {", ServerKeyExchange", 12},
    {", CertificateRequest", 13},
@@ -603,6 +604,9 @@ static STRINT_PAIR handshakes[] = {
    {", CertificateVerify", 15},
    {", ClientKeyExchange", 16},
    {", Finished", 20},
+    {", CertificateUrl", 21},
+    {", CertificateStatus", 22},
+    {", SupplementalData", 23},
    {NULL}
 };

@@ -645,6 +649,9 @@ void msg_cb(int write_p, int version, int content_type, const void *buf,
            if (len > 0)
                str_details1 = lookup((int)bp[0], handshakes, "???");
            break;
+        case 23:
+            str_content_type = "ApplicationData";
+            break;
 #ifndef OPENSSL_NO_HEARTBEATS
        case 24:
            str_details1 = ", Heartbeat";
@@ -722,14 +729,14 @@ static STRINT_PAIR tlsext_types[] = {
 };

 void tlsext_cb(SSL *s, int client_server, int type,
-               unsigned char *data, int len, void *arg)
+               const unsigned char *data, int len, void *arg)
 {
    BIO *bio = arg;
    const char *extname = lookup(type, tlsext_types, "unknown");

    BIO_printf(bio, "TLS %s extension \"%s\" (id=%d), len=%d\n",
               client_server ? "server" : "client", extname, type, len);
-    BIO_dump(bio, (char *)data, len);
+    BIO_dump(bio, (const char *)data, len);
    (void)BIO_flush(bio);
 }

@@ -737,14 +744,9 @@ int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
                             unsigned int *cookie_len)
 {
    unsigned char *buffer;
-    unsigned int length;
-    union {
-        struct sockaddr sa;
-        struct sockaddr_in s4;
-#if OPENSSL_USE_IPV6
-        struct sockaddr_in6 s6;
-#endif
-    } peer;
+    size_t length;
+    unsigned short port;
+    BIO_ADDR *peer = NULL;

    /* Initialize a random secret */
    if (!cookie_initialized) {
@@ -755,50 +757,31 @@ int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
        cookie_initialized = 1;
    }

+    peer = BIO_ADDR_new();
+    if (peer == NULL) {
+        BIO_printf(bio_err, "memory full\n");
+        return 0;
+    }
+
    /* Read peer information */
-    (void)BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer);
+    (void)BIO_dgram_get_peer(SSL_get_rbio(ssl), peer);

    /* Create buffer with peer's address and port */
-    length = 0;
-    switch (peer.sa.sa_family) {
-    case AF_INET:
-        length += sizeof(struct in_addr);
-        length += sizeof(peer.s4.sin_port);
-        break;
-#if OPENSSL_USE_IPV6
-    case AF_INET6:
-        length += sizeof(struct in6_addr);
-        length += sizeof(peer.s6.sin6_port);
-        break;
-#endif
-    default:
-        OPENSSL_assert(0);
-        break;
-    }
+    BIO_ADDR_rawaddress(peer, NULL, &length);
+    OPENSSL_assert(length != 0);
+    port = BIO_ADDR_rawport(peer);
+    length += sizeof(port);
    buffer = app_malloc(length, "cookie generate buffer");

-    switch (peer.sa.sa_family) {
-    case AF_INET:
-        memcpy(buffer, &peer.s4.sin_port, sizeof(peer.s4.sin_port));
-        memcpy(buffer + sizeof(peer.s4.sin_port),
-               &peer.s4.sin_addr, sizeof(struct in_addr));
-        break;
-#if OPENSSL_USE_IPV6
-    case AF_INET6:
-        memcpy(buffer, &peer.s6.sin6_port, sizeof(peer.s6.sin6_port));
-        memcpy(buffer + sizeof(peer.s6.sin6_port),
-               &peer.s6.sin6_addr, sizeof(struct in6_addr));
-        break;
-#endif
-    default:
-        OPENSSL_assert(0);
-        break;
-    }
+    memcpy(buffer, &port, sizeof(port));
+    BIO_ADDR_rawaddress(peer, buffer + sizeof(port), NULL);

    /* Calculate HMAC of buffer using the secret */
    HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH,
         buffer, length, cookie, cookie_len);
+
    OPENSSL_free(buffer);
+    BIO_ADDR_free(peer);

    return 1;
 }
@@ -848,7 +831,7 @@ static STRINT_PAIR chain_flags[] = {
    {"CA signature", CERT_PKEY_CA_SIGNATURE},
    {"EE key parameters", CERT_PKEY_EE_PARAM},
    {"CA key parameters", CERT_PKEY_CA_PARAM},
-    {"Explicity sign with EE key", CERT_PKEY_EXPLICIT_SIGN},
+    {"Explicitly sign with EE key", CERT_PKEY_EXPLICIT_SIGN},
    {"Issuer Name", CERT_PKEY_ISSUER_NAME},
    {"Certificate Type", CERT_PKEY_CERT_TYPE},
    {NULL}
@@ -1002,9 +985,8 @@ int load_excert(SSL_EXCERT **pexc)
        if (!exc->key)
            return 0;
        if (exc->chainfile) {
-            exc->chain = load_certs(exc->chainfile, FORMAT_PEM,
-                                    NULL, NULL, "Server Chain");
-            if (!exc->chain)
+            if (!load_certs(exc->chainfile, &exc->chain, FORMAT_PEM, NULL,
+                            NULL, "Server Chain"))
                return 0;
        }
    }
@@ -1104,6 +1086,80 @@ static void print_raw_cipherlist(SSL *s)
    BIO_puts(bio_err, "\n");
 }

+/*
+ * Hex encoder for TLSA RRdata, not ':' delimited.
+ */
+static char *hexencode(const unsigned char *data, size_t len)
+{
+    static const char *hex = "0123456789abcdef";
+    char *out;
+    char *cp;
+    size_t outlen = 2 * len + 1;
+    int ilen = (int) outlen;
+
+    if (outlen < len || ilen < 0 || outlen != (size_t)ilen) {
+        BIO_printf(bio_err, "%s: %" PRIu64 "-byte buffer too large to hexencode\n",
+                   opt_getprog(), (uint64_t)len);
+        exit(1);
+    }
+    cp = out = app_malloc(ilen, "TLSA hex data buffer");
+
+    while (ilen-- > 0) {
+        *cp++ = hex[(*data >> 4) & 0x0f];
+        *cp++ = hex[*data++ & 0x0f];
+    }
+    *cp = '\0';
+    return out;
+}
+
+void print_verify_detail(SSL *s, BIO *bio)
+{
+    int mdpth;
+    EVP_PKEY *mspki;
+    long verify_err = SSL_get_verify_result(s);
+
+    if (verify_err == X509_V_OK) {
+        const char *peername = SSL_get0_peername(s);
+
+        BIO_printf(bio, "Verification: OK\n");
+        if (peername != NULL)
+            BIO_printf(bio, "Verified peername: %s\n", peername);
+    } else {
+        const char *reason = X509_verify_cert_error_string(verify_err);
+
+        BIO_printf(bio, "Verification error: %s\n", reason);
+    }
+
+    if ((mdpth = SSL_get0_dane_authority(s, NULL, &mspki)) >= 0) {
+        uint8_t usage, selector, mtype;
+        const unsigned char *data = NULL;
+        size_t dlen = 0;
+        char *hexdata;
+
+        mdpth = SSL_get0_dane_tlsa(s, &usage, &selector, &mtype, &data, &dlen);
+
+        /*
+         * The TLSA data field can be quite long when it is a certificate,
+         * public key or even a SHA2-512 digest.  Because the initial octets of
+         * ASN.1 certificates and public keys contain mostly boilerplate OIDs
+         * and lengths, we show the last 12 bytes of the data instead, as these
+         * are more likely to distinguish distinct TLSA records.
+         */
+#define TLSA_TAIL_SIZE 12
+        if (dlen > TLSA_TAIL_SIZE)
+            hexdata = hexencode(data + dlen - TLSA_TAIL_SIZE, TLSA_TAIL_SIZE);
+        else
+            hexdata = hexencode(data, dlen);
+        BIO_printf(bio, "DANE TLSA %d %d %d %s%s %s at depth %d\n",
+                   usage, selector, mtype,
+                   (dlen > TLSA_TAIL_SIZE) ? "..." : "", hexdata,
+                   (mspki != NULL) ? "signed the certificate" :
+                   mdpth ? "matched TA certificate" : "matched EE certificate",
+                   mdpth);
+        OPENSSL_free(hexdata);
+    }
+}
+
 void print_ssl_summary(SSL *s)
 {
    const SSL_CIPHER *c;
@@ -1118,12 +1174,14 @@ void print_ssl_summary(SSL *s)
    peer = SSL_get_peer_certificate(s);
    if (peer) {
        int nid;
+
        BIO_puts(bio_err, "Peer certificate: ");
        X509_NAME_print_ex(bio_err, X509_get_subject_name(peer),
                           0, XN_FLAG_ONELINE);
        BIO_puts(bio_err, "\n");
        if (SSL_get_peer_signature_nid(s, &nid))
            BIO_printf(bio_err, "Hash used: %s\n", OBJ_nid2sn(nid));
+        print_verify_detail(s, bio_err);
    } else
        BIO_puts(bio_err, "No peer certificate\n");
    X509_free(peer);
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -173,8 +173,6 @@ typedef unsigned int u_int;
 # undef FIONBIO
 #endif

-#define SSL_HOST_NAME   "localhost"
-
 #undef BUFSIZZ
 #define BUFSIZZ 1024*8
 #define S_CLIENT_IRC_READ_TIMEOUT 8
@@ -189,7 +187,6 @@ static int async = 0;
 static int c_nbio = 0;
 static int c_tlsextdebug = 0;
 static int c_status_req = 0;
-static int c_Pause = 0;
 static int c_debug = 0;
 static int c_msg = 0;
 static int c_showcerts = 0;
@@ -219,6 +216,27 @@ static int restore_errno(void)
    return ret;
 }

+static void do_ssl_shutdown(SSL *ssl)
+{
+    int ret;
+
+    do {
+        /* We only do unidirectional shutdown */
+        ret = SSL_shutdown(ssl);
+        if (ret < 0) {
+            switch (SSL_get_error(ssl, ret)) {
+            case SSL_ERROR_WANT_READ:
+            case SSL_ERROR_WANT_WRITE:
+            case SSL_ERROR_WANT_ASYNC:
+                /* We just do busy waiting. Nothing clever */
+                continue;
+            }
+            ret = 0;
+        }
+    } while (ret < 0);
+}
+
+
 #ifndef OPENSSL_NO_PSK
 /* Default PSK identity and key */
 static char *psk_identity = "Client_identity";
@@ -491,9 +509,9 @@ static ossl_ssize_t hexdecode(const char **inptr, void *result)
    for (byte = 0; *in; ++in) {
        char c;

-        if (isspace(*in))
+        if (isspace(_UC(*in)))
            continue;
-        c = tolower(*in);
+        c = tolower(_UC(*in));
        if ('0' <= c && c <= '9') {
            byte |= c - '0';
        } else if ('a' <= c && c <= 'f') {
@@ -535,11 +553,11 @@ static ossl_ssize_t checked_uint8(const char **inptr, void *out)
    e = restore_errno();

    if (((v == LONG_MIN || v == LONG_MAX) && e == ERANGE) ||
-        endp == in || !isspace(*endp) ||
+        endp == in || !isspace(_UC(*endp)) ||
        v != (*result = (uint8_t) v)) {
        return -1;
    }
-    for (in = endp; isspace(*in); ++in)
+    for (in = endp; isspace(_UC(*in)); ++in)
        continue;

