Prepare for 1.1.0-pre5 release

Reviewed-by: Rich Salz <rsalz@openssl.org>
Unsigned chars can't be negative
2016-04-19 15:57:51 +01:00 · 2016-04-18 15:12:58 +01:00 · 2016-04-18 14:59:23 +01:00 · 2016-04-18 09:02:11 -04:00 · 2016-04-18 08:22:00 -04:00 · 2016-04-18 14:20:41 +02:00
706 changed files with 26927 additions and 23078 deletions
--- a/.gitignore
+++ b/.gitignore
@@ -37,14 +37,15 @@ Makefile

 # Links under apps
 /apps/CA.pl
+/apps/tsget
 /apps/md4.c


 # Auto generated headers
 /crypto/buildinf.h
-/openssl/include/opensslconf.h
 /crypto/include/internal/*_conf.h
-util/domd
+/openssl/include/opensslconf.h
+/util/domd

 # Auto generated assembly language source files
 *.s
@@ -59,6 +60,7 @@ util/domd
 /test/sha256t
 /test/sha512t
 /test/gost2814789t
+/test/ssltest_old
 /test/*test
 /test/fips_aesavs
 /test/fips_desmovs
--- a/.travis.yml
+++ b/.travis.yml
@@ -23,28 +23,28 @@ compiler:
    - gcc

 env:
-    - CONFIG_OPTS="shared"
-    - CONFIG_OPTS="--debug --strict-warnings enable-crypto-mdebug enable-rc5 enable-md2"
-    - CONFIG_OPTS="" BUILDONLY="yes"
+    - CONFIG_OPTS=""
+    - CONFIG_OPTS="--debug no-shared enable-crypto-mdebug enable-rc5 enable-md2"
+    - CONFIG_OPTS="--strict-warnings no-shared" BUILDONLY="yes"
+    - CONFIG_OPTS="--classic no-shared" BUILDONLY="yes"
    - CONFIG_OPTS="--classic" BUILDONLY="yes"
-    - CONFIG_OPTS="--classic shared" BUILDONLY="yes"
-    - CONFIG_OPTS="no-pic" BUILDONLY="yes"
-    - CONFIG_OPTS="no-engine" BUILDONLY="yes"
+    - CONFIG_OPTS="no-pic --strict-warnings" BUILDONLY="yes"
+    - CONFIG_OPTS="no-engine no-shared --strict-warnings" BUILDONLY="yes"

 matrix:
    include:
        - os: linux
          compiler: clang-3.6
-          env: CONFIG_OPTS="-fsanitize=address"
+          env: CONFIG_OPTS="-fsanitize=address no-shared"
        - os: linux
          compiler: clang-3.6
-          env: CONFIG_OPTS="no-asm --strict-warnings -fno-sanitize-recover -fsanitize=address -fsanitize=undefined enable-rc5 enable-md2"
+          env: CONFIG_OPTS="no-shared no-asm -fno-sanitize-recover -fsanitize=address -fsanitize=undefined enable-rc5 enable-md2 -fno-sanitize=alignment"
        - os: linux
          compiler: gcc-5
-          env: CONFIG_OPTS="-fsanitize=address"
+          env: CONFIG_OPTS="no-shared -fsanitize=address"
        - os: linux
          compiler: gcc-5
-          env: CONFIG_OPTS="no-asm --strict-warnings -fno-sanitize-recover -fsanitize=address -fsanitize=undefined enable-rc5 enable-md2"
+          env: CONFIG_OPTS="no-shared no-asm -fno-sanitize-recover -DPEDANTIC -fsanitize=address -fsanitize=undefined enable-rc5 enable-md2"
        - os: linux
          compiler: i686-w64-mingw32-gcc
          env: CONFIG_OPTS="no-pic"
--- a/66
+++ b/66
@@ -4,6 +4,72 @@

 Changes between 1.0.2g and 1.1.0  [xx XXX xxxx]

+  *) The following datatypes were made opaque: X509_OBJECT, X509_STORE_CTX,
+     X509_STORE, X509_LOOKUP, and X509_LOOKUP_METHOD.  The unused type
+     X509_CERT_FILE_CTX was removed.
+     [Rich Salz]
+
+  *) "shared" builds are now the default. To create only static libraries use
+     the "no-shared" Configure option.
+     [Matt Caswell]
+
+  *) Remove the no-aes, no-hmac, no-rsa, no-sha and no-md5 Configure options.
+     All of these option have not worked for some while and are fundamental
+     algorithms.
+     [Matt Caswell]
+
+  *) Make various cleanup routines no-ops and mark them as deprecated. Most
+     global cleanup functions are no longer required because they are handled
+     via auto-deinit (see OPENSSL_init_crypto and OPENSSL_init_ssl man pages).
+     Explicitly de-initing can cause problems (e.g. where a library that uses
+     OpenSSL de-inits, but an application is still using it). The affected
+     functions are CONF_modules_free(), ENGINE_cleanup(), OBJ_cleanup(),
+     EVP_cleanup(), BIO_sock_cleanup(), CRYPTO_cleanup_all_ex_data(),
+     RAND_cleanup(), SSL_COMP_free_compression_methods(), ERR_free_strings() and
+     COMP_zlib_cleanup().
+     [Matt Caswell]
+
+  *) --strict-warnings no longer enables runtime debugging options
+     such as REF_DEBUG. Instead, debug options are automatically
+     enabled with '--debug' builds.
+     [Andy Polyakov, Emilia Käsper]
+
+  *) Made DH and DH_METHOD opaque. The structures for managing DH objects
+     have been moved out of the public header files. New functions for managing
+     these have been added.
+     [Matt Caswell]
+
+  *) Made RSA and RSA_METHOD opaque. The structures for managing RSA
+     objects have been moved out of the public header files. New
+     functions for managing these have been added.
+     [Richard Levitte]
+
+  *) Made DSA and DSA_METHOD opaque. The structures for managing DSA objects
+     have been moved out of the public header files. New functions for managing
+     these have been added.
+     [Matt Caswell]
+
+  *) Made BIO and BIO_METHOD opaque. The structures for managing BIOs have been
+     moved out of the public header files. New functions for managing these
+     have been added.
+     [Matt Caswell]
+
+  *) Removed no-rijndael as a config option. Rijndael is an old name for AES.
+     [Matt Caswell]
+
+  *) Removed the mk1mf build scripts.
+     [Richard Levitte]
+
+  *) Headers are now wrapped, if necessary, with OPENSSL_NO_xxx, so
+     it is always safe to #include a header now.
+     [Rich Salz]
+
+  *) Removed the aged BC-32 config and all its supporting scripts
+     [Richard Levitte]
+
+  *) Removed support for Ultrix, Netware, and OS/2.
+     [Rich Salz]
+
  *) Add support for HKDF.
     [Alessandro Ghedini]

--- a/Configurations/00-base-templates.conf
+++ b/Configurations/00-base-templates.conf
@@ -43,16 +43,12 @@
    BASE_common => {
 	template	=> 1,
 	defines		=>
-	    [ sub {
-		unless ($disabled{zlib}) {
-		    if (defined($disabled{"zlib-dynamic"})) {
-			return "ZLIB";
-		    } else {
-			return "ZLIB_SHARED";
-		    }
-		}
-		return (); }
-	    ],
+	    sub {
+                my @defs = ();
+                push @defs, "ZLIB" unless $disabled{zlib};
+                push @defs, "ZLIB_SHARED" unless $disabled{"zlib-dynamic"};
+                return [ @defs ];
+            },
    },

    BASE_unix => {
@@ -84,7 +80,7 @@
            sub {
                unless ($disabled{zlib}) {
                    if (defined($disabled{"zlib-dynamic"})) {
-                        return "zlib1.lib";
+                        return $withargs{zlib_lib};
                    }
                }
                return (); },
@@ -104,19 +100,6 @@
        inherit_from    => [ "BASE_common" ],
        template        => 1,

-        ex_libs          =>
-            sub {
-                unless ($disabled{zlib}) {
-                    if (defined($disabled{"zlib-dynamic"})) {
-                        if (defined($withargs{zlib_lib})) {
-                            return $withargs{zlib_lib}.'GNV$LIBZSHR.EXE/SHARED'
-                        } else {
-                            return 'GNV$LIBZSHR/SHARE';
-                        }
-                    }
-                }
-                return (); },
-
        build_file       => "descrip.mms",
        build_scheme     => [ "unified", "VMS" ],
    },
@@ -125,7 +108,7 @@
 	template	=> 1,
 	apps_aux_src	=> add("../ms/applink.c"),
 	uplink_aux_src	=> add("../ms/uplink.c"),
-	shared_defines	=> add("OPENSSL_USE_APPLINK", { separator => undef }),
+	defines		=> add("OPENSSL_USE_APPLINK"),
    },
    x86_uplink => {
 	inherit_from	=> [ "uplink_common" ],
--- a/Configurations/10-main.conf
+++ b/Configurations/10-main.conf
@@ -1,22 +1,6 @@
 ## -*- mode: perl; -*-
 ## Standard openssl configuration targets.

-sub picker {
-    my %opts = @_;
-    return sub { add($opts{default} || (),
-                     $opts{$config{build_type}} || ())->(); }
-}
-
-sub threads {
-    my @flags = @_;
-    return sub { add($disabled{threads} ? () : @flags)->(); }
-}
-
-sub combine {
-    my @stuff = @_;
-    return sub { add(@stuff)->(); }
-}
-
 # Helper functions for the Windows configs
 my $vc_win64a_info = {};
 sub vc_win64a_info {
@@ -90,6 +74,35 @@ sub vc_wince_info {
    return $vc_wince_info;
 }

+# Helper functions for the VMS configs
+my $vms_info = {};
+sub vms_info {
+    unless (%$vms_info) {
+        my $pointer_size = shift;
+        my $pointer_size_str = $pointer_size == 0 ? "" : "$pointer_size";
+
+        $vms_info->{disable_warns} = [ ];
+        if ($pointer_size == 64) {
+            `PIPE CC /NOCROSS_REFERENCE /NOLIST /NOOBJECT /WARNINGS = DISABLE = ( MAYLOSEDATA3, EMPTYFILE ) NL: 2> NL:`;
+            if ($? == 0) {
+                push @{$vms_info->{disable_warns}}, "MAYLOSEDATA3";
+            }
+        }
+
+        unless ($disabled{zlib}) {
+            my $default_zlib = 'GNV$LIBZSHR' . $pointer_size_str;
+            if (defined($disabled{"zlib-dynamic"})) {
+                $vms_info->{zlib} = $withargs{zlib_lib} || "$default_zlib/SHARE";
+            } else {
+                $vms_info->{def_zlib} = $withargs{zlib_lib} || $default_zlib;
+                # In case the --with-zlib-lib value contains something like
+                # /SHARE or /LIB or so at the end, remove it.
+                $vms_info->{def_zlib} =~ s|/.*$||g;
+            }
+        }
+    }
+    return $vms_info;
+}

 %targets = (

@@ -112,7 +125,7 @@ sub vc_wince_info {
        inherit_from     => [ "BASE_unix" ],
        cc               => "gcc",
        cflags           => picker(default => "-Wall -DOPENSSL_SYS_VOS -D_POSIX_C_SOURCE=200112L -D_BSD -D_VOS_EXTENDED_NAMES -DB_ENDIAN",
-                                   debug   => "-O0 -g -DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG",
+                                   debug   => "-O0 -g",
                                   release => "-O3"),
        thread_scheme    => "(unknown)",
        sys_id           => "VOS",
@@ -222,8 +235,7 @@ sub vc_wince_info {
        # -m32 should be safe to add as long as driver recognizes
        # -mcpu=ultrasparc
        inherit_from     => [ "solaris-sparcv7-gcc", asm("sparcv9_asm") ],
-        cflags           => add_before(picker(default => "-m32 -mcpu=ultrasparc",
-                                              debug   => "-DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DPEDANTIC -O -g -pedantic -ansi -Wshadow -Wno-long-long -D__EXTENSIONS__")),
+        cflags           => add_before("-m32 -mcpu=ultrasparc"),
    },
    "solaris64-sparcv9-gcc" => {
        inherit_from     => [ "solaris-sparcv9-gcc" ],
@@ -241,7 +253,7 @@ sub vc_wince_info {
        inherit_from     => [ "solaris-common" ],
        cc               => "cc",
        cflags           => add_before(picker(default => "-xstrconst -Xa -DB_ENDIAN -DBN_DIV2W",
-                                              debug   => "-g -DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG",
+                                              debug   => "-g",
                                              release => "-xO5 -xdepend"),
                                       threads("-D_REENTRANT")),
        lflags           => add(threads("-mt")),
@@ -602,7 +614,7 @@ sub vc_wince_info {
        inherit_from     => [ "BASE_unix" ],
        cc               => "gcc",
        cflags           => combine(picker(default => "-Wall",
-                                           debug   => "-O0 -g -DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG",
+                                           debug   => "-O0 -g",
                                           release => "-O3"),
                                    threads("-pthread")),
        ex_libs          => add("-ldl"),
@@ -1237,61 +1249,87 @@ sub vc_wince_info {
        template         => 1,
        cc               => "cl",
        cflags           => "-W3 -wd4090 -Gs0 -GF -Gy -nologo -DOPENSSL_SYS_WIN32 -DWIN32_LEAN_AND_MEAN -DL_ENDIAN -D_CRT_SECURE_NO_DEPRECATE",
+        defines          => add(sub { my @defs = ();
+                                      unless ($disabled{"zlib-dynamic"}) {
+                                          push @defs,
+                                              quotify("perl",
+                                                      'LIBZ="' . $withargs{zlib_lib} . '"');
+                                      }
+                                      return [ @defs ];
+                                    }),
        coutflag         => "/Fo",
-        lib_cflags       => sub { join(" ",
-                                       ($disabled{shared} ? "/Zl" : ()),
-                                       "/Zi /Fdlib") },
+        rc               => "rc",
+        rcoutflag        => "/fo",
+        lib_cflags       => add("/Zi /Fdlib"),
        dso_cflags       => "/Zi",
        bin_cflags       => "/Zi /Fdapp",
        lflags           => add("/debug"),
-        shared_cflag     => "-D_WINDLL",
        shared_ldflag    => "/dll",
        shared_target    => "win-shared", # meaningless except it gives Configure a hint
        thread_scheme    => "winthreads",
        dso_scheme       => "win32",
    },
    "VC-noCE-common" => {
-        inherit_from     => [ "VC-common", "uplink_common" ],
+        inherit_from     => [ "VC-common" ],
        cflags           => add(picker(default => "-DUNICODE -D_UNICODE",
                                       debug   =>
                                       sub {
-                                           ($disabled{shared} ? "/MT" : "/MD")
-                                               ."d /Od -DDEBUG -D_DEBUG";
+                                           ($disabled{shared} ? "" : "/MDd")
+                                               ." /Od -DDEBUG -D_DEBUG";
                                       },
                                       release =>
                                       sub {
-                                           ($disabled{shared} ? "/MT" : "/MD")
+                                           ($disabled{shared} ? "" : "/MD")
                                               ." /Ox /O2 /Ob2";
                                       })),
+        lib_cflags       => add(sub { $disabled{shared} ? "/MT /Zl" : () }),
+        # Following might/should appears controversial, i.e. defining
+        # /MDd without evaluating $disabled{shared}. It works in
+        # non-shared build because static library is compiled with /Zl
+        # and bares no reference to specific RTL. And it works in
+        # shared build because multiple /MDd options are not prohibited.
+        # But why /MDd in static build? Well, basically this is just a
+        # reference point, which allows to catch eventual errors that
+        # would prevent those who want to wrap OpenSSL into own .DLL.
+        # Why not /MD in release build then? Well, some are likely to
+        # prefer [non-debug] openssl.exe to be free from Micorosoft RTL
+        # redistributable.
+        bin_cflags       => add(picker(debug   => "/MDd",
+                                       release => sub { $disabled{shared} ? "/MT" : () },
+                                      )),
        bin_lflags       => add("/subsystem:console /opt:ref"),
-        ex_libs          => sub {
+        ex_libs          => add(sub {
            my @ex_libs = ();
            push @ex_libs, 'ws2_32.lib' unless $disabled{sock};
            push @ex_libs, 'gdi32.lib advapi32.lib crypt32.lib user32.lib';
            return join(" ", @ex_libs);
-        },
+        }),
    },
    "VC-WIN64-common" => {
        inherit_from     => [ "VC-noCE-common" ],
-        ex_libs          => sub {
+        ex_libs          => add(sub {
            my @ex_libs = ();
            push @ex_libs, 'bufferoverflowu.lib' if (`cl 2>&1` =~ /14\.00\.4[0-9]{4}\./);
            return join(" ", @_, @ex_libs);
-        },
+        }),
        bn_ops           => "SIXTY_FOUR_BIT EXPORT_VAR_AS_FN",
        build_scheme     => add("VC-W64", { separator => undef }),
    },
    "VC-WIN64I" => {
-        inherit_from     => [ "VC-WIN64-common", asm("ia64_asm") ],
+        inherit_from     => [ "VC-WIN64-common", asm("ia64_asm"),
+                              sub { $disabled{shared} ? () : "ia64_uplink" } ],
        as               => "ias",
        asflags          => "-d debug",
        asoutflag        => "-o",
        sys_id           => "WIN64I",
-        rc4_asm_src      => "",
+        bn_asm_src       => sub { return undef unless @_;
+                                  my $r=join(" ",@_); $r=~s|bn-ia64.s|bn_asm.c|; $r; },
        perlasm_scheme   => "ias",
+        multilib         => "-ia64",
    },
    "VC-WIN64A" => {
-        inherit_from     => [ "VC-WIN64-common", asm("x86_64_asm") ],
+        inherit_from     => [ "VC-WIN64-common", asm("x86_64_asm"),
+                              sub { $disabled{shared} ? () : "x86_64_uplink" } ],
        as               => sub { vc_win64a_info()->{as} },
        asflags          => sub { vc_win64a_info()->{asflags} },
        asoutflag        => sub { vc_win64a_info()->{asoutflag} },
@@ -1299,24 +1337,26 @@ sub vc_wince_info {
        bn_asm_src       => sub { return undef unless @_;
                                  my $r=join(" ",@_); $r=~s|asm/x86_64-gcc|bn_asm|; $r; },
        perlasm_scheme   => "auto",
+        multilib         => "-x64",
    },
    "VC-WIN32" => {
        # x86 Win32 target defaults to ANSI API, if you want UNICODE,
        # configure with 'perl Configure VC-WIN32 -DUNICODE -D_UNICODE'
-        inherit_from     => [ "VC-noCE-common", asm("x86_asm") ],
+        inherit_from     => [ "VC-noCE-common", asm("x86_asm"),
+                              sub { $disabled{shared} ? () : "uplink_common" } ],
        as               => sub { my $ver=`nasm -v 2>NUL`;
                                  my $vew=`nasmw -v 2>NUL`;
                                  return $ver ge $vew ? "nasm" : "nasmw" },
        asflags          => "-f win32",
        asoutflag        => "-o",
-        ex_libs          => sub {
+        ex_libs          => add(sub {
            my @ex_libs = ();
            # WIN32 UNICODE build gets linked with unicows.lib for
            # backward compatibility with Win9x.
            push @ex_libs, 'unicows.lib'
                if (grep { $_ eq "UNICODE" } @user_defines);
            return join(" ", @ex_libs, @_);
-        },
+        }),
        sys_id           => "WIN32",
        bn_ops           => "BN_LLONG EXPORT_VAR_AS_FN",
        perlasm_scheme   => "win32n",
@@ -1347,7 +1387,7 @@ sub vc_wince_info {
                                              ? "/entry:mainCRTstartup" : (); }),
        sys_id           => "WINCE",
        bn_ops           => "BN_LLONG EXPORT_VAR_AS_FN",
-        ex_libs          => sub {
+        ex_libs          => add(sub {
            my @ex_libs = ();
            push @ex_libs, 'ws2.lib' unless $disabled{sock};
            push @ex_libs, 'crypt32.lib';
@@ -1365,20 +1405,10 @@ sub vc_wince_info {
            push @ex_libs, ' /nodefaultlib coredll.lib corelibc.lib'
                if ($ENV{'TARGETCPU'} eq "X86");
            return @ex_libs;
-        },
+        }),
        build_scheme     => add("VC-WCE", { separator => undef }),
    },

-###### Borland C++ 4.5
-##    "BC-32" => {
-##        inherit_from     => [ "BASE_Windows" ],
-##        cc               => "bcc32",
-##        sys_id           => "WIN32",
-##        bn_ops           => "BN_LLONG EXPORT_VAR_AS_FN",
-##        dso_scheme       => "win32",
-##        build_scheme     => add("BC", { separator => undef }),
-##    },
-
 #### MinGW
    "mingw" => {
        inherit_from     => [ "BASE_unix", asm("x86_asm"),
@@ -1499,57 +1529,6 @@ sub vc_wince_info {
 	inherit_from     => [ "Cygwin-x86" ]
    },

-#### NetWare from David Ward (dsward@novell.com)
-# requires either MetroWerks NLM development tools, or gcc / nlmconv
-# NetWare defaults socket bio to WinSock sockets. However,
-# the builds can be configured to use BSD sockets instead.
-# netware-clib => legacy CLib c-runtime support
-    "netware-clib" => {
-        inherit_from     => [ "BASE_Windows" ],
-        cc               => "mwccnlm",
-        build_scheme     => add("netware", { separator => undef }),
-    },
-    "netware-clib-bsdsock" => {
-        inherit_from     => [ "BASE_Windows" ],
-        cc               => "mwccnlm",
-        build_scheme     => add("netware", { separator => undef }),
-    },
-    "netware-clib-gcc" => {
-        inherit_from     => [ "BASE_unix" ],
-        cc               => "i586-netware-gcc",
-        cflags           => "-nostdinc -I/ndk/nwsdk/include/nlm -I/ndk/ws295sdk/include -DL_ENDIAN -DNETWARE_CLIB -DOPENSSL_SYS_NETWARE -O2 -Wall",
-    },
-    "netware-clib-bsdsock-gcc" => {
-        inherit_from     => [ "BASE_unix" ],
-        cc               => "i586-netware-gcc",
-        cflags           => "-nostdinc -I/ndk/nwsdk/include/nlm -DNETWARE_BSDSOCK -DNETDB_USE_INTERNET -DL_ENDIAN -DNETWARE_CLIB -DOPENSSL_SYS_NETWARE -O2 -Wall",
-    },
-    # netware-libc => LibC/NKS support
-    "netware-libc" => {
-        inherit_from     => [ "BASE_Windows" ],
-        cc               => "mwccnlm",
-        bn_ops           => "BN_LLONG",
-        build_scheme     => add("netware", { separator => undef }),
-    },
-    "netware-libc-bsdsock" => {
-        inherit_from     => [ "BASE_Windows" ],
-        cc               => "mwccnlm",
-        bn_ops           => "BN_LLONG",
-        build_scheme     => add("netware", { separator => undef }),
-    },
-    "netware-libc-gcc" => {
-        inherit_from     => [ "BASE_unix" ],
-        cc               => "i586-netware-gcc",
-        cflags           => "-nostdinc -I/ndk/libc/include -I/ndk/libc/include/winsock -DL_ENDIAN -DNETWARE_LIBC -DOPENSSL_SYS_NETWARE -DTERMIO -O2 -Wall",
-        bn_ops           => "BN_LLONG",
-    },
-    "netware-libc-bsdsock-gcc" => {
-        inherit_from     => [ "BASE_unix" ],
-        cc               => "i586-netware-gcc",
-        cflags           => "-nostdinc -I/ndk/libc/include -DNETWARE_BSDSOCK -DL_ENDIAN -DNETWARE_LIBC -DOPENSSL_SYS_NETWARE -DTERMIO -O2 -Wall",
-        bn_ops           => "BN_LLONG",
-    },
-
 #### DJGPP
    "DJGPP" => {
        inherit_from     => [ asm("x86_asm") ],
@@ -1561,23 +1540,6 @@ sub vc_wince_info {
        perlasm_scheme   => "a.out",
    },

-#### Ultrix from Bernhard Simon <simon@zid.tuwien.ac.at>
-    "ultrix-cc" => {
-        inherit_from     => [ "BASE_unix" ],
-        cc               => "cc",
-        cflags           => "-std1 -O -Olimit 2500 -DL_ENDIAN",
-        thread_scheme    => "(unknown)",
-    },
-    "ultrix-gcc" => {
-        inherit_from     => [ "BASE_unix" ],
-        cc               => "gcc",
-        cflags           => "-O3 -DL_ENDIAN",
-        bn_ops           => "BN_LLONG",
-        thread_scheme    => "(unknown)",
-    },
-# K&R C is no longer supported; you need gcc on old Ultrix installations
-##"ultrix","cc:-O2 -DNOPROTO -DNOCONST -DL_ENDIAN::(unknown):::::::",
-
 ##### MacOS X (a.k.a. Darwin) setup
    "darwin-common" => {
        inherit_from     => [ "BASE_unix" ],
@@ -1599,15 +1561,18 @@ sub vc_wince_info {
        shared_ldflag    => "-dynamiclib",
        shared_extension => ".\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
    },
+    # Option "freeze" such as -std=gnu9x can't negatively interfere
+    # with future defaults for below two targets, because MacOS X
+    # for PPC has no future, it was discontinued by vendor in 2009.
    "darwin-ppc-cc" => {
        inherit_from     => [ "darwin-common", asm("ppc32_asm") ],
-        cflags           => add("-arch ppc -DB_ENDIAN -Wa,-force_cpusubtype_ALL"),
+        cflags           => add("-arch ppc -std=gnu9x -DB_ENDIAN -Wa,-force_cpusubtype_ALL"),
        perlasm_scheme   => "osx32",
        shared_ldflag    => "-arch ppc -dynamiclib",
    },
    "darwin64-ppc-cc" => {
        inherit_from     => [ "darwin-common", asm("ppc64_asm") ],
-        cflags           => add("-arch ppc64 -DB_ENDIAN"),
+        cflags           => add("-arch ppc64 -std=gnu9x -DB_ENDIAN"),
        bn_ops           => "SIXTY_FOUR_BIT_LONG RC4_CHAR",
        perlasm_scheme   => "osx64",
        shared_ldflag    => "-arch ppc64 -dynamiclib",
@@ -1680,12 +1645,6 @@ sub vc_wince_info {
        shared_cflag     => "-fPIC",
    },

-##### OS/2 EMX
-    "OS2-EMX" => {
-        inherit_from     => [ "BASE_unix" ],
-        cc               => "gcc",
-    },
-
 ##### VxWorks for various targets
    "vxworks-ppc60x" => {
        inherit_from     => [ "BASE_unix" ],
@@ -1718,7 +1677,7 @@ sub vc_wince_info {
    "vxworks-ppc750-debug" => {
        inherit_from     => [ "BASE_unix" ],
        cc               => "ccppc",
-        cflags           => "-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h -DBN_DEBUG -DREF_DEBUG -DCONF_DEBUG -DBN_CTX_DEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DDEBUG -g",
+        cflags           => "-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h -DPEDANTIC -DDEBUG -g",
        sys_id           => "VXWORKS",
        lflags           => "-r",
    },
@@ -1782,6 +1741,36 @@ sub vc_wince_info {
        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
        ranlib           => "$ENV{'RANLIB'}",
    },
+    "haiku-common" => {
+        template         => 1,
+        cc               => "cc",
+        cflags           => add_before(picker(default => "-DL_ENDIAN -Wall",
+                                              debug   => "-g -O0",
+                                              release => "-O2"),
+                                       threads("-D_REENTRANT")),
+        sys_id           => "HAIKU",
+        lflags           => "-lnetwork",
+        perlasm_scheme   => "elf",
+        thread_scheme    => "pthreads",
+        dso_scheme       => "dlfcn",
+        shared_target    => "haiku-shared",
+        shared_cflag     => "-fPIC",
+        shared_ldflag    => "-shared",
+        shared_extension => ".so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+    },
+    "haiku-x86" => {
+        inherit_from     => [ "haiku-common", asm("x86_elf_asm") ],
+        cflags           => add(picker(default => "",
+                                       release => "-fomit-frame-pointer")),
+        bn_ops           => "BN_LLONG",
+    },
+    # Haiku builds with no-asm
+    "haiku-x86_64" => {
+        inherit_from     => [ "haiku-common", asm("x86_64_asm") ],
+        cflags           => add("-m64"),
+        bn_ops           => "SIXTY_FOUR_BIT_LONG",
+    },
+