    *inptr = in;
@@ -614,12 +632,13 @@ static int tlsa_import_rrset(SSL *con, STACK_OF(OPENSSL_STRING) *rrset)

 typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
-    OPT_HOST, OPT_PORT, OPT_CONNECT, OPT_UNIX, OPT_XMPPHOST, OPT_VERIFY,
+    OPT_4, OPT_6, OPT_HOST, OPT_PORT, OPT_CONNECT, OPT_UNIX,
+    OPT_XMPPHOST, OPT_VERIFY,
    OPT_CERT, OPT_CRL, OPT_CRL_DOWNLOAD, OPT_SESS_OUT, OPT_SESS_IN,
    OPT_CERTFORM, OPT_CRLFORM, OPT_VERIFY_RET_ERROR, OPT_VERIFY_QUIET,
    OPT_BRIEF, OPT_PREXIT, OPT_CRLF, OPT_QUIET, OPT_NBIO,
    OPT_SSL_CLIENT_ENGINE, OPT_RAND, OPT_IGN_EOF, OPT_NO_IGN_EOF,
-    OPT_PAUSE, OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_STATUS, OPT_WDEBUG,
+    OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_STATUS, OPT_WDEBUG,
    OPT_MSG, OPT_MSGFILE, OPT_ENGINE, OPT_TRACE, OPT_SECURITY_DEBUG,
    OPT_SECURITY_DEBUG_VERBOSE, OPT_SHOWCERTS, OPT_NBIO_TEST, OPT_STATE,
    OPT_PSK_IDENTITY, OPT_PSK, OPT_SRPUSER, OPT_SRPPASS, OPT_SRP_STRENGTH,
@@ -644,10 +663,14 @@ OPTIONS s_client_options[] = {
    {"host", OPT_HOST, 's', "Use -connect instead"},
    {"port", OPT_PORT, 'p', "Use -connect instead"},
    {"connect", OPT_CONNECT, 's',
-     "TCP/IP where to connect (default is " SSL_HOST_NAME ":" PORT_STR ")"},
+     "TCP/IP where to connect (default is :" PORT ")"},
    {"proxy", OPT_PROXY, 's',
     "Connect to via specified proxy to the real server"},
+#ifdef AF_UNIX
    {"unix", OPT_UNIX, 's', "Connect over unix domain sockets"},
+#endif
+    {"4", OPT_4, '-', "Use IPv4 only"},
+    {"6", OPT_6, '-', "Use IPv6 only"},
    {"verify", OPT_VERIFY, 'p', "Turn on peer certificate verification"},
    {"cert", OPT_CERT, '<', "Certificate file to use, PEM format assumed"},
    {"certform", OPT_CERTFORM, 'F',
@@ -666,7 +689,6 @@ OPTIONS s_client_options[] = {
     "DANE TLSA rrdata presentation form"},
    {"reconnect", OPT_RECONNECT, '-',
     "Drop and re-make the connection with the same Session-ID"},
-    {"pause", OPT_PAUSE, '-', "Sleep  after each read and write system call"},
    {"showcerts", OPT_SHOWCERTS, '-', "Show all certificates in the chain"},
    {"debug", OPT_DEBUG, '-', "Extra output"},
    {"msg", OPT_MSG, '-', "Show protocol messages"},
@@ -677,9 +699,6 @@ OPTIONS s_client_options[] = {
    {"quiet", OPT_QUIET, '-', "No s_client output"},
    {"ign_eof", OPT_IGN_EOF, '-', "Ignore input eof (default when -quiet)"},
    {"no_ign_eof", OPT_NO_IGN_EOF, '-', "Don't ignore input eof"},
-    {"tls1_2", OPT_TLS1_2, '-', "Just use TLSv1.2"},
-    {"tls1_1", OPT_TLS1_1, '-', "Just use TLSv1.1"},
-    {"tls1", OPT_TLS1, '-', "Just use TLSv1"},
    {"starttls", OPT_STARTTLS, 's',
     "Use the appropriate STARTTLS command before starting TLS"},
    {"xmpphost", OPT_XMPPHOST, 's',
@@ -729,13 +748,26 @@ OPTIONS s_client_options[] = {
 #ifndef OPENSSL_NO_SSL3
    {"ssl3", OPT_SSL3, '-', "Just use SSLv3"},
 #endif
+#ifndef OPENSSL_NO_TLS1
+    {"tls1", OPT_TLS1, '-', "Just use TLSv1"},
+#endif
+#ifndef OPENSSL_NO_TLS1_1
+    {"tls1_1", OPT_TLS1_1, '-', "Just use TLSv1.1"},
+#endif
+#ifndef OPENSSL_NO_TLS1_2
+    {"tls1_2", OPT_TLS1_2, '-', "Just use TLSv1.2"},
+#endif
 #ifndef OPENSSL_NO_DTLS
    {"dtls", OPT_DTLS, '-'},
-    {"dtls1", OPT_DTLS1, '-', "Just use DTLSv1"},
-    {"dtls1_2", OPT_DTLS1_2, '-'},
    {"timeout", OPT_TIMEOUT, '-'},
    {"mtu", OPT_MTU, 'p', "Set the link layer MTU"},
 #endif
+#ifndef OPENSSL_NO_DTLS1
+    {"dtls1", OPT_DTLS1, '-', "Just use DTLSv1"},
+#endif
+#ifndef OPENSSL_NO_DTLS1_2
+    {"dtls1_2", OPT_DTLS1_2, '-'},
+#endif
 #ifndef OPENSSL_NO_SSL_TRACE
    {"trace", OPT_TRACE, '-'},
 #endif
@@ -816,12 +848,12 @@ int s_client_main(int argc, char **argv)
    char *CApath = NULL, *CAfile = NULL, *cbuf = NULL, *sbuf = NULL;
    char *mbuf = NULL, *proxystr = NULL, *connectstr = NULL;
    char *cert_file = NULL, *key_file = NULL, *chain_file = NULL;
-    char *chCApath = NULL, *chCAfile = NULL, *host = SSL_HOST_NAME;
+    char *chCApath = NULL, *chCAfile = NULL, *host = NULL;
+    char *port = BUF_strdup(PORT);
    char *inrand = NULL;
    char *passarg = NULL, *pass = NULL, *vfyCApath = NULL, *vfyCAfile = NULL;
    char *sess_in = NULL, *sess_out = NULL, *crl_file = NULL, *p;
    char *jpake_secret = NULL, *xmpphost = NULL;
-    const char *unix_path = NULL;
    const char *ehlo = "mail.example.com";
    struct sockaddr peer;
    struct timeval timeout, *timeoutp;
@@ -833,12 +865,12 @@ int s_client_main(int argc, char **argv)
    int enable_timeouts = 0, sdebug = 0, peerlen = sizeof peer;
    int reconnect = 0, verify = SSL_VERIFY_NONE, vpmtouched = 0;
    int ret = 1, in_init = 1, i, nbio_test = 0, s = -1, k, width, state = 0;
-    int sbuf_len, sbuf_off, socket_type = SOCK_STREAM, cmdletters = 1;
+    int sbuf_len, sbuf_off, cmdletters = 1;
+    int socket_family = AF_UNSPEC, socket_type = SOCK_STREAM;
    int starttls_proto = PROTO_OFF, crl_format = FORMAT_PEM, crl_download = 0;
    int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending;
    int fallback_scsv = 0;
    long socket_mtu = 0, randamt = 0;
-    unsigned short port = PORT;
    OPTION_CHOICE o;
 #ifndef OPENSSL_NO_ENGINE
    ENGINE *ssl_client_engine = NULL;
@@ -864,7 +896,6 @@ int s_client_main(int argc, char **argv)
 #endif

    prog = opt_progname(argv[0]);
-    c_Pause = 0;
    c_quiet = 0;
    c_ign_eof = 0;
    c_debug = 0;
@@ -898,22 +929,72 @@ int s_client_main(int argc, char **argv)
            opt_help(s_client_options);
            ret = 0;
            goto end;
+        case OPT_4:
+#ifdef AF_UNIX
+            if (socket_family == AF_UNIX) {
+                OPENSSL_free(host); host = NULL;
+                OPENSSL_free(port); port = NULL;
+            }
+#endif
+            socket_family = AF_INET;
+            break;
+        case OPT_6:
+            if (1) {
+#ifdef AF_INET6
+#ifdef AF_UNIX
+                if (socket_family == AF_UNIX) {
+                    OPENSSL_free(host); host = NULL;
+                    OPENSSL_free(port); port = NULL;
+                }
+#endif
+                socket_family = AF_INET6;
+            } else {
+#endif
+                BIO_printf(bio_err, "%s: IPv6 domain sockets unsupported\n", prog);
+                goto end;
+            }
+            break;
        case OPT_HOST:
-            host = opt_arg();
+#ifdef AF_UNIX
+            if (socket_family == AF_UNIX) {
+                OPENSSL_free(host); host = NULL;
+                OPENSSL_free(port); port = NULL;
+                socket_family = AF_UNSPEC;
+            }
+#endif
+            OPENSSL_free(host); host = BUF_strdup(opt_arg());
            break;
        case OPT_PORT:
-            port = atoi(opt_arg());
+#ifdef AF_UNIX
+            if (socket_family == AF_UNIX) {
+                OPENSSL_free(host); host = NULL;
+                OPENSSL_free(port); port = NULL;
+                socket_family = AF_UNSPEC;
+            }
+#endif
+            OPENSSL_free(port); port = BUF_strdup(opt_arg());
            break;
        case OPT_CONNECT:
+#ifdef AF_UNIX
+            if (socket_family == AF_UNIX) {
+                socket_family = AF_UNSPEC;
+            }
+#endif
+            OPENSSL_free(host); host = NULL;
+            OPENSSL_free(port); port = NULL;
            connectstr = opt_arg();
            break;
        case OPT_PROXY:
            proxystr = opt_arg();
            starttls_proto = PROTO_CONNECT;
            break;
+#ifdef AF_UNIX
        case OPT_UNIX:
-            unix_path = opt_arg();
+            socket_family = AF_UNIX;
+            OPENSSL_free(host); host = BUF_strdup(opt_arg());
+            OPENSSL_free(port); port = NULL;
            break;
+#endif
        case OPT_XMPPHOST:
            xmpphost = opt_arg();
            break;
@@ -1014,9 +1095,6 @@ int s_client_main(int argc, char **argv)
        case OPT_NO_IGN_EOF:
            c_ign_eof = 0;
            break;
-        case OPT_PAUSE:
-            c_Pause = 1;
-            break;
        case OPT_DEBUG:
            c_debug = 1;
            break;
@@ -1063,7 +1141,7 @@ int s_client_main(int argc, char **argv)
            break;
        case OPT_PSK:
            for (p = psk_key = opt_arg(); *p; p++) {
-                if (isxdigit(*p))
+                if (isxdigit(_UC(*p)))
                    continue;
                BIO_printf(bio_err, "Not a hex number '%s'\n", psk_key);
                goto end;
@@ -1114,41 +1192,48 @@ int s_client_main(int argc, char **argv)
 #endif
            break;
        case OPT_TLS1_2:
+#ifndef OPENSSL_NO_TLS1_2
            meth = TLSv1_2_client_method();
+#endif
            break;
        case OPT_TLS1_1:
+#ifndef OPENSSL_NO_TLS1_1
            meth = TLSv1_1_client_method();
+#endif
            break;
        case OPT_TLS1:
+#ifndef OPENSSL_NO_TLS1
            meth = TLSv1_client_method();
+#endif
            break;
-#ifndef OPENSSL_NO_DTLS
        case OPT_DTLS:
+#ifndef OPENSSL_NO_DTLS
            meth = DTLS_client_method();
            socket_type = SOCK_DGRAM;
+#endif
            break;
        case OPT_DTLS1:
+#ifndef OPENSSL_NO_DTLS1
            meth = DTLSv1_client_method();
            socket_type = SOCK_DGRAM;
+#endif
            break;
        case OPT_DTLS1_2:
+#ifndef OPENSSL_NO_DTLS1_2
            meth = DTLSv1_2_client_method();
            socket_type = SOCK_DGRAM;
-            break;
-        case OPT_TIMEOUT:
-            enable_timeouts = 1;
-            break;
-        case OPT_MTU:
-            socket_mtu = atol(opt_arg());
-            break;
-#else
-        case OPT_DTLS:
-        case OPT_DTLS1:
-        case OPT_DTLS1_2:
-        case OPT_TIMEOUT:
-        case OPT_MTU:
-            break;
 #endif
+            break;
+        case OPT_TIMEOUT:
+#ifndef OPENSSL_NO_DTLS
+            enable_timeouts = 1;
+#endif
+            break;
+        case OPT_MTU:
+#ifndef OPENSSL_NO_DTLS
+            socket_mtu = atol(opt_arg());
+#endif
+            break;
        case OPT_FALLBACKSCSV:
            fallback_scsv = 1;
            break;
@@ -1254,18 +1339,41 @@ int s_client_main(int argc, char **argv)
    argv = opt_rest();

    if (proxystr) {
+        int res;
+        char *tmp_host = host, *tmp_port = port;
        if (connectstr == NULL) {
            BIO_printf(bio_err, "%s: -proxy requires use of -connect\n", prog);
            goto opthelp;
        }
-        if (!extract_host_port(proxystr, &host, NULL, &port))
+        res = BIO_parse_hostserv(proxystr, &host, &port, BIO_PARSE_PRIO_HOST);
+        if (tmp_host != host)
+            OPENSSL_free(tmp_host);
+        if (tmp_port != port)
+            OPENSSL_free(tmp_port);
+        if (!res) {
+            BIO_printf(bio_err, "%s: -proxy argument malformed or ambiguous\n",
+                       prog);
            goto end;
+        }
+    } else {
+        int res = 1;
+        char *tmp_host = host, *tmp_port = port;
+        if (connectstr != NULL)
+            res = BIO_parse_hostserv(connectstr, &host, &port,
+                                     BIO_PARSE_PRIO_HOST);
+        if (tmp_host != host)
+            OPENSSL_free(tmp_host);
+        if (tmp_port != port)
+            OPENSSL_free(tmp_port);
+        if (!res) {
+            BIO_printf(bio_err,
+                       "%s: -connect argument malformed or ambiguous\n",
+                       prog);
+            goto end;
+        }
    }
-    else if (connectstr != NULL
-            && !extract_host_port(connectstr, &host, NULL, &port))
-        goto end;