    ##### VMS
    "vms-generic" => {
@@ -1795,6 +1784,7 @@ sub vc_wince_info {
                                   debug   => "/DEBUG/TRACEBACK",
                                   release => "/NODEBUG/NOTRACEBACK"),
        shared_target    => "vms-shared",
+        dso_scheme       => "vms",
        thread_scheme    => "pthreads",

        apps_aux_src     => "vms_decc_init.c",
@@ -1814,37 +1804,101 @@ sub vc_wince_info {
    #},
    "vms-alpha" => {
        inherit_from     => [ "vms-generic" ],
+        cflags           => add(sub { my @warnings =
+                                          @{vms_info(0)->{disable_warns}};
+                                      @warnings
+                                          ? "/WARNINGS=DISABLE=(".join(",",@warnings).")" : (); }),
+        defines          =>
+                    add(sub {
+                            return vms_info(0)->{def_zlib}
+                                ? "LIBZ=\"\"\"".vms_info(0)->{def_zlib}."\"\"\"" : ();
+                            }),
+        ex_libs          => add(sub { return vms_info(0)->{zlib} || (); }),
        #as               => "???",
        #debug_aflags     => "/NOOPTIMIZE/DEBUG",
        #release_aflags   => "/OPTIMIZE/NODEBUG",
        bn_opts          => "SIXTY_FOUR_BIT RC4_INT RC4_CHUNK_LL DES_PTR BF_PTR",
    },
-    "vms-alpha-P32" => {
-	inherit_from	 => [ "vms-alpha" ],
-	cflags		 => add("/POINTER_SIZE=32"),
-	ex_libs		 => sub { join(",", map { s|SHR([\./])|SHR32$1|g; $_ } @_) },
+    "vms-alpha-p32" => {
+        inherit_from     => [ "vms-generic" ],
+        cflags           =>
+            add("/POINTER_SIZE=32",
+                sub { my @warnings =
+                          @{vms_info(32)->{disable_warns}};
+                      @warnings
+                          ? "/WARNINGS=DISABLE=(".join(",",@warnings).")" : ();
+                } ),
+        defines          =>
+                    add(sub {
+                            return vms_info(32)->{def_zlib}
+                                ? "LIBZ=\"\"\"".vms_info(32)->{def_zlib}."\"\"\"" : ();
+                            }),
+        ex_libs          => add(sub { return vms_info(32)->{zlib} || (); }),
    },
-    "vms-alpha-P64" => {
-	inherit_from	 => [ "vms-alpha" ],
-	cflags		 => add("/POINTER_SIZE=64"),
-	ex_libs		 => sub { join(",", map { s|SHR([\./])|SHR64$1|g; $_ } @_) },
+    "vms-alpha-p64" => {
+        inherit_from     => [ "vms-generic" ],
+        cflags           =>
+            add("/POINTER_SIZE=64=ARGV",
+                sub { my @warnings =
+                          @{vms_info(64)->{disable_warns}};
+                      @warnings
+                          ? "/WARNINGS=DISABLE=(".join(",",@warnings).")" : ();
+                } ),
+        defines          =>
+                    add(sub {
+                            return vms_info(64)->{def_zlib}
+                                ? "LIBZ=\"\"\"".vms_info(64)->{def_zlib}."\"\"\"" : ();
+                            }),
+        ex_libs          => add(sub { return vms_info(64)->{zlib} || (); }),
    },
    "vms-ia64" => {
        inherit_from     => [ "vms-generic" ],
+        cflags           => add(sub { my @warnings =
+                                          @{vms_info(0)->{disable_warns}};
+                                      @warnings
+                                          ? "/WARNINGS=DISABLE=(".join(",",@warnings).")" : (); }),
+        defines          =>
+                    add(sub {
+                            return vms_info(0)->{def_zlib}
+                                ? "LIBZ=\"\"\"".vms_info(0)->{def_zlib}."\"\"\"" : ();
+                            }),
+        ex_libs          => add(sub { return vms_info(0)->{zlib} || (); }),
        #as               => "I4S",
        #debug_aflags     => "/NOOPTIMIZE/DEBUG",
        #release_aflags   => "/OPTIMIZE/NODEBUG",
        bn_opts          => "SIXTY_FOUR_BIT RC4_INT RC4_CHUNK_LL DES_PTR BF_PTR",
    },
-    "vms-ia64-P32" => {
-	inherit_from	 => [ "vms-ia64" ],
-	cflags		 => add("/POINTER_SIZE=32"),
-	ex_libs		 => sub { join(",", map { s|SHR([\./])|SHR32$1|g; $_ } @_) },
+    "vms-ia64-p32" => {
+        inherit_from     => [ "vms-generic" ],
+        cflags           =>
+            add("/POINTER_SIZE=32",
+                sub { my @warnings =
+                          @{vms_info(32)->{disable_warns}};
+                      @warnings
+                          ? "/WARNINGS=DISABLE=(".join(",",@warnings).")" : ();
+                } ),
+        defines          =>
+                    add(sub {
+                            return vms_info(32)->{def_zlib}
+                                ? "LIBZ=\"\"\"".vms_info(32)->{def_zlib}."\"\"\"" : ();
+                            }),
+        ex_libs          => add(sub { return vms_info(32)->{zlib} || (); }),
    },
-    "vms-ia64-P64" => {
-	inherit_from	 => [ "vms-ia64" ],
-	cflags		 => add("/POINTER_SIZE=64"),
-	ex_libs		 => sub { join(",", map { s|SHR([\./])|SHR64$1|g; $_ } @_) },
+    "vms-ia64-p64" => {
+        inherit_from     => [ "vms-generic" ],
+        cflags           =>
+            add("/POINTER_SIZE=64=ARGV",
+                sub { my @warnings =
+                          @{vms_info(64)->{disable_warns}};
+                      @warnings
+                          ? "/WARNINGS=DISABLE=(".join(",",@warnings).")" : ();
+                } ),
+        defines          =>
+                    add(sub {
+                            return vms_info(64)->{def_zlib}
+                                ? "LIBZ=\"\"\"".vms_info(64)->{def_zlib}."\"\"\"" : ();
+                            }),
+        ex_libs          => add(sub { return vms_info(64)->{zlib} || (); }),
    },

 );
--- a/Configurations/90-team.conf
+++ b/Configurations/90-team.conf
@@ -1,16 +1,6 @@
 ## -*- mode: perl; -*-
 ## Build configuration targets for openssl-team members

-sub threads {
-    my @flags = @_;
-    return sub { add($disabled{threads} ? () : @flags)->(); }
-}
-
-sub combine {
-    my @stuff = @_;
-    return sub { add(@stuff)->(); }
-}
-
 %targets = (
    "purify" => {
        cc               => "purify gcc",
--- a/Configurations/99-personal-levitte.conf
+++ b/Configurations/99-personal-levitte.conf
@@ -1,12 +1,6 @@
 ## -*- mode: perl; -*-
 ## Personal configuration targets

-sub picker {
-    my %opts = @_;
-    return sub { add($opts{default} || (),
-                     $opts{$config{build_type}} || ())->(); }
-}
-
 %targets = (
    "levitte-linux-elf" => {
        inherit_from     => [ "linux-elf" ],
--- a/Configurations/INTERNALS.Configure
+++ b/Configurations/INTERNALS.Configure
@@ -0,0 +1,136 @@
+Configure Internals
+===================
+
+[ note: this file uses markdown for formatting ]
+
+Intro
+-----
+
+This is a collection of notes that are hopefully of interest to those
+who decide to dive into Configure and what it does.  This is a living
+document and anyone is encouraged to add to it and submit changes.
+There's no claim for this document to be complete at any time, but it
+will hopefully reach such a point in time.
+
+
+----------------------------------------------------------------------
+
+Parsing build.info files, processing conditions
+-----------------------------------------------
+
+Processing conditions in build.info files is done with the help of a
+condition stack that tell if a build.info should be processed or if it
+should just be skipped over.  The possible states of the stack top are
+expressed in the following comment from Configure:
+
+    # The top item of this stack has the following values
+    # -2 positive already run and we found ELSE (following ELSIF should fail)
+    # -1 positive already run (skip until ENDIF)
+    # 0 negatives so far (if we're at a condition, check it)
+    # 1 last was positive (don't skip lines until next ELSE, ELSIF or ENDIF)
+    # 2 positive ELSE (following ELSIF should fail)
+
+Ground rule is that non-condition lines are skipped over if the
+stack top is > 0.  Condition lines (IF, ELSIF, ELSE and ENDIF
+statements) need to be processed either way to keep track of the skip
+stack states, so they are a little more intricate.
+
+Instead of trying to describe in words, here are some example of what
+the skip stack should look like after each line is processed:
+
+Example 1:
+
+| IF[1]                     |  1        |                               |
+|   ... whatever ...        |           | this line is processed        |
+|   IF[1]                   |  1  1     |                               |
+|     ... whatever ...      |           | this line is processed        |
+|   ELSIF[1]                |  1 -1     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ELSE                    |  1 -2     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ENDIF                   |  1        |                               |
+|   ... whatever ...        |           | this line is processed        |
+| ELSIF[1]                  | -1        |                               |
+|   ... whatever ...        |           | this line is skipped over     |
+|   IF[1]                   | -1 -1     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ELSIF[1]                | -1 -1     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ELSE                    | -1 -2     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ENDIF                   | -1        |                               |
+|   ... whatever ...        |           | this line is skipped over     |
+| ENDIF                     |           |                               |
+
+Example 2:
+
+| IF[0]                     |  0        |                               |
+|   ... whatever ...        |           | this line is skipped over     |
+|   IF[1]                   |  0 -1     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ELSIF[1]                |  0 -1     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ELSE                    |  0 -2     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ENDIF                   |  0        |                               |
+|   ... whatever ...        |           | this line is skipped over     |
+| ELSIF[1]                  |  1        |                               |
+|   ... whatever ...        |           | this line is processed        |
+|   IF[1]                   |  1  1     |                               |
+|     ... whatever ...      |           | this line is processed        |
+|   ELSIF[1]                |  1 -1     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ELSE                    |  1 -2     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ENDIF                   |  1        |                               |
+|   ... whatever ...        |           | this line is processed        |
+| ENDIF                     |           |                               |
+
+Example 3:
+
+| IF[0]                     |  0        |                               |
+|   ... whatever ...        |           | this line is skipped over     |
+|   IF[0]                   |  0 -1     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ELSIF[1]                |  0 -1     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ELSE                    |  0 -2     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ENDIF                   |  0        |                               |
+|   ... whatever ...        |           | this line is skipped over     |
+| ELSIF[1]                  |  1        |                               |
+|   ... whatever ...        |           | this line is processed        |
+|   IF[0]                   |  1  0     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ELSIF[1]                |  1  1     |                               |
+|     ... whatever ...      |           | this line is processed        |
+|   ELSE                    |  1 -2     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ENDIF                   |  1        |                               |
+|   ... whatever ...        |           | this line is processed        |
+| ENDIF                     |           |                               |
+
+Example 4:
+
+| IF[0]                     |  0        |                               |
+|   ... whatever ...        |           | this line is skipped over     |
+|   IF[0]                   |  0 -1     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ELSIF[0]                |  0 -1     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ELSE                    |  0 -2     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ENDIF                   |  0        |                               |
+|   ... whatever ...        |           | this line is skipped over     |
+| ELSIF[1]                  |  1        |                               |
+|   ... whatever ...        |           | this line is processed        |
+|   IF[0]                   |  1  0     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ELSIF[0]                |  1  0     |                               |
+|     ... whatever ...      |           | this line is skipped over     |
+|   ELSE                    |  1  2     |                               |
+|     ... whatever ...      |           | this line is processed        |
+|   ENDIF                   |  1        |                               |
+|   ... whatever ...        |           | this line is processed        |
+| ENDIF                     |           |                               |
+
--- a/Configurations/README
+++ b/Configurations/README
@@ -100,7 +100,7 @@ In each table entry, the following keys are significant:
                           string in the list is the name of the build
                           scheme.
                           Currently recognised build schemes are
-                           "mk1mf" and "unixmake" and "unified".
+                           "unixmake" and "unified".
                           For the "unified" build scheme, this item
                           *must* be an array with the first being the
                           word "unified" and the second being a word
@@ -358,6 +358,11 @@ sense at all to just have a rename like that (why not just use
 "libbar" everywhere?), it does make sense when it can be used
 conditionally.  See a little further below for an example.

+In some cases, it's desirable to include some source files in the
+shared form of a library only:
+
+    SHARED_SOURCE[libfoo]=dllmain.c
+
 For any file to be built, it's also possible to tell what extra
 include paths the build of their source files should use:

--- a/Configurations/README.design
+++ b/Configurations/README.design
@@ -233,6 +233,10 @@ indexes:
               SOURCE variables, and AS source files for programs and
               libraries.

+  shared_sources =>
+               a hash table just like 'sources', but only as source
+               files (object files) for building shared libraries.
+
 As an example, here is how the build.info files example from the
 section above would be digested into a %unified_info table:

--- a/Configurations/common.tmpl
+++ b/Configurations/common.tmpl
@@ -92,14 +92,20 @@
         $OUT .= libobj2shlib(shlib => $unified_info{sharednames}->{$lib},
                              lib => $lib,
                              objs => [ map { (my $x = $_) =~ s|\.o$||; $x }
-                                        @{$unified_info{sources}->{$lib}} ],
+                                        (@{$unified_info{sources}->{$lib}},
+                                         @{$unified_info{shared_sources}->{$lib}}) ],
                              deps => [ reducedepends(resolvedepends($lib)) ],
                              %ordinals);
+         foreach (@{$unified_info{shared_sources}->{$lib}}) {
+             doobj($_, $lib, intent => "lib");
+         }
     }
     $OUT .= obj2lib(lib => $lib,
                     objs => [ map { (my $x = $_) =~ s|\.o$||; $x }
                               @{$unified_info{sources}->{$lib}} ]);
-     map { doobj($_, $lib, intent => "lib") } @{$unified_info{sources}->{$lib}};
+     foreach (@{$unified_info{sources}->{$lib}}) {
+         doobj($_, $lib, intent => "lib");
+     }
     $cache{$lib} = 1;
 }

@@ -111,9 +117,13 @@
     return "" if $cache{$lib};
     $OUT .= obj2dso(lib => $lib,
                     objs => [ map { (my $x = $_) =~ s|\.o$||; $x }
-                               @{$unified_info{sources}->{$lib}} ],
+                               (@{$unified_info{sources}->{$lib}},
+                                @{$unified_info{shared_sources}->{$lib}}) ],
                     deps => [ resolvedepends($lib) ]);
-     map { doobj($_, $lib, intent => "dso") } @{$unified_info{sources}->{$lib}};
+     foreach ((@{$unified_info{sources}->{$lib}},
+               @{$unified_info{shared_sources}->{$lib}})) {
+         doobj($_, $lib, intent => "dso");
+     }
     $cache{$lib} = 1;
 }

@@ -127,7 +137,9 @@
                     objs => [ map { (my $x = $_) =~ s|\.o$||; $x }
                               @{$unified_info{sources}->{$bin}} ],
                     deps => $deps);
-     map { doobj($_, $bin, intent => "bin") } @{$unified_info{sources}->{$bin}};
+     foreach (@{$unified_info{sources}->{$bin}}) {
+         doobj($_, $bin, intent => "bin");
+     }
     $cache{$bin} = 1;
 }

@@ -146,12 +158,12 @@

 # Build all known libraries, engines, programs and scripts.
 # Everything else will be handled as a consequence.
- map { dolib($_) } @{$unified_info{libraries}};
- map { doengine($_) } @{$unified_info{engines}};
- map { dobin($_) } @{$unified_info{programs}};
- map { doscript($_) } @{$unified_info{scripts}};
+ foreach (@{$unified_info{libraries}}) { dolib($_);    }
+ foreach (@{$unified_info{engines}})   { doengine($_); }
+ foreach (@{$unified_info{programs}})  { dobin($_);    }
+ foreach (@{$unified_info{scripts}})   { doscript($_); }

 # Finally, should there be any applicable BEGINRAW/ENDRAW sections,
 # they are added here.
- $OUT .= $_."\n" foreach(@{$unified_info{rawlines}});
+ $OUT .= $_."\n" foreach @{$unified_info{rawlines}};
 -}
--- a/Configurations/descrip.mms.tmpl
+++ b/Configurations/descrip.mms.tmpl
@@ -51,7 +51,7 @@
  my $sd1 = sourcedir("ssl","record");
  my $sd2 = sourcedir("ssl","statem");
  $unified_info{before}->{"[.test]heartbeat_test.OBJ"}
-      = $unified_info{before}->{"[.test]ssltest.OBJ"}
+      = $unified_info{before}->{"[.test]ssltest_old.OBJ"}
      = qq(record = F\$PARSE("$sd1","A.;",,,"SYNTAX_ONLY") - "A.;"
        define record 'record'
        statem = F\$PARSE("$sd2","A.;",,,"SYNTAX_ONLY") - "A.;"
@@ -119,11 +119,15 @@ DEPS={- our @deps = map { (my $x = $_) =~ s|\.o$|\$(DEP_EXT)|; $x; }
 DESTDIR=

 # Do not edit this manually. Use Configure --prefix=DIR to change this!
-INSTALLTOP={- catdir($config{prefix}) || "SYS\$COMMON:[OPENSSL-\$(MAJOR).\$(MINOR)]" -}
+INSTALLTOP={- (my $x = $config{version}) =~ s|\.|_|g;
+              our $installtop =
+                  catdir($config{prefix}) || "SYS\$COMMON:[OPENSSL-$x]";
+              $installtop -}
+SYSTARTUP={- catdir($installtop, '[.SYS$STARTUP]'); -}
 # This is the standard central area to store certificates, private keys...
 OPENSSLDIR={- catdir($config{openssldir}) ||
-              $config{prefix} ? catdir($config{prefix},"SSL")
-                              : "SYS\$COMMON:[SSL]" -}
+              $config{prefix} ? catdir($config{prefix},"COMMON")
+                              : "SYS\$COMMON:[OPENSSL-COMMON]" -}
 # Where installed engines reside
 ENGINESDIR={- $osslprefix -}ENGINES:

@@ -164,26 +168,27 @@ NODEBUG=@
        $(NODEBUG) DEFINE openssl 'openssl_inc1','openssl_inc2'
        $(NODEBUG) DEFINE internal 'internal_inc1','internal_inc2','internal_inc3'
        $(NODEBUG) staging_dir = "$(DESTDIR)"
+        $(NODEBUG) staging_instdir = ""
+        $(NODEBUG) staging_datadir = ""
        $(NODEBUG) IF staging_dir .NES. "" THEN -
-                staging_dir = F$PARSE("A.;",staging_dir,"[]",,"SYNTAX_ONLY") - "A.;"
+                staging_instdir = F$PARSE("A.;",staging_dir,"[]",,"SYNTAX_ONLY")
+        $(NODEBUG) IF staging_instdir - "]A.;" .NES. staging_instdir THEN -
+                staging_instdir = staging_instdir - "]A.;" + ".OPENSSL-INSTALL]"
+        $(NODEBUG) IF staging_instdir - "A.;" .NES. staging_instdir THEN -
+                staging_instdir = staging_instdir - "A.;" + "[OPENSSL-INSTALL]"
+        $(NODEBUG) IF staging_dir .NES. "" THEN -
+                staging_datadir = F$PARSE("A.;",staging_dir,"[]",,"SYNTAX_ONLY")
+        $(NODEBUG) IF staging_datadir - "]A.;" .NES. staging_datadir THEN -
+                staging_datadir = staging_datadir - "]A.;" + ".OPENSSL-COMMON]"
+        $(NODEBUG) IF staging_datadir - "A.;" .NES. staging_datadir THEN -
+                staging_datadir = staging_datadir - "A.;" + "[OPENSSL-COMMON]"
        $(NODEBUG) !
        $(NODEBUG) ! Installation logical names
        $(NODEBUG) !
-        $(NODEBUG) installtop_dev = F$PARSE(staging_dir,"$(INSTALLTOP)",,"DEVICE","SYNTAX_ONLY")
-        $(NODEBUG) ! Because there are no routines to merge directories, we have to
-        $(NODEBUG) ! do it ourselves
-        $(NODEBUG) IF staging_dir .NES. "" THEN -
-                staging_dir = F$PARSE(staging_dir,"[000000]",,"DIRECTORY","SYNTAX_ONLY")
-        $(NODEBUG) installtop_dir = F$PARSE("$(INSTALLTOP)","[000000]",,"DIRECTORY","SYNTAX_ONLY")
-        $(NODEBUG) IF staging_dir .NES. "" .AND. staging_dir .NES. "[000000]" THEN -
-                installtop_dir = staging_dir - "]" + "." + (installtop_dir - "[")
-        $(NODEBUG) installtop_dir = installtop_dir - "]" + ".]"
-        $(NODEBUG) DEFINE ossl_installroot 'installtop_dev''installtop_dir'
-        $(NODEBUG) !
-        $(NODEBUG) datatop = F$PARSE("$(OPENSSLDIR)","[000000]A.;",,,"SYNTAX_ONLY") -
-                - "]A.;" + ".]"
-        $(NODEBUG) IF "$(DESTDIR)" .EQS. "" THEN -
-                DEFINE ossl_dataroot 'datatop'
+        $(NODEBUG) installtop = F$PARSE(staging_instdir,"$(INSTALLTOP)","[]A.;",,"SYNTAX_ONLY,NO_CONCEAL") - ".][000000" - "[000000." - "][" - "]A.;" + ".]"
+        $(NODEBUG) datatop = F$PARSE(staging_datadir,"$(OPENSSLDIR)","[]A.;",,"SYNTAX_ONLY,NO_CONCEAL") - ".][000000" - "[000000." - "][" - "]A.;" + ".]"
+        $(NODEBUG) DEFINE ossl_installroot 'installtop'
+        $(NODEBUG) DEFINE ossl_dataroot 'datatop'
        $(NODEBUG) !
        $(NODEBUG) ! Figure out the architecture
        $(NODEBUG) !
@@ -196,7 +201,7 @@ NODEBUG=@

 .LAST :
        $(NODEBUG) {- join("\n\t\$(NODEBUG) ", map { "DEASSIGN ".uc($_) } map { $unified_info{sharednames}->{$_} || () } @{$unified_info{libraries}}) || "!" -}
-        $(NODEBUG) IF "$(DESTDIR)" .EQS. "" THEN DEASSIGN ossl_dataroot
+        $(NODEBUG) DEASSIGN ossl_dataroot
        $(NODEBUG) DEASSIGN ossl_installroot
        $(NODEBUG) DEASSIGN internal
        $(NODEBUG) DEASSIGN openssl
@@ -221,13 +226,19 @@ build_tests_nodep : $(TESTPROGS)
 test tests : configdata.pm, -
             build_apps_nodep, build_engines_nodep, build_tests_nodep, -
             depend
+        @ ! {- output_off() if $disabled{tests}; "" -}
        SET DEFAULT [.test]{- move("test") -}
        DEFINE SRCTOP {- sourcedir() -}
        DEFINE BLDTOP {- builddir() -}
+        DEFINE OPENSSL_ENGINES {- builddir("engines") -}
        $(PERL) {- sourcefile("test", "run_tests.pl") -} $(TESTS)
+        DEASSIGN OPENSSL_ENGINES
        DEASSIGN BLDTOP
        DEASSIGN SRCTOP
        SET DEFAULT [-]{- move("..") -}
+        @ ! {- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -}
+        @ WRITE SYS$OUTPUT "Tests are not supported with your chosen Configure options"
+        @ ! {- output_on() if !$disabled{tests}; "" -}

 list-tests :
        @ TOP=$(SRCDIR) PERL=$(PERL) $(PERL) {- catfile($config{sourcedir},"test", "run_tests.pl") -} list
@@ -245,12 +256,26 @@ install : install_sw install_docs
        @ WRITE SYS$OUTPUT ""
        @ WRITE SYS$OUTPUT "######################################################################"
        @ WRITE SYS$OUTPUT ""
-        @ WRITE SYS$OUTPUT "Installation complete"
-        @ WRITE SYS$OUTPUT ""
        @ IF "$(DESTDIR)" .EQS. "" THEN -
-             PIPE ( WRITE SYS$OUTPUT "Run @$(INSTALLTOP)openssl_startup to set up logical names" ; -
+             PIPE ( WRITE SYS$OUTPUT "Installation complete" ; -
+                    WRITE SYS$OUTPUT "" ; -
+                    WRITE SYS$OUTPUT "Run @$(INSTALLTOP)openssl_startup to set up logical names" ; -
                    WRITE SYS$OUTPUT "then run @$(INSTALLTOP)openssl_setup to define commands" ; -
                    WRITE SYS$OUTPUT "" )
+        @ IF "$(DESTDIR)" .NES. "" THEN -
+             PIPE ( WRITE SYS$OUTPUT "Staging installation complete" ; -
+                    WRITE SYS$OUTPUT "" ; -
+                    WRITE SYS$OUTPUT "Finish or package in such a way that the contents of the directory tree" ; -
+                    WRITE SYS$OUTPUT staging_instdir ; -
+                    WRITE SYS$OUTPUT "ends up in $(INSTALLTOP)," ; -
+                    WRITE SYS$OUTPUT "and that the contents of the contents of the directory tree" ; -
+                    WRITE SYS$OUTPUT staging_datadir ; -
+                    WRITE SYS$OUTPUT "ends up in $(OPENSSLDIR)" ; -
+                    WRITE SYS$OUTPUT "" ; -
+                    WRITE SYS$OUTPUT "When in its final destination," ; -
+                    WRITE SYS$OUTPUT "Run @$(SYSTARTUP)openssl_startup to set up logical names" ; -
+                    WRITE SYS$OUTPUT "then run @$(SYSTARTUP)openssl_utils to define commands" ; -
+                    WRITE SYS$OUTPUT "" )

 uninstall : uninstall_docs uninstall_sw

@@ -292,10 +317,10 @@ uninstall_docs : uninstall_man_docs uninstall_html_docs
 install_dev : check_INSTALLTOP
        @ WRITE SYS$OUTPUT "*** Installing development files"
        @ ! Install header files
-        CREATE/DIR ossl_installroot:[include.openssl]
+        - CREATE/DIR ossl_installroot:[include.openssl]
        COPY/PROT=W:R openssl:*.h ossl_installroot:[include.openssl]
        @ ! Install libraries
-        CREATE/DIR ossl_installroot:[LIB.'arch']
+        - CREATE/DIR ossl_installroot:[LIB.'arch']
        {- join("\n        ",
                map { "COPY/PROT=W:R $_.OLB ossl_installroot:[LIB.'arch']" }
                @{$unified_info{libraries}}) -}
@@ -307,22 +332,25 @@ install_dev : check_INSTALLTOP
        @ {- output_on() if $disabled{shared}; "" -} !

 install_runtime : check_INSTALLTOP
+        @ ! {- output_off() if $disabled{apps}; "" -}
        @ WRITE SYS$OUTPUT "*** Installing runtime files"
        @ ! Install the main program
-        CREATE/DIR ossl_installroot:[EXE.'arch']
+        - CREATE/DIR ossl_installroot:[EXE.'arch']
        COPY/PROT=W:RE [.APPS]openssl.EXE ossl_installroot:[EXE.'arch']
        @ ! Install scripts
-        CREATE/DIR ossl_installroot:[EXE]
+        - CREATE/DIR ossl_installroot:[EXE]
        COPY/PROT=W:RE [.APPS]CA.pl ossl_installroot:[EXE]
        COPY/PROT=W:RE [.TOOLS]c_rehash. ossl_installroot:[EXE]c_rehash.pl
+        @ ! {- output_on() if $disabled{apps}; "" -}
        @ ! Install configuration file
+        - CREATE/DIR ossl_dataroot:[000000]
        COPY/PROT=W:RE {- sourcefile("apps", "openssl-vms.cnf") -} -
-                ossl_installroot:[000000]openssl.cnf
+                ossl_dataroot:[000000]openssl.cnf

 install_engines : check_INSTALLTOP
        @ {- output_off() unless scalar @{$unified_info{engines}}; "" -} !
        @ WRITE SYS$OUTPUT "*** Installing engines"
-        CREATE/DIR ossl_installroot:[ENGINES.'arch']
+        - CREATE/DIR ossl_installroot:[ENGINES.'arch']
        {- join("\n        ",
                map { "COPY/PROT=W:RE $_.EXE ossl_installroot:[ENGINES.'arch']" }
                grep(!m|ossltest$|i, @{$unified_info{engines}})) -}
@@ -330,13 +358,11 @@ install_engines : check_INSTALLTOP

 install_config : [.VMS]openssl_startup.com [.VMS]openssl_shutdown.com -
                 check_INSTALLTOP
-        IF "$(DESTDIR)" .EQS. "" THEN -
-                IF F$SEARCH("OSSL_DATAROOT:[000000]CERTS.DIR;1") .EQS. "" THEN -
+        IF F$SEARCH("OSSL_DATAROOT:[000000]CERTS.DIR;1") .EQS. "" THEN -
                CREATE/DIR/PROT=(S:RWED,O:RWE,G:RE,W:RE) OSSL_DATAROOT:[CERTS]
-        IF "$(DESTDIR)" .EQS. "" THEN -
-                IF F$SEARCH("OSSL_DATAROOT:[000000]PRIVATE.DIR;1") .EQS. "" THEN -
-                CREATE/DIR/PROT=(S:RWED,O:RWE,G:,W:) OSSL_DATAROOT:[PRIVATE]
-        CREATE/DIR ossl_installroot:[SYS$STARTUP]
+        IF F$SEARCH("OSSL_DATAROOT:[000000]PRIVATE.DIR;1") .EQS. "" THEN -
+                CREATE/DIR/PROT=(S:RWED,O:RWE,G,W) OSSL_DATAROOT:[PRIVATE]
+        - CREATE/DIR ossl_installroot:[SYS$STARTUP]
        COPY/PROT=W:RE -
                [.VMS]openssl_startup.com,openssl_shutdown.com -
                ossl_installroot:[SYS$STARTUP]
@@ -345,13 +371,13 @@ install_config : [.VMS]openssl_startup.com [.VMS]openssl_shutdown.com -
                ossl_installroot:[SYS$STARTUP]

 [.VMS]openssl_startup.com : vmsconfig.pm
-        CREATE/DIR [.VMS]
+        - CREATE/DIR [.VMS]
        $(PERL) "-I." "-Mvmsconfig" {- sourcefile("util", "dofile.pl") -} -
                {- sourcefile("VMS", "openssl_startup.com.in") -} -
                > [.VMS]openssl_startup.com

 [.VMS]openssl_shutdown.com : vmsconfig.pm
-        CREATE/DIR [.VMS]
+        - CREATE/DIR [.VMS]
        $(PERL) "-I." "-Mvmsconfig" {- sourcefile("util", "dofile.pl") -} -
                {- sourcefile("VMS", "openssl_shutdown.com.in") -} -
                > [.VMS]openssl_shutdown.com
@@ -399,7 +425,6 @@ debug_logicals :
 # Building targets ###################################################

 configdata.pm : {- join(" ", sourcefile("Configurations", "descrip.mms.tmpl"), sourcefile("Configurations", "common.tmpl")) -} $(SRCDIR)Configure $(SRCDIR)config.com {- join(" ", @{$config{build_infos}}) -}
-        @ WRITE SYS$OUTPUT "Detected changed: $?"
        @ WRITE SYS$OUTPUT "Reconfiguring..."
        perl $(SRCDIR)Configure reconf
        @ WRITE SYS$OUTPUT "*************************************************"
@@ -416,10 +441,11 @@ configdata.pm : {- join(" ", sourcefile("Configurations", "descrip.mms.tmpl"), s
  sub generatesrc {
      my %args = @_;
      my $generator = join(" ", @{$args{generator}});
+      my $deps = join(", -\n\t\t", @{$args{deps}});

      if ($args{src} !~ /\.[sS]$/) {
          return <<"EOF";
-$args{src} : $args{generator}->[0]
+$args{src} : $args{generator}->[0] $deps
 	\$(PERL) $generator > \$@
 EOF
      } else {
@@ -445,12 +471,26 @@ EOF
      my $srcs =
          join(", ",
               map { abs2rel(rel2abs($_), rel2abs($forward)) } @{$args{srcs}});
-      my $incs =
-          "/INCLUDE=(".join(",",
-                            map {
-                               file_name_is_absolute($_)
-                               ? $_ : catdir($backward,$_)
-                            } @{$args{incs}}).")";
+      my $incs_on = "\@ !";
+      my $incs_off = "\@ !";
+      my $incs = "";
+      my @incs = ();
+      push @incs, @{$args{incs}} if @{$args{incs}};
+      unless ($disabled{zlib}) {
+          # GNV$ZLIB_INCLUDE is the standard logical name for later zlib
+          # incarnations.
+          push @incs, ($withargs{zlib_include} || 'GNV$ZLIB_INCLUDE:');
+      }
+      if (@incs) {
+          $incs_on =
+              "DEFINE tmp_includes "
+              .join(",-\n\t\t\t", map {
+                                      file_name_is_absolute($_)
+                                      ? $_ : catdir($backward,$_)
+                                  } @incs);
+          $incs_off = "DEASSIGN tmp_includes";
+          $incs = " /INCLUDE=(tmp_includes:)";
+      }
      my $before = $unified_info{before}->{$obj.".OBJ"} || "\@ !";
      my $after = $unified_info{after}->{$obj.".OBJ"} || "\@ !";
      my $depbuild = $disabled{makedepend} ? ""
@@ -460,7 +500,9 @@ EOF
 $obj.OBJ : $deps
        ${before}
        SET DEFAULT $forward
+        $incs_on
        \$(CC) \$(CFLAGS)${incs}${depbuild} /OBJECT=${objd}${objn}.OBJ /REPOSITORY=$backward $srcs
+        $incs_off
        SET DEFAULT $backward
        ${after}
        \@ PIPE ( \$(PERL) -e "use File::Compare qw/compare_text/; my \$x = compare_text(""$obj.MMS"",""$obj.tmp-MMS""); exit(0x10000000 + (\$x == 0));" || -
--- a/Configurations/unix-Makefile.tmpl
+++ b/Configurations/unix-Makefile.tmpl
@@ -86,10 +86,12 @@ DEPS={- join(" ", map { (my $x = $_) =~ s|\.o$|$depext|; $x; }
 {- output_on() if $disabled{makedepend}; "" -}
 GENERATED={- join(" ", map { (my $x = $_) =~ s|\.S$|\.s|; $x } keys %{$unified_info{generate}}) -}

+{- output_off() if $disabled{apps}; "" -}
 BIN_SCRIPTS=$(BLDDIR)/tools/c_rehash
 MISC_SCRIPTS=$(SRCDIR)/tools/c_hash $(SRCDIR)/tools/c_info \
 	     $(SRCDIR)/tools/c_issuer $(SRCDIR)/tools/c_name \
-	     $(BLDDIR)/apps/CA.pl $(SRCDIR)/apps/tsget
+	     $(BLDDIR)/apps/CA.pl $(BLDDIR)/apps/tsget
+{- output_on() if $disabled{apps}; "" -}

 SHLIB_INFO={- join(" ", map { "\"".shlib($_).";".shlib_simple($_)."\"" } @{$unified_info{libraries}}) -}

@@ -215,12 +217,18 @@ build_apps_nodep: $(PROGRAMS) $(SCRIPTS)
 build_tests: configdata.pm build_tests_nodep depend
 build_tests_nodep: $(TESTPROGS)

-test tests: build_tests_nodep build_apps_nodep build_engines_nodep depend
+test tests: build_tests_nodep build_apps_nodep build_engines_nodep \
+            depend link-utils
+	@ : {- output_off() if $disabled{tests}; "" -}
 	( cd test; \
 	  SRCTOP=../$(SRCDIR) \
 	  BLDTOP=../$(BLDDIR) \
 	  EXE_EXT={- $exeext -} \
+	  OPENSSL_ENGINES=../$(BLDDIR)/engines \
 	    $(PERL) ../$(SRCDIR)/test/run_tests.pl $(TESTS) )
+	@ : {- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -}
+	@echo "Tests are not supported with your chosen Configure options"
+	@ : {- output_on() if !$disabled{tests}; "" -}

 list-tests:
 	@TOP=$(SRCDIR) PERL=$(PERL) $(PERL) $(SRCDIR)/test/run_tests.pl list
@@ -256,32 +264,15 @@ clean: libclean
 # This exists solely for those who still type 'make depend'
 #
 # We check if any depfile is newer than Makefile and decide to
-# concatenate only if that is true, or if 'test' (a.k.a [ )
-# doesn't have the option to figure it out (-nt).
-#
-# To check if test has the file age comparison operator, we
-# simply try, and rely test to exit with 0 if the comparison
-# was true, 1 if false, and most importantly, 2 if it doesn't
-# recognise the operator.
+# concatenate only if that is true.
 depend:
 	@: {- output_off() if $disabled{makedepend}; "" -}
-	@catdepends=false; \
-	if [ Makefile -nt Makefile ] 2>/dev/null || [ $$? = 1 ]; then \
-	  for d in $(DEPS); do \
-	    if [ $$d -nt Makefile ]; then \
-	      catdepends=true; \
-	      break; \
-	    fi; \
-	  done; \
-	else \
-	  catdepends=true; \
-	fi; \
-	if [ $$catdepends = true ]; then \
+	@if [ -n "`find $(DEPS) -newer Makefile 2>/dev/null; exit 0`" ]; then \
 	  ( sed -e '/^# DO NOT DELETE THIS LINE.*/,$$d' < Makefile; \
 	    echo '# DO NOT DELETE THIS LINE -- make depend depends on it.'; \
 	    echo; \
-	    for d in $(DEPS); do \
-	      if [ -f $$d ]; then cat $$d; fi; \
+	    for f in $(DEPS); do \
+	      if [ -f $$f ]; then cat $$f; fi; \
 	    done ) > Makefile.new; \
 	  if cmp Makefile.new Makefile >/dev/null 2>&1; then \
 	    rm -f Makefile.new; \
@@ -407,7 +398,8 @@ install_engines:
 	@[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
 	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(INSTALLTOP)/$(LIBDIR)/engines/
 	@echo "*** Installing engines"
-	@set -e; for e in $(ENGINES); do \
+	@set -e; for e in dummy $(ENGINES); do \
+		if [ "$$e" = "dummy" ]; then continue; fi; \
 		fn=`basename $$e`; \
 		if [ "$$fn" = '{- dso("ossltest") -}' ]; then \
 			continue; \
@@ -421,7 +413,8 @@ install_engines:

 uninstall_engines:
 	@echo "*** Uninstalling engines"
-	@set -e; for e in $(ENGINES); do \
+	@set -e; for e in dummy $(ENGINES); do \
+		if [ "$$e" = "dummy" ]; then continue; fi; \
 		fn=`basename $$e`; \
 		if [ "$$fn" = '{- dso("ossltest") -}' ]; then \
 			continue; \
@@ -437,7 +430,8 @@ install_runtime:
 	@$(PERL) $(SRCDIR)/util/mkdir-p.pl $(DESTDIR)$(OPENSSLDIR)/misc
 	@echo "*** Installing runtime files"
 	: {- output_off() unless windowsdll(); "" -};
-	@set -e; for s in $(SHLIBS); do \
+	@set -e; for s in dummy $(SHLIBS); do \
+		if [ "$$s" = "dummy" ]; then continue; fi; \
 		fn=`basename $$s`; \
 		echo "install $$s -> $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
 		cp $$s $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
@@ -446,7 +440,8 @@ install_runtime:
 		      $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
 	done
 	: {- output_on() unless windowsdll(); "" -};
-	@set -e; for x in $(PROGRAMS); do \
+	@set -e; for x in dummy $(PROGRAMS); do \
+		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		echo "install $$x -> $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
 		cp $$x $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
@@ -454,7 +449,8 @@ install_runtime:
 		mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new \
 		      $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
 	done
-	@set -e; for x in $(BIN_SCRIPTS); do \
+	@set -e; for x in dummy $(BIN_SCRIPTS); do \
+		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		echo "install $$x -> $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
 		cp $$x $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new; \
@@ -462,7 +458,8 @@ install_runtime:
 		mv -f $(DESTDIR)$(INSTALLTOP)/bin/$$fn.new \
 		      $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
 	done
-	@set -e; for x in $(MISC_SCRIPTS); do \
+	@set -e; for x in dummy $(MISC_SCRIPTS); do \
+		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		echo "install $$x -> $(DESTDIR)$(OPENSSLDIR)/misc/$$fn"; \
 		cp $$x $(DESTDIR)$(OPENSSLDIR)/misc/$$fn.new; \
@@ -477,26 +474,30 @@ install_runtime:

 uninstall_runtime:
 	@echo "*** Uninstalling runtime files"
-	@set -e; for x in $(PROGRAMS); \
+	@set -e; for x in dummy $(PROGRAMS); \
 	do  \
+		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
 		$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
 	done;
-	@set -e; for x in $(BIN_SCRIPTS); \
+	@set -e; for x in dummy $(BIN_SCRIPTS); \
 	do  \
+		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
 		$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
 	done
-	@set -e; for x in $(MISC_SCRIPTS); \
+	@set -e; for x in dummy $(MISC_SCRIPTS); \
 	do  \
+		if [ "$$x" = "dummy" ]; then continue; fi; \
 		fn=`basename $$x`; \
 		echo "$(RM) $(DESTDIR)$(OPENSSLDIR)/misc/$$fn"; \
 		$(RM) $(DESTDIR)$(OPENSSLDIR)/misc/$$fn; \
 	done
 	: {- output_off() unless windowsdll(); "" -};
-	@set -e; for s in $(SHLIBS); do \
+	@set -e; for s in dummy $(SHLIBS); do \
+		if [ "$$s" = "dummy" ]; then continue; fi; \
 		fn=`basename $$s`; \
 		echo "$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn"; \
 		$(RM) $(DESTDIR)$(INSTALLTOP)/bin/$$fn; \
@@ -508,11 +509,11 @@ uninstall_runtime:

 # A method to extract all names from a .pod file
 # The first sed extracts everything between "=head1 NAME" and the next =head1
-# The second sed joins all the lines into one
-# The third sed removes the description and turns all commas into spaces
+# The perl command joins all the lines into one
+# The second sed removes the description and turns all commas into spaces
 # Voilà, you have a space separated list of names!
 EXTRACT_NAMES=sed -e '1,/^=head1  *NAME *$$/d;/^=head1/,$$d' | \
-              sed -e ':a;{N;s/\n/ /;ba}' | \
+              $(PERL) -p -0 -e 's/\n/ /g; END {print "\n"}' | \
              sed -e 's/ - .*$$//;s/,/ /g'
 PROCESS_PODS=\
 	set -e; \
@@ -633,13 +634,35 @@ generate: generate_apps generate_crypto_bn generate_crypto_objects
 lint:
 	lint -DLINT $(INCLUDES) $(SRCS)

-generate_apps: $(SRCDIR)/apps/openssl-vms.cnf $(SRCDIR)/apps/progs.h
+{- # because the program apps/openssl has object files as sources, and
+   # they then have the corresponding C files as source, we need to chain
+   # the lookups in %unified_info
+   my $apps_openssl = catfile("apps","openssl");
+   our @openssl_source = map { @{$unified_info{sources}->{$_}} }
+                         @{$unified_info{sources}->{$apps_openssl}};
+   ""; -}
+generate_apps:
+	( cd $(SRCDIR); $(PERL) VMS/VMSify-conf.pl \
+				< apps/openssl.cnf > apps/openssl-vms.cnf )
+	( b=`pwd`; cd $(SRCDIR); $(PERL) -I$$b apps/progs.pl \
+					{- join(" ", @openssl_source) -} \
+					> apps/progs.h )

-generate_crypto_bn: $(SRCDIR)/crypto/bn/bn_prime.h
+generate_crypto_bn:
+	( cd $(SRCDIR); $(PERL) crypto/bn/bn_prime.pl > crypto/bn/bn_prime.h )

-generate_crypto_objects: $(SRCDIR)/crypto/objects/obj_dat.h \
-                         $(SRCDIR)/include/openssl/obj_mac.h \
-                         $(SRCDIR)/crypto/objects/obj_xref.h
+generate_crypto_objects:
+	( cd $(SRCDIR); $(PERL) crypto/objects/obj_dat.pl \
+				include/openssl/obj_mac.h \
+				crypto/objects/obj_dat.h )
+	( cd $(SRCDIR); $(PERL) crypto/objects/objects.pl \
+				crypto/objects/objects.txt \
+				crypto/objects/obj_mac.num \
+				include/openssl/obj_mac.h )
+	( cd $(SRCDIR); $(PERL) crypto/objects/objxref.pl \
+				crypto/objects/obj_mac.num \
+				crypto/objects/obj_xref.txt \
+				> crypto/objects/obj_xref.h )

 errors:
 	( cd $(SRCDIR); $(PERL) util/ck_errf.pl -strict */*.c */*/*.c )
@@ -706,50 +729,6 @@ $(BLDDIR)/util/shlib_wrap.sh: configdata.pm
 	    mkdir -p "$(BLDDIR)/util"; \
 	    ln -sf "../$(SRCDIR)/util/shlib_wrap.sh" "$(BLDDIR)/util"; \
 	fi
-
-$(SRCDIR)/apps/openssl-vms.cnf: $(SRCDIR)/apps/openssl.cnf
-	$(PERL) $(SRCDIR)/VMS/VMSify-conf.pl \
-                < $(SRCDIR)/apps/openssl.cnf > $(SRCDIR)/apps/openssl-vms.cnf
-
-{- # because the program apps/openssl has object files as sources, and
-   # they then have the corresponding C files as source, we need to chain
-   # the lookups in %unified_info
-   my $apps_openssl = catfile("apps","openssl");
-   our @openssl_source = map { @{$unified_info{sources}->{$_}} }
-                         @{$unified_info{sources}->{$apps_openssl}};
-   ""; -}
-$(SRCDIR)/apps/progs.h:
-	$(RM) $@
-	$(PERL) $(SRCDIR)/apps/progs.pl {- join(" ", @openssl_source) -} > $@
-
-$(SRCDIR)/crypto/bn/bn_prime.h: $(SRCDIR)/crypto/bn/bn_prime.pl
-	$(PERL) $(SRCDIR)/crypto/bn/bn_prime.pl > $(SRCDIR)/crypto/bn/bn_prime.h
-
-$(SRCDIR)/crypto/objects/obj_dat.h: $(SRCDIR)/crypto/objects/obj_dat.pl \
-                                    $(SRCDIR)/include/openssl/obj_mac.h
-	$(PERL) $(SRCDIR)/crypto/objects/obj_dat.pl \
-                $(SRCDIR)/include/openssl/obj_mac.h \
-                $(SRCDIR)/crypto/objects/obj_dat.h
-
-# objects.pl both reads and writes obj_mac.num
-$(SRCDIR)/include/openssl/obj_mac.h: $(SRCDIR)/crypto/objects/objects.pl \
-                                     $(SRCDIR)/crypto/objects/objects.txt \
-                                     $(SRCDIR)/crypto/objects/obj_mac.num
-	$(PERL) $(SRCDIR)/crypto/objects/objects.pl \
-                $(SRCDIR)/crypto/objects/objects.txt \
-                $(SRCDIR)/crypto/objects/obj_mac.num \
-                $(SRCDIR)/include/openssl/obj_mac.h
-	@sleep 1; touch $(SRCDIR)/include/openssl/obj_mac.h; sleep 1
-
-$(SRCDIR)/crypto/objects/obj_xref.h: $(SRCDIR)/crypto/objects/objxref.pl \
-                                     $(SRCDIR)/crypto/objects/obj_xref.txt \
-                                     $(SRCDIR)/crypto/objects/obj_mac.num
-	$(PERL) $(SRCDIR)/crypto/objects/objxref.pl \
-                $(SRCDIR)/crypto/objects/obj_mac.num \
-                $(SRCDIR)/crypto/objects/obj_xref.txt \
-                > $(SRCDIR)/crypto/objects/obj_xref.h
-	@sleep 1; touch $(SRCDIR)/crypto/objects/obj_xref.h; sleep 1
-
 FORCE:

 # Building targets ###################################################
@@ -829,10 +808,11 @@ configdata.pm: $(SRCDIR)/Configurations/unix-Makefile.tmpl $(SRCDIR)/Configurati
      my %args = @_;
      my $generator = join(" ", @{$args{generator}});
      my $incs = join("", map { " -I".$_ } @{$args{incs}});
+      my $deps = join(" ", @{$args{deps}});

      if ($args{src} !~ /\.[sS]$/) {
          return <<"EOF";
-$args{src}: $args{generator}->[0]
+$args{src}: $args{generator}->[0] $deps
 	\$(PERL) $generator > \$@
 EOF
      } else {
@@ -852,7 +832,7 @@ EOF
              if ($args{src} =~ /\.S$/) {
                   (my $target = $args{src}) =~ s|\.S$|.s|;
                   return <<"EOF";
-$target: $args{generator}->[0]
+$target: $args{generator}->[0] $deps
 	( trap "rm -f \$@.*" INT 0; \\
 	  $generator \$@.S; \\
 	  \$(CC) \$(CFLAGS) $incs -E -P \$@.S > \$@.i && mv -f \$@.i \$@ )
@@ -860,12 +840,12 @@ EOF
              }
              # Otherwise....
              return <<"EOF";
-$args{src}: $args{generator}->[0]
+$args{src}: $args{generator}->[0] $deps
 	$generator \$@
 EOF
          }
          return <<"EOF";
-$args{src}: $args{generator}->[0]
+$args{src}: $args{generator}->[0] $deps
 	\$(CC) \$(CFLAGS) $incs -E -P \$< > \$@
 EOF
      }
@@ -877,10 +857,20 @@ EOF
  sub src2obj {
      my %args = @_;
      my $obj = $args{obj};
-      my @srcs = map { (my $x = $_) =~ s/\.S$/.s/; $x } ( @{$args{srcs}} );
+      my @srcs = map { if ($unified_info{generate}->{$_}) {
+                           (my $x = $_) =~ s/\.S$/.s/; $x
+                       } else {
+                           $_
+                       }
+                     } ( @{$args{srcs}} );
      my $srcs = join(" ",  @srcs);
      my $deps = join(" ", @srcs, @{$args{deps}});
      my $incs = join("", map { " -I".$_ } @{$args{incs}});
+      unless ($disabled{zlib}) {
+          if ($withargs{zlib_include}) {
+              $incs .= " -I".$withargs{zlib_include};
+          }
+      }
      my $ecflags = { lib => '$(LIB_CFLAGS)',
                      dso => '$(DSO_CFLAGS)',
                      bin => '$(BIN_CFLAGS)' } -> {$args{intent}};
@@ -889,10 +879,9 @@ EOF
      if (!$disabled{makedepend} && $makedepprog =~ /\/makedepend/) {
          $recipe .= <<"EOF";
 $obj$depext: $deps
-	rm -f \$\@.tmp; touch \$\@.tmp
-	-\$(MAKEDEPEND) -f\$\@.tmp -o"|$obj$objext" -- \$(CFLAGS) $ecflags$incs -- $srcs \\
-	    2>/dev/null
-	perl -i -pe 's/^.*\\|//; s/ \\/(\\\\.|[^ ])*//; \$\$_ = undef if (/: *\$\$/ || /^(#.*| *)\$\$/); \$\$_.="\\n" unless !defined(\$\$_) or /\\R\$\$/g;' \$\@.tmp
+	-\$(MAKEDEPEND) -f- -o"|$obj$objext" -- \$(CFLAGS) $ecflags$incs -- $srcs \\
+	    >\$\@.tmp 2>/dev/null
+	-\$(PERL) -i -pe 's/^.*\\|//; s/ \\/(\\\\.|[^ ])*//; \$\$_ = undef if (/: *\$\$/ || /^(#.*| *)\$\$/); \$\$_.="\\n" unless !defined(\$\$_) or /\\R\$\$/g;' \$\@.tmp
 	\@if cmp \$\@.tmp \$\@ > /dev/null 2> /dev/null; then \\
 		rm -f \$\@.tmp; \\
 	else \\
@@ -1002,7 +991,7 @@ EOF
      my $objs = join(" ", map { $_.$objext } @{$args{objs}});
      return <<"EOF";
 $lib$libext: $objs
-	\$(AR) \$\@ $objs
+	\$(AR) \$\@ \$\?
 	\$(RANLIB) \$\@ || echo Never mind.
 EOF
  }
--- a/Configurations/windows-makefile.tmpl
+++ b/Configurations/windows-makefile.tmpl
@@ -11,6 +11,19 @@
 our $shlibextimport = $target{shared_import_extension} || ".lib";
 our $dsoext = $target{dso_extension} || ".dll";

+ my $win_installenv =
+     $target{build_scheme}->[2] eq "VC-W32" ?
+     "ProgramFiles(x86)" : "ProgramW6432";
+ my $win_commonenv =
+     $target{build_scheme}->[2] eq "VC-W32"
+     ? "CommonProgramFiles(x86)" : "CommonProgramW6432";
+ our $win_installroot =
+     defined($ENV{$win_installenv})
+     ? '%'.$win_installenv.'%' : '%ProgramFiles%';
+ our $win_commonroot =
+     defined($ENV{$win_commonenv})
+     ? '%'.$win_commonenv.'%' : '%CommonProgramFiles%';
+
 sub shlib {
     return () if $disabled{shared};
     my $lib = shift;
@@ -48,15 +61,17 @@ PROGRAMS={- join(" ", map { $_.$exeext } grep { !m|^test\\| } @{$unified_info{pr
 TESTPROGS={- join(" ", map { $_.$exeext } grep { m|^test\\| } @{$unified_info{programs}}) -}
 SCRIPTS={- join(" ", @{$unified_info{scripts}}) -}

+{- output_off() if $disabled{makedepend}; "" -}
 DEPS={- join(" ", map { (my $x = $_) =~ s|\.o$|$depext|; $x; }
                  grep { $unified_info{sources}->{$_}->[0] =~ /\.c$/ }
                  keys %{$unified_info{sources}}); -}
+{- output_on() if $disabled{makedepend}; "" -}