-    if (unix_path && (socket_type != SOCK_STREAM)) {
+    if (socket_family == AF_UNIX && socket_type != SOCK_STREAM) {
        BIO_printf(bio_err,
                   "Can't use unix sockets and datagrams together\n");
        goto end;
@@ -1320,9 +1428,8 @@ int s_client_main(int argc, char **argv)
    }

    if (chain_file) {
-        chain = load_certs(chain_file, FORMAT_PEM,
-                           NULL, e, "client certificate chain");
-        if (!chain)
+        if (!load_certs(chain_file, &chain, FORMAT_PEM, NULL, e,
+                        "client certificate chain"))
            goto end;
    }

@@ -1397,7 +1504,6 @@ int s_client_main(int argc, char **argv)

    if (async) {
        SSL_CTX_set_mode(ctx, SSL_MODE_ASYNC);
-        ASYNC_init(1, 0, 0);
    }

    if (!config_ctx(cctx, ssl_args, ctx, jpake_secret == NULL))
@@ -1579,12 +1685,7 @@ int s_client_main(int argc, char **argv)
    }

 re_start:
-#ifdef NO_SYS_UN_H
-    if (init_client(&s, host, port, socket_type) == 0)
-#else
-    if ((!unix_path && (init_client(&s, host, port, socket_type) == 0)) ||
-        (unix_path && (init_client_unix(&s, unix_path) == 0)))
-#endif
+    if (init_client(&s, host, port, socket_family, socket_type) == 0)
    {
        BIO_printf(bio_err, "connect:errno=%d\n", get_last_socket_error());
        SHUTDOWN(s);
@@ -1602,9 +1703,6 @@ int s_client_main(int argc, char **argv)
        }
    }
 #endif
-    if (c_Pause & 0x01)
-        SSL_set_debug(con, 1);
-
    if (socket_type == SOCK_DGRAM) {

        sbio = BIO_new_dgram(s, BIO_NOCLOSE);
@@ -1654,7 +1752,6 @@ int s_client_main(int argc, char **argv)
    }

    if (c_debug) {
-        SSL_set_debug(con, 1);
        BIO_set_callback(sbio, bio_dump_callback);
        BIO_set_callback_arg(sbio, (char *)bio_c_out);
    }
@@ -1996,7 +2093,7 @@ int s_client_main(int argc, char **argv)
                    reconnect--;
                    BIO_printf(bio_c_out,
                               "drop connection and then reconnect\n");
-                    SSL_shutdown(con);
+                    do_ssl_shutdown(con);
                    SSL_set_connect_state(con);
                    SHUTDOWN(SSL_get_fd(con));
                    goto re_start;
@@ -2314,7 +2411,7 @@ int s_client_main(int argc, char **argv)
 shut:
    if (in_init)
        print_stuff(bio_c_out, con, full_log);
-    SSL_shutdown(con);
+    do_ssl_shutdown(con);
    SHUTDOWN(SSL_get_fd(con));
 end:
    if (con != NULL) {
@@ -2322,9 +2419,6 @@ int s_client_main(int argc, char **argv)
            print_stuff(bio_c_out, con, 1);
        SSL_free(con);
    }
-    if (async) {
-        ASYNC_cleanup(1);
-    }
 #if !defined(OPENSSL_NO_NEXTPROTONEG)
    OPENSSL_free(next_proto.data);
 #endif
@@ -2337,6 +2431,8 @@ int s_client_main(int argc, char **argv)
 #ifndef OPENSSL_NO_SRP
    OPENSSL_free(srp_arg.srppassin);
 #endif
+    OPENSSL_free(host);
+    OPENSSL_free(port);
    X509_VERIFY_PARAM_free(vpm);
    ssl_excert_free(exc);
    sk_OPENSSL_STRING_free(ssl_args);
@@ -2361,9 +2457,6 @@ static void print_stuff(BIO *bio, SSL *s, int full)
    const SSL_CIPHER *c;
    X509_NAME *xn;
    int i;
-    int mdpth;
-    EVP_PKEY *mspki;
-    const char *peername;
 #ifndef OPENSSL_NO_COMP
    const COMP_METHOD *comp, *expansion;
 #endif
@@ -2425,19 +2518,8 @@ static void print_stuff(BIO *bio, SSL *s, int full)
                   BIO_number_read(SSL_get_rbio(s)),
                   BIO_number_written(SSL_get_wbio(s)));
    }
-    if ((mdpth = SSL_get0_dane_authority(s, NULL, &mspki)) >= 0) {
-        uint8_t usage, selector, mtype;
-        mdpth = SSL_get0_dane_tlsa(s, &usage, &selector, &mtype, NULL, NULL);
-        BIO_printf(bio, "DANE TLSA %d %d %d %s at depth %d\n",
-                   usage, selector, mtype,
-                   (mspki != NULL) ? "TA public key verified certificate" :
-                   mdpth ? "matched TA certificate" : "matched EE certificate",
-                   mdpth);
-    }
-    if (SSL_get_verify_result(s) == X509_V_OK &&
-        (peername = SSL_get0_peername(s)) != NULL)
-        BIO_printf(bio, "Verified peername: %s\n", peername);
-    BIO_printf(bio, (SSL_cache_hit(s) ? "---\nReused, " : "---\nNew, "));
+    print_verify_detail(s, bio);
+    BIO_printf(bio, (SSL_session_reused(s) ? "---\nReused, " : "---\nNew, "));
    c = SSL_get_current_cipher(s);
    BIO_printf(bio, "%s, Cipher is %s\n",
               SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c));
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -191,9 +191,12 @@ typedef unsigned int u_int;
 #endif

 static int not_resumable_sess_cb(SSL *s, int is_forward_secure);
-static int sv_body(char *hostname, int s, int stype, unsigned char *context);
-static int www_body(char *hostname, int s, int stype, unsigned char *context);
-static int rev_body(char *hostname, int s, int stype, unsigned char *context);
+static int sv_body(const char *hostname, int s, int stype,
+                   unsigned char *context);
+static int www_body(const char *hostname, int s, int stype,
+                    unsigned char *context);
+static int rev_body(const char *hostname, int s, int stype,
+                    unsigned char *context);
 static void close_accept_socket(void);
 static int init_ssl_connection(SSL *s);
 static void print_stats(BIO *bp, SSL_CTX *ctx);
@@ -791,8 +794,8 @@ static char *srtp_profiles = NULL;
 #endif

 typedef enum OPTION_choice {
-    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
-    OPT_ENGINE, OPT_PORT, OPT_UNIX, OPT_UNLINK, OPT_NACCEPT,
+    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_ENGINE,
+    OPT_4, OPT_6, OPT_ACCEPT, OPT_PORT, OPT_UNIX, OPT_UNLINK, OPT_NACCEPT,
    OPT_VERIFY, OPT_UPPER_V_VERIFY, OPT_CONTEXT, OPT_CERT, OPT_CRL,
    OPT_CRL_DOWNLOAD, OPT_SERVERINFO, OPT_CERTFORM, OPT_KEY, OPT_KEYFORM,
    OPT_PASS, OPT_CERT_CHAIN, OPT_DHPARAM, OPT_DCERTFORM, OPT_DCERT,
@@ -820,11 +823,18 @@ typedef enum OPTION_choice {