 # Do not edit these manually. Use Configure with --prefix or --openssldir
 # to change this!  Short explanation in the top comment in Configure
 INSTALLTOP={- # $prefix is used in the OPENSSLDIR perl snippet
 	      #
-	      our $prefix = $config{prefix} || "/usr/local";
+	      our $prefix = $config{prefix} || "$win_installroot\\OpenSSL";
              $prefix -}
 OPENSSLDIR={- #
 	      # The logic here is that if no --openssldir was given,
@@ -73,16 +88,9 @@ OPENSSLDIR={- #
                      (file_name_is_absolute($config{openssldir}) ?
                           $config{openssldir}
                           : catdir($prefix, $config{openssldir}))
-                      : catdir($prefix, "ssl");
+                      : "$win_commonroot\\SSL";
              $openssldir -}
-LIBDIR={- #
-          # if $prefix/lib$target{multilib} is not an existing
-          # directory, then assume that it's not searched by linker
-          # automatically, in which case adding $target{multilib} suffix
-          # causes more grief than we're ready to tolerate, so don't...
-          our $multilib =
-              -d "$prefix/lib$target{multilib}" ? $target{multilib} : "";
-          our $libdir = $config{libdir} || "lib$multilib";
+LIBDIR={- our $libdir = $config{libdir} || "lib";
          $libdir -}
 ENGINESDIR={- use File::Spec::Functions;
              our $enginesdir = catdir($prefix,$libdir,"engines");
@@ -91,6 +99,8 @@ ENGINESDIR={- use File::Spec::Functions;
 CC={- $target{cc} -}
 CFLAGS={- join(" ",(map { "-D".$_} @{$target{defines}}, @{$config{defines}})) -} {- join(" ", quotify_l("-DENGINESDIR=\"$enginesdir\"", "-DOPENSSLDIR=\"$openssldir\"")) -} {- $target{cflags} -} {- $config{cflags} -}
 COUTFLAG={- $target{coutflag} || "/Fo" -}
+RC={- $target{rc} || "rc" -}
+RCOUTFLAG={- $target{rcoutflag} || "/fo" -}
 LD={- $target{ld} || "link" -}
 LDFLAGS={- $target{lflags} -}
 LDOUTFLAG={- $target{loutflag} || "/out:" -}
@@ -129,18 +139,27 @@ build_tests: configdata.pm build_tests_nodep depend
 build_tests_nodep: $(TESTPROGS)

 test tests: build_tests_nodep build_apps_nodep build_engines_nodep depend
+	@rem {- output_off() if $disabled{tests}; "" -}
 	set SRCTOP=$(SRCDIR)
 	set BLDTOP=$(BLDDIR)
 	set PERL=$(PERL)
 	$(PERL) $(SRCDIR)\test\run_tests.pl $(TESTS)
+	@rem {- if ($disabled{tests}) { output_on(); } else { output_off(); } "" -}
+	@echo "Tests are not supported with your chosen Configure options"
+	@rem {- output_on() if !$disabled{tests}; "" -}

 list-tests:
 	@set TOP=$(SRCDIR)
 	@set PERL=$(PERL)
 	@$(PERL) $(SRCDIR)\test\run_tests.pl list

+install: install_sw install_ssldirs install_docs
+
+uninstall: uninstall_docs uninstall_sw
+
 libclean:
-	del /Q /F $(LIBS) $(SHLIBS)
+	$(PERL) -e "map { m/(.*)\.dll$$/; unlink glob """$$1.*""" } @ARGV" $(SHLIBS)
+	del /Q /F $(LIBS)
 	del lib.pdb

 clean: libclean
@@ -155,6 +174,53 @@ clean: libclean

 depend:

+# Install helper targets #############################################
+
+install_sw: all install_dev install_engines install_runtime
+
+uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev
+
+install_docs:
+
+uninstall_docs:
+
+install_ssldirs:
+	@$(PERL) $(SRCDIR)\util\mkdir-p.pl "$(DESTDIR)$(OPENSSLDIR)\certs"
+	@$(PERL) $(SRCDIR)\util\mkdir-p.pl "$(DESTDIR)$(OPENSSLDIR)\private"
+
+install_dev:
+	@if "$(INSTALLTOP)"=="" ( echo INSTALLTOP should not be empty & exit 1 )
+	@echo *** Installing development files
+	@$(PERL) $(SRCDIR)\util\mkdir-p.pl "$(DESTDIR)$(INSTALLTOP)\include\openssl"
+	@$(PERL) $(SRCDIR)\util\copy.pl $(SRCDIR)\include\openssl\*.h \
+				       "$(DESTDIR)$(INSTALLTOP)\include\openssl"
+	@$(PERL) $(SRCDIR)\util\copy.pl $(BLDDIR)\include\openssl\*.h \
+				       "$(DESTDIR)$(INSTALLTOP)\include\openssl"
+	@$(PERL) $(SRCDIR)\util\mkdir-p.pl "$(DESTDIR)$(INSTALLTOP)\$(LIBDIR)"
+	@$(PERL) $(SRCDIR)\util\copy.pl $(LIBS) \
+				       "$(DESTDIR)$(INSTALLTOP)\$(LIBDIR)"
+
+uninstall_dev:
+
+install_engines:
+	@if "$(INSTALLTOP)"=="" ( echo INSTALLTOP should not be empty & exit 1 )
+	@echo *** Installing engines
+	@$(PERL) $(SRCDIR)\util\mkdir-p.pl "$(DESTDIR)$(ENGINESDIR)"
+	@if not "$(ENGINES)"=="" \
+	 $(PERL) $(SRCDIR)\util\copy.pl $(ENGINES) "$(DESTDIR)$(ENGINESDIR)"
+
+uninstall_engines:
+
+install_runtime:
+	@if "$(INSTALLTOP)"=="" ( echo INSTALLTOP should not be empty & exit 1 )
+	@echo *** Installing runtime files
+	@$(PERL) $(SRCDIR)\util\mkdir-p.pl "$(DESTDIR)$(INSTALLTOP)\bin"
+	@if not "$(SHLIBS)"=="" \
+	 $(PERL) $(SRCDIR)\util\copy.pl $(SHLIBS) "$(DESTDIR)$(INSTALLTOP)\bin"
+	@$(PERL) $(SRCDIR)\util\copy.pl $(PROGRAMS) "$(DESTDIR)$(INSTALLTOP)\bin"
+
+uninstall_runtime:
+
 # Building targets ###################################################

 configdata.pm: {- $config{build_file_template} -} $(SRCDIR)\Configure
@@ -166,7 +232,7 @@ configdata.pm: {- $config{build_file_template} -} $(SRCDIR)\Configure
 	@echo "***   Please run the same make command again   ***"
 	@echo "***                                            ***"
 	@echo "**************************************************"
-	@( exit 1 )
+	@exit 1

 {-
 use File::Basename;
@@ -186,10 +252,11 @@ configdata.pm: {- $config{build_file_template} -} $(SRCDIR)\Configure
      (my $target = $args{src}) =~ s/\.[sS]$/.asm/;
      my $generator = join(" ", @{$args{generator}});
      my $incs = join("", map { " /I ".$_ } @{$args{incs}});
+      my $deps = join(" ", @{$args{deps}});

      if ($target !~ /\.asm$/) {
          return <<"EOF";
-$target: $args{generator}->[0]
+$target: $args{generator}->[0] $deps
 	\$(PERL) $generator > \$@
 EOF
      } else {
@@ -206,25 +273,25 @@ EOF
              # end up generating foo.s in two steps.
              if ($args{src} =~ /\.S$/) {
                   return <<"EOF";
-$target: $args{generator}->[0]
+$target: $args{generator}->[0] $deps
 	set ASM=\$(AS)
 	set CC=\$(CC)
 	$generator \$@.S
-	\$(CC) \$(CFLAGS) $incs /EP /C \$@.S > \$@
+	\$(CC) \$(CFLAGS) $incs /EP /C \$@.S > \$@.i && move /Y \$@.i \$@
        del /Q \$@.S
 EOF
              }
              # Otherwise....
              return <<"EOF";
-$target: $args{generator}->[0]
+$target: $args{generator}->[0] $deps
 	set ASM=\$(AS)
 	set CC=\$(CC)
 	$generator \$@
 EOF
          }
          return <<"EOF";
-$target: $args{generator}->[0]
-	\$(CC) \$(CFLAGS) $incs /EP /C \$< > \$@
+$target: $args{generator}->[0] $deps
+	\$(CC) \$(CFLAGS) $incs /EP /C $args{generator}->[0] > \$@.i && move /Y \$@.i \$@
 EOF
      }
  }
@@ -232,10 +299,16 @@ EOF
 sub src2obj {
     my %args = @_;
     my $obj = $args{obj};
-     my @srcs = map { (my $x = $_) =~ s/\.[sS]$/.asm/; $x } ( @{$args{srcs}} );
+     my @srcs = map { (my $x = $_) =~ s/\.s$/.asm/; $x
+                    } ( @{$args{srcs}} );
     my $srcs = join(" ",  @srcs);
     my $deps = join(" ", @srcs, @{$args{deps}});
     my $incs = join("", map { " /I ".$_ } @{$args{incs}});
+     unless ($disabled{zlib}) {
+         if ($withargs{zlib_include}) {
+             $incs .= " /I ".$withargs{zlib_include};
+         }
+     }
     my $ecflags = { lib => '$(LIB_CFLAGS)',
 		     dso => '$(DSO_CFLAGS)',
 		     bin => '$(BIN_CFLAGS)' } -> {$args{intent}};
@@ -246,7 +319,7 @@ $obj$objext: $deps
 	\$(AS) \$(ASFLAGS) \$(ASOUTFLAG)\$\@ $srcs
 EOF
     }
-     return <<"EOF";
+     return <<"EOF"	if (!$disabled{makedepend});
 $obj$depext: $deps
 	\$(CC) \$(CFLAGS) $ecflags$inc /Zs /showIncludes $srcs 2>&1 | \\
 	    \$(PERL) -n << > $obj$depext
@@ -254,11 +327,15 @@ chomp;
 s/^Note: including file: *//;
 \$\$collect{\$\$_} = 1;
 END { print '$obj$objext: ',join(" ", sort keys \%collect),"\\n" }
-<<KEEP
+<<
 $obj$objext: $obj$depext
 	\$(CC) \$(CFLAGS) $ecflags$incs -c \$(COUTFLAG)\$\@ @<<
 $srcs
-<<KEEP
+<<
+EOF
+    return <<"EOF"	if ($disabled{makedepend});
+$obj$objext: $deps
+	\$(CC) \$(CFLAGS) $ecflags$incs -c \$(COUTFLAG)\$\@ $srcs
 EOF
 }

@@ -280,15 +357,20 @@ EOF
     my $mkdef_pl = abs2rel(rel2abs(catfile($config{sourcedir},
 					    "util", "mkdef.pl")),
 			    rel2abs($config{builddir}));
+     my $mkrc_pl = abs2rel(rel2abs(catfile($config{sourcedir},
+					   "util", "mkrc.pl")),
+			   rel2abs($config{builddir}));
     my $target = shlib_import($lib);
     return <<"EOF"
 $target: $deps $ordinalsfile $mkdef_pl
 	\$(PERL) $mkdef_pl "$mkdef_key" 32 > $shlib.def
 	\$(PERL) -i.tmp -pe "s|^LIBRARY\\s+${mkdef_key}32|LIBRARY $shlib|;" $shlib.def
 	DEL $shlib.def.tmp
+	\$(PERL) $mkrc_pl $shlib$shlibext > $shlib.rc
+	\$(RC) \$(RCOUTFLAG)$shlib.res $shlib.rc
 	\$(LD) \$(LDFLAGS) \$(LIB_LDFLAGS) \\
-		/implib:$target \$(LDOUTFLAG)$shlib$shlibext /def:$shlib.def @<<
-$objs$linklibs \$(EX_LIBS)
+		/implib:\$@ \$(LDOUTFLAG)$shlib$shlibext /def:$shlib.def @<< || (DEL /Q \$(\@B).* $shlib.* && EXIT 1)
+$objs $shlib.res$linklibs \$(EX_LIBS)
 <<
 	DEL /F apps\\$shlib$shlibext
 	DEL /F test\\$shlib$shlibext
@@ -331,7 +413,7 @@ EOF
     return <<"EOF";
 $lib$libext: $deps
 	\$(AR) \$(ARFLAGS) \$(AROUTFLAG)$lib$libext @<<
-$objs
+\$\?
 <<
 EOF
 }
--- a/248
+++ b/248
@@ -77,10 +77,21 @@ my $usage="Usage: Configure [no-<cipher> ...] [enable-<cipher> ...] [-Dxxx] [-lx
 # Minimum warning options... any contributions to OpenSSL should at least get
 # past these.

-my $gcc_devteam_warn = "-DPEDANTIC -DREF_DEBUG -DDEBUG_UNUSED -DBIO_DEBUG"
-        . " -pedantic"
+# DEBUG_UNUSED enables __owur (warn unused result) checks.
+my $gcc_devteam_warn = "-DDEBUG_UNUSED"
+        # -DPEDANTIC complements -pedantic and is meant to mask code that
+        # is not strictly standard-compliant and/or implementation-specifc,
+        # e.g. inline assembly, disregards to alignment requirements, such
+        # that -pedantic would complain about. Incidentally -DPEDANTIC has
+        # to be used even in sanitized builds, because sanitizer too is
+        # supposed to and does take notice of non-standard behaviour. Then
+        # -pedantic with pre-C9x compiler would also complain about 'long
+        # long' not being supported. As 64-bit algorithms are common now,
+        # it grew impossible to resolve this without sizeable additional
+        # code, so we just tell compiler to be pedantic about everything
+        # but 'long long' type.
+        . " -DPEDANTIC -pedantic -Wno-long-long"
        . " -Wall"
-        . " -Wno-long-long"
        . " -Wsign-compare"
        . " -Wmissing-prototypes"
        . " -Wshadow"
@@ -232,7 +243,6 @@ my @dtls = qw(dtls1 dtls1_2);
 # For developers: keep it sorted alphabetically

 my @disablables = (
-    "aes",
    "afalgeng",
    "asm",
    "async",
@@ -267,16 +277,14 @@ my @disablables = (
    "engine",
    "err",
    "filenames",
+    "gost",
    "heartbeats",
-    "hmac",
    "hw(-.+)?",
    "idea",
    "makedepend",
    "md2",
    "md4",
-    "md5",
    "mdc2",
-    "md[-_]ghost94",
    "multiblock",
    "nextprotoneg",
    "ocb",
@@ -290,15 +298,12 @@ my @disablables = (
    "rc5",
    "rdrand",
    "rfc3779",
-    "rijndael",			# Old AES name
    "ripemd",
    "rmd160",
-    "rsa",
    "scrypt",
    "sct",
    "sctp",
    "seed",
-    "sha",
    "shared",
    "sock",
    "srp",
@@ -336,7 +341,6 @@ our %disabled = ( # "what"         => "comment"
 		  "md2"                 => "default",
 		  "rc5"                 => "default",
 		  "sctp"                => "default",
-		  "shared"              => "default",
 		  "ssl-trace"           => "default",
 		  "ssl3"                => "default",
 		  "ssl3-method"         => "default",
@@ -356,11 +360,11 @@ my @disable_cascades = (
    "ssl"		=> [ "ssl3" ],
    "ssl3-method"	=> [ "ssl3" ],
    "zlib"		=> [ "zlib-dynamic" ],
-    "rijndael"		=> [ "aes" ],
    "des"		=> [ "mdc2" ],
    "ec"		=> [ "ecdsa", "ecdh" ],

-    "dgram"		=> [ "dtls" ],
+    "dgram"		=> [ "dtls", "sctp" ],
+    "sock"		=> [ "sctp" ],
    "dtls"		=> [ @dtls ],

    # SSL 3.0, (D)TLS 1.0 and TLS 1.1 require MD5 and SHA
@@ -395,6 +399,14 @@ my @disable_cascades = (
    "pic"               => [ "shared" ],
    "shared"            => [ "dynamic-engine" ],
    "engine"            => [ "afalgeng" ],
+
+    # no-autoalginit is only useful when building non-shared
+    "autoalginit"       => [ "shared", "apps" ],
+
+    "stdio"             => [ "apps" ],
+    "apps"              => [ "tests" ],
+    "comp"		=> [ "zlib" ],
+    sub { !$disabled{"unit-test"} } => [ "heartbeats" ],
    );

 # Avoid protocol support holes.  Also disable all versions below N, if version
@@ -550,6 +562,7 @@ foreach (@argvcopy)
                                {
                                $disabled{$proto} = "option(dtls)";
                                }
+                        $disabled{"dtls"} = "option(dtls)";
                        }
                elsif ($1 eq "ssl")
                        {
@@ -659,7 +672,7 @@ foreach (@argvcopy)
 			}
 		elsif (/^--with-zlib-include=(.*)$/)
 			{
-			$withargs{zlib_include}="-I$1";
+			$withargs{zlib_include}=$1;
 			}
 		elsif (/^--with-fipslibdir=(.*)$/)
 			{
@@ -741,9 +754,9 @@ while (@tocheckfor) {
    while (@cascade_copy) {
 	my ($test, $descendents) = (shift @cascade_copy, shift @cascade_copy);
 	if (ref($test) eq "CODE" ? $test->() : defined($disabled{$test})) {
-	    map {
+	    foreach(grep { !defined($disabled{$_}) } @$descendents) {
 		$new_tocheckfor{$_} = 1; $disabled{$_} = "forced";
-	    } grep { !defined($disabled{$_}) } @$descendents;
+	    }
 	}
    }
    @tocheckfor = (keys %new_tocheckfor);
@@ -860,7 +873,6 @@ my %target = resolve_config($target);
 $target{exe_extension}="";
 $target{exe_extension}=".exe" if ($config{target} eq "DJGPP"
                                  || $config{target} =~ /^(?:Cygwin|mingw)/);
-$target{exe_extension}=".nlm" if ($config{target} =~ /netware/);
 $target{exe_extension}=".pm"  if ($config{target} =~ /vos/);

 ($target{shared_extension_simple}=$target{shared_extension})
@@ -874,7 +886,7 @@ $config{cross_compile_prefix} = $ENV{'CROSS_COMPILE'}
    if $config{cross_compile_prefix} eq "";

 # Allow overriding the names of some tools.  USE WITH CARE
-$config{perl} =    $ENV{'PERL'}    || which("perl5") || which("perl") || "perl";
+$config{perl} =    $ENV{'PERL'}    || ($^O ne "VMS" ? $^X : "perl");
 $target{cc} =      $ENV{'CC'}      || $target{cc}      || "cc";
 $target{ranlib} =  $ENV{'RANLIB'}  || $target{ranlib}  || which("ranlib") || "true";
 $target{ar} =      $ENV{'AR'}      || $target{ar}      || "ar";
@@ -901,7 +913,7 @@ if ($target{build_scheme}->[0] eq "unified" && $classic) {
        if $srcdir ne $blddir;

    $target{build_scheme} = { unix    => [ "unixmake" ],
-                              windows => [ "mk1mf", $target{build_scheme}->[2] ],
+                              windows => undef,
                              VMS     => undef } -> {$target{build_scheme}->[1]};

    die "Classic mode unavailable on this platform\n"
@@ -911,6 +923,8 @@ if ($target{build_scheme}->[0] eq "unified" && $classic) {
 my ($builder, $builder_platform, @builder_opts) =
    @{$target{build_scheme}};

+push @{$config{defines}}, "NDEBUG"    if $config{build_type} eq "release";
+
 if ($target =~ /^mingw/ && `$target{cc} --target-help 2>&1` =~ m/-mno-cygwin/m)
 	{
 	$config{cflags} .= " -mno-cygwin";
@@ -1221,6 +1235,7 @@ push @{$config{openssl_other_defines}}, "OPENSSL_NO_AFALGENG" if ($disabled{afal
 # If we use the unified build, collect information from build.info files
 my %unified_info = ();

+my $buildinfo_debug = defined($ENV{CONFIGURE_DEBUG_BUILDINFO});
 if ($builder eq "unified") {
    # Store the name of the template file we will build the build file from
    # in %config.  This may be useful for the build file itself.
@@ -1303,6 +1318,7 @@ if ($builder eq "unified") {

        my %ordinals = ();
        my %sources = ();
+        my %shared_sources = ();
        my %includes = ();
        my %depends = ();
        my %renames = ();
@@ -1382,6 +1398,9 @@ if ($builder eq "unified") {
            qr/^\s*SOURCE\[((?:\\.|[^\\\]])+)\]\s*=\s*(.*)\s*$/
            => sub { push @{$sources{$1}}, split(/\s+/, $2)
                         if !@skip || $skip[$#skip] > 0 },
+            qr/^\s*SHARED_SOURCE\[((?:\\.|[^\\\]])+)\]\s*=\s*(.*)\s*$/
+            => sub { push @{$shared_sources{$1}}, split(/\s+/, $2)
+                         if !@skip || $skip[$#skip] > 0 },
            qr/^\s*INCLUDE\[((?:\\.|[^\\\]])+)\]\s*=\s*(.*)\s*$/
            => sub { push @{$includes{$1}}, split(/\s+/, $2)
                         if !@skip || $skip[$#skip] > 0 },
@@ -1415,7 +1434,18 @@ if ($builder eq "unified") {
                }
            },
            qr/^(?:#.*|\s*)$/ => sub { },
-            "OTHERWISE" => sub { die "Something wrong with this line:\n$_\nat $sourced/$f" }
+            "OTHERWISE" => sub { die "Something wrong with this line:\n$_\nat $sourced/$f" },
+            "BEFORE" => sub {
+                if ($buildinfo_debug) {
+                    print STDERR "DEBUG: Parsing ",join(" ", @_),"\n";
+                    print STDERR "DEBUG: ... before parsing, skip stack is ",join(" ", map { int($_) } @skip),"\n";
+                }
+            },
+            "AFTER" => sub {
+                if ($buildinfo_debug) {
+                    print STDERR "DEBUG: .... after parsing, skip stack is ",join(" ", map { int($_) } @skip),"\n";
+                }
+            },
            );
        die "runaway IF?" if (@skip);

@@ -1556,6 +1586,32 @@ EOF
            }
        }

+        foreach (keys %shared_sources) {
+            my $dest = $_;
+            my $ddest = cleanfile($buildd, $_, $blddir);
+            if ($unified_info{rename}->{$ddest}) {
+                $ddest = $unified_info{rename}->{$ddest};
+            }
+            foreach (@{$shared_sources{$dest}}) {
+                my $s = cleanfile($sourced, $_, $blddir);
+
+                # If it isn't in the source tree, we assume it's generated
+                # in the build tree
+                if (! -f $s) {
+                    $s = cleanfile($buildd, $_, $blddir);
+                }
+                # We recognise C and asm files
+                if ($s =~ /\.[csS]\b$/) {
+                    (my $o = $_) =~ s/\.[csS]\b$/.o/;
+                    $o = cleanfile($buildd, $o, $blddir);
+                    $unified_info{shared_sources}->{$ddest}->{$o} = 1;
+                    $unified_info{sources}->{$o}->{$s} = 1;
+                } else {
+                    die "unrecognised source file type for shared library: $s\n";
+                }
+            }
+        }
+
        foreach (keys %generate) {
            my $dest = $_;
            my $ddest = cleanfile($buildd, $_, $blddir);
@@ -1585,9 +1641,9 @@ EOF
                # and that there are lines to build it in a BEGINRAW..ENDRAW
                # section or in the Makefile template.
                if (! -f $d
-                    || !(grep { $d eq $_ }
-                         map { cleanfile($srcdir, $_, $blddir) }
-                         (@generated_headers, @generated_by_make_headers))) {
+                    || (grep { $d eq $_ }
+                        map { cleanfile($srcdir, $_, $blddir) }
+                        (@generated_headers, @generated_by_make_headers))) {
                    $d = cleanfile($buildd, $_, $blddir);
                }
                # Take note if the file to depend on is being renamed
@@ -1625,7 +1681,7 @@ EOF
        $unified_info{$_} = [ sort keys %{$unified_info{$_}} ];
    }
    # Two level structures
-    foreach my $l1 (("sources", "ldadd", "depends")) {
+    foreach my $l1 (("sources", "shared_sources", "ldadd", "depends")) {
        foreach my $l2 (sort keys %{$unified_info{$l1}}) {
            $unified_info{$l1}->{$l2} =
                [ sort keys %{$unified_info{$l1}->{$l2}} ];
@@ -1653,7 +1709,7 @@ use warnings;
 use Exporter;
 #use vars qw(\@ISA \@EXPORT);
 our \@ISA = qw(Exporter);
-our \@EXPORT = qw(\%config \%target %disabled %withargs %unified_info);
+our \@EXPORT = qw(\%config \%target \%disabled \%withargs \%unified_info \@disablables);

 EOF
 print OUT "our %config = (\n";
@@ -1690,6 +1746,14 @@ print OUT "  dtls => [ ", join(", ", map { quotify("perl", $_) } @dtls), " ],\n"
 print OUT <<"EOF";
 );

+EOF
+print OUT "our \@disablables = (\n";
+foreach (@disablables) {
+    print OUT "  ", quotify("perl", $_), ",\n";
+}
+print OUT <<"EOF";
+);
+
 EOF
 print OUT "our \%disabled = (\n";
 foreach (sort keys %disabled) {
@@ -1759,7 +1823,6 @@ print OUT "1;\n";
 close(OUT);


-print "IsMK1MF       =", ($builder eq "mk1mf" ? "yes" : "no"), "\n";
 print "CC            =$target{cc}\n";
 print "CFLAG         =$target{cflags} $config{cflags}\n";
 print "SHARED_CFLAG  =$target{shared_cflag}\n";
@@ -1851,73 +1914,6 @@ my %builders = (
        run_dofile("util/domd", "util/domd.in");
        chmod 0755, "util/domd";
    },
-    mk1mf => sub {
-        my $platform = shift;
-        # The only reason we do this is to have something to build MINFO from
-        build_Makefile();
-
-	# create the ms/version32.rc file if needed
-	if ($platform ne "netware") {
-	    my ($v1, $v2, $v3, $v4);
-	    if ($config{version_num} =~ /^0x([0-9a-f]{1})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{2})([0-9a-f]{1})L$/i) {
-		$v1=hex $1;
-		$v2=hex $2;
-		$v3=hex $3;
-		$v4=hex $4;
-	    }
-	    open (OUT,">ms/version32.rc") || die "Can't open ms/version32.rc";
-	    print OUT <<"EOF";
-#include <winver.h>
-
-LANGUAGE 0x09,0x01
-
-1 VERSIONINFO
-  FILEVERSION $v1,$v2,$v3,$v4
-  PRODUCTVERSION $v1,$v2,$v3,$v4
-  FILEFLAGSMASK 0x3fL
-#ifdef _DEBUG
-  FILEFLAGS 0x01L
-#else
-  FILEFLAGS 0x00L
-#endif
-  FILEOS VOS__WINDOWS32
-  FILETYPE VFT_DLL
-  FILESUBTYPE 0x0L
-BEGIN
-    BLOCK "StringFileInfo"
-    BEGIN
-	BLOCK "040904b0"
-	BEGIN
-	    // Required:
-	    VALUE "CompanyName", "The OpenSSL Project, http://www.openssl.org/\\0"
-	    VALUE "FileDescription", "OpenSSL Shared Library\\0"
-	    VALUE "FileVersion", "$config{version}\\0"
-#if defined(CRYPTO)
-	    VALUE "InternalName", "libcrypto32\\0"
-	    VALUE "OriginalFilename", "libcrypto32.dll\\0"
-#elif defined(SSL)
-	    VALUE "InternalName", "libssl32\\0"
-	    VALUE "OriginalFilename", "libssl32.dll\\0"
-#endif
-	    VALUE "ProductName", "The OpenSSL Toolkit\\0"
-	    VALUE "ProductVersion", "$config{version}\\0"
-	    // Optional:
-	    //VALUE "Comments", "\\0"
-	    VALUE "LegalCopyright", "Copyright © 1998-2015 The OpenSSL Project. Copyright © 1995-1998 Eric A. Young, Tim J. Hudson. All rights reserved.\\0"
-	    //VALUE "LegalTrademarks", "\\0"
-	    //VALUE "PrivateBuild", "\\0"
-	    //VALUE "SpecialBuild", "\\0"
-	END
-    END
-    BLOCK "VarFileInfo"
-    BEGIN
-        VALUE "Translation", 0x409, 0x4b0
-    END
-END
-EOF
-	    close(OUT);
-	}
-    },
    );