 OPTIONS s_server_options[] = {
    {"help", OPT_HELP, '-', "Display this summary"},
-    {"port", OPT_PORT, 'p'},
-    {"accept", OPT_PORT, 'p',
-     "TCP/IP port to accept on (default is " PORT_STR ")"},
+    {"port", OPT_PORT, 'p',
+     "TCP/IP port to listen on for connections (default is " PORT ")"},
+    {"accept", OPT_ACCEPT, 's',
+     "TCP/IP optional host and port to accept on (default is " PORT ")"},
+#ifdef AF_UNIX
    {"unix", OPT_UNIX, 's', "Unix domain socket to accept on"},
+#endif
+    {"4", OPT_4, '-', "Use IPv4 only"},
+    {"6", OPT_6, '-', "Use IPv6 only"},
+#ifdef AF_UNIX
    {"unlink", OPT_UNLINK, '-', "For -unix, unlink existing socket first"},
+#endif
    {"context", OPT_CONTEXT, 's', "Set session ID context"},
    {"verify", OPT_VERIFY, 'n', "Turn on peer certificate verification"},
    {"Verify", OPT_UPPER_V_VERIFY, 'n',
@@ -853,7 +863,8 @@ OPTIONS s_server_options[] = {
    {"crlf", OPT_CRLF, '-', "Convert LF from terminal into CRLF"},
    {"debug", OPT_DEBUG, '-', "Print more output"},
    {"msg", OPT_MSG, '-', "Show protocol messages"},
-    {"msgfile", OPT_MSGFILE, '>'},
+    {"msgfile", OPT_MSGFILE, '>',
+     "File to send output of -msg or -trace, instead of stdout"},
    {"state", OPT_STATE, '-', "Print the SSL states"},
    {"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"},
    {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
@@ -863,9 +874,6 @@ OPTIONS s_server_options[] = {
     "Do not load certificates from the default certificates directory"},
    {"nocert", OPT_NOCERT, '-', "Don't use any certificates (Anon-DH)"},
    {"quiet", OPT_QUIET, '-', "No server output"},
-    {"tls1_2", OPT_TLS1_2, '-', "just talk TLSv1.2"},
-    {"tls1_1", OPT_TLS1_1, '-', "Just talk TLSv1.1"},
-    {"tls1", OPT_TLS1, '-', "Just talk TLSv1"},
    {"no_resume_ephemeral", OPT_NO_RESUME_EPHEMERAL, '-',
     "Disable caching and tickets if ephemeral (EC)DH is used"},
    {"www", OPT_WWW, '-', "Respond to a 'GET /' with a status page"},
@@ -889,33 +897,52 @@ OPTIONS s_server_options[] = {
     "Export keying material using label"},
    {"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p',
     "Export len bytes of keying material (default 20)"},
-    {"CRL", OPT_CRL, '<'},
-    {"crl_download", OPT_CRL_DOWNLOAD, '-'},
-    {"cert_chain", OPT_CERT_CHAIN, '<'},
-    {"dcert_chain", OPT_DCERT_CHAIN, '<'},
-    {"chainCApath", OPT_CHAINCAPATH, '/'},
-    {"verifyCApath", OPT_VERIFYCAPATH, '/'},
-    {"no_cache", OPT_NO_CACHE, '-'},
-    {"ext_cache", OPT_EXT_CACHE, '-'},
-    {"CRLform", OPT_CRLFORM, 'F'},
-    {"verify_return_error", OPT_VERIFY_RET_ERROR, '-'},
-    {"verify_quiet", OPT_VERIFY_QUIET, '-'},
-    {"build_chain", OPT_BUILD_CHAIN, '-'},
-    {"chainCAfile", OPT_CHAINCAFILE, '<'},
-    {"verifyCAfile", OPT_VERIFYCAFILE, '<'},
-    {"ign_eof", OPT_IGN_EOF, '-'},
-    {"no_ign_eof", OPT_NO_IGN_EOF, '-'},
-    {"status", OPT_STATUS, '-'},
-    {"status_verbose", OPT_STATUS_VERBOSE, '-'},
-    {"status_timeout", OPT_STATUS_TIMEOUT, 'n'},
-    {"status_url", OPT_STATUS_URL, 's'},
-    {"trace", OPT_TRACE, '-'},
-    {"security_debug", OPT_SECURITY_DEBUG, '-'},
-    {"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-'},
-    {"brief", OPT_BRIEF, '-'},
-    {"rev", OPT_REV, '-'},
+    {"CRL", OPT_CRL, '<', "CRL file to use"},
+    {"crl_download", OPT_CRL_DOWNLOAD, '-',
+     "Download CRL from distribution points"},
+    {"cert_chain", OPT_CERT_CHAIN, '<',
+     "certificate chain file in PEM format"},
+    {"dcert_chain", OPT_DCERT_CHAIN, '<',
+     "second certificate chain file in PEM format"},
+    {"chainCApath", OPT_CHAINCAPATH, '/',
+     "use dir as certificate store path to build CA certificate chain"},
+    {"verifyCApath", OPT_VERIFYCAPATH, '/',
+     "use dir as certificate store path to verify CA certificate"},
+    {"no_cache", OPT_NO_CACHE, '-', "Disable session cache"},
+    {"ext_cache", OPT_EXT_CACHE, '-',
+     "Disable internal cache, setup and use external cache"},
+    {"CRLform", OPT_CRLFORM, 'F', "CRL format (PEM or DER) PEM is default" },
+    {"verify_return_error", OPT_VERIFY_RET_ERROR, '-',
+     "Close connection on verification error"},
+    {"verify_quiet", OPT_VERIFY_QUIET, '-',
+     "No verify output except verify errors"},
+    {"build_chain", OPT_BUILD_CHAIN, '-', "Build certificate chain"},
+    {"chainCAfile", OPT_CHAINCAFILE, '<',
+     "CA file for certificate chain (PEM format)"},
+    {"verifyCAfile", OPT_VERIFYCAFILE, '<',
+     "CA file for certificate verification (PEM format)"},
+    {"ign_eof", OPT_IGN_EOF, '-', "ignore input eof (default when -quiet)"},
+    {"no_ign_eof", OPT_NO_IGN_EOF, '-', "Do not ignore input eof"},
+    {"status", OPT_STATUS, '-', "Request certificate status from server"},
+    {"status_verbose", OPT_STATUS_VERBOSE, '-',
+     "Print more output in certificate status callback"},
+    {"status_timeout", OPT_STATUS_TIMEOUT, 'n',
+     "Status request responder timeout"},
+    {"status_url", OPT_STATUS_URL, 's', "Status request fallback URL"},
+#ifndef OPENSSL_NO_SSL_TRACE
+    {"trace", OPT_TRACE, '-', "trace protocol messages"},
+#endif
+    {"security_debug", OPT_SECURITY_DEBUG, '-',
+     "Print output from SSL/TLS security framework"},
+    {"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-',
+     "Print more output from SSL/TLS security framework"},
+    {"brief", OPT_BRIEF, '-', \
+     "Restrict output to brief summary of connection parameters"},
+    {"rev", OPT_REV, '-',
+     "act as a simple test server which just sends back with the received text reversed"},
    {"async", OPT_ASYNC, '-', "Operate in asynchronous mode"},
-    {"ssl_config", OPT_SSL_CONFIG, 's'},
+    {"ssl_config", OPT_SSL_CONFIG, 's', \
+     "Configure SSL_CTX using the configuration 'val'"},
    OPT_S_OPTIONS,
    OPT_V_OPTIONS,
    OPT_X_OPTIONS,
@@ -937,16 +964,29 @@ OPTIONS s_server_options[] = {
 #ifndef OPENSSL_NO_SSL3
    {"ssl3", OPT_SSL3, '-', "Just talk SSLv3"},
 #endif
+#ifndef OPENSSL_NO_TLS1
+    {"tls1", OPT_TLS1, '-', "Just talk TLSv1"},
+#endif
+#ifndef OPENSSL_NO_TLS1_1
+    {"tls1_1", OPT_TLS1_1, '-', "Just talk TLSv1.1"},
+#endif
+#ifndef OPENSSL_NO_TLS1_2
+    {"tls1_2", OPT_TLS1_2, '-', "just talk TLSv1.2"},
+#endif
 #ifndef OPENSSL_NO_DTLS
-    {"dtls", OPT_DTLS, '-'},
-    {"dtls1", OPT_DTLS1, '-', "Just talk DTLSv1"},
-    {"dtls1_2", OPT_DTLS1_2, '-', "Just talk DTLSv1.2"},
+    {"dtls", OPT_DTLS, '-', "Use any DTLS version"},
    {"timeout", OPT_TIMEOUT, '-', "Enable timeouts"},
    {"mtu", OPT_MTU, 'p', "Set link layer MTU"},
    {"chain", OPT_CHAIN, '-', "Read a certificate chain"},
    {"listen", OPT_LISTEN, '-',
     "Listen for a DTLS ClientHello with a cookie and then connect"},
 #endif
+#ifndef OPENSSL_NO_DTLS1
+    {"dtls1", OPT_DTLS1, '-', "Just talk DTLSv1"},
+#endif
+#ifndef OPENSSL_NO_DTLS1_2
+    {"dtls1_2", OPT_DTLS1_2, '-', "Just talk DTLSv1.2"},
+#endif
 #ifndef OPENSSL_NO_DH
    {"no_dhe", OPT_NO_DHE, '-', "Disable ephemeral DH"},
 #endif
@@ -961,7 +1001,7 @@ OPTIONS s_server_options[] = {
     "Set the advertised protocols for the ALPN extension (comma-separated list)"},
 #endif
 #ifndef OPENSSL_NO_ENGINE
-    {"engine", OPT_ENGINE, 's'},
+    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
    {NULL}
 };
@@ -988,11 +1028,10 @@ int s_server_main(int argc, char *argv[])
 #ifndef OPENSSL_NO_PSK
    char *p;
 #endif
-    const char *unix_path = NULL;
-#ifndef NO_SYS_UN_H
+#ifdef AF_UNIX
    int unlink_unix_path = 0;
 #endif
-    int (*server_cb) (char *hostname, int s, int stype,
+    int (*server_cb) (const char *hostname, int s, int stype,
                      unsigned char *context);
    int vpmtouched = 0, build_chain = 0, no_cache = 0, ext_cache = 0;
 #ifndef OPENSSL_NO_DH
@@ -1002,9 +1041,11 @@ int s_server_main(int argc, char *argv[])
    int noCApath = 0, noCAfile = 0;
    int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
    int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
-    int rev = 0, naccept = -1, sdebug = 0, socket_type = SOCK_STREAM;
+    int rev = 0, naccept = -1, sdebug = 0;
+    int socket_family = AF_UNSPEC, socket_type = SOCK_STREAM;
    int state = 0, crl_format = FORMAT_PEM, crl_download = 0;
-    unsigned short port = PORT;
+    char *host = NULL;
+    char *port = BUF_strdup(PORT);
    unsigned char *context = NULL;
    OPTION_CHOICE o;
    EVP_PKEY *s_key2 = NULL;
@@ -1039,19 +1080,6 @@ int s_server_main(int argc, char *argv[])
    prog = opt_init(argc, argv, s_server_options);
    while ((o = opt_next()) != OPT_EOF) {
        switch (o) {
-#ifdef OPENSSL_NO_PSK
-        case OPT_PSK_HINT:
-        case OPT_PSK:
-#endif
-#ifdef OPENSSL_NO_DTLS
-        case OPT_DTLS:
-        case OPT_DTLS1:
-        case OPT_DTLS1_2:
-        case OPT_TIMEOUT:
-        case OPT_MTU:
-        case OPT_CHAIN:
-        case OPT_LISTEN:
-#endif
        case OPT_EOF:
        case OPT_ERR:
 opthelp:
@@ -1062,26 +1090,71 @@ int s_server_main(int argc, char *argv[])
            ret = 0;
            goto end;

-        case OPT_PORT:
-            if (!extract_port(opt_arg(), &port))
-                goto end;
-            break;
-        case OPT_UNIX:
-#ifdef NO_SYS_UN_H
-            BIO_printf(bio_err, "unix domain sockets unsupported\n");
-            goto end;
-#else
-            unix_path = opt_arg();
+        case OPT_4:
+#ifdef AF_UNIX
+            if (socket_family == AF_UNIX) {
+                OPENSSL_free(host); host = NULL;
+                OPENSSL_free(port); port = NULL;
+            }
 #endif
+            socket_family = AF_INET;
+            break;
+        case OPT_6:
+            if (1) {
+#ifdef AF_INET6
+#ifdef AF_UNIX
+                if (socket_family == AF_UNIX) {
+                    OPENSSL_free(host); host = NULL;
+                    OPENSSL_free(port); port = NULL;
+                }
+#endif
+                socket_family = AF_INET6;
+            } else {
+#endif
+                BIO_printf(bio_err, "%s: IPv6 domain sockets unsupported\n", prog);
+                goto end;
+            }
+            break;
+        case OPT_PORT:
+#ifdef AF_UNIX
+            if (socket_family == AF_UNIX) {
+                socket_family = AF_UNSPEC;
+            }
+#endif
+            OPENSSL_free(port); port = NULL;
+            OPENSSL_free(host); host = NULL;
+            if (BIO_parse_hostserv(opt_arg(), NULL, &port, BIO_PARSE_PRIO_SERV) < 1) {
+                BIO_printf(bio_err,
+                           "%s: -port argument malformed or ambiguous\n",
+                           port);
+                goto end;
+            }
+            break;
+        case OPT_ACCEPT:
+#ifdef AF_UNIX
+            if (socket_family == AF_UNIX) {
+                socket_family = AF_UNSPEC;
+            }
+#endif
+            OPENSSL_free(port); port = NULL;
+            OPENSSL_free(host); host = NULL;
+            if (BIO_parse_hostserv(opt_arg(), &host, &port, BIO_PARSE_PRIO_SERV) < 1) {
+                BIO_printf(bio_err,
+                           "%s: -accept argument malformed or ambiguous\n",
+                           port);
+                goto end;
+            }
+            break;
+#ifdef AF_UNIX
+        case OPT_UNIX:
+            socket_family = AF_UNIX;
+            OPENSSL_free(host); host = BUF_strdup(opt_arg());
+            OPENSSL_free(port); port = NULL;
            break;
        case OPT_UNLINK:
-#ifdef NO_SYS_UN_H
-            BIO_printf(bio_err, "unix domain sockets unsupported\n");
-            goto end;
-#else
            unlink_unix_path = 1;
-#endif
            break;
+#endif
        case OPT_NACCEPT:
            naccept = atol(opt_arg());
            break;
@@ -1299,33 +1372,33 @@ int s_server_main(int argc, char *argv[])
        case OPT_NO_RESUME_EPHEMERAL:
            no_resume_ephemeral = 1;
            break;
-#ifndef OPENSSL_NO_PSK
        case OPT_PSK_HINT:
+#ifndef OPENSSL_NO_PSK
            psk_identity_hint = opt_arg();
+#endif
            break;
        case OPT_PSK:
+#ifndef OPENSSL_NO_PSK
            for (p = psk_key = opt_arg(); *p; p++) {
-                if (isxdigit(*p))
+                if (isxdigit(_UC(*p)))
                    continue;
                BIO_printf(bio_err, "Not a hex number '%s'\n", *argv);
                goto end;
            }
-            break;
 #endif
-#ifndef OPENSSL_NO_SRP
+            break;
        case OPT_SRPVFILE:
+#ifndef OPENSSL_NO_SRP
            srp_verifier_file = opt_arg();
            meth = TLSv1_server_method();
+#endif
            break;
        case OPT_SRPUSERSEED:
+#ifndef OPENSSL_NO_SRP
            srpuserseed = opt_arg();
            meth = TLSv1_server_method();
-            break;
-#else
-        case OPT_SRPVFILE:
-        case OPT_SRPUSERSEED:
-            break;
 #endif
+            break;
        case OPT_REV:
            rev = 1;
            break;
@@ -1347,40 +1420,58 @@ int s_server_main(int argc, char *argv[])
 #endif
            break;
        case OPT_TLS1_2:
+#ifndef OPENSSL_NO_TLS1_2
            meth = TLSv1_2_server_method();
+#endif
            break;
        case OPT_TLS1_1:
+#ifndef OPENSSL_NO_TLS1_1
            meth = TLSv1_1_server_method();
+#endif
            break;
        case OPT_TLS1:
+#ifndef OPENSSL_NO_TLS1
            meth = TLSv1_server_method();
+#endif
            break;
-#ifndef OPENSSL_NO_DTLS
        case OPT_DTLS:
+#ifndef OPENSSL_NO_DTLS
            meth = DTLS_server_method();
            socket_type = SOCK_DGRAM;
+#endif
            break;
        case OPT_DTLS1:
+#ifndef OPENSSL_NO_DTLS1
            meth = DTLSv1_server_method();
            socket_type = SOCK_DGRAM;
+#endif
            break;
        case OPT_DTLS1_2:
+#ifndef OPENSSL_NO_DTLS1_2
            meth = DTLSv1_2_server_method();
            socket_type = SOCK_DGRAM;
+#endif
            break;
        case OPT_TIMEOUT:
+#ifndef OPENSSL_NO_DTLS
            enable_timeouts = 1;
+#endif
            break;
        case OPT_MTU:
+#ifndef OPENSSL_NO_DTLS
            socket_mtu = atol(opt_arg());
+#endif
            break;
        case OPT_CHAIN:
+#ifndef OPENSSL_NO_DTLS
            cert_chain = 1;
+#endif
            break;
        case OPT_LISTEN:
+#ifndef OPENSSL_NO_DTLS
            dtlslisten = 1;
-            break;
 #endif
+            break;
        case OPT_ID_PREFIX:
            session_id_prefix = opt_arg();
            break;
@@ -1447,11 +1538,13 @@ int s_server_main(int argc, char *argv[])
    }
 #endif