 $builders{$builder}->($builder_platform, @builder_opts);
@@ -1952,6 +1948,11 @@ exit(0);

 # Configuration file reading #########################################

+# Note: All of the helper functions are for lazy evaluation.  They all
+# return a CODE ref, which will return the intended value when evaluated.
+# Thus, whenever there's mention of a returned value, it's about that
+# intended value.
+
 # Helper function to implement conditional inheritance depending on the
 # value of $disabled{asm}.  Used in inherit_from values as follows:
 #
@@ -1964,6 +1965,53 @@ sub asm {
    }
 }

+# Helper function to implement conditional value variants, with a default
+# plus additional values based on the value of $config{build_type}.
+# Arguments are given in hash table form:
+#
+#       picker(default => "Basic string: ",
+#              debug   => "debug",
+#              release => "release")
+#
+# When configuring with --debug, the resulting string will be
+# "Basic string: debug", and when not, it will be "Basic string: release"
+#
+# This can be used to create variants of sets of flags according to the
+# build type:
+#
+#       cflags => picker(default => "-Wall",
+#                        debug   => "-g -O0",
+#                        release => "-O3")
+#
+sub picker {
+    my %opts = @_;
+    return sub { add($opts{default} || (),
+                     $opts{$config{build_type}} || ())->(); }
+}
+
+# Helper function to combine several values of different types into one.
+# This is useful if you want to combine a string with the result of a
+# lazy function, such as:
+#
+#       cflags => combine("-Wall", sub { $disabled{zlib} ? () : "-DZLIB" })
+#
+sub combine {
+    my @stuff = @_;
+    return sub { add(@stuff)->(); }
+}
+
+# Helper function to implement conditional values depending on the value
+# of $disabled{threads}.  Can be used as follows:
+#
+#       cflags => combine("-Wall", threads("-pthread"))
+#
+sub threads {
+    my @flags = @_;
+    return sub { add($disabled{threads} ? () : @flags)->(); }
+}
+
+
+
 our $add_called = 0;
 # Helper function to implement adding values to already existing configuration
 # values.  It handles elements that are ARRAYs, CODEs and scalars
@@ -2091,12 +2139,12 @@ sub resolve_config {
 	    # the config that had it.
 	    delete $inherited_config{template};

-	    map {
+	    foreach (keys %inherited_config) {
 		if (!$combined_inheritance{$_}) {
 		    $combined_inheritance{$_} = [];
 		}
 		push @{$combined_inheritance{$_}}, $inherited_config{$_};
-	    } keys %inherited_config;
+	    }
 	}
    }

@@ -2378,7 +2426,7 @@ sub quotify {
    my $processor =
 	defined($processors{$for}) ? $processors{$for} : sub { shift; };

-    map { $processor->($_); } @_;
+    return map { $processor->($_); } @_;
 }

 # collect_from_file($filename, $line_concat_cond_re, $line_concat)
@@ -2453,8 +2501,11 @@ sub collect_information {
    while(defined($_ = $lineiterator->())) {
        s|\R$||;
        my $found = 0;
+        if ($collectors{"BEFORE"}) {
+            $collectors{"BEFORE"}->($_);
+        }
        foreach my $re (keys %collectors) {
-            if ($re ne "OTHERWISE" && /$re/) {
+            if ($re !~ /^OTHERWISE|BEFORE|AFTER$/ && /$re/) {
                $collectors{$re}->($lineiterator);
                $found = 1;
            };
@@ -2463,5 +2514,8 @@ sub collect_information {
            $collectors{"OTHERWISE"}->($lineiterator, $_)
                unless $found || !defined $collectors{"OTHERWISE"};
        }
+        if ($collectors{"AFTER"}) {
+            $collectors{"AFTER"}->($_);
+        }
    }
 }
--- a/312
+++ b/312
@@ -2,12 +2,10 @@
 OPENSSL INSTALLATION
 --------------------

- [Installation on DOS (with djgpp), MacOS (before MacOS X)
-  and NetWare is described in INSTALL.DJGPP, INSTALL.MacOS
-  and INSTALL.NW.
-  
-  This document describes installation on the main supported operating
-  systems, currently the Linux/Unix family, OpenVMS and Windows.]
+ [This document describes installation on the main supported operating
+  systems, currently the Linux/Unix family, OpenVMS and Windows.
+  Installation on DOS (with djgpp), MacOS (before MacOS X)
+  is described in INSTALL.DJGPP or INSTALL.MacOS, respectively.]

 To install OpenSSL, you will need:

@@ -19,8 +17,8 @@
    header files
  * a supported operating system

- For more details regarding specific platforms, there are these notes
- available:
+ For additional platform specific requirements and other details,
+ please read one of these:

  * NOTES.VMS (OpenVMS)
  * NOTES.WIN (any Windows except for Windows CE)
@@ -49,6 +47,7 @@
    $ perl Configure { VC-WIN32 | VC-WIN64A | VC-WIN64I | VC-CE }
    $ nmake
    $ nmake test
+    $ nmake install

 [If any of these steps fails, see section Installation in Detail below.]

@@ -56,8 +55,8 @@

  Unix:    normal installation directories under /usr/local
  OpenVMS: SYS$COMMON:[OPENSSL-'version'...], where 'version' is the
-           OpenSSL version number ('major'_'minor').
-  Windows: currently don't have an install function     <TBA>
+           OpenSSL version number with underscores instead of periods.
+  Windows: C:\Program Files\OpenSSL or C:\Program Files (x86)\OpenSSL

 If you want to install it anywhere else, run config like this:

@@ -74,73 +73,188 @@
 ---------------------

 There are several options to ./config (or ./Configure) to customize
- the build:
+ the build (note that for Windows, the defaults for --prefix and
+ --openssldir depend in what configuration is used and what Windows
+ implementation OpenSSL is built on.  More notes on this in NOTES.WIN):

-  --prefix=DIR     The top of the installation directory tree.  Defaults are:
+  --prefix=DIR
+                   The top of the installation directory tree.  Defaults are:

                   Unix:           /usr/local
+                   Windows:        C:\Program Files\OpenSSL
+                                or C:\Program Files (x86)\OpenSSL
                   OpenVMS:        SYS$COMMON:[OPENSSL-'version']

-  --openssldir=DIR Directory for OpenSSL configuration files, and also the
+  --openssldir=DIR
+                   Directory for OpenSSL configuration files, and also the
                   default certificate and key store.  Defaults are:

-                   Unix:           PREFIX/ssl (PREFIX is given by --prefix)
-                   OpenVMS:        SYS$COMMON:[SSL]
+                   Unix:           /usr/local/ssl
+                   Windows:        C:\Program Files\Common Files\SSL
+                                or C:\Program Files (x86)\Common Files\SSL
+                   OpenVMS:        SYS$COMMON:[OPENSSL-COMMON]

-  --api=x.y.z      Don't build with support for deprecated APIs below the
+  --api=x.y.z
+                   Don't build with support for deprecated APIs below the
                   specified version number. For example "--api=1.1.0" will
                   remove support for all APIS that were deprecated in OpenSSL
                   version 1.1.0 or below.

-  no-deprecated    Don't build with support for any deprecated APIs. This is the
-                   same as using "--api" and supplying the latest version
-                   number.
+  no-afalgeng
+                   Don't build the AFALG engine. This option will be forced if
+                   on a platform that does not support AFALG.

-  no-autoalginit   Don't automatically load all supported ciphers and digests.
+  no-asm
+                   Do not use assembler code. On some platforms a small amount
+                   of assembler code may still be used.
+
+  no-async
+                   Do not build support for async operations.
+
+  no-autoalginit
+                   Don't automatically load all supported ciphers and digests.
                   Typically OpenSSL will make available all of its supported
                   ciphers and digests. For a statically linked application this
                   may be undesirable if small executable size is an objective.
                   This only affects libcrypto. Ciphers and digests will have to
                   be loaded manually using EVP_add_cipher() and
-                   EVP_add_digest() if this option is used.
+                   EVP_add_digest() if this option is used. This option will
+                   force a non-shared build.

-  no-autoerrinit   Don't automatically load all libcrypto/libssl error strings.
+  no-autoerrinit
+                   Don't automatically load all libcrypto/libssl error strings.
                   Typically OpenSSL will automatically load human readable
                   error strings. For a statically linked application this may
                   be undesirable if small executable size is an objective.

-  no-threads       Don't try to build with support for multi-threaded
-                   applications.

-  threads          Build with support for multi-threaded applications.
-                   This will usually require additional system-dependent
-                   options! See "Note on multi-threading" below.
+  no-capieng
+                   Don't build the CAPI engine. This option will be forced if
+                   on a platform that does not support CAPI.

-  no-zlib          Don't try to build with support for zlib compression and
-                   decompression.
+  no-cms
+                   Don't build support for CMS features

-  zlib             Build with support for zlib compression/decompression.
+  no-comp
+                   Don't build support for SSL/TLS compression. If this option
+                   is left enabled (the default), then compression will only
+                   work if the zlib or zlib-dynamic options are also chosen.

-  zlib-dynamic     Like "zlib", but has OpenSSL load the zlib library
-                   dynamically when needed.  This is only supported on systems
-                   where loading of shared libraries is supported.  This is the
-                   default choice.
+  enable-crypto-mdebug
+                   Build support for debugging memory allocated via
+                   OPENSSL_malloc() or OPENSSL_zalloc().

-  no-shared        Don't try to create shared libraries.
+  enable-crypto-mdebug-backtrace
+                   As for crypto-mdebug, but additionally provide backtrace
+                   information for allocated memory.

-  shared           In addition to the usual static libraries, create shared
-                   libraries on platforms where it's supported.  See "Note on
-                   shared libraries" below.
+  no-ct
+                   Don't build support for Certificate Transparency.

-  no-asm           Do not use assembler code.
+  no-deprecated
+                   Don't build with support for any deprecated APIs. This is the
+                   same as using "--api" and supplying the latest version
+                   number.

-  386              On Intel hardware, use the 80386 instruction set only
-                   (the default x86 code is more efficient, but requires at
-                   least a 486). Note: Use compiler flags for any other CPU
-                   specific configuration, e.g. "-m32" to build x86 code on
-                   an x64 system.
+  no-dgram
+                   Don't build support for datagram based BIOs. Selecting this
+                   option will also force the disabling of DTLS.

-  no-sse2          Exclude SSE2 code pathes. Normally SSE2 extension is
+  no-dso
+                   Don't build support for loading Dynamic Shared Objects.
+
+  no-dynamic-engine
+                   Don't build the dynamically loaded engines. This only has an
+                   effect in a "shared" build
+
+  no-ec
+                   Don't build support for Elliptic Curves.
+
+  no-ec2m
+                   Don't build support for binary Elliptic Curves
+
+  enable-ec_nistp_64_gcc_128
+                   Enable support for optimised implementations of some commonly
+                   used NIST elliptic curves. This is only supported on some
+                   platforms.
+
+  enable-egd
+                   Build support for gathering entropy from EGD (Entropy
+                   Gathering Daemon).
+
+  no-engine
+                   Don't build support for loading engines.
+
+  no-err
+                   Don't compile in any error strings.
+
+  no-filenames
+                   Don't compile in filename and line number information (e.g.
+                   for errors and memory allocation).
+
+  no-gost
+                   Don't build support for GOST based ciphersuites. Note that
+                   if this feature is enabled then GOST ciphersuites are only
+                   available if the GOST algorithms are also available through
+                   loading an externally supplied engine.
+
+  enable-heartbeats
+                   Build support for DTLS heartbeats.
+
+  no-hw-padlock
+                   Don't build the padlock engine.
+
+  no-makedepend
+                   Don't generate dependencies.
+
+  no-multiblock
+                   Don't build support for writing multiple records in one
+                   go in libssl (Note: this is a different capability to the
+                   pipelining functionality).
+
+  no-nextprotoneg
+                   Don't build support for the NPN TLS extension.
+
+  no-ocsp
+                   Don't build support for OCSP.
+
+  no-pic
+                   Don't build with support for Position Independent Code.
+
+  no-posix-io
+                   Don't use POSIX IO capabilities.
+
+  no-psk
+                   Don't build support for Pre-Shared Key based ciphersuites.
+
+  no-rdrand
+                   Don't use hardware RDRAND capabilities.
+
+  no-rfc3779
+                   Don't build support for RFC3779 ("X.509 Extensions for IP
+                   Addresses and AS Identifiers")
+
+  no-sct
+                   ??
+
+  sctp
+                   Build support for SCTP
+
+  no-shared
+                   Do not create shared libraries, only static ones.  See "Note
+                   on shared libraries" below.
+
+  no-sock
+                   Don't build support for socket BIOs
+
+  no-srp
+                   Don't build support for SRP or SRP based ciphersuites.
+
+  no-srtp
+                   Don't build SRTP support
+
+  no-sse2
+                   Exclude SSE2 code paths. Normally SSE2 extension is
                   detected at run-time, but the decision whether or not the
                   machine code will be executed is taken solely on CPU
                   capability vector. This means that if you happen to run OS
@@ -151,15 +265,96 @@
                   compiled with CPU_ENABLE_SSE, and there is a way to
                   disengage SSE2 code pathes upon application start-up,
                   but if you aim for wider "audience" running such kernel,
-                   consider no-sse2. Both 386 and no-asm options above imply
+                   consider no-sse2. Both the 386 and no-asm options imply
                   no-sse2.

-  no-<alg>         Build without the specified algorithm (bf, cast, des, dh,
-                   dsa, hmac, md2, md5, mdc2, rc2, rc4, rc5, rsa, sha).
+  enable-ssl-trace
+                   Build with the SSL Trace capabilities (adds the "-trace"
+                   option to s_client and s_server).

-  -Dxxx, -lxxx,    These system specific options will be passed through to the
-  -Lxxx, -fxxx,    compiler to allow you to define preprocessor symbols, specify
-  -mXXX, -Kxxx     additional libraries, library directories or other compiler
+  no-static-engine
+                   Don't build the statically linked engines. This only
+                   has an impact when not built "shared".
+
+  no-stdio
+                   Don't use any C "stdio" features. Only libcrypto and libssl
+                   can be built in this way. Using this option will suppress
+                   building the command line applications. Additionally since
+                   the OpenSSL tests also use the command line applications the
+                   tests will also be skipped.
+
+  no-threads
+                   Don't try to build with support for multi-threaded
+                   applications.
+
+  threads
+                   Build with support for multi-threaded applications. Most
+                   platforms will enable this by default. However if on a
+                   platform where this is not the case then this will usually
+                   require additional system-dependent options! See "Note on
+                   multi-threading" below.
+
+  no-ts
+                   Don't build Time Stamping Authority support.
+
+  no-ui
+                   Don't build with the "UI" capability (i.e. the set of
+                   features enabling text based prompts).
+
+  enable-unit-test
+                   Enable additional unit test APIs. This should not typically
+                   be used in production deployments.
+
+  enable-weak-ssl-ciphers
+                   Build support for SSL/TLS ciphers that are considered "weak"
+                   (e.g. RC4 based ciphersuites).
+
+  zlib
+                   Build with support for zlib compression/decompression.
+
+  zlib-dynamic
+                   Like "zlib", but has OpenSSL load the zlib library
+                   dynamically when needed.  This is only supported on systems
+                   where loading of shared libraries is supported.
+
+  386
+                   On Intel hardware, use the 80386 instruction set only
+                   (the default x86 code is more efficient, but requires at
+                   least a 486). Note: Use compiler flags for any other CPU
+                   specific configuration, e.g. "-m32" to build x86 code on
+                   an x64 system.
+
+  no-<prot>
+                   Don't build support for negotiating the specified SSL/TLS
+                   protocol (one of ssl, ssl3, tls, tls1, tls1_1, tls1_2, dtls,
+                   dtls1 or dtls1_2). If "no-tls" is selected then all of tls1,
+                   tls1_1 and tls1_2 are disabled. Similarly "no-dtls" will
+                   disable dtls1 and dtls1_2. The "no-ssl" option is synonymous
+                   with "no-ssl3". Note this only affects version negotiation.
+                   OpenSSL will still provide the methods for applications to
+                   explicitly select the individual protocol versions.
+
+  no-<prot>-method
+                   As for no-<prot> but in addition do not build the methods for
+                   applications to explicitly select individual protocol
+                   versions.
+
+  enable-<alg>
+                   Build with support for the specified algorithm, where <alg>
+                   is one of: md2 or rc5.
+
+  no-<alg>
+                   Build without support for the specified algorithm, where
+                   <alg> is one of: bf, blake2, camellia, cast, chacha, cmac,
+                   des, dh, dsa, ecdh, ecdsa, idea, md4, md5, mdc2, ocb,
+                   ploy1305, rc2, rc4, rmd160, scrypt, seed or whirlpool. The
+                   "ripemd" algorithm is deprecated and if used is synonymous
+                   with rmd160.
+
+  -Dxxx, -lxxx, -Lxxx, -fxxx, -mXXX, -Kxxx
+                   These system specific options will be passed through to the
+                   compiler to allow you to define preprocessor symbols, specify
+                   additional libraries, library directories or other compiler
                   options.


@@ -442,15 +637,12 @@
 Note on shared libraries
 ------------------------

- Shared libraries have certain caveats.  Binary backward compatibility
- can't be guaranteed before OpenSSL version 1.0.  The only reason to
- use them would be to conserve memory on systems where several programs
- are using OpenSSL.
-
- For most systems, the OpenSSL Configure script knows what is needed to
- build shared libraries for libcrypto and libssl.  On these systems,
- the shared libraries are currently not created by default, but giving
- the option "shared" will get them created.
+ For most systems the OpenSSL Configure script knows what is needed to
+ build shared libraries for libcrypto and libssl. On these systems
+ the shared libraries will be created by default. This can be suppressed and
+ only static libraries created by using the "no-shared" option. On systems
+ where OpenSSL does not know how to build shared libraries the "no-shared"
+ option will be forced and only static libraries will be created.

 Note on random number generation
 --------------------------------
--- a/INSTALL.NW
+++ b/INSTALL.NW
@@ -1,454 +0,0 @@
-
-INSTALLATION ON THE NETWARE PLATFORM
------------------------------------
-
-Notes about building OpenSSL for NetWare.
-
-
-BUILD PLATFORM:
---------------
-The build scripts (batch files, perl scripts, etc) have been developed and
-tested on W2K.  The scripts should run fine on other Windows platforms
-(NT, Win9x, WinXP) but they have not been tested.  They may require some
-modifications.
-
-
-Supported NetWare Platforms - NetWare 5.x, NetWare 6.x:
-------------------------------------------------------
-OpenSSL can either use the WinSock interfaces introduced in NetWare 5,
-or the BSD socket interface.  Previous versions of NetWare, 4.x and 3.x,
-are only supported if OpenSSL is build for CLIB and BSD sockets;
-WinSock builds only support NetWare 5 and up.
-
-On NetWare there are two c-runtime libraries.  There is the legacy CLIB 
-interfaces and the newer LIBC interfaces.  Being ANSI-C libraries, the 
-functionality in CLIB and LIBC is similar but the LIBC interfaces are built 
-using Novell Kernal Services (NKS) which is designed to leverage 
-multi-processor environments.
-
-The NetWare port of OpenSSL can be configured to build using CLIB or LIBC.
-The CLIB build was developed and tested using NetWare 5.0 sp6.0a.  The LIBC 
-build was developed and tested using the NetWare 6.0 FCS.  
-
-The necessary LIBC functionality ships with NetWare 6.  However, earlier 
-NetWare 5.x versions will require updates in order to run the OpenSSL LIBC
-build (NetWare 5.1 SP8 is known to work).
-
-As of June 2005, the LIBC build can be configured to use BSD sockets instead
-of WinSock sockets. Call Configure (usually through netware\build.bat) using
-a target of "netware-libc-bsdsock" instead of "netware-libc".
-
-As of June 2007, support for CLIB and BSD sockets is also now available
-using a target of "netware-clib-bsdsock" instead of "netware-clib";
-also gcc builds are now supported on both Linux and Win32 (post 0.9.8e).
-
-REQUIRED TOOLS:
---------------
-Based upon the configuration and build options used, some or all of the
-following tools may be required:
-
-* Perl for Win32 - required (http://www.activestate.com/ActivePerl)
-   Used to run the various perl scripts on the build platform.
-
-* Perl 5.8.0 for NetWare v3.20 (or later) - required 
-   (http://developer.novell.com) Used to run the test script on NetWare 
-   after building.
-
-* Compiler / Linker - required:
-   Metrowerks CodeWarrior PDK 2.1 (or later) for NetWare (commercial):
-      Provides command line tools used for building.
-      Tools:
-      mwccnlm.exe  - C/C++ Compiler for NetWare
-      mwldnlm.exe  - Linker for NetWare
-      mwasmnlm.exe - x86 assembler for NetWare (if using assembly option)
-
-   gcc / nlmconv Cross-Compiler, available from Novell Forge (free):
-         http://forge.novell.com/modules/xfmod/project/?aunixnw
-
-* Assemblers - optional:
-   If you intend to build using the assembly options you will need an
-   assembler.  Work has been completed to support two assemblers, Metrowerks
-   and NASM.  However, during development, a bug was found in the Metrowerks
-   assembler which generates incorrect code.  Until this problem is fixed,
-   the Metrowerks assembler cannot be used.
-
-   mwasmnlm.exe - Metrowerks x86 assembler - part of CodeWarrior tools.
-         (version 2.2 Built Aug 23, 1999 - not useable due to code
-          generation bug)
-
-   nasmw.exe - Netwide Assembler NASM
-         version 0.98 was used in development and testing
-
-* Make Tool - required:
-   In order to build you will need a make tool.  Two make tools are
-   supported, GNU make (gmake.exe) or Microsoft nmake.exe.
-
-   make.exe - GNU make for Windows (version 3.75 used for development)
-         http://gnuwin32.sourceforge.net/packages/make.htm
-
-   nmake.exe - Microsoft make (Version 6.00.8168.0 used for development)
-         http://support.microsoft.com/kb/132084/EN-US/
-
-* Novell Developer Kit (NDK) - required: (http://developer.novell.com)
-
-   CLIB - BUILDS:
-
-      WinSock2 Developer Components for NetWare:
-         For initial development, the October 27, 2000 version was used.
-         However, future versions should also work.
-
-         NOTE:  The WinSock2 components include headers & import files for
-         NetWare, but you will also need the winsock2.h and supporting
-         headers (pshpack4.h, poppack.h, qos.h) delivered in the
-         Microsoft SDK.  Note: The winsock2.h support headers may change
-         with various versions of winsock2.h.  Check the dependencies
-         section on the NDK WinSock2 download page for the latest
-         information on dependencies. These components are unsupported by
-         Novell. They are provided as a courtesy, but it is strongly
-         suggested that all development be done using LIBC, not CLIB.
-
-         As of June 2005, the WinSock2 components are available at:
-         http://forgeftp.novell.com//ws2comp/
-
-
-      NLM and NetWare libraries for C (including CLIB and XPlat):
-         If you are going to build a CLIB version of OpenSSL, you will
-         need the CLIB headers and imports.  The March, 2001 NDK release or 
-         later is recommended.
-
-         Earlier versions should work but haven't been tested.  In recent
-         versions the import files have been consolidated and function
-         names moved.  This means you may run into link problems
-         (undefined symbols) when using earlier versions.   The functions
-         are available in earlier versions, but you will have to modifiy
-         the make files to include additional import files (see
-         openssl\util\pl\netware.pl).
-
-
-   LIBC - BUILDS:
-   
-      Libraries for C (LIBC) - LIBC headers and import files
-         If you are going to build a LIBC version of OpenSSL, you will
-         need the LIBC headers and imports.  The March 14, 2002 NDK release or
-         later is required.  
-         
-         NOTE: The LIBC SDK includes the necessary WinSock2 support.
-         It is not necessary to download the WinSock2 NDK when building for
-         LIBC. The LIBC SDK also includes the appropriate BSD socket support
-         if configuring to use BSD sockets.
-
-
-BUILDING:
---------
-Before building, you will need to set a few environment variables.  You can
-set them manually or you can modify the "netware\set_env.bat" file.
-
-The set_env.bat file is a template you can use to set up the path
-and environment variables you will need to build.  Modify the
-various lines to point to YOUR tools and run set_env.bat.
-
-   netware\set_env.bat <target> [compiler]
-
-      target        - "netware-clib" - CLIB NetWare build
-                    - "netware-libc" - LIBC NetWare build
-
-      compiler      - "gnuc"         - GNU GCC Compiler
-                    - "codewarrior"  - MetroWerks CodeWarrior (default)
-
-If you don't use set_env.bat, you will need to set up the following
-environment variables:
-
-   PATH - Set PATH to point to the tools you will use.
-
-   INCLUDE - The location of the NDK include files.
-         
-            CLIB ex: set INCLUDE=c:\ndk\nwsdk\include\nlm
-            LIBC ex: set INCLUDE=c:\ndk\libc\include
-
-   PRELUDE - The absolute path of the prelude object to link with.  For
-            a CLIB build it is recommended you use the "clibpre.o" files shipped
-            with the Metrowerks PDK for NetWare.  For a LIBC build you should 
-            use the "libcpre.o" file delivered with the LIBC NDK components.
-
-            CLIB ex: set PRELUDE=c:\ndk\nwsdk\imports\clibpre.o
-            LIBC ex: set PRELUDE=c:\ndk\libc\imports\libcpre.o
-
-   IMPORTS - The locaton of the NDK import files.
-
-            CLIB ex: set IMPORTS=c:\ndk\nwsdk\imports
-            LIBC ex: set IMPORTS=c:\ndk\libc\imports
-
-
-In order to build, you need to run the Perl scripts to configure the build
-process and generate a make file.  There is a batch file,
-"netware\build.bat", to automate the process.
-
-Build.bat runs the build configuration scripts and generates a make file.
-If an assembly option is specified, it also runs the scripts to generate 
-the assembly code.  Always run build.bat from the "openssl" directory.
-
-   netware\build [target] [debug opts] [assembly opts] [configure opts]
-
-      target        - "netware-clib" - CLIB NetWare build (WinSock Sockets)
-                    - "netware-clib-bsdsock" - CLIB NetWare build (BSD Sockets)
-                    - "netware-libc" - LIBC NetWare build (WinSock Sockets)
-                    - "netware-libc-bsdsock" - LIBC NetWare build (BSD Sockets)
- 
-      debug opts    - "debug"  - build debug
-
-      assembly opts - "nw-mwasm" - use Metrowerks assembler
-                      "nw-nasm"  - use NASM assembler
-                      "no-asm"   - don't use assembly
-
-      configure opts- all unrecognized arguments are passed to the
-                      perl 'configure' script. See that script for
-                      internal documentation regarding options that
-                      are available.
-
-   examples:
-
-      CLIB build, debug, without assembly:
-         netware\build.bat netware-clib debug no-asm
-
-      LIBC build, non-debug, using NASM assembly, add mdc2 support:
-         netware\build.bat netware-libc nw-nasm enable-mdc2
-
-      LIBC build, BSD sockets, non-debug, without assembly:
-         netware\build.bat netware-libc-bsdsock no-asm
-
-Running build.bat generates a make file to be processed by your make 
-tool (gmake or nmake):
-
-   CLIB ex: gmake -f netware\nlm_clib_dbg.mak 
-   LIBC ex: gmake -f netware\nlm_libc.mak 
-   LIBC ex: gmake -f netware\nlm_libc_bsdsock.mak 
-
-
-You can also run the build scripts manually if you do not want to use the
-build.bat file.  Run the following scripts in the "\openssl"
-subdirectory (in the order listed below):
-
-   perl configure no-asm [other config opts] [netware-clib|netware-libc|netware-libc-bsdsock]
-      configures no assembly build for specified netware environment
-      (CLIB or LIBC).
-
-   perl util\mkfiles.pl >MINFO
-      generates a listing of source files (used by mk1mf)
-
-   perl util\mk1mf.pl no-asm [other config opts] [netware-clib|netware-libc|netware-libc-bsdsock >netware\nlm.mak
-      generates the makefile for NetWare
-
-   gmake -f netware\nlm.mak
-      build with the make tool (nmake.exe also works)
-
-NOTE:  If you are building using the assembly option, you must also run the
-various Perl scripts to generate the assembly files.  See build.bat
-for an example of running the various assembly scripts.  You must use the
-"no-asm" option to build without assembly.  The configure and mk1mf scripts
-also have various other options.  See the scripts for more information.
-
-
-The output from the build is placed in the following directories:
-
-   CLIB Debug build:
-      out_nw_clib.dbg     - static libs & test nlm(s)
-      tmp_nw_clib.dbg     - temporary build files
-      outinc_nw_clib      - necessary include files
-
-   CLIB Non-debug build:
-      out_nw_clib         - static libs & test nlm(s)
-      tmp_nw_clib         - temporary build files
-      outinc_nw_clib      - necesary include files
-
-   LIBC Debug build:
-      out_nw_libc.dbg     - static libs & test nlm(s)
-      tmp_nw_libc.dbg     - temporary build files
-      outinc_nw_libc      - necessary include files
-
-   LIBC Non-debug build:
-      out_nw_libc         - static libs & test nlm(s)
-      tmp_nw_libc         - temporary build files
-      outinc_nw_libc      - necesary include files
-
-
-TESTING:
--------
-The build process creates the OpenSSL static libs ( crypto.lib, ssl.lib,
-rsaglue.lib ) and several test programs.  You should copy the test programs
-to your NetWare server and run the tests.
-
-The batch file "netware\cpy_tests.bat" will copy all the necessary files
-to your server for testing.  In order to run the batch file, you need a
-drive mapped to your target server.  It will create an "OpenSSL" directory
-on the drive and copy the test files to it.  CAUTION: If a directory with the
-name of "OpenSSL" already exists, it will be deleted.
-
-To run cpy_tests.bat:
-
-   netware\cpy_tests [output directory] [NetWare drive]
-
-      output directory - "out_nw_clib.dbg", "out_nw_libc", etc.
-      NetWare drive    - drive letter of mapped drive
-
-      CLIB ex: netware\cpy_tests out_nw_clib m:
-      LIBC ex: netware\cpy_tests out_nw_libc m:
-
-
-The Perl script, "do_tests.pl", in the "OpenSSL" directory on the server
-should be used to execute the tests.  Before running the script, make sure
-your SEARCH PATH includes the "OpenSSL" directory.  For example, if you
-copied the files to the "sys:" volume you use the command:
-
-   SEARCH ADD SYS:\OPENSSL
-
-
-To run do_tests.pl type (at the console prompt):
-
-   perl \openssl\do_tests.pl [options]
-
-      options:
-         -p    - pause after executing each test
-
-The do_tests.pl script generates a log file "\openssl\test_out\tests.log"
-which should be reviewed for errors.  Any errors will be denoted by the word
-"ERROR" in the log.
-
-DEVELOPING WITH THE OPENSSL SDK:
--------------------------------
-Now that everything is built and tested, you are ready to use the OpenSSL
-libraries in your development.
-
-There is no real installation procedure, just copy the static libs and
-headers to your build location.  The libs (crypto.lib & ssl.lib) are
-located in the appropriate "out_nw_XXXX" directory 
-(out_nw_clib, out_nw_libc, etc).  
-
-The headers are located in the appropriate "outinc_nw_XXX" directory 
-(outinc_nw_clib, outinc_nw_libc).  
-
-One suggestion is to create the following directory 
-structure for the OpenSSL SDK:
-
-   \openssl
-      |- bin
-      |   |- openssl.nlm
-      |   |- (other tests you want)
-      |
-      |- lib
-      |   | - crypto.lib
-      |   | - ssl.lib
-      |
-      |- include
-      |   | - openssl
-      |   |    | - (all the headers in "outinc_nw\openssl")
-
-
-The program "openssl.nlm" can be very useful.  It has dozens of
-options and you may want to keep it handy for debugging, testing, etc.
-
-When building your apps using OpenSSL, define "NETWARE".  It is needed by
-some of the OpenSSL headers.  One way to do this is with a compile option,
-for example "-DNETWARE".
-
-
-
-NOTES:
------
-
-Resource leaks in Tests
------------------------
-Some OpenSSL tests do not clean up resources and NetWare reports
-the resource leaks when the tests unload.  If this really bugs you,
-you can stop the messages by setting the developer option off at the console
-prompt (set developer option = off).  Or better yet, fix the tests to
-clean up the resources!
-
-
-Multi-threaded Development
---------------------------
-The NetWare version of OpenSSL is thread-safe, however multi-threaded
-applications must provide the necessary locking function callbacks.  This
-is described in doc\threads.doc.  The file "openssl-x.x.x\crypto\threads\mttest.c"
-is a multi-threaded test program and demonstrates the locking functions.
-
-
-What is openssl2.nlm?
---------------------
-The openssl program has numerous options and can be used for many different
-things.  Many of the options operate in an interactive mode requiring the
-user to enter data.  Because of this, a default screen is created for the
-program.  However, when running the test script it is not desirable to
-have a separate screen.  Therefore, the build also creates openssl2.nlm.
-Openssl2.nlm is functionally identical but uses the console screen.
-Openssl2 can be used when a non-interactive mode is desired.
-
-NOTE:  There are may other possibilities (command line options, etc)
-which could have been used to address the screen issue.  The openssl2.nlm
-option was chosen because it impacted only the build not the code.
-
-
-Why only static libraries?
--------------------------
-Globals, globals, and more globals.  The OpenSSL code uses many global
-variables that are allocated and initialized when used for the first time.
-
-On NetWare, most applications (at least historically) run in the kernel.
-When running in the kernel, there is one instance of global variables.
-For regular application type NLM(s) this isn't a problem because they are
-the only ones using the globals.  However, for a library NLM (an NLM which
-exposes functions and has no threads of execution), the globals cause
-problems.  Applications could inadvertently step on each other if they
-change some globals.  Even worse, the first application that triggers a
-global to be allocated and initialized has the allocated memory charged to
-itself.  Now when that application unloads, NetWare will clean up all the
-applicaton's memory.  The global pointer variables inside OpenSSL now
-point to freed memory.  An abend waiting to happen!
-
-To work correctly in the kernel, library NLM(s) that use globals need to
-provide a set of globals (instance data) for each application.  Another
-option is to require the library only be loaded in a protected address
-space along with the application using it.
-
-Modifying the OpenSSL code to provide a set of globals (instance data) for
-each application isn't technically difficult, but due to the large number
-globals it would require substantial code changes and it wasn't done.  Hence,
-the build currently only builds static libraries which are then linked
-into each application.
-
-NOTE:  If you are building a library NLM that uses the OpenSSL static
-libraries, you will still have to deal with the global variable issue.
-This is because when you link in the OpenSSL code you bring in all the
-globals.  One possible solution for the global pointer variables is to
-register memory functions with OpenSSL which allocate memory and charge it
-to your library NLM (see the function CRYPTO_set_mem_functions).  However,
-be aware that now all memory allocated by OpenSSL is charged to your NLM.
-
-
-CodeWarrior Tools and W2K
---------------------------
-There have been problems reported with the CodeWarrior Linker
-(mwldnlm.exe) in the PDK 2.1 for NetWare when running on Windows 2000.  The
-problems cause the link step to fail.  The only work around is to obtain an
-updated linker from Metrowerks.  It is expected Metrowerks will release
-PDK 3.0 (in beta testing at this time - May, 2001) in the near future which
-will fix these problems.
-
-
-Makefile "vclean"
------------------
-The generated makefile has a "vclean" target which cleans up the build
-directories.  If you have been building successfully and suddenly
-experience problems, use "vclean" (gmake -f netware\nlm_xxxx.mak vclean) and retry.
-
-
-"Undefined Symbol" Linker errors
--------------------------------
-There have been linker errors reported when doing a CLIB build.  The problems
-occur because some versions of the CLIB SDK import files inadvertently 
-left out some symbols.  One symbol in particular is "_lrotl".  The missing
-functions are actually delivered in the binaries, but they were left out of
-the import files.  The issues should be fixed in the September 2001 release 
-of the NDK.  If you experience the problems you can temporarily
-work around it by manually adding the missing symbols to your version of 
-"clib.imp".
-
--- a/INSTALL.OS2
+++ b/INSTALL.OS2
@@ -1,31 +0,0 @@
- 
- Installation on OS/2
- --------------------
-
- You need to have the following tools installed:
-
-  * EMX GCC
-  * PERL
-  * GNU make
-
-
- To build the makefile, run
-
- > os2\os2-emx
-
- This will configure OpenSSL and create OS2-EMX.mak which you then use to 
- build the OpenSSL libraries & programs by running
-
- > make -f os2-emx.mak
-
- If that finishes successfully you will find the libraries and programs in the
- "out" directory.
-
- Alternatively, you can make a dynamic build that puts the library code into
- crypto.dll and ssl.dll by running
-
- > make -f os2-emx-dll.mak
-
- This will build the above mentioned dlls and a matching pair of import
- libraries in the "out_dll" directory along with the set of test programs
- and the openssl application.
--- a/Makefile.in
+++ b/Makefile.in
@@ -465,19 +465,11 @@ clean:	libclean
 	rm -f speed.* .pure
 	rm -f $(TARFILE)

-makefile.one: files
-	$(PERL) util/mk1mf.pl >makefile.one; \
-	sh util/do_ms.sh
-
-files:
-	$(PERL) $(TOP)/util/files.pl Makefile > $(TOP)/MINFO
-	@set -e; target=files; $(RECURSIVE_BUILD_CMD)
-
 gentests:
 	@(cd test && echo "generating dummy tests (if needed)..." && \
 	$(CLEARENV) && $(MAKE) -e $(BUILDENV) TESTS='$(TESTS)' OPENSSL_DEBUG_MEMORY=on generate );

-test:   files tests
+test:   tests

 tests:  build_tests 
 	@(cd test && echo "testing..." && \
--- a/Makefile.shared
+++ b/Makefile.shared
@@ -561,11 +561,11 @@ symlink.hpux:
 symlink.cygwin symlink.alpha-osf1 symlink.tru64 symlink.tru64-rpath:

 # Compatibility targets
-link_dso.bsd-gcc-shared link_dso.linux-shared link_dso.gnu-shared: link_dso.gnu
+link_dso.bsd-gcc-shared link_dso.linux-shared link_dso.gnu-shared link_dso.haiku-shared: link_dso.gnu
 link_shlib.bsd-gcc-shared: link_shlib.linux-shared
-link_shlib.gnu-shared: link_shlib.gnu
-link_app.bsd-gcc-shared link_app.linux-shared link_app.gnu-shared: link_app.gnu
-symlink.bsd-gcc-shared symlink.bsd-shared symlink.linux-shared symlink.gnu-shared: symlink.gnu
+link_shlib.gnu-shared link_shlib.haiku-shared: link_shlib.gnu
+link_app.bsd-gcc-shared link_app.linux-shared link_app.gnu-shared link_app.haiku-shared: link_app.gnu
+symlink.bsd-gcc-shared symlink.bsd-shared symlink.linux-shared symlink.gnu-shared symlink.haiku-shared: symlink.gnu
 link_dso.bsd-shared: link_dso.bsd
 link_shlib.bsd-shared: link_shlib.bsd
 link_app.bsd-shared: link_app.bsd
--- a/5
+++ b/5
@@ -7,6 +7,7 @@

  Major changes between OpenSSL 1.0.2g and OpenSSL 1.1.0 [in pre-release]

+      o "shared" builds are now the default when possible
      o Added support for "pipelining"
      o Added the AFALG engine
      o New threading API implemented
@@ -14,8 +15,8 @@
      o Support for extended master secret
      o CCM ciphersuites
      o Reworked test suite, now based on perl, Test::Harness and Test::More
-      o Various libcrypto structures made opaque including: BIGNUM, EVP_MD,
-        EVP_MD_CTX, HMAC_CTX, EVP_CIPHER and EVP_CIPHER_CTX.
+      o *Most* libcrypto and libssl structures were made opaque including:
+        <TBA>
      o libssl internal structures made opaque
      o SSLv2 support removed
      o Kerberos ciphersuite support removed
--- a/NOTES.VMS
+++ b/NOTES.VMS
@@ -5,8 +5,8 @@
 Requirement details
 -------------------

- In addition to the requirements listed in INSTALL, these are required
- as well:
+ In addition to the requirements and instructions listed in INSTALL,
+ this are required as well:

  * At least ODS-5 disk organization for source and build.
    Installation can be done on any existing disk organization.
@@ -15,11 +15,27 @@
 About ANSI C compiler
 ---------------------

- An ANSI C compiled is needed among other things.  This means that VAX C
- is not and will not be supported.
+ An ANSI C compiled is needed among other things.  This means that
+ VAX C is not and will not be supported.

- We have only tested with DEC C (a.k.a HP VMS C / VSI C), compiling with
- a different ANSI C compiler may require some work.
+ We have only tested with DEC C (a.k.a HP VMS C / VSI C) and require
+ version 7.1 or later.  Compiling with a different ANSI C compiler may
+ require some work.
+
+ Please avoid using C RTL feature logical names DECC$* when building
+ and testing OpenSSL.  Most of all, they can be disruptive when
+ running the tests, as they affect the Perl interpreter.
+
+
+ About MMS and DCL
+ -----------------
+
+ MMS has certain limitations when it comes to line length, and DCL has
+ certain limitations when it comes to total command length.  We do
+ what we can to mitigate, but there is the possibility that it's not
+ enough.  Should you run into issues, a very simple solution is to set
+ yourself up a few logical names for the directory trees you're going
+ to use.


 Checking the distribution
--- a/NOTES.WIN
+++ b/NOTES.WIN
@@ -22,6 +22,31 @@
   supported.


+ Visual C++ (native Windows)
+ ---------------------------
+
+ Installation directories
+
+ The default installation directories are derived from environment
+ variables.
+
+ For VC-WIN32, the following defaults are use:
+
+     PREFIX:      %ProgramFiles(86)%\OpenSSL
+     OPENSSLDIR:  %CommonProgramFiles(86)%\SSL
+
+ For VC-WIN32, the following defaults are use:
+
+     PREFIX:      %ProgramW6432%\OpenSSL
+     OPENSSLDIR:  %CommonProgramW6432%\SSL
+
+ Should those environment variables not exist (on a pure Win32
+ installation for examples), these fallbacks are used:
+
+     PREFIX:      %ProgramFiles%\OpenSSL
+     OPENSSLDIR:  %CommonProgramFiles%\SSL
+
+
 GNU C (Cygwin)
 --------------

@@ -53,8 +78,9 @@
 recognize that binaries targeting Cygwin itself are not interchangeable
 with "conventional" Windows binaries you generate with/for MinGW.

+
 GNU C (MinGW/MSYS)
- -------------
+ ------------------

 * Compiler and shell environment installation:

@@ -73,75 +99,6 @@
   and i686-w64-mingw32-.


- "Classic" builds (Visual C++)
- ----------------
-
- [OpenSSL was classically built using a script called mk1mf.  This is
-  still available by configuring with --classic.  The notes below are
-  using this flag, and are tentative.  Use with care.
-
-  NOTE: this won't be available for long.]
-
- If you want to compile in the assembly language routines with Visual
- C++, then you will need the Netwide Assembler binary, nasmw.exe or nasm.exe, to
- be available on your %PATH%.
-
- Firstly you should run Configure and generate the Makefiles. If you don't want
- the assembly language files then add the "no-asm" option (without quotes) to
- the Configure lines below.
-
- For Win32:
-
- > perl Configure VC-WIN32 --classic --prefix=c:\some\openssl\dir
- > ms\do_nasm
-
- Note: replace the last line above with the following if not using the assembly
- language files:
-
- > ms\do_ms
-
- For Win64/x64:
-
- > perl Configure VC-WIN64A --classic --prefix=c:\some\openssl\dir
- > ms\do_win64a
-
- For Win64/IA64:
-
- > perl Configure VC-WIN64I --classic --prefix=c:\some\openssl\dir
- > ms\do_win64i
-
- Where the prefix argument specifies where OpenSSL will be installed to.
-
- Then from the VC++ environment at a prompt do the following. Note, your %PATH%
- and other environment variables should be set up for 32-bit or 64-bit
- development as appropriate.
-
- > nmake -f ms\ntdll.mak
-
- If all is well it should compile and you will have some DLLs and
- executables in out32dll. If you want to try the tests then do:
-
- > nmake -f ms\ntdll.mak test
-
- To install OpenSSL to the specified location do:
-
- > nmake -f ms\ntdll.mak install
-
- Tweaks:
-
- There are various changes you can make to the Windows compile
- environment. By default the library is not compiled with debugging
- symbols. If you add --debug to the Configure lines above then debugging symbols
- will be compiled in.
-
- By default in 1.1.0 OpenSSL will compile builtin ENGINES into separate shared
- libraries. If you specify the "enable-static-engine" option on the command line
- to Configure the shared library build (ms\ntdll.mak) will compile the engines
- into libcrypto32.dll instead.
-
- You can also build a static version of the library using the Makefile
- ms\nt.mak
-
 Linking your application
 ------------------------