-    if (unix_path && (socket_type != SOCK_STREAM)) {
+#ifdef AF_UNIX
+    if (socket_family == AF_UNIX && socket_type != SOCK_STREAM) {
        BIO_printf(bio_err,
                   "Can't use unix sockets and datagrams together\n");
        goto end;
    }
+#endif
 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
    if (jpake_secret) {
        if (psk_key) {
@@ -1492,9 +1585,8 @@ int s_server_main(int argc, char *argv[])
            goto end;
        }
        if (s_chain_file) {
-            s_chain = load_certs(s_chain_file, FORMAT_PEM,
-                                 NULL, e, "server certificate chain");
-            if (!s_chain)
+            if (!load_certs(s_chain_file, &s_chain, FORMAT_PEM, NULL, e,
+                            "server certificate chain"))
                goto end;
        }

@@ -1572,9 +1664,8 @@ int s_server_main(int argc, char *argv[])
            goto end;
        }
        if (s_dchain_file) {
-            s_dchain = load_certs(s_dchain_file, FORMAT_PEM,
-                                  NULL, e, "second server certificate chain");
-            if (!s_dchain)
+            if (!load_certs(s_dchain_file, &s_dchain, FORMAT_PEM, NULL, e,
+                            "second server certificate chain"))
                goto end;
        }

@@ -1612,12 +1703,12 @@ int s_server_main(int argc, char *argv[])
    }

    ctx = SSL_CTX_new(meth);
-    if (sdebug)
-        ssl_ctx_security_debug(ctx, sdebug);
    if (ctx == NULL) {
        ERR_print_errors(bio_err);
        goto end;
    }
+    if (sdebug)
+        ssl_ctx_security_debug(ctx, sdebug);
    if (ssl_config) {
        if (SSL_CTX_config(ctx, ssl_config) == 0) {
            BIO_printf(bio_err, "Error using configuration \"%s\"\n",
@@ -1653,7 +1744,6 @@ int s_server_main(int argc, char *argv[])

    if (async) {
        SSL_CTX_set_mode(ctx, SSL_MODE_ASYNC);
-        ASYNC_init(1, 0, 0);
    }

 #ifndef OPENSSL_NO_SRTP
@@ -1916,16 +2006,13 @@ int s_server_main(int argc, char *argv[])
        server_cb = www_body;
    else
        server_cb = sv_body;
-#ifndef NO_SYS_UN_H
-    if (unix_path) {
-        if (unlink_unix_path)
-            unlink(unix_path);
-        do_server_unix(unix_path, &accept_socket, server_cb, context,
-                       naccept);
-    } else
+#ifdef AF_UNIX
+    if (socket_family == AF_UNIX
+        && unlink_unix_path)
+        unlink(host);
 #endif
-        do_server(port, socket_type, &accept_socket, server_cb, context,
-                  naccept);
+    do_server(&accept_socket, host, port, socket_family, socket_type,
+              server_cb, context, naccept);
    print_stats(bio_s_out, ctx);
    ret = 0;
 end:
@@ -1939,6 +2026,8 @@ int s_server_main(int argc, char *argv[])
    sk_X509_pop_free(s_dchain, X509_free);
    OPENSSL_free(pass);
    OPENSSL_free(dpass);
+    OPENSSL_free(host);
+    OPENSSL_free(port);
    X509_VERIFY_PARAM_free(vpm);
    free_sessions();
    OPENSSL_free(tlscstatp.host);
@@ -1959,9 +2048,6 @@ int s_server_main(int argc, char *argv[])
    bio_s_out = NULL;
    BIO_free(bio_s_msg);
    bio_s_msg = NULL;
-    if (async) {
-        ASYNC_cleanup(1);
-    }
    return (ret);
 }

@@ -1993,7 +2079,8 @@ static void print_stats(BIO *bio, SSL_CTX *ssl_ctx)
               SSL_CTX_sess_get_cache_size(ssl_ctx));
 }

-static int sv_body(char *hostname, int s, int stype, unsigned char *context)
+static int sv_body(const char *hostname, int s, int stype,
+                   unsigned char *context)
 {
    char *buf = NULL;
    fd_set readfds;
@@ -2098,7 +2185,6 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context)
    /* SSL_set_fd(con,s); */

    if (s_debug) {
-        SSL_set_debug(con, 1);
        BIO_set_callback(SSL_get_rbio(con), bio_dump_callback);
        BIO_set_callback_arg(SSL_get_rbio(con), (char *)bio_s_out);
    }
@@ -2420,13 +2506,16 @@ static int init_ssl_connection(SSL *con)
    unsigned next_proto_neg_len;
 #endif
    unsigned char *exportedkeymat;
-#ifndef OPENSSL_NO_DTLS
-    struct sockaddr_storage client;
-#endif

 #ifndef OPENSSL_NO_DTLS
    if(dtlslisten) {
-        i = DTLSv1_listen(con, &client);
+        BIO_ADDR *client = NULL;
+
+        if ((client = BIO_ADDR_new()) == NULL) {
+            BIO_printf(bio_err, "ERROR - memory\n");
+            return 0;
+        }
+        i = DTLSv1_listen(con, client);
        if (i > 0) {
            BIO *wbio;
            int fd = -1;
@@ -2436,11 +2525,12 @@ static int init_ssl_connection(SSL *con)
                BIO_get_fd(wbio, &fd);
            }

-            if(!wbio || connect(fd, (struct sockaddr *)&client,
-                                sizeof(struct sockaddr_storage))) {
+            if(!wbio || BIO_connect(fd, client, 0) == 0) {
                BIO_printf(bio_err, "ERROR - unable to connect\n");
+                BIO_ADDR_free(client);
                return 0;
            }
+            BIO_ADDR_free(client);
            dtlslisten = 0;
            i = SSL_accept(con);
        }
@@ -2541,7 +2631,7 @@ static int init_ssl_connection(SSL *con)
                       srtp_profile->name);
    }
 #endif
-    if (SSL_cache_hit(con))
+    if (SSL_session_reused(con))
        BIO_printf(bio_s_out, "Reused session-id\n");
    BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
               SSL_get_secure_renegotiation_support(con) ? "" : " NOT");
@@ -2583,7 +2673,8 @@ static DH *load_dh_param(const char *dhfile)
 }
 #endif

-static int www_body(char *hostname, int s, int stype, unsigned char *context)
+static int www_body(const char *hostname, int s, int stype,
+                    unsigned char *context)
 {
    char *buf = NULL;
    int ret = 1;
@@ -2651,7 +2742,6 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context)
 #endif

    if (s_debug) {
-        SSL_set_debug(con, 1);
        BIO_set_callback(SSL_get_rbio(con), bio_dump_callback);
        BIO_set_callback_arg(SSL_get_rbio(con), (char *)bio_s_out);
    }
@@ -2811,7 +2901,7 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context)
 #ifndef OPENSSL_NO_EC
            ssl_print_curves(io, con, 0);
 #endif
-            BIO_printf(io, (SSL_cache_hit(con)
+            BIO_printf(io, (SSL_session_reused(con)
                            ? "---\nReused, " : "---\nNew, "));
            c = SSL_get_current_cipher(con);
            BIO_printf(io, "%s, Cipher is %s\n",
@@ -2971,7 +3061,8 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context)
    return (ret);
 }

-static int rev_body(char *hostname, int s, int stype, unsigned char *context)
+static int rev_body(const char *hostname, int s, int stype,
+                    unsigned char *context)
 {
    char *buf = NULL;
    int i;
@@ -3013,7 +3104,6 @@ static int rev_body(char *hostname, int s, int stype, unsigned char *context)
 #endif

    if (s_debug) {
-        SSL_set_debug(con, 1);
        BIO_set_callback(SSL_get_rbio(con), bio_dump_callback);
        BIO_set_callback_arg(SSL_get_rbio(con), (char *)bio_s_out);
    }
@@ -3206,7 +3296,7 @@ static int add_session(SSL *ssl, SSL_SESSION *session)
    return 0;
 }

-static SSL_SESSION *get_session(SSL *ssl, unsigned char *id, int idlen,
+static SSL_SESSION *get_session(SSL *ssl, const unsigned char *id, int idlen,
                                int *do_copy)
 {
    simple_ssl_session *sess;
--- a/apps/s_socket.c
+++ b/apps/s_socket.c
@@ -121,573 +121,201 @@
 typedef unsigned int u_int;
 #endif

-#define USE_SOCKETS
-#include "apps.h"
-#undef USE_SOCKETS
-#include "s_apps.h"
-#include <openssl/ssl.h>
-
-#ifdef FLAT_INC
-# include "e_os.h"
-#else
-# include "../e_os.h"
-#endif
-
 #ifndef OPENSSL_NO_SOCK

-# if defined(OPENSSL_SYS_NETWARE) && defined(NETWARE_BSDSOCK)
-#  include "netdb.h"
-# endif
+# define USE_SOCKETS
+# include "apps.h"
+# undef USE_SOCKETS
+# include "s_apps.h"

-# if defined(OPENSSL_SYS_WINDOWS) || (defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK))
-static void ssl_sock_cleanup(void);
-# endif
-static int ssl_sock_init(void);
-static int init_client_ip(int *sock, const unsigned char ip[4], int port,
-                          int type);
-static int init_server(int *sock, int port, int type);
-static int init_server_long(int *sock, int port, char *ip, int type);
-static int do_accept(int acc_sock, int *sock, char **host);
-static int host_ip(const char *str, unsigned char ip[4]);
-# ifndef NO_SYS_UN_H
-static int init_server_unix(int *sock, const char *path);
-static int do_accept_unix(int acc_sock, int *sock);
-# endif
+# include <openssl/bio.h>
+# include <openssl/err.h>