--- a/Netware/build.bat
+++ b/Netware/build.bat
@@ -1,235 +0,0 @@
-@echo off
-
-rem ========================================================================
-rem   Batch file to automate building OpenSSL for NetWare.
-rem
-rem   usage:
-rem      build [target] [debug opts] [assembly opts] [configure opts]
-rem
-rem      target        - "netware-clib" - CLib NetWare build (WinSock Sockets)
-rem                    - "netware-clib-bsdsock" - CLib NetWare build (BSD Sockets)
-rem                    - "netware-libc" - LibC NetWare build (WinSock Sockets)
-rem                    - "netware-libc-bsdsock" - LibC NetWare build (BSD Sockets)
-rem 
-rem      debug opts    - "debug"  - build debug
-rem
-rem      assembly opts - "nw-mwasm" - use Metrowerks assembler
-rem                    - "nw-nasm"  - use NASM assembler
-rem                    - "no-asm"   - don't use assembly
-rem
-rem      configure opts- all unrecognized arguments are passed to the
-rem                       perl configure script
-rem
-rem   If no arguments are specified the default is to build non-debug with
-rem   no assembly.  NOTE: there is no default BLD_TARGET.
-rem
-
-
-
-rem   No assembly is the default - Uncomment section below to change
-rem   the assembler default
-set ASM_MODE=
-set ASSEMBLER=
-set NO_ASM=no-asm
-
-rem   Uncomment to default to the Metrowerks assembler
-rem set ASM_MODE=nw-mwasm
-rem set ASSEMBLER=Metrowerks
-rem set NO_ASM=
-
-rem   Uncomment to default to the NASM assembler
-rem set ASM_MODE=nw-nasm
-rem set ASSEMBLER=NASM
-rem set NO_ASM=
-
-rem   No default Bld target
-set BLD_TARGET=no_target
-rem set BLD_TARGET=netware-clib
-rem set BLD_TARGET=netware-libc
-
-
-rem   Default to build non-debug
-set DEBUG=
-                                    
-rem   Uncomment to default to debug build
-rem set DEBUG=debug
-
-
-set CONFIG_OPTS=
-set ARG_PROCESSED=NO
-
-
-rem   Process command line args
-:opts
-if "a%1" == "a" goto endopt
-if "%1" == "no-asm"   set NO_ASM=no-asm
-if "%1" == "no-asm"   set ARG_PROCESSED=YES
-if "%1" == "debug"    set DEBUG=debug
-if "%1" == "debug"    set ARG_PROCESSED=YES
-if "%1" == "nw-nasm"  set ASM_MODE=nw-nasm
-if "%1" == "nw-nasm"  set ASSEMBLER=NASM
-if "%1" == "nw-nasm"  set NO_ASM=
-if "%1" == "nw-nasm"  set ARG_PROCESSED=YES
-if "%1" == "nw-mwasm" set ASM_MODE=nw-mwasm
-if "%1" == "nw-mwasm" set ASSEMBLER=Metrowerks
-if "%1" == "nw-mwasm" set NO_ASM=
-if "%1" == "nw-mwasm" set ARG_PROCESSED=YES
-if "%1" == "netware-clib" set BLD_TARGET=netware-clib
-if "%1" == "netware-clib" set ARG_PROCESSED=YES
-if "%1" == "netware-clib-bsdsock" set BLD_TARGET=netware-clib-bsdsock
-if "%1" == "netware-clib-bsdsock" set ARG_PROCESSED=YES
-if "%1" == "netware-libc" set BLD_TARGET=netware-libc
-if "%1" == "netware-libc" set ARG_PROCESSED=YES
-if "%1" == "netware-libc-bsdsock" set BLD_TARGET=netware-libc-bsdsock
-if "%1" == "netware-libc-bsdsock" set ARG_PROCESSED=YES
-
-rem   If we didn't recognize the argument, consider it an option for config
-if "%ARG_PROCESSED%" == "NO" set CONFIG_OPTS=%CONFIG_OPTS% %1
-if "%ARG_PROCESSED%" == "YES" set ARG_PROCESSED=NO
-
-shift
-goto opts
-:endopt
-
-rem make sure a valid BLD_TARGET was specified
-if "%BLD_TARGET%" == "no_target" goto no_target
-
-rem build the nlm make file name which includes target and debug info
-set NLM_MAKE=
-if "%BLD_TARGET%" == "netware-clib" set NLM_MAKE=netware\nlm_clib
-if "%BLD_TARGET%" == "netware-clib-bsdsock" set NLM_MAKE=netware\nlm_clib_bsdsock
-if "%BLD_TARGET%" == "netware-libc" set NLM_MAKE=netware\nlm_libc
-if "%BLD_TARGET%" == "netware-libc-bsdsock" set NLM_MAKE=netware\nlm_libc_bsdsock
-if "%DEBUG%" == "" set NLM_MAKE=%NLM_MAKE%.mak
-if "%DEBUG%" == "debug" set NLM_MAKE=%NLM_MAKE%_dbg.mak
-
-if "%NO_ASM%" == "no-asm" set ASM_MODE=
-if "%NO_ASM%" == "no-asm" set ASSEMBLER=
-if "%NO_ASM%" == "no-asm" set CONFIG_OPTS=%CONFIG_OPTS% no-asm
-if "%NO_ASM%" == "no-asm" goto do_config
-
-
-rem ==================================================
-echo Generating x86 for %ASSEMBLER% assembler
-
-echo Bignum
-cd crypto\bn\asm
-rem perl x86.pl %ASM_MODE% > bn-nw.asm
-perl bn-586.pl %ASM_MODE% > bn-nw.asm
-perl co-586.pl %ASM_MODE% > co-nw.asm
-cd ..\..\..
-
-echo AES
-cd crypto\aes\asm
-perl aes-586.pl %ASM_MODE% > a-nw.asm
-cd ..\..\..
-
-echo DES
-cd crypto\des\asm
-perl des-586.pl %ASM_MODE% > d-nw.asm
-cd ..\..\..
-
-echo "crypt(3)"
-
-cd crypto\des\asm
-perl crypt586.pl %ASM_MODE% > y-nw.asm
-cd ..\..\..
-
-echo Blowfish
-
-cd crypto\bf\asm
-perl bf-586.pl %ASM_MODE% > b-nw.asm
-cd ..\..\..
-
-echo CAST5
-cd crypto\cast\asm
-perl cast-586.pl %ASM_MODE% > c-nw.asm
-cd ..\..\..
-
-echo RC4
-cd crypto\rc4\asm
-perl rc4-586.pl %ASM_MODE% > r4-nw.asm
-cd ..\..\..
-
-echo MD5
-cd crypto\md5\asm
-perl md5-586.pl %ASM_MODE% > m5-nw.asm
-cd ..\..\..
-
-echo SHA1
-cd crypto\sha\asm
-perl sha1-586.pl %ASM_MODE% > s1-nw.asm
-perl sha256-586.pl %ASM_MODE% > sha256-nw.asm
-perl sha512-586.pl %ASM_MODE% > sha512-nw.asm
-cd ..\..\..
-
-echo RIPEMD160
-cd crypto\ripemd\asm
-perl rmd-586.pl %ASM_MODE% > rm-nw.asm
-cd ..\..\..
-
-echo RC5\32
-cd crypto\rc5\asm
-perl rc5-586.pl %ASM_MODE% > r5-nw.asm
-cd ..\..\..
-
-echo WHIRLPOOL
-cd crypto\whrlpool\asm
-perl wp-mmx.pl %ASM_MODE% > wp-nw.asm
-cd ..\..\..
-
-echo CPUID
-cd crypto
-perl x86cpuid.pl %ASM_MODE% > x86cpuid-nw.asm
-cd ..\
-
-rem ===============================================================
-rem
-:do_config
-
-echo .
-echo configure options: %CONFIG_OPTS% %BLD_TARGET%
-echo .
-perl configure %CONFIG_OPTS% %BLD_TARGET%
-
-perl util\mkfiles.pl >MINFO
-
-echo .
-echo mk1mf.pl options: %DEBUG% %ASM_MODE% %CONFIG_OPTS% %BLD_TARGET%
-echo .
-perl util\mk1mf.pl %DEBUG% %ASM_MODE% %CONFIG_OPTS% %BLD_TARGET% >%NLM_MAKE%
-
-make -f %NLM_MAKE% vclean
-echo .
-echo The makefile "%NLM_MAKE%" has been created use your maketool to
-echo build (ex: make -f %NLM_MAKE%)
-goto end
-
-rem ===============================================================
-rem
-:no_target
-echo .
-echo .  No build target specified!!!
-echo .
-echo .  usage: build [target] [debug opts] [assembly opts] [configure opts]
-echo .
-echo .     target        - "netware-clib" - CLib NetWare build (WinSock Sockets)
-echo .                   - "netware-clib-bsdsock" - CLib NetWare build (BSD Sockets)
-echo .                   - "netware-libc" - LibC NetWare build (WinSock Sockets)
-echo .                   - "netware-libc-bsdsock" - LibC NetWare build (BSD Sockets)
-echo .
-echo .     debug opts    - "debug"  - build debug
-echo .
-echo .     assembly opts - "nw-mwasm" - use Metrowerks assembler
-echo .                     "nw-nasm"  - use NASM assembler
-echo .                     "no-asm"   - don't use assembly
-echo .
-echo .     configure opts- all unrecognized arguments are passed to the
-echo .                      perl configure script
-echo .
-echo .  If no debug or assembly opts are specified the default is to build
-echo .  non-debug without assembly
-echo .
-
-        
-:end        
--- a/Netware/cpy_tests.bat
+++ b/Netware/cpy_tests.bat
@@ -1,113 +0,0 @@
-@echo off
-
-rem   Batch file to copy OpenSSL stuff to a NetWare server for testing
-
-rem   This batch file will create an "opensssl" directory at the root of the
-rem   specified NetWare drive and copy the required files to run the tests.
-rem   It should be run from inside the "openssl\netware" subdirectory.
-
-rem   Usage:
-rem      cpy_tests.bat <test subdirectory> <NetWare drive>
-rem          <test subdirectory> - out_nw.dbg | out_nw
-rem          <NetWare drive> - any mapped drive letter
-rem
-rem      example ( copy from debug build to m: dirve ):
-rem              cpy_tests.bat out_nw.dbg m:
-rem
-rem      CAUTION:  If a directory named OpenSSL exists on the target drive
-rem                it will be deleted first.
-
-
-if "%1" == "" goto usage
-if "%2" == "" goto usage
-
-rem   Assume running in \openssl directory unless cpy_tests.bat exists then
-rem   it must be the \openssl\netware directory
-set loc=.
-if exist cpy_tests.bat set loc=..
-
-rem   make sure the local build subdirectory specified is valid
-if not exist %loc%\%1\NUL goto invalid_dir
-
-rem   make sure target drive is valid
-if not exist %2\NUL goto invalid_drive
-
-rem   If an OpenSSL directory exists on the target drive, remove it
-if exist %2\openssl\NUL goto remove_openssl
-goto do_copy
-
-:remove_openssl
-echo .
-echo OpenSSL directory exists on %2 - it will be removed!
-pause
-rmdir %2\openssl /s /q
-
-:do_copy
-rem   make an "openssl" directory and others at the root of the NetWare drive
-mkdir %2\openssl
-mkdir %2\openssl\test_out
-mkdir %2\openssl\apps
-mkdir %2\openssl\certs
-mkdir %2\openssl\test
-
-
-rem   copy the test nlms
-copy %loc%\%1\*.nlm %2\openssl\
-
-rem   copy the test perl script
-copy %loc%\netware\do_tests.pl %2\openssl\
-
-rem   copy the certs directory stuff
-xcopy %loc%\certs\*.*         %2\openssl\certs\ /s
-
-rem   copy the test directory stuff
-copy %loc%\test\CAss.cnf      %2\openssl\test\
-copy %loc%\test\Uss.cnf       %2\openssl\test\
-copy %loc%\test\pkcs7.pem     %2\openssl\test\
-copy %loc%\test\pkcs7-1.pem   %2\openssl\test\
-copy %loc%\test\testcrl.pem   %2\openssl\test\
-copy %loc%\test\testp7.pem    %2\openssl\test\
-copy %loc%\test\testreq2.pem  %2\openssl\test\
-copy %loc%\test\testrsa.pem   %2\openssl\test\
-copy %loc%\test\testsid.pem   %2\openssl\test\
-copy %loc%\test\testx509.pem  %2\openssl\test\
-copy %loc%\test\v3-cert1.pem  %2\openssl\test\
-copy %loc%\test\v3-cert2.pem  %2\openssl\test\
-copy %loc%\crypto\evp\evptests.txt %2\openssl\test\
-
-rem   copy the apps directory stuff
-copy %loc%\apps\client.pem    %2\openssl\apps\
-copy %loc%\apps\server.pem    %2\openssl\apps\
-copy %loc%\apps\openssl.cnf   %2\openssl\apps\
-
-echo .
-echo Tests copied
-echo Run the test script at the console by typing:
-echo     "Perl \openssl\do_tests.pl"
-echo .
-echo Make sure the Search path includes the OpenSSL subdirectory
-
-goto end
-
-:invalid_dir
-echo.
-echo Invalid build directory specified: %1
-echo.
-goto usage
-
-:invalid_drive
-echo.
-echo Invalid drive: %2
-echo.
-goto usage
-
-:usage
-echo.
-echo usage: cpy_tests.bat [test subdirectory] [NetWare drive]
-echo     [test subdirectory] - out_nw_clib.dbg, out_nw_libc.dbg, etc. 
-echo     [NetWare drive]     - any mapped drive letter
-echo.
-echo example: cpy_test out_nw_clib.dbg M:
-echo  (copy from clib debug build area to M: drive)
-
-:end
--- a/Netware/do_tests.pl
+++ b/Netware/do_tests.pl
@@ -1,592 +0,0 @@
-# perl script to run OpenSSL tests
-
-
-my $base_path      = "\\openssl";
-
-my $output_path    = "$base_path\\test_out";
-my $cert_path      = "$base_path\\certs";
-my $test_path      = "$base_path\\test";
-my $app_path       = "$base_path\\apps";
-
-my $tmp_cert       = "$output_path\\cert.tmp";
-my $OpenSSL_config = "$app_path\\openssl.cnf";
-my $log_file       = "$output_path\\tests.log";
-
-my $pause = 0;
-
-
-#  process the command line args to see if they wanted us to pause
-#  between executing each command
-foreach $i (@ARGV)
-{
-   if ($i =~ /^-p$/)
-   { $pause=1; }
-}
-
-
-
-main();
-
-
-############################################################################
-sub main()
-{
-   # delete all the output files in the output directory
-   unlink <$output_path\\*.*>;
-
-   # open the main log file
-   open(OUT, ">$log_file") || die "unable to open $log_file\n";
-
-   print( OUT "========================================================\n");
-   my $outFile = "$output_path\\version.out";
-   system("openssl2 version (CLIB_OPT)/>$outFile");
-   log_output("CHECKING FOR OPENSSL VERSION:", $outFile);
-
-   algorithm_tests();
-   encryption_tests();
-   evp_tests();
-   pem_tests();
-   verify_tests();
-   ca_tests();
-   ssl_tests();
-
-   close(OUT);
-
-   print("\nCompleted running tests.\n\n");
-   print("Check log file for errors: $log_file\n");
-}
-
-############################################################################
-sub algorithm_tests
-{
-   my $i;
-   my $outFile;
-   my @tests = ( rsa_test, destest, ideatest, bftest, bntest, shatest, sha1test,
-                 sha256t, sha512t, dsatest, md2test, md4test, md5test, mdc2test,
-                 rc2test, rc4test, rc5test, randtest, rmdtest, dhtest, ecdhtest,
-                 ecdsatest, ectest, exptest, casttest, hmactest );
-
-   print( "\nRUNNING CRYPTO ALGORITHM TESTS:\n\n");
-
-   print( OUT "\n========================================================\n");
-   print( OUT "CRYPTO ALGORITHM TESTS:\n\n");
-
-   foreach $i (@tests)
-   {
-      if (-e "$base_path\\$i.nlm")
-      {
-         $outFile = "$output_path\\$i.out";
-         system("$i (CLIB_OPT)/>$outFile");
-         log_desc("Test: $i\.nlm:");
-         log_output("", $outFile );
-      }
-      else
-      {
-         log_desc("Test: $i\.nlm: file not found");
-      }
-   }
-}
-
-############################################################################
-sub encryption_tests
-{
-   my $i;
-   my $outFile;
-   my @enc_tests = ( "enc", "rc4", "des-cfb", "des-ede-cfb", "des-ede3-cfb",
-                     "des-ofb", "des-ede-ofb", "des-ede3-ofb",
-                     "des-ecb", "des-ede", "des-ede3", "des-cbc",
-                     "des-ede-cbc", "des-ede3-cbc", "idea-ecb", "idea-cfb",
-                     "idea-ofb", "idea-cbc", "rc2-ecb", "rc2-cfb",
-                     "rc2-ofb", "rc2-cbc", "bf-ecb", "bf-cfb",
-                     "bf-ofb", "bf-cbc" );
-
-   my $input = "$base_path\\do_tests.pl";
-   my $cipher = "$output_path\\cipher.out";
-   my $clear = "$output_path\\clear.out";
-
-   print( "\nRUNNING ENCRYPTION & DECRYPTION TESTS:\n\n");
-
-   print( OUT "\n========================================================\n");
-   print( OUT "FILE ENCRYPTION & DECRYPTION TESTS:\n\n");
-
-   foreach $i (@enc_tests)
-   {
-      log_desc("Testing: $i");
-
-      # do encryption
-      $outFile = "$output_path\\enc.out";
-      system("openssl2 $i -e -bufsize 113 -k test -in $input -out $cipher (CLIB_OPT)/>$outFile" );
-      log_output("Encrypting: $input --> $cipher", $outFile);
-
-      # do decryption
-      $outFile = "$output_path\\dec.out";
-      system("openssl2 $i -d -bufsize 157 -k test -in $cipher -out $clear (CLIB_OPT)/>$outFile");
-      log_output("Decrypting: $cipher --> $clear", $outFile);
-
-      # compare files
-      $x = compare_files( $input, $clear, 1);
-      if ( $x == 0 )
-      {
-         print( "\rSUCCESS - files match: $input, $clear\n");
-         print( OUT "SUCCESS - files match: $input, $clear\n");
-      }
-      else
-      {
-         print( "\rERROR: files don't match\n");
-         print( OUT "ERROR: files don't match\n");
-      }
-
-      do_wait();
-
-      # Now do the same encryption but use Base64
-
-      # do encryption B64
-      $outFile = "$output_path\\B64enc.out";
-      system("openssl2 $i -a -e -bufsize 113 -k test -in $input -out $cipher (CLIB_OPT)/>$outFile");
-      log_output("Encrypting(B64): $cipher --> $clear", $outFile);
-
-      # do decryption B64
-      $outFile = "$output_path\\B64dec.out";
-      system("openssl2 $i -a -d -bufsize 157 -k test -in $cipher -out $clear (CLIB_OPT)/>$outFile");
-      log_output("Decrypting(B64): $cipher --> $clear", $outFile);
-
-      # compare files
-      $x = compare_files( $input, $clear, 1);
-      if ( $x == 0 )
-      {
-         print( "\rSUCCESS - files match: $input, $clear\n");
-         print( OUT "SUCCESS - files match: $input, $clear\n");
-      }
-      else
-      {
-         print( "\rERROR: files don't match\n");
-         print( OUT "ERROR: files don't match\n");
-      }
-
-      do_wait();
-
-   } # end foreach
-
-   # delete the temporary files
-   unlink($cipher);
-   unlink($clear);
-}
-
-
-############################################################################
-sub pem_tests
-{
-   my $i;
-   my $tmp_out;
-   my $outFile = "$output_path\\pem.out";
-
-   my %pem_tests = (
-         "crl"      => "testcrl.pem",
-          "pkcs7"   => "testp7.pem",
-          "req"     => "testreq2.pem",
-          "rsa"     => "testrsa.pem",
-          "x509"    => "testx509.pem",
-          "x509"    => "v3-cert1.pem",
-          "sess_id" => "testsid.pem"  );
-
-
-   print( "\nRUNNING PEM TESTS:\n\n");
-
-   print( OUT "\n========================================================\n");
-   print( OUT "PEM TESTS:\n\n");
-
-   foreach $i (keys(%pem_tests))
-   {
-      log_desc( "Testing: $i");
-
-      my $input = "$test_path\\$pem_tests{$i}";
-
-      $tmp_out = "$output_path\\$pem_tests{$i}";
-
-      if ($i ne "req" )
-      {
-         system("openssl2 $i -in $input -out $tmp_out (CLIB_OPT)/>$outFile");
-         log_output( "openssl2 $i -in $input -out $tmp_out", $outFile);
-      }
-      else
-      {
-         system("openssl2 $i -in $input -out $tmp_out -config $OpenSSL_config (CLIB_OPT)/>$outFile");
-         log_output( "openssl2 $i -in $input -out $tmp_out -config $OpenSSL_config", $outFile );
-      }
-
-      $x = compare_files( $input, $tmp_out);
-      if ( $x == 0 )
-      {
-         print( "\rSUCCESS - files match: $input, $tmp_out\n");
-         print( OUT "SUCCESS - files match: $input, $tmp_out\n");
-      }
-      else
-      {
-         print( "\rERROR: files don't match\n");
-         print( OUT "ERROR: files don't match\n");
-      }
-      do_wait();
-
-   } # end foreach
-}
-
-
-############################################################################
-sub verify_tests
-{
-   my $i;
-   my $outFile = "$output_path\\verify.out";
-
-   $cert_path =~ s/\\/\//g;
-   my @cert_files = <$cert_path/*.pem>;
-
-   print( "\nRUNNING VERIFY TESTS:\n\n");
-
-   print( OUT "\n========================================================\n");
-   print( OUT "VERIFY TESTS:\n\n");
-
-   make_tmp_cert_file();
-
-   foreach $i (@cert_files)
-   {
-      system("openssl2 verify -CAfile $tmp_cert $i (CLIB_OPT)/>$outFile");
-      log_desc("Verifying cert: $i");
-      log_output("openssl2 verify -CAfile $tmp_cert $i", $outFile);
-   }
-}
-
-
-############################################################################
-sub ssl_tests
-{
-   my $outFile = "$output_path\\ssl_tst.out";
-   my($CAcert) = "$output_path\\certCA.ss";
-   my($Ukey)   = "$output_path\\keyU.ss";
-   my($Ucert)  = "$output_path\\certU.ss";
-   my($ssltest)= "ssltest -key $Ukey -cert $Ucert -c_key $Ukey -c_cert $Ucert -CAfile $CAcert";
-
-   print( "\nRUNNING SSL TESTS:\n\n");
-
-   print( OUT "\n========================================================\n");
-   print( OUT "SSL TESTS:\n\n");
-
-   system("ssltest -ssl3 (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv3:");
-   log_output("ssltest -ssl3", $outFile);
-
-   system("$ssltest -ssl3 -server_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv3 with server authentication:");
-   log_output("$ssltest -ssl3 -server_auth", $outFile);
-
-   system("$ssltest -ssl3 -client_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv3 with client authentication:");
-   log_output("$ssltest -ssl3 -client_auth", $outFile);
-
-   system("$ssltest -ssl3 -server_auth -client_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv3 with both client and server authentication:");
-   log_output("$ssltest -ssl3 -server_auth -client_auth", $outFile);
-
-   system("ssltest (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2/sslv3:");
-   log_output("ssltest", $outFile);
-
-   system("$ssltest -server_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2/sslv3 with server authentication:");
-   log_output("$ssltest -server_auth", $outFile);
-
-   system("$ssltest -client_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2/sslv3 with client authentication:");
-   log_output("$ssltest -client_auth ", $outFile);
-
-   system("$ssltest -server_auth -client_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2/sslv3 with both client and server authentication:");
-   log_output("$ssltest -server_auth -client_auth", $outFile);
-
-   system("ssltest -bio_pair -dhe1024dsa -v (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2/sslv3 with 1024 bit DHE via BIO pair:");
-   log_output("ssltest -bio_pair -dhe1024dsa -v", $outFile);
-
-   system("ssltest -bio_pair -ssl3 (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv3 via BIO pair:");
-   log_output("ssltest -bio_pair -ssl3", $outFile);
-
-   system("$ssltest -bio_pair -ssl3 -server_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv3 with server authentication via BIO pair:");
-   log_output("$ssltest -bio_pair -ssl3 -server_auth", $outFile);
-
-   system("$ssltest -bio_pair -ssl3 -client_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv3 with client authentication  via BIO pair:");
-   log_output("$ssltest -bio_pair -ssl3 -client_auth", $outFile);
-
-   system("$ssltest -bio_pair -ssl3 -server_auth -client_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv3 with both client and server authentication via BIO pair:");
-   log_output("$ssltest -bio_pair -ssl3 -server_auth -client_auth", $outFile);
-
-   system("ssltest -bio_pair (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2/sslv3 via BIO pair:");
-   log_output("ssltest -bio_pair", $outFile);
-
-   system("$ssltest -bio_pair -server_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2/sslv3 with server authentication via BIO pair:");
-   log_output("$ssltest -bio_pair -server_auth", $outFile);
-
-   system("$ssltest -bio_pair -client_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2/sslv3 with client authentication via BIO pair:");
-   log_output("$ssltest -bio_pair -client_auth", $outFile);
-
-   system("$ssltest -bio_pair -server_auth -client_auth (CLIB_OPT)/>$outFile");
-   log_desc("Testing sslv2/sslv3 with both client and server authentication via BIO pair:");
-   log_output("$ssltest -bio_pair -server_auth -client_auth", $outFile);
-}
-
-
-############################################################################
-sub ca_tests
-{
-   my $outFile = "$output_path\\ca_tst.out";
-
-   my($CAkey)     = "$output_path\\keyCA.ss";
-   my($CAcert)    = "$output_path\\certCA.ss";
-   my($CAserial)  = "$output_path\\certCA.srl";
-   my($CAreq)     = "$output_path\\reqCA.ss";
-   my($CAreq2)    = "$output_path\\req2CA.ss";
-
-   my($CAconf)    = "$test_path\\CAss.cnf";
-
-   my($Uconf)     = "$test_path\\Uss.cnf";
-
-   my($Ukey)      = "$output_path\\keyU.ss";
-   my($Ureq)      = "$output_path\\reqU.ss";
-   my($Ucert)     = "$output_path\\certU.ss";
-
-   print( "\nRUNNING CA TESTS:\n\n");
-
-   print( OUT "\n========================================================\n");
-   print( OUT "CA TESTS:\n");
-
-   system("openssl2 req -config $CAconf -out $CAreq -keyout $CAkey -new (CLIB_OPT)/>$outFile");
-   log_desc("Make a certificate request using req:");
-   log_output("openssl2 req -config $CAconf -out $CAreq -keyout $CAkey -new", $outFile);
-
-   system("openssl2 x509 -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey (CLIB_OPT)/>$outFile");
-   log_desc("Convert the certificate request into a self signed certificate using x509:");
-   log_output("openssl2 x509 -CAcreateserial -in $CAreq -days 30 -req -out $CAcert -signkey $CAkey", $outFile);
-
-   system("openssl2 x509 -in $CAcert -x509toreq -signkey $CAkey -out $CAreq2 (CLIB_OPT)/>$outFile");
-   log_desc("Convert a certificate into a certificate request using 'x509':");
-   log_output("openssl2 x509 -in $CAcert -x509toreq -signkey $CAkey -out $CAreq2", $outFile);
-
-   system("openssl2 req -config $OpenSSL_config -verify -in $CAreq -noout (CLIB_OPT)/>$outFile");
-   log_output("openssl2 req -config $OpenSSL_config -verify -in $CAreq -noout", $outFile);
-
-   system("openssl2 req -config $OpenSSL_config -verify -in $CAreq2 -noout (CLIB_OPT)/>$outFile");
-   log_output( "openssl2 req -config $OpenSSL_config -verify -in $CAreq2 -noout", $outFile);
-
-   system("openssl2 verify -CAfile $CAcert $CAcert (CLIB_OPT)/>$outFile");
-   log_output("openssl2 verify -CAfile $CAcert $CAcert", $outFile);
-
-   system("openssl2 req -config $Uconf -out $Ureq -keyout $Ukey -new (CLIB_OPT)/>$outFile");
-   log_desc("Make another certificate request using req:");
-   log_output("openssl2 req -config $Uconf -out $Ureq -keyout $Ukey -new", $outFile);
-
-   system("openssl2 x509 -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey -CAserial $CAserial (CLIB_OPT)/>$outFile");
-   log_desc("Sign certificate request with the just created CA via x509:");
-   log_output("openssl2 x509 -CAcreateserial -in $Ureq -days 30 -req -out $Ucert -CA $CAcert -CAkey $CAkey -CAserial $CAserial", $outFile);
-
-   system("openssl2 verify -CAfile $CAcert $Ucert (CLIB_OPT)/>$outFile");
-   log_output("openssl2 verify -CAfile $CAcert $Ucert", $outFile);
-
-   system("openssl2 x509 -subject -issuer -startdate -enddate -noout -in $Ucert (CLIB_OPT)/>$outFile");
-   log_desc("Certificate details");
-   log_output("openssl2 x509 -subject -issuer -startdate -enddate -noout -in $Ucert", $outFile);
-
-   print(OUT "--\n");
-   print(OUT "The generated CA certificate is $CAcert\n");
-   print(OUT "The generated CA private key is $CAkey\n");
-   print(OUT "The current CA signing serial number is in $CAserial\n");
-
-   print(OUT "The generated user certificate is $Ucert\n");
-   print(OUT "The generated user private key is $Ukey\n");
-   print(OUT "--\n");
-}
-
-############################################################################
-sub evp_tests
-{
-   my $i = 'evp_test';
-
-   print( "\nRUNNING EVP TESTS:\n\n");
-
-   print( OUT "\n========================================================\n");
-   print( OUT "EVP TESTS:\n\n");
-
-   if (-e "$base_path\\$i.nlm")
-   {
-       my $outFile = "$output_path\\$i.out";
-       system("$i $test_path\\evptests.txt (CLIB_OPT)/>$outFile");
-       log_desc("Test: $i\.nlm:");
-       log_output("", $outFile );
-   }
-   else
-   {
-       log_desc("Test: $i\.nlm: file not found");
-   }
-}
-
-############################################################################
-sub log_output( $ $ )
-{
-   my( $desc, $file ) = @_;
-   my($error) = 0;
-   my($key);
-   my($msg);
-
-   if ($desc)
-   {
-      print("\r$desc\n");
-      print(OUT "$desc\n");
-   }
-
-      # loop waiting for test program to complete
-   while ( stat($file) == 0)
-      { print(". "); sleep(1); }
-
-
-      # copy test output to log file
-   open(IN, "<$file");
-   while (<IN>)
-   {
-      print(OUT $_);
-      if ( $_ =~ /ERROR/ )
-      {
-         $error = 1;
-      }
-   }
-      # close and delete the temporary test output file
-   close(IN);
-   unlink($file);
-
-   if ( $error == 0 )
-   {
-      $msg = "Test Succeeded";
-   }
-   else
-   {
-      $msg = "Test Failed";
-   }
-
-   print(OUT "$msg\n");
-
-   if ($pause)
-   {
-      print("$msg - press ENTER to continue...");
-      $key = getc;
-      print("\n");
-   }
-
-      # Several of the testing scripts run a loop loading the
-      # same NLM with different options.
-      # On slow NetWare machines there appears to be some delay in the
-      # OS actually unloading the test nlms and the OS complains about.
-      # the NLM already being loaded.  This additional pause is to
-      # to help provide a little more time for unloading before trying to
-      # load again.
-   sleep(1);
-}
-
-
-############################################################################
-sub log_desc( $ )
-{
-   my( $desc ) = @_;
-
-   print("\n");
-   print("$desc\n");
-
-   print(OUT "\n");
-   print(OUT "$desc\n");
-   print(OUT "======================================\n");
-}
-
-############################################################################
-sub compare_files( $ $ $ )
-{
-   my( $file1, $file2, $binary ) = @_;
-   my( $n1, $n2, $b1, $b2 );
-   my($ret) = 1;
-
-   open(IN0, $file1) || die "\nunable to open $file1\n";
-   open(IN1, $file2) || die "\nunable to open $file2\n";
-
-  if ($binary)
-  {
-      binmode IN0;
-      binmode IN1;
-  }
-
-   for (;;)
-   {
-      $n1 = read(IN0, $b1, 512);
-      $n2 = read(IN1, $b2, 512);
-
-      if ($n1 != $n2) {last;}
-      if ($b1 != $b2) {last;}
-
-      if ($n1 == 0)
-      {
-         $ret = 0;
-         last;
-      }
-   }
-   close(IN0);
-   close(IN1);
-   return($ret);
-}
-
-############################################################################
-sub do_wait()
-{
-   my($key);
-
-   if ($pause)
-   {
-      print("Press ENTER to continue...");
-      $key = getc;
-      print("\n");
-   }
-}
-
-
-############################################################################
-sub make_tmp_cert_file()
-{
-   my @cert_files = <$cert_path/*.pem>;
-
-      # delete the file if it already exists
-   unlink($tmp_cert);
-
-   open( TMP_CERT, ">$tmp_cert") || die "\nunable to open $tmp_cert\n";
-
-   print("building temporary cert file\n");
-
-   # create a temporary cert file that contains all the certs
-   foreach $i (@cert_files)
-   {
-      open( IN_CERT, $i ) || die "\nunable to open $i\n";
-
-      for(;;)
-      {
-         $n = sysread(IN_CERT, $data, 1024);
-
-         if ($n == 0)
-         {
-            close(IN_CERT);
-            last;
-         };
-
-         syswrite(TMP_CERT, $data, $n);
-      }
-   }
-
-   close( TMP_CERT );
-}
--- a/Netware/globals.txt
+++ b/Netware/globals.txt
@@ -1,254 +0,0 @@
-An initial review of the OpenSSL code was done to determine how many 
-global variables where present.  The idea was to determine the amount of 
-work required to pull the globals into an instance data structure in 
-order to build a Library NLM for NetWare.  This file contains the results 
-of the review.  Each file is listed along with the globals in the file.  
-The initial review was done very quickly so this list is probably
-not a comprehensive list.
-
-
-cryptlib.c
-===========================================
-
-static STACK *app_locks=NULL;
-
-static STACK_OF(CRYPTO_dynlock) *dyn_locks=NULL;
-
-static void (MS_FAR *locking_callback)(int mode,int type,
-   const char *file,int line)=NULL;
-static int (MS_FAR *add_lock_callback)(int *pointer,int amount,
-   int type,const char *file,int line)=NULL;
-static unsigned long (MS_FAR *id_callback)(void)=NULL;
-static struct CRYPTO_dynlock_value *(MS_FAR *dynlock_create_callback)
-   (const char *file,int line)=NULL;
-static void (MS_FAR *dynlock_lock_callback)(int mode,
-   struct CRYPTO_dynlock_value *l, const char *file,int line)=NULL;
-static void (MS_FAR *dynlock_destroy_callback)(struct CRYPTO_dynlock_value *l,
-   const char *file,int line)=NULL;
-
-
-mem.c
-===========================================
-static int allow_customize = 1;      /* we provide flexible functions for */
-static int allow_customize_debug = 1;/* exchanging memory-related functions at
-
-/* may be changed as long as `allow_customize' is set */
-static void *(*malloc_locked_func)(size_t)  = malloc;
-static void (*free_locked_func)(void *)     = free;
-static void *(*malloc_func)(size_t)         = malloc;
-static void *(*realloc_func)(void *, size_t)= realloc;
-static void (*free_func)(void *)            = free;
-
-/* use default functions from mem_dbg.c */
-static void (*malloc_debug_func)(void *,int,const char *,int,int)
-   = CRYPTO_dbg_malloc;
-static void (*realloc_debug_func)(void *,void *,int,const char *,int,int)
-   = CRYPTO_dbg_realloc;
-static void (*free_debug_func)(void *,int) = CRYPTO_dbg_free;
-static void (*set_debug_options_func)(long) = CRYPTO_dbg_set_options;
-static long (*get_debug_options_func)(void) = CRYPTO_dbg_get_options;
-
-
-mem_dbg.c
-===========================================
-static int mh_mode=CRYPTO_MEM_CHECK_OFF;
-static unsigned long order = 0; /* number of memory requests */
-static LHASH *mh=NULL; /* hash-table of memory requests (address as key) */
-
-static LHASH *amih=NULL; /* hash-table with those app_mem_info_st's */
-static long options =             /* extra information to be recorded */
-static unsigned long disabling_thread = 0;
-
-
-err.c
-===========================================
-static LHASH *error_hash=NULL;
-static LHASH *thread_hash=NULL;
-
-several files have routines with static "init" to track if error strings
-   have been loaded ( may not want separate error strings for each process )
-   The "init" variable can't be left "global" because the error has is a ptr
-   that is malloc'ed.  The malloc'ed error has is dependant on the "init"
-   vars.
-
-   files:
-      pem_err.c
-      cpt_err.c
-      pk12err.c
-      asn1_err.c
-      bio_err.c
-      bn_err.c
-      buf_err.c
-      comp_err.c
-      conf_err.c
-      cpt_err.c
-      dh_err.c
-      dsa_err.c
-      dso_err.c
-      evp_err.c
-      obj_err.c
-      pkcs7err.c
-      rand_err.c
-      rsa_err.c
-      rsar_err.c
-      ssl_err.c
-      x509_err.c
-      v3err.c
-		err.c
-
-These file have similar "init" globals but they are for other stuff not
-error strings:
-
-		bn_lib.c
-		ecc_enc.c
-		s23_clnt.c
-		s23_meth.c
-		s23_srvr.c
-		s2_clnt.c
-		s2_lib.c
-		s2_meth.c
-		s2_srvr.c
-		s3_clnt.c
-		s3_lib.c
-		s3_srvr.c
-		t1_clnt.c
-		t1_meth.c
-		t1_srvr.c
-
-rand_lib.c
-===========================================
-static RAND_METHOD *rand_meth= &rand_ssleay_meth;
-
-md_rand.c
-===========================================
-static int state_num=0,state_index=0;
-static unsigned char state[STATE_SIZE+MD_DIGEST_LENGTH];
-static unsigned char md[MD_DIGEST_LENGTH];
-static long md_count[2]={0,0};
-static double entropy=0;
-static int initialized=0;
-
-/* This should be set to 1 only when ssleay_rand_add() is called inside
-   an already locked state, so it doesn't try to lock and thereby cause
-   a hang.  And it should always be reset back to 0 before unlocking. */
-static int add_do_not_lock=0;
-
-obj_dat.c
-============================================
-static int new_nid=NUM_NID;
-static LHASH *added=NULL;
-
-b_sock.c
-===========================================
-static unsigned long BIO_ghbn_hits=0L;
-static unsigned long BIO_ghbn_miss=0L;
-static struct ghbn_cache_st
-   {
-   char name[129];
-   struct hostent *ent;
-   unsigned long order;
-   } ghbn_cache[GHBN_NUM];
-
-static int wsa_init_done=0;
-
-
-bio_lib.c
-===========================================
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *bio_meth=NULL;
-static int bio_meth_num=0;
-
-
-bn_lib.c
-========================================
-static int bn_limit_bits=0;
-static int bn_limit_num=8;        /* (1<<bn_limit_bits) */
-static int bn_limit_bits_low=0;
-static int bn_limit_num_low=8;    /* (1<<bn_limit_bits_low) */
-static int bn_limit_bits_high=0;
-static int bn_limit_num_high=8;   /* (1<<bn_limit_bits_high) */
-static int bn_limit_bits_mont=0;
-static int bn_limit_num_mont=8;   /* (1<<bn_limit_bits_mont) */
-
-conf_lib.c
-========================================
-static CONF_METHOD *default_CONF_method=NULL;
-
-dh_lib.c
-========================================
-static DH_METHOD *default_DH_method;
-static int dh_meth_num = 0;
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *dh_meth = NULL;
-
-dsa_lib.c
-========================================
-static DSA_METHOD *default_DSA_method;
-static int dsa_meth_num = 0;
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *dsa_meth = NULL;
-
-dso_lib.c
-========================================
-static DSO_METHOD *default_DSO_meth = NULL;
-
-rsa_lib.c
-========================================
-static RSA_METHOD *default_RSA_meth=NULL;
-static int rsa_meth_num=0;
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *rsa_meth=NULL;
-
-x509_trs.c
-=======================================
-static int (*default_trust)(int id, X509 *x, int flags) = obj_trust;
-static STACK_OF(X509_TRUST) *trtable = NULL;
-
-x509_req.c
-=======================================
-static int *ext_nids = ext_nid_list;
-
-o_names.c
-======================================
-static LHASH *names_lh=NULL;
-static STACK_OF(NAME_FUNCS) *name_funcs_stack;
-static int free_type;
-static int names_type_num=OBJ_NAME_TYPE_NUM;
-
-
-th-lock.c - NEED to add support for locking for NetWare
-==============================================
-static long *lock_count;
-(other platform specific globals)
-
-x_x509.c
-==============================================
-static int x509_meth_num = 0;
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_meth = NULL;
-
-
-evp_pbe.c
-============================================
-static STACK *pbe_algs;
-
-evp_key.c
-============================================
-static char prompt_string[80];
-
-ssl_ciph.c
-============================================
-static STACK_OF(SSL_COMP) *ssl_comp_methods=NULL;
-
-ssl_lib.c
-=============================================
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *ssl_meth=NULL;
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *ssl_ctx_meth=NULL;
-static int ssl_meth_num=0;
-static int ssl_ctx_meth_num=0;
-
-ssl_sess.c
-=============================================
-static int ssl_session_num=0;
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *ssl_session_meth=NULL;
-
-x509_vfy.c
-============================================
-static STACK_OF(CRYPTO_EX_DATA_FUNCS) *x509_store_ctx_method=NULL;
-static int x509_store_ctx_num=0;
-
--- a/Netware/readme.txt
+++ b/Netware/readme.txt
@@ -1,19 +0,0 @@
-
-Contents of the openssl\netware directory
-==========================================
-
-Regular files:
-
-readme.txt     - this file
-do_tests.pl    - perl script used to run the OpenSSL tests on NetWare
-cpy_tests.bat  - batch to to copy test stuff to NetWare server
-build.bat      - batch file to help with builds
-set_env.bat    - batch file to help setup build environments
-globals.txt    - results of initial code review to identify OpenSSL global variables
-
-
-The following files are generated by the various scripts.  They are
-recreated each time and it is okay to delete them.
-
-*.def - command files used by Metrowerks linker
-*.mak - make files generated by mk1mf.pl
--- a/Netware/set_env.bat
+++ b/Netware/set_env.bat
@@ -1,112 +0,0 @@
-@echo off
-
-rem ========================================================================
-rem   Batch file to assist in setting up the necessary environment for
-rem   building OpenSSL for NetWare.
-rem
-rem   usage:
-rem      set_env [target]
-rem
-rem      target      - "netware-clib" - Clib build
-rem                  - "netware-libc" - LibC build
-rem
-rem
-
-if "a%1" == "a" goto usage
-               
-set LIBC_BUILD=
-set CLIB_BUILD=
-set GNUC=
-
-if "%1" == "netware-clib" set CLIB_BUILD=Y
-if "%1" == "netware-clib" set LIBC_BUILD=
-
-if "%1" == "netware-libc" set LIBC_BUILD=Y
-if "%1" == "netware-libc" set CLIB_BUILD=
-
-if "%2" == "gnuc" set GNUC=Y
-if "%2" == "codewarrior" set GNUC=
-
-rem   Location of tools (compiler, linker, etc)
-if "%NDKBASE%" == "" set NDKBASE=c:\Novell
-
-rem   If Perl for Win32 is not already in your path, add it here
-set PERL_PATH=
-
-rem   Define path to the Metrowerks command line tools
-rem   or GNU Crosscompiler gcc / nlmconv
-rem   ( compiler, assembler, linker)
-if "%GNUC%" == "Y" set COMPILER_PATH=c:\usr\i586-netware\bin;c:\usr\bin
-if "%GNUC%" == "" set COMPILER_PATH=c:\prg\cwcmdl40
-
-rem   If using gnu make define path to utility
-rem set GNU_MAKE_PATH=%NDKBASE%\gnu
-set GNU_MAKE_PATH=c:\prg\tools
-
-rem   If using ms nmake define path to nmake
-rem set MS_NMAKE_PATH=%NDKBASE%\msvc\600\bin
-
-rem   If using NASM assembler define path
-rem set NASM_PATH=%NDKBASE%\nasm
-set NASM_PATH=c:\prg\tools
-
-rem   Update path to include tool paths
-set path=%path%;%COMPILER_PATH%
-if not "%GNU_MAKE_PATH%" == "" set path=%path%;%GNU_MAKE_PATH%
-if not "%MS_NMAKE_PATH%" == "" set path=%path%;%MS_NMAKE_PATH%
-if not "%NASM_PATH%"     == "" set path=%path%;%NASM_PATH%
-if not "%PERL_PATH%"     == "" set path=%path%;%PERL_PATH%
-
-rem   Set INCLUDES to location of Novell NDK includes
-if "%LIBC_BUILD%" == "Y" set INCLUDE=%NDKBASE%\ndk\libc\include;%NDKBASE%\ndk\libc\include\winsock
-if "%CLIB_BUILD%" == "Y" set INCLUDE=%NDKBASE%\ndk\nwsdk\include\nlm;%NDKBASE%\ws295sdk\include
-
-rem   Set Imports to location of Novell NDK import files
-if "%LIBC_BUILD%" == "Y" set IMPORTS=%NDKBASE%\ndk\libc\imports
-if "%CLIB_BUILD%" == "Y" set IMPORTS=%NDKBASE%\ndk\nwsdk\imports
-
-rem   Set PRELUDE to the absolute path of the prelude object to link with in
-rem   the Metrowerks NetWare PDK - NOTE: for Clib builds "clibpre.o" is 
-rem   recommended, for LibC NKS builds libcpre.o must be used
-if "%GNUC%" == "Y" goto gnuc
-if "%LIBC_BUILD%" == "Y" set PRELUDE=%IMPORTS%\libcpre.o
-rem if "%CLIB_BUILD%" == "Y" set PRELUDE=%IMPORTS%\clibpre.o
-if "%CLIB_BUILD%" == "Y" set PRELUDE=%IMPORTS%\prelude.o
-echo using MetroWerks CodeWarrior 
-goto info
-
-:gnuc
-if "%LIBC_BUILD%" == "Y" set PRELUDE=%IMPORTS%\libcpre.gcc.o
-rem if "%CLIB_BUILD%" == "Y" set PRELUDE=%IMPORTS%\clibpre.gcc.o
-if "%CLIB_BUILD%" == "Y" set PRELUDE=%IMPORTS%\prelude.gcc.o
-echo using GNU GCC Compiler 
-
-:info
-echo.
-
-if "%LIBC_BUILD%" == "Y" echo Environment configured for LibC build
-if "%LIBC_BUILD%" == "Y" echo use "netware\build.bat netware-libc ..." 
-
-if "%CLIB_BUILD%" == "Y" echo Environment configured for CLib build
-if "%CLIB_BUILD%" == "Y" echo use "netware\build.bat netware-clib ..." 
-
-goto end
-
-:usage
-rem ===============================================================
-echo.
-echo No target build specified!
-echo.
-echo usage: set_env [target] [compiler]
-echo.
-echo target      - "netware-clib" - Clib build
-echo             - "netware-libc" - LibC build
-echo.
-echo compiler    - "gnuc"         - GNU GCC Compiler
-echo             - "codewarrior"  - MetroWerks CodeWarrior (default)
-echo.
-
-:end
-echo.
-
-
--- a/12
+++ b/12
@@ -1,5 +1,5 @@