-# if defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK)
-static int wsa_init_done = 0;
-# endif
-
-# ifdef OPENSSL_SYS_WINDOWS
-static struct WSAData wsa_state;
-static int wsa_init_done = 0;
-
-# endif                         /* OPENSSL_SYS_WINDOWS */
-
-# ifdef OPENSSL_SYS_WINDOWS
-static void ssl_sock_cleanup(void)
+/*
+ * init_client - helper routine to set up socket communication
+ * @sock: pointer to storage of resulting socket.
+ * @host: the host name or path (for AF_UNIX) to connect to.
+ * @port: the port to connect to (ignored for AF_UNIX).
+ * @family: desired socket family, may be AF_INET, AF_INET6, AF_UNIX or
+ *  AF_UNSPEC
+ * @type: socket type, must be SOCK_STREAM or SOCK_DGRAM
+ *
+ * This will create a socket and use it to connect to a host:port, or if
+ * family == AF_UNIX, to the path found in host.
+ *
+ * If the host has more than one address, it will try them one by one until
+ * a successful connection is established.  The resulting socket will be
+ * found in *sock on success, it will be given INVALID_SOCKET otherwise.
+ *
+ * Returns 1 on success, 0 on failure.
+ */
+int init_client(int *sock, const char *host, const char *port,
+                int family, int type)
 {
-    if (wsa_init_done) {
-        wsa_init_done = 0;
-#  ifndef OPENSSL_SYS_WINCE
-        WSACancelBlockingCall();
-#  endif
-        WSACleanup();
-    }
-}
-# elif defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK)
-static void sock_cleanup(void)
-{
-    if (wsa_init_done) {
-        wsa_init_done = 0;
-        WSACleanup();
-    }
-}
-# endif
+    BIO_ADDRINFO *res = NULL;
+    const BIO_ADDRINFO *ai = NULL;
+    int ret;

-static int ssl_sock_init(void)
-{
-# ifdef WATT32
-    extern int _watt_do_exit;
-    _watt_do_exit = 0;
-    if (sock_init())
-        return (0);
-# elif defined(OPENSSL_SYS_WINDOWS)
-    if (!wsa_init_done) {
-        int err;
-
-#  ifdef SIGINT
-        signal(SIGINT, (void (*)(int))ssl_sock_cleanup);
-#  endif
-        wsa_init_done = 1;
-        memset(&wsa_state, 0, sizeof(wsa_state));
-        if (WSAStartup(0x0101, &wsa_state) != 0) {
-            err = WSAGetLastError();
-            BIO_printf(bio_err, "unable to start WINSOCK, error code=%d\n",
-                       err);
-            return (0);
-        }
-    }
-# elif defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK)
-    WORD wVerReq;
-    WSADATA wsaData;
-    int err;
-
-    if (!wsa_init_done) {
-
-#  ifdef SIGINT
-        signal(SIGINT, (void (*)(int))sock_cleanup);
-#  endif
-
-        wsa_init_done = 1;
-        wVerReq = MAKEWORD(2, 0);
-        err = WSAStartup(wVerReq, &wsaData);
-        if (err != 0) {
-            BIO_printf(bio_err, "unable to start WINSOCK2, error code=%d\n",
-                       err);
-            return (0);
-        }
-    }
-# endif
-    return (1);
-}
-
-int init_client(int *sock, const char *host, int port, int type)
-{
-    unsigned char ip[4];
-
-    ip[0] = ip[1] = ip[2] = ip[3] = 0;
-    if (!host_ip(host, &(ip[0])))
+    if (!BIO_sock_init())
        return 0;
-    return init_client_ip(sock, ip, port, type);
-}

-static int init_client_ip(int *sock, const unsigned char ip[4], int port,
-                          int type)
-{
-    unsigned long addr;
-    struct sockaddr_in them;
-    int s, i;
-
-    if (!ssl_sock_init())
-        return (0);
-
-    memset(&them, 0, sizeof(them));
-    them.sin_family = AF_INET;
-    them.sin_port = htons((unsigned short)port);
-    addr = (unsigned long)
-        ((unsigned long)ip[0] << 24L) |
-        ((unsigned long)ip[1] << 16L) |
-        ((unsigned long)ip[2] << 8L) | ((unsigned long)ip[3]);
-    them.sin_addr.s_addr = htonl(addr);
-
-    if (type == SOCK_STREAM)
-        s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
-    else                        /* ( type == SOCK_DGRAM) */
-        s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
-
-    if (s == (int)INVALID_SOCKET) {
-        perror("socket");
-        return (0);
+    ret = BIO_lookup(host, port, BIO_LOOKUP_CLIENT, family, type, &res);
+    if (ret == 0) {
+        ERR_print_errors(bio_err);
+        return 0;
    }
-# if defined(SO_KEEPALIVE)
-    if (type == SOCK_STREAM) {
-        i = 0;
-        i = setsockopt(s, SOL_SOCKET, SO_KEEPALIVE, (char *)&i, sizeof(i));
-        if (i < 0) {
-            closesocket(s);
-            perror("keepalive");
-            return (0);
+
+    ret = 0;
+    for (ai = res; ai != NULL; ai = BIO_ADDRINFO_next(ai)) {
+        /* Admitedly, these checks are quite paranoid, we should
+           not get anything in the BIO_ADDRINFO chain that we haven't
+           asked for */
+        OPENSSL_assert((family == AF_UNSPEC || family == BIO_ADDRINFO_family(res))
+                       && (type == 0 || type == BIO_ADDRINFO_socktype(res)));
+
+        *sock = BIO_socket(BIO_ADDRINFO_family(ai), BIO_ADDRINFO_socktype(ai),
+                           BIO_ADDRINFO_protocol(res), 0);
+        if (*sock == INVALID_SOCKET) {
+            /* Maybe the kernel doesn't support the socket family, even if
+             * BIO_lookup() added it in the returned result...
+             */
+            continue;
+        }
+        if (!BIO_connect(*sock, BIO_ADDRINFO_address(ai), 0)) {
+            BIO_closesocket(*sock);
+            *sock = INVALID_SOCKET;
+            continue;
        }
-    }
-# endif

-    if (connect(s, (struct sockaddr *)&them, sizeof(them)) == -1) {
-        closesocket(s);
-        perror("connect");
-        return (0);
+        /* Success, don't try any more addresses */
+        break;
    }
-    *sock = s;
-    return (1);
+
+    if (*sock == INVALID_SOCKET) {
+        ERR_print_errors(bio_err);
+    } else {
+        ret = 1;
+    }
+    BIO_ADDRINFO_free(res);
+    return ret;
 }

-# ifndef NO_SYS_UN_H
-int init_client_unix(int *sock, const char *server)
-{
-    struct sockaddr_un them;
-    int s;
-
-    if (strlen(server) > (UNIX_PATH_MAX + 1))
-        return (0);
-    if (!ssl_sock_init())
-        return (0);
-
-    s = socket(AF_UNIX, SOCK_STREAM, 0);
-    if (s == (int)INVALID_SOCKET) {
-        perror("socket");
-        return (0);
-    }
-
-    memset(&them, 0, sizeof(them));
-    them.sun_family = AF_UNIX;
-    strcpy(them.sun_path, server);
-
-    if (connect(s, (struct sockaddr *)&them, sizeof(them)) == -1) {
-        closesocket(s);
-        perror("connect");
-        return (0);
-    }
-    *sock = s;
-    return (1);
-}
-# endif
-
-int do_server(int port, int type, int *ret,
-              int (*cb) (char *hostname, int s, int stype,
+/*
+ * do_server - helper routine to perform a server operation
+ * @accept_sock: pointer to storage of resulting socket.
+ * @host: the host name or path (for AF_UNIX) to connect to.
+ * @port: the port to connect to (ignored for AF_UNIX).
+ * @family: desired socket family, may be AF_INET, AF_INET6, AF_UNIX or
+ *  AF_UNSPEC
+ * @type: socket type, must be SOCK_STREAM or SOCK_DGRAM
+ * @cb: pointer to a function that receives the accepted socket and
+ *  should perform the communication with the connecting client.
+ * @context: pointer to memory that's passed verbatim to the cb function.
+ * @naccept: number of times an incoming connect should be accepted.  If -1,
+ *  unlimited number.
+ *
+ * This will create a socket and use it to listen to a host:port, or if
+ * family == AF_UNIX, to the path found in host, then start accepting
+ * incoming connections and run cb on the resulting socket.
+ *
+ * 0 on failure, something other on success.
+ */
+int do_server(int *accept_sock, const char *host, const char *port,
+              int family, int type,
+              int (*cb) (const char *hostname, int s, int stype,
                         unsigned char *context), unsigned char *context,
              int naccept)
 {
+    int asock = 0;
    int sock;
-    char *name = NULL;
-    int accept_socket = 0;
    int i;
+    BIO_ADDRINFO *res = NULL;
+    int ret = 0;

-    if (!init_server(&accept_socket, port, type))
-        return (0);
+    if (!BIO_sock_init())
+        return 0;

-    if (ret != NULL) {
-        *ret = accept_socket;
-        /* return(1); */
+    if (!BIO_lookup(host, port, BIO_LOOKUP_SERVER, family, type, &res)) {
+        ERR_print_errors(bio_err);
+        return 0;
+    }
+
+    /* Admitedly, these checks are quite paranoid, we should
+       not get anything in the BIO_ADDRINFO chain that we haven't
+       asked for */
+    OPENSSL_assert((family == AF_UNSPEC || family == BIO_ADDRINFO_family(res))
+                   && (type == 0 || type == BIO_ADDRINFO_socktype(res)));
+
+    asock = BIO_socket(BIO_ADDRINFO_family(res), BIO_ADDRINFO_socktype(res),
+                       BIO_ADDRINFO_protocol(res), 0);
+    if (asock == INVALID_SOCKET
+        || !BIO_listen(asock, BIO_ADDRINFO_address(res), BIO_SOCK_REUSEADDR)) {
+        BIO_ADDRINFO_free(res);
+        ERR_print_errors(bio_err);
+        if (asock != INVALID_SOCKET)
+            BIO_closesocket(asock);
+        goto end;
+    }
+
+    BIO_ADDRINFO_free(res);
+
+    if (accept_sock != NULL) {
+        *accept_sock = asock;
    }
    for (;;) {
+        BIO_ADDR *accepted_addr = NULL;
+        char *name = NULL;
        if (type == SOCK_STREAM) {
-# ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
-            if (do_accept(accept_socket, &sock, NULL) == 0)
-# else
-            if (do_accept(accept_socket, &sock, &name) == 0)
-# endif
-            {
-                SHUTDOWN(accept_socket);
-                return (0);
+            if ((accepted_addr = BIO_ADDR_new()) == NULL) {
+                BIO_closesocket(asock);
+                return 0;
            }
-        } else
-            sock = accept_socket;
+         redoit:
+            sock = BIO_accept_ex(asock, accepted_addr, 0);
+            if (sock < 0) {
+                if (BIO_sock_should_retry(ret)) {
+                    goto redoit;
+                } else {
+                    ERR_print_errors(bio_err);
+                    BIO_ADDR_free(accepted_addr);
+                    SHUTDOWN(asock);
+                    break;
+                }
+            }
+        } else {
+            sock = asock;
+        }
+
+        /* accepted_addr is NULL if we're dealing with SOCK_DGRAM
+         * this means that for SOCK_DGRAM, name will be NULL
+         */
+        if (accepted_addr != NULL) {
+#ifdef AF_UNIX
+            if (family == AF_UNIX)
+                name = BIO_ADDR_path_string(accepted_addr);
+            else
+#endif
+                name = BIO_ADDR_hostname_string(accepted_addr, 0);
+        }
        i = (*cb) (name, sock, type, context);
        OPENSSL_free(name);
+        BIO_ADDR_free(accepted_addr);
        if (type == SOCK_STREAM)
            SHUTDOWN2(sock);
        if (naccept != -1)
            naccept--;
        if (i < 0 || naccept == 0) {
-            SHUTDOWN2(accept_socket);
-            return (i);
-        }
-    }
-}
-
-# ifndef NO_SYS_UN_H
-int do_server_unix(const char *path, int *ret,
-                   int (*cb) (char *hostname, int s, int stype,
-                              unsigned char *context), unsigned char *context,
-                   int naccept)
-{
-    int sock;
-    int accept_socket = 0;
-    int i;
-
-    if (!init_server_unix(&accept_socket, path))
-        return (0);
-
-    if (ret != NULL)
-        *ret = accept_socket;
-    for (;;) {
-        if (do_accept_unix(accept_socket, &sock) == 0) {
-            SHUTDOWN(accept_socket);
-            i = 0;
-            goto out;
-        }
-        i = (*cb) (NULL, sock, 0, context);
-        SHUTDOWN2(sock);
-        if (naccept != -1)
-            naccept--;
-        if (i < 0 || naccept == 0) {
-            SHUTDOWN2(accept_socket);
-            goto out;
-        }
-    }
- out:
-    unlink(path);
-    return (i);
-}
-# endif
-
-static int init_server_long(int *sock, int port, char *ip, int type)
-{
-    int ret = 0;
-    struct sockaddr_in server;
-    int s = -1;
-
-    if (!ssl_sock_init())
-        return (0);
-
-    memset(&server, 0, sizeof(server));
-    server.sin_family = AF_INET;
-    server.sin_port = htons((unsigned short)port);
-    if (ip == NULL)
-        server.sin_addr.s_addr = INADDR_ANY;
-    else
-/* Added for T3E, address-of fails on bit field (beckman@acl.lanl.gov) */
-# ifndef BIT_FIELD_LIMITS
-        memcpy(&server.sin_addr.s_addr, ip, 4);
-# else
-        memcpy(&server.sin_addr, ip, 4);
-# endif
-
-    if (type == SOCK_STREAM)
-        s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
-    else                        /* type == SOCK_DGRAM */
-        s = socket(AF_INET, SOCK_DGRAM, IPPROTO_UDP);
-
-    if (s == (int)INVALID_SOCKET)
-        goto err;
-# if defined SOL_SOCKET && defined SO_REUSEADDR
-    {
-        int j = 1;
-        setsockopt(s, SOL_SOCKET, SO_REUSEADDR, (void *)&j, sizeof j);
-    }
-# endif
-    if (bind(s, (struct sockaddr *)&server, sizeof(server)) == -1) {
-# ifndef OPENSSL_SYS_WINDOWS
-        perror("bind");
-# endif
-        goto err;
-    }
-    /* Make it 128 for linux */
-    if (type == SOCK_STREAM && listen(s, 128) == -1)
-        goto err;
-    *sock = s;
-    ret = 1;
- err:
-    if ((ret == 0) && (s != -1)) {
-        SHUTDOWN(s);
-    }
-    return (ret);
-}
-
-static int init_server(int *sock, int port, int type)
-{
-    return (init_server_long(sock, port, NULL, type));
-}
-
-# ifndef NO_SYS_UN_H
-static int init_server_unix(int *sock, const char *path)
-{
-    int ret = 0;
-    struct sockaddr_un server;
-    int s = -1;
-
-    if (strlen(path) > (UNIX_PATH_MAX + 1))
-        return (0);
-    if (!ssl_sock_init())
-        return (0);
-
-    s = socket(AF_UNIX, SOCK_STREAM, 0);
-    if (s == (int)INVALID_SOCKET)
-        goto err;
-
-    memset(&server, 0, sizeof(server));
-    server.sun_family = AF_UNIX;
-    strcpy(server.sun_path, path);
-
-    if (bind(s, (struct sockaddr *)&server, sizeof(server)) == -1) {
-#  ifndef OPENSSL_SYS_WINDOWS
-        perror("bind");
-#  endif
-        goto err;
-    }
-    /* Make it 128 for linux */
-    if (listen(s, 128) == -1) {
-#  ifndef OPENSSL_SYS_WINDOWS
-        perror("listen");
-#  endif
-        unlink(path);
-        goto err;
-    }
-    *sock = s;
-    ret = 1;
- err:
-    if ((ret == 0) && (s != -1)) {
-        SHUTDOWN(s);
-    }
-    return (ret);
-}
-# endif
-
-static int do_accept(int acc_sock, int *sock, char **host)
-{
-    int ret;
-    struct hostent *h1, *h2;
-    static struct sockaddr_in from;
-    int len;
-/*      struct linger ling; */
-
-    if (!ssl_sock_init())
-        return (0);
-
-# ifndef OPENSSL_SYS_WINDOWS
- redoit:
-# endif
-
-    memset(&from, 0, sizeof(from));
-    len = sizeof(from);
-    /*
-     * Note: under VMS with SOCKETSHR the fourth parameter is currently of
-     * type (int *) whereas under other systems it is (void *) if you don't
-     * have a cast it will choke the compiler: if you do have a cast then you
-     * can either go for (int *) or (void *).
-     */
-    ret = accept(acc_sock, (struct sockaddr *)&from, (void *)&len);
-    if (ret == (int)INVALID_SOCKET) {
-# if defined(OPENSSL_SYS_WINDOWS) || (defined(OPENSSL_SYS_NETWARE) && !defined(NETWARE_BSDSOCK))
-        int i;
-        i = WSAGetLastError();
-        BIO_printf(bio_err, "accept error %d\n", i);
-# else
-        if (errno == EINTR) {
-            /*
-             * check_timeout();
-             */
-            goto redoit;
-        }
-        BIO_printf(bio_err, "accept errno=%d, %s\n", errno, strerror(errno));
-# endif
-        return (0);
-    }
-
-    if (host == NULL)
-        goto end;
-# ifndef BIT_FIELD_LIMITS
-    /* I should use WSAAsyncGetHostByName() under windows */
-    h1 = gethostbyaddr((char *)&from.sin_addr.s_addr,
-                       sizeof(from.sin_addr.s_addr), AF_INET);
-# else
-    h1 = gethostbyaddr((char *)&from.sin_addr,
-                       sizeof(struct in_addr), AF_INET);
-# endif
-    if (h1 == NULL) {
-        BIO_printf(bio_err, "bad gethostbyaddr\n");
-        *host = NULL;
-        /* return(0); */
-    } else {
-        *host = app_malloc(strlen(h1->h_name) + 1, "copy hostname");
-        OPENSSL_strlcpy(*host, h1->h_name, strlen(h1->h_name) + 1);
-
-        h2 = gethostbyname(*host);
-        if (h2 == NULL) {
-            BIO_printf(bio_err, "gethostbyname failure\n");
-            closesocket(ret);
-            return (0);
-        }
-        if (h2->h_addrtype != AF_INET) {
-            BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");
-            closesocket(ret);
-            return (0);
+            SHUTDOWN2(asock);
+            ret = i;
+            break;
        }
    }
 end:
-    *sock = ret;
-    return (1);
-}
-
-# ifndef NO_SYS_UN_H
-static int do_accept_unix(int acc_sock, int *sock)
-{
-    int ret;
-
-    if (!ssl_sock_init())
-        return (0);
-
- redoit:
-    ret = accept(acc_sock, NULL, NULL);
-    if (ret == (int)INVALID_SOCKET) {
-        if (errno == EINTR) {
-            /*
-             * check_timeout();
-             */
-            goto redoit;
-        }
-        BIO_printf(bio_err, "accept errno=%d, %s\n", errno, strerror(errno));
-        return (0);
-    }
-
-    *sock = ret;
-    return (1);
-}
+# ifdef AF_UNIX
+    if (family == AF_UNIX)
+        unlink(host);
 # endif
-
-int extract_host_port(char *str, char **host_ptr, unsigned char *ip,
-                      unsigned short *port_ptr)
-{
-    char *h, *p;
-
-    h = str;
-    p = strchr(str, ':');
-    if (p == NULL) {
-        BIO_printf(bio_err, "no port defined\n");
-        return (0);
-    }
-    *(p++) = '\0';
-
-    if ((ip != NULL) && !host_ip(str, ip))
-        goto err;
-    if (host_ptr != NULL)
-        *host_ptr = h;
-
-    if (!extract_port(p, port_ptr))
-        goto err;
-    return (1);
- err:
-    return (0);
+    return ret;
 }

-static int host_ip(const char *str, unsigned char ip[4])
-{
-    unsigned int in[4];
-    int i;
-
-    if (sscanf(str, "%u.%u.%u.%u", &(in[0]), &(in[1]), &(in[2]), &(in[3])) ==
-        4) {
-        for (i = 0; i < 4; i++)
-            if (in[i] > 255) {
-                BIO_printf(bio_err, "invalid IP address\n");
-                goto err;
-            }
-        ip[0] = in[0];
-        ip[1] = in[1];
-        ip[2] = in[2];
-        ip[3] = in[3];
-    } else {                    /* do a gethostbyname */
-        struct hostent *he;
-
-        if (!ssl_sock_init())
-            return (0);
-
-        he = gethostbyname(str);
-        if (he == NULL) {
-            BIO_printf(bio_err, "gethostbyname failure\n");
-            goto err;
-        }
-        if (he->h_addrtype != AF_INET) {
-            BIO_printf(bio_err, "gethostbyname addr is not AF_INET\n");
-            return (0);
-        }
-        ip[0] = he->h_addr_list[0][0];
-        ip[1] = he->h_addr_list[0][1];
-        ip[2] = he->h_addr_list[0][2];
-        ip[3] = he->h_addr_list[0][3];
-    }
-    return (1);
- err:
-    return (0);
-}
-
-int extract_port(const char *str, unsigned short *port_ptr)
-{
-    int i;
-    struct servent *s;
-
-    i = atoi(str);
-    if (i != 0)
-        *port_ptr = (unsigned short)i;
-    else {
-        s = getservbyname(str, "tcp");
-        if (s == NULL) {
-            BIO_printf(bio_err, "getservbyname failure for %s\n", str);
-            return (0);
-        }
-        *port_ptr = ntohs((unsigned short)s->s_port);
-    }
-    return (1);
-}
-
-#endif
+#endif  /* OPENSSL_NO_SOCK */
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -468,8 +468,8 @@ int smime_main(int argc, char **argv)
    }

    if (certfile) {
-        if ((other = load_certs(certfile, FORMAT_PEM, NULL,
-                                 e, "certificate file")) == NULL) {
+        if (!load_certs(certfile, &other, FORMAT_PEM, NULL, e,
+                        "certificate file")) {
            ERR_print_errors(bio_err);
            goto end;
        }
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -94,16 +94,8 @@
 # include <signal.h>
 #endif

-#if defined(_WIN32) || defined(__CYGWIN__)
+#if defined(_WIN32)
 # include <windows.h>
-# if defined(__CYGWIN__) && !defined(_WIN32)
-  /*
-   * <windows.h> should define _WIN32, which normally is mutually exclusive
-   * with __CYGWIN__, but if it didn't...
-   */
-#  define _WIN32
-  /* this is done because Cygwin alarm() fails sometimes. */
-# endif
 #endif

 #include <openssl/bn.h>
@@ -129,7 +121,6 @@
 # include <openssl/md5.h>
 #endif
 #include <openssl/hmac.h>
-#include <openssl/evp.h>
 #include <openssl/sha.h>
 #ifndef OPENSSL_NO_RMD160
 # include <openssl/ripemd.h>
@@ -172,8 +163,6 @@
 #endif
 #include <openssl/modes.h>

-#include <openssl/bn.h>
-
 #ifndef HAVE_FORK
 # if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_NETWARE)
 #  define HAVE_FORK 0
@@ -1082,6 +1071,7 @@ int speed_main(int argc, char **argv)
        c[D_SHA256][i] = c[D_SHA256][0] * 4 * l0 / l1;
        c[D_SHA512][i] = c[D_SHA512][0] * 4 * l0 / l1;
        c[D_WHIRLPOOL][i] = c[D_WHIRLPOOL][0] * 4 * l0 / l1;
+        c[D_GHASH][i] = c[D_GHASH][0] * 4 * l0 / l1;

        l0 = (long)lengths[i - 1];

--- a/apps/srp.c
+++ b/apps/srp.c
@@ -55,19 +55,22 @@
 * Hudson (tjh@cryptsoft.com).
 *
 */
-#include <openssl/opensslconf.h>

-#ifndef OPENSSL_NO_SRP
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include <openssl/conf.h>
-#include <openssl/bio.h>
-#include <openssl/err.h>
-#include <openssl/txt_db.h>
-#include <openssl/buffer.h>
-#include <openssl/srp.h>
-#include "apps.h"
+#include <openssl/opensslconf.h>
+#ifdef OPENSSL_NO_SRP
+NON_EMPTY_TRANSLATION_UNIT
+#else
+
+# include <stdio.h>
+# include <stdlib.h>
+# include <string.h>
+# include <openssl/conf.h>
+# include <openssl/bio.h>
+# include <openssl/err.h>
+# include <openssl/txt_db.h>
+# include <openssl/buffer.h>
+# include <openssl/srp.h>
+# include "apps.h"

 # define BASE_SECTION    "srp"
 # define CONFIG_FILE "openssl.cnf"
@@ -365,7 +368,7 @@ int srp_main(int argc, char **argv)
            if (verbose)
                BIO_printf(bio_err,
                           "trying to read " ENV_DEFAULT_SRP
-                           " in \" BASE_SECTION \"\n");
+                           " in " BASE_SECTION "\n");

            section = NCONF_get_string(conf, BASE_SECTION, ENV_DEFAULT_SRP);
            if (section == NULL) {
@@ -653,11 +656,4 @@ int srp_main(int argc, char **argv)
    OBJ_cleanup();
    return (ret);
 }
-
-#else
-
-# if PEDANTIC
-static void *dummy = &dummy;
-# endif
-
 #endif
--- a/apps/testrsa.h
+++ b/apps/testrsa.h
@@ -1,4 +1,3 @@
-/* apps/testrsa.h */
 /* used by apps/speed.c */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
--- a/apps/timeouts.h
+++ b/apps/timeouts.h
@@ -1,4 +1,3 @@
-/* apps/timeouts.h */
 /*
 * DTLS implementation written by Nagendra Modadugu
 * (nagendra@cs.stanford.edu) for the OpenSSL project 2005.
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -115,7 +115,6 @@ int verify_main(int argc, char **argv)
    X509_VERIFY_PARAM *vpm = NULL;
    char *prog, *CApath = NULL, *CAfile = NULL;
    int noCApath = 0, noCAfile = 0;
-    char *untfile = NULL, *trustfile = NULL, *crlfile = NULL;
    int vpmtouched = 0, crl_download = 0, show_chain = 0, i = 0, ret = 1;
    OPTION_CHOICE o;

@@ -167,13 +166,24 @@ int verify_main(int argc, char **argv)
            noCAfile = 1;
            break;
        case OPT_UNTRUSTED:
-            untfile = opt_arg();
+            /* Zero or more times */
+            if (!load_certs(opt_arg(), &untrusted, FORMAT_PEM, NULL, e,
+                            "untrusted certificates"))
+                goto end;
            break;
        case OPT_TRUSTED:
-            trustfile = opt_arg();
+            /* Zero or more times */
+            noCAfile = 1;
+            noCApath = 1;
+            if (!load_certs(opt_arg(), &trusted, FORMAT_PEM, NULL, e,
+                            "trusted certificates"))
+                goto end;
            break;
        case OPT_CRLFILE:
-            crlfile = opt_arg();
+            /* Zero or more times */
+            if (!load_crls(opt_arg(), &crls, FORMAT_PEM, NULL, e,
+                           "other CRLs"))
+                goto end;
            break;
        case OPT_CRL_DOWNLOAD:
            crl_download = 1;
@@ -182,6 +192,7 @@ int verify_main(int argc, char **argv)
            show_chain = 1;
            break;
        case OPT_ENGINE:
+            /* Specify *before* -trusted/-untrusted/-CRLfile */
            e = setup_engine(opt_arg(), 0);
            break;
        case OPT_VERBOSE:
@@ -191,7 +202,7 @@ int verify_main(int argc, char **argv)
    }
    argc = opt_num_rest();
    argv = opt_rest();
-    if (trustfile && (CAfile || CApath)) {
+    if (trusted != NULL && (CAfile || CApath)) {
        BIO_printf(bio_err,
                   "%s: Cannot use -trusted with -CAfile or -CApath\n",
                   prog);
@@ -207,26 +218,6 @@ int verify_main(int argc, char **argv)

    ERR_clear_error();

-    if (untfile) {
-        untrusted = load_certs(untfile, FORMAT_PEM,
-                               NULL, e, "untrusted certificates");
-        if (!untrusted)
-            goto end;
-    }
-
-    if (trustfile) {
-        trusted = load_certs(trustfile, FORMAT_PEM,
-                             NULL, e, "trusted certificates");
-        if (!trusted)
-            goto end;
-    }
-
-    if (crlfile) {
-        crls = load_crls(crlfile, FORMAT_PEM, NULL, e, "other CRLs");
-        if (!crls)
-            goto end;
-    }
-
    if (crl_download)
        store_setup_crl_download(store);

--- a/apps/version.c
+++ b/apps/version.c
@@ -133,7 +133,7 @@

 typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
-    OPT_B, OPT_D, OPT_F, OPT_O, OPT_P, OPT_V, OPT_A
+    OPT_B, OPT_D, OPT_E, OPT_F, OPT_O, OPT_P, OPT_V, OPT_A
 } OPTION_CHOICE;

 OPTIONS version_options[] = {
@@ -141,6 +141,7 @@ OPTIONS version_options[] = {
    {"a", OPT_A, '-', "Show all data"},
    {"b", OPT_B, '-', "Show build date"},
    {"d", OPT_D, '-', "Show configuration directory"},
+    {"e", OPT_E, '-', "Show engines directory"},
    {"f", OPT_F, '-', "Show compiler flags used"},
    {"o", OPT_O, '-', "Show some internal datatype options"},
    {"p", OPT_P, '-', "Show target build platform"},
@@ -152,6 +153,7 @@ int version_main(int argc, char **argv)
 {
    int ret = 1, dirty = 0;
    int cflags = 0, version = 0, date = 0, options = 0, platform = 0, dir = 0;
+    int engdir = 0;
    char *prog;
    OPTION_CHOICE o;

@@ -172,6 +174,9 @@ int version_main(int argc, char **argv)
        case OPT_D:
            dirty = dir = 1;
            break;
+        case OPT_E:
+            dirty = engdir = 1;
+            break;
        case OPT_F:
            dirty = cflags = 1;
            break;
@@ -228,6 +233,8 @@ int version_main(int argc, char **argv)
        printf("%s\n", OpenSSL_version(OPENSSL_CFLAGS));
    if (dir)
        printf("%s\n", OpenSSL_version(OPENSSL_DIR));
+    if (engdir)
+        printf("%s\n", OpenSSL_version(OPENSSL_ENGINES_DIR));
    ret = 0;
 end:
    return (ret);
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -152,7 +152,7 @@ OPTIONS x509_options[] = {
    {"setalias", OPT_SETALIAS, 's', "Set certificate alias"},
    {"days", OPT_DAYS, 'n',
     "How long till expiry of a signed certificate - def 30 days"},
-    {"checkend", OPT_CHECKEND, 'p',
+    {"checkend", OPT_CHECKEND, 'M',
     "Check whether the cert expires in the next arg seconds"},
    {OPT_MORE_STR, 1, 1, "Exit 1 if so, 0 if not"},
    {"signkey", OPT_SIGNKEY, '<', "Self sign cert with arg"},
@@ -160,7 +160,7 @@ OPTIONS x509_options[] = {
     "Output a certification request object"},
    {"req", OPT_REQ, '-', "Input is a certificate request, sign and output"},
    {"CA", OPT_CA, '<', "Set the CA certificate, must be PEM format"},
-    {"CAkey", OPT_CAKEY, '<',
+    {"CAkey", OPT_CAKEY, 's',
     "The CA key, must be PEM format; if not in CAfile"},
    {"CAcreateserial", OPT_CACREATESERIAL, '-',
     "Create serial number file if it does not exist"},
@@ -225,7 +225,8 @@ int x509_main(int argc, char **argv)
    int ocsp_uri = 0, trustout = 0, clrtrust = 0, clrreject = 0, aliasout = 0;
    int ret = 1, i, num = 0, badsig = 0, clrext = 0, nocert = 0;
    int text = 0, serial = 0, subject = 0, issuer = 0, startdate = 0;
-    int checkoffset = 0, enddate = 0;
+    int enddate = 0;
+    time_t checkoffset = 0;
    unsigned long nmflag = 0, certflag = 0;
    char nmflag_set = 0;
    OPTION_CHOICE o;
@@ -271,7 +272,7 @@ int x509_main(int argc, char **argv)
                goto opthelp;
            break;
        case OPT_CAKEYFORM:
-            if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &CAkeyformat))
+            if (!opt_format(opt_arg(), OPT_FMT_ANY, &CAkeyformat))
                goto opthelp;
            break;
        case OPT_OUT:
@@ -466,8 +467,18 @@ int x509_main(int argc, char **argv)
            enddate = ++num;
            break;
        case OPT_CHECKEND:
-            checkoffset = atoi(opt_arg());
            checkend = 1;
+            {
+                intmax_t temp = 0;
+                if (!opt_imax(opt_arg(), &temp))
+                    goto opthelp;
+                checkoffset = (time_t)temp;
+                if ((intmax_t)checkoffset != temp) {
+                    BIO_printf(bio_err, "%s: checkend time out of range %s\n",
+                               prog, opt_arg());
+                    goto opthelp;
+                }
+            }
            break;
        case OPT_CHECKHOST:
            checkhost = opt_arg();
@@ -731,13 +742,13 @@ int x509_main(int argc, char **argv)
                }
                BIO_printf(out, "Modulus=");
 #ifndef OPENSSL_NO_RSA
-                if (pkey->type == EVP_PKEY_RSA)
-                    BN_print(out, pkey->pkey.rsa->n);
+                if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA)
+                    BN_print(out, EVP_PKEY_get0_RSA(pkey)->n);
                else
 #endif
 #ifndef OPENSSL_NO_DSA
-                if (pkey->type == EVP_PKEY_DSA)
-                    BN_print(out, pkey->pkey.dsa->pub_key);
+                if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA)
+                    BN_print(out, EVP_PKEY_get0_DSA(pkey)->pub_key);
                else
 #endif
                    BIO_printf(out, "Wrong Algorithm type");
--- a/build.info
+++ b/build.info
@@ -0,0 +1,27 @@
+{- use File::Spec::Functions qw/catdir rel2abs/; -}
+LIBS=libcrypto libssl
+ORDINALS[libcrypto]=crypto
+ORDINALS[libssl]=ssl
+INCLUDE[libcrypto]={- rel2abs(catdir($builddir,"include")) -} . crypto/include include
+INCLUDE[libssl]={- rel2abs(catdir($builddir,"include")) -} . include
+DEPEND[libssl]=libcrypto
+
+IF[{- $config{target} =~ /^Cygwin/ -}]
+ SHARED_NAME[libcrypto]=cygcrypto-{- $config{shlib_major}.".".$config{shlib_minor} -}
+ SHARED_NAME[libssl]=cygssl-{- $config{shlib_major}.".".$config{shlib_minor} -}
+ELSIF[{- $config{target} =~ /^mingw/ -}]
+ SHARED_NAME[libcrypto]=libeay32
+ SHARED_NAME[libssl]=ssleay32
+ENDIF
+
+# VMS has a cultural standard where all libraries are prefixed.
+# For OpenSSL, the choice is 'ossl$' (this prefix was claimed in a
+# conversation with VSI, Tuesday January 26 2016)
+# Also, it seems it's usual to have a suffix to the shared library name
+# for the different pointer sizes that were built for.
+IF[{- $config{target} =~ /^vms/ -}]
+ RENAME[libcrypto]=ossl$libcrypto
+ RENAME[libssl]=ossl$libssl
+ SHARED_NAME[libcrypto]=ossl$libcrypto_shr{- $target{pointer_size} -}
+ SHARED_NAME[libssl]=ossl$libssl_shr{- $target{pointer_size} -}
+ENDIF
--- a/Show More
+++ b/Show More