- OpenSSL 1.1.0-pre4 (beta) 16 Mar 2016
+ OpenSSL 1.1.0-pre5 (beta) 19 Apr 2016

 Copyright (c) 1998-2016 The OpenSSL Project
 Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
@@ -27,10 +27,10 @@

 The OpenSSL toolkit includes:

- libssl.a:
+ libssl (with platform specific naming):
     Provides the client and server-side implementations for SSLv3 and TLS.

- libcrypto.a:
+ libcrypto (with platform specific naming):
     Provides general cryptographic and X.509 support needed by SSL/TLS but
     not logically part of it.

@@ -48,12 +48,8 @@
 ------------

 See the appropriate file:
-        INSTALL         Linux, Unix, etc.
+        INSTALL         Linux, Unix, Windows, OpenVMS
        INSTALL.DJGPP   DOS platform with DJGPP
-        INSTALL.NW      Netware
-        INSTALL.OS2     OS/2
-        INSTALL.VMS     VMS
-        INSTALL.WIN     Windows
        INSTALL.WCE     Windows CE

 SUPPORT
--- a/VMS/openssl_startup.com.in
+++ b/VMS/openssl_startup.com.in
@@ -46,7 +46,7 @@ $	IF F$GETSYI("CPU") .LT. 128
 $	THEN
 $	    arch := VAX
 $	ELSE
-$	    arch := F$EDIT(F$GETSYI("ARCH_NAME"),"UPCASE")
+$	    arch = F$EDIT(F$GETSYI("ARCH_NAME"),"UPCASE")
 $	    IF arch .EQS. "" THEN GOTO unknown_arch
 $	ENDIF
 $
@@ -54,23 +54,25 @@ $	! Generated information
 $	VERSION := {- $config{version} -}
 $	INSTALLTOP := {- $config{INSTALLTOP} -}
 $	OPENSSLDIR := {- $config{OPENSSLDIR} -}
-$	POINTER_SIZE = {- $config{pointersize} -}
+$	POINTER_SIZE := {- $config{pointersize} -}
 $
 $	! Make sure that INSTALLTOP and OPENSSLDIR become something one
 $	! can build concealed logical names on
-$	INSTALLTOP_ = F$PARSE("A.;",INSTALLTOP,,,"NO_CONCEAL") - "A.;" -
-		     - ".][000000" - "[000000." - "][" - "]" + ".]"
-$	OPENSSLDIR_ = F$PARSE("A.;",OPENSSLDIR,,,"NO_CONCEAL") - "A.;" -
-		     - ".][000000" - "[000000." - "][" - "]" + ".]"
+$	INSTALLTOP_ = F$PARSE("A.;",INSTALLTOP,,,"NO_CONCEAL") -
+		     - ".][000000" - "[000000." - "][" - "]A.;" + ".]"
+$	OPENSSLDIR_ = F$PARSE("A.;",OPENSSLDIR,,,"NO_CONCEAL") -
+		     - ".][000000" - "[000000." - "][" - "]A.;" + ".]"
 $	DEFINE /TRANSLATION=CONCEALED /NOLOG WRK_INSTALLTOP 'INSTALLTOP_'
+$	DEFINE /TRANSLATION=CONCEALED /NOLOG WRK_OPENSSLDIR 'OPENSSLDIR_'
 $
 $	! Check that things are in place, and specifically, the stuff
 $	! belonging to this architecture
 $	IF F$SEARCH("WRK_INSTALLTOP:[000000]INCLUDE.DIR;1") .EQS. "" -
-	   .OR. F$SEARCH("WRK_INSTALLTOP:[000000]''arch'.DIR;1") .EQS. "" -
-	   .OR. F$SEARCH("WRK_INSTALLTOP:[''arch']LIB.DIR;1") .EQS. "" -
-	   .OR. F$SEARCH("WRK_INSTALLTOP:[''arch']EXE.DIR;1") .EQS. "" -
-	   .OR. F$SEARCH("WRK_INSTALLTOP:[000000]openssl.cnf;1") .EQS. ""
+	   .OR. F$SEARCH("WRK_INSTALLTOP:[000000]LIB.DIR;1") .EQS. "" -
+	   .OR. F$SEARCH("WRK_INSTALLTOP:[000000]EXE.DIR;1") .EQS. "" -
+	   .OR. F$SEARCH("WRK_INSTALLTOP:[LIB]''arch'.DIR;1") .EQS. "" -
+	   .OR. F$SEARCH("WRK_INSTALLTOP:[EXE]''arch'.DIR;1") .EQS. "" -
+	   .OR. F$SEARCH("WRK_OPENSSLDIR:[000000]openssl.cnf") .EQS. ""
 $	THEN
 $	    WRITE SYS$ERROR "''INSTALLTOP' doesn't look like an OpenSSL installation for ''arch'"
 $	    status = %x00018292 ! RMS$_FNF, file not found
@@ -84,10 +86,10 @@ $	v    =  VERSION - "." - "."
 $
 $	DEFT OSSL$INSTROOT'v'	'INSTALLTOP_'
 $	DEFT OSSL$INCLUDE'v'	OSSL$INSTROOT:[INCLUDE.]
-$	DEF  OSSL$LIB'v'	OSSL$INSTROOT:['arch'.LIB]
-$	DEF  OSSL$SHARE'v'	OSSL$INSTROOT:['arch'.LIB]
-$	DEF  OSSL$ENGINES'v'	OSSL$INSTROOT:['arch'.ENGINES]
-$	DEF  OSSL$EXE'v'	OSSL$INSTROOT:['arch'.EXE]
+$	DEF  OSSL$LIB'v'	OSSL$INSTROOT:[LIB.'arch']
+$	DEF  OSSL$SHARE'v'	OSSL$INSTROOT:[LIB.'arch']
+$	DEF  OSSL$ENGINES'v'	OSSL$INSTROOT:[ENGINES.'arch']
+$	DEF  OSSL$EXE'v'	OSSL$INSTROOT:[EXE.'arch']
 $       {- output_off() if $disabled{shared} -}
 $       {- join("\n\$       ", map { "DEF  $_'v' OSSL\$SHARE:$_" } map { $unified_info{sharednames}->{$_} || () } @{$unified_info{libraries}}) -}
 $       {- output_on() -}
--- a/apps/Makefile.in
+++ b/apps/Makefile.in
@@ -75,9 +75,6 @@ scripts: $(SCRIPTS)
 openssl-vms.cnf: openssl.cnf
 	$(PERL) $(TOP)/VMS/VMSify-conf.pl < openssl.cnf > openssl-vms.cnf

-files:
-	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
-
 install:
 	@[ -n "$(INSTALLTOP)" ] # should be set by top Makefile...
 	@set -e; for i in $(EXE); \
@@ -154,5 +151,9 @@ CA.pl: CA.pl.in
 	$(PERL) -I$(TOP) -Mconfigdata $(TOP)/util/dofile.pl -oapps/Makefile CA.pl.in > CA.pl.new
 	mv CA.pl.new CA.pl

+tsget:	tsget.in
+	$(PERL) -I$(TOP) -Mconfigdata $(TOP)/util/dofile.pl -oapps/Makefile tsget.in > tsget.new
+	mv tsget.new tsget
+

 # DO NOT DELETE THIS LINE -- make depend depends on it.
--- a/apps/apps.c
+++ b/apps/apps.c
@@ -266,6 +266,7 @@ int dump_cert_text(BIO *out, X509 *x)
    return 0;
 }

+#ifndef OPENSSL_NO_UI
 static int ui_open(UI *ui)
 {
    return UI_method_get_opener(UI_OpenSSL())(ui);
@@ -335,20 +336,25 @@ void destroy_ui_method(void)
        ui_method = NULL;
    }
 }
+#endif

 int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
 {
-    UI *ui = NULL;
    int res = 0;
+#ifndef OPENSSL_NO_UI
+    UI *ui = NULL;
    const char *prompt_info = NULL;
+#endif
    const char *password = NULL;
    PW_CB_DATA *cb_data = (PW_CB_DATA *)cb_tmp;

    if (cb_data) {
        if (cb_data->password)
            password = cb_data->password;
+#ifndef OPENSSL_NO_UI
        if (cb_data->prompt_info)
            prompt_info = cb_data->prompt_info;
+#endif
    }

    if (password) {
@@ -359,6 +365,7 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
        return res;
    }

+#ifndef OPENSSL_NO_UI
    ui = UI_new_method(ui_method);
    if (ui) {
        int ok = 0;
@@ -408,6 +415,7 @@ int password_callback(char *buf, int bufsiz, int verify, PW_CB_DATA *cb_tmp)
        UI_free(ui);
        OPENSSL_free(prompt);
    }
+#endif
    return res;
 }

@@ -640,7 +648,7 @@ static int load_pkcs12(BIO *in, const char *desc,
    return ret;
 }

-#ifndef OPENSSL_NO_OCSP
+#if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK)
 static int load_cert_crl_http(const char *url, X509 **pcert, X509_CRL **pcrl)
 {
    char *host = NULL, *port = NULL, *path = NULL;
@@ -695,7 +703,7 @@ X509 *load_cert(const char *file, int format, const char *cert_descrip)
    BIO *cert;

    if (format == FORMAT_HTTP) {
-#ifndef OPENSSL_NO_OCSP
+#if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK)
        load_cert_crl_http(file, &x, NULL);
 #endif
        return x;
@@ -736,7 +744,7 @@ X509_CRL *load_crl(const char *infile, int format)
    BIO *in = NULL;

    if (format == FORMAT_HTTP) {
-#ifndef OPENSSL_NO_OCSP
+#if !defined(OPENSSL_NO_OCSP) && !defined(OPENSSL_NO_SOCK)
        load_cert_crl_http(infile, NULL, &x);
 #endif
        return x;
@@ -2203,30 +2211,6 @@ double app_tminterval(int stop, int usertime)

    return (ret);
 }
-#elif defined(OPENSSL_SYS_NETWARE)
-# include <time.h>
-
-double app_tminterval(int stop, int usertime)
-{
-    static clock_t tmstart;
-    static int warning = 1;
-    double ret = 0;
-
-    if (usertime && warning) {
-        BIO_printf(bio_err, "To get meaningful results, run "
-                   "this program on idle system.\n");
-        warning = 0;
-    }
-
-    if (stop == TM_START)
-        tmstart = clock();
-    else
-        ret = (clock() - tmstart) / (double)CLOCKS_PER_SEC;
-
-    return (ret);
-}
-
-
 #elif defined(OPENSSL_SYSTEM_VXWORKS)
 # include <time.h>

@@ -2356,45 +2340,6 @@ int app_access(const char* name, int flag)
 #endif
 }

-int app_hex(char c)
-{
-    switch (c) {
-    default:
-    case '0':
-        return 0;
-    case '1':
-        return 1;
-    case '2':
-        return 2;
-    case '3':
-        return 3;
-    case '4':
-          return 4;
-    case '5':
-          return 5;
-    case '6':
-          return 6;
-    case '7':
-          return 7;
-    case '8':
-          return 8;
-    case '9':
-          return 9;
-    case 'a': case 'A':
-          return 0x0A;
-    case 'b': case 'B':
-          return 0x0B;
-    case 'c': case 'C':
-          return 0x0C;
-    case 'd': case 'D':
-          return 0x0D;
-    case 'e': case 'E':
-          return 0x0E;
-    case 'f': case 'F':
-          return 0x0F;
-    }
-}
-
 /* app_isdir section */
 #ifdef _WIN32
 int app_isdir(const char *name)
@@ -2510,9 +2455,34 @@ BIO *dup_bio_out(int format)
    return b;
 }

+BIO *dup_bio_err(int format)
+{
+    BIO *b = BIO_new_fp(stderr,
+                        BIO_NOCLOSE | (istext(format) ? BIO_FP_TEXT : 0));
+#ifdef OPENSSL_SYS_VMS
+    if (istext(format))
+        b = BIO_push(BIO_new(BIO_f_linebuffer()), b);
+#endif
+    return b;
+}
+
 void unbuffer(FILE *fp)
 {
+/*
+ * On VMS, setbuf() will only take 32-bit pointers, and a compilation
+ * with /POINTER_SIZE=64 will give off a MAYLOSEDATA2 warning here.
+ * However, we trust that the C RTL will never give us a FILE pointer
+ * above the first 4 GB of memory, so we simply turn off the warning
+ * temporarily.
+ */
+#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
+# pragma environment save
+# pragma message disable maylosedata2
+#endif
    setbuf(fp, NULL);
+#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
+# pragma environment restore
+#endif
 }

 static const char *modestr(char mode, int format)
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -121,16 +121,10 @@
 # include <openssl/lhash.h>
 # include <openssl/conf.h>
 # include <openssl/txt_db.h>
-# ifndef OPENSSL_NO_ENGINE
-#  include <openssl/engine.h>
-# endif
-# ifndef OPENSSL_NO_OCSP
-#  include <openssl/ocsp.h>
-# endif
+# include <openssl/engine.h>
+# include <openssl/ocsp.h>
 # include <openssl/ossl_typ.h>
-# ifndef OPENSSL_SYS_NETWARE
-#  include <signal.h>
-# endif
+# include <signal.h>

 # if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WINCE)
 #  define openssl_fdset(a,b) FD_SET((unsigned int)a, b)
@@ -162,6 +156,7 @@ extern BIO *bio_out;
 extern BIO *bio_err;
 BIO *dup_bio_in(int format);
 BIO *dup_bio_out(int format);
+BIO *dup_bio_err(int format);
 BIO *bio_open_owner(const char *filename, int format, int private);
 BIO *bio_open_default(const char *filename, char mode, int format);
 BIO *bio_open_default_quiet(const char *filename, char mode, int format);
@@ -185,6 +180,7 @@ void wait_for_async(SSL *s);
        OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST, \
        OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, \
        OPT_V_PARTIAL_CHAIN, OPT_V_NO_ALT_CHAINS, OPT_V_NO_CHECK_TIME, \
+        OPT_V_VERIFY_AUTH_LEVEL, \
        OPT_V__LAST

 # define OPT_V_OPTIONS \
@@ -192,8 +188,10 @@ void wait_for_async(SSL *s);
        { "purpose", OPT_V_PURPOSE, 's', \
            "certificate chain purpose"}, \
        { "verify_name", OPT_V_VERIFY_NAME, 's', "verification policy name"}, \
-        { "verify_depth", OPT_V_VERIFY_DEPTH, 'p', \
-            "chain depth limit"}, \
+        { "verify_depth", OPT_V_VERIFY_DEPTH, 'n', \
+            "chain depth limit" }, \
+        { "auth_level", OPT_V_VERIFY_AUTH_LEVEL, 'n', \
+            "chain authentication security level" }, \
        { "attime", OPT_V_ATTIME, 'M', "verification epoch time" }, \
        { "verify_hostname", OPT_V_VERIFY_HOSTNAME, 's', \
            "expected peer hostname" }, \
@@ -240,6 +238,7 @@ void wait_for_async(SSL *s);
        case OPT_V_PURPOSE: \
        case OPT_V_VERIFY_NAME: \
        case OPT_V_VERIFY_DEPTH: \
+        case OPT_V_VERIFY_AUTH_LEVEL: \
        case OPT_V_ATTIME: \
        case OPT_V_VERIFY_HOSTNAME: \
        case OPT_V_VERIFY_EMAIL: \
@@ -450,6 +449,14 @@ typedef struct args_st {
    char **argv;
 } ARGS;

+/*
+ * VMS C only for now, implemented in vms_decc_init.c
+ * If other C compilers forget to terminate argv with NULL, this function
+ * can be re-used.
+ */
+char **copy_argv(int *argc, char *argv[]);
+
+
 # define PW_MIN_LENGTH 4
 typedef struct pw_cb_data {
    const void *password;
@@ -617,7 +624,6 @@ void store_setup_crl_download(X509_STORE *st);

 # define SERIAL_RAND_BITS        64

-int app_hex(char);
 int app_isdir(const char *);
 int app_access(const char *, int flag);
 int raw_read_stdin(void *, int);
--- a/apps/asn1pars.c
+++ b/apps/asn1pars.c
@@ -327,7 +327,6 @@ int asn1parse_main(int argc, char **argv)
        OPENSSL_free(str);
    ASN1_TYPE_free(at);
    sk_OPENSSL_STRING_free(osk);
-    OBJ_cleanup();
    return (ret);
 }

--- a/apps/build.info
+++ b/apps/build.info
@@ -1,18 +1,21 @@
 {- use File::Spec::Functions qw/catdir rel2abs/; -}
-PROGRAMS=openssl
-SOURCE[openssl]=\
-        openssl.c \
-        asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c dgst.c dhparam.c \
-        dsa.c dsaparam.c ec.c ecparam.c enc.c engine.c errstr.c gendsa.c \
-        genpkey.c genrsa.c nseq.c ocsp.c passwd.c pkcs12.c pkcs7.c pkcs8.c \
-        pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c rsa.c rsautl.c \
-        s_client.c s_server.c s_time.c sess_id.c smime.c speed.c spkac.c \
-        srp.c ts.c verify.c version.c x509.c rehash.c \
-        apps.c opt.c s_cb.c s_socket.c \
-        app_rand.c \
-        {- $target{apps_aux_src} -}
-INCLUDE[openssl]={- rel2abs(catdir($builddir,"../include")) -} .. ../include
-DEPEND[openssl]=../libssl
+IF[{- !$disabled{apps} -}]
+  PROGRAMS=openssl
+  SOURCE[openssl]=\
+          openssl.c \
+          asn1pars.c ca.c ciphers.c cms.c crl.c crl2p7.c dgst.c dhparam.c \
+          dsa.c dsaparam.c ec.c ecparam.c enc.c engine.c errstr.c gendsa.c \
+          genpkey.c genrsa.c nseq.c ocsp.c passwd.c pkcs12.c pkcs7.c pkcs8.c \
+          pkey.c pkeyparam.c pkeyutl.c prime.c rand.c req.c rsa.c rsautl.c \
+          s_client.c s_server.c s_time.c sess_id.c smime.c speed.c spkac.c \
+          srp.c ts.c verify.c version.c x509.c rehash.c \
+          apps.c opt.c s_cb.c s_socket.c \
+          app_rand.c \
+          {- $target{apps_aux_src} -}
+  INCLUDE[openssl]={- rel2abs(catdir($builddir,"../include")) -} .. ../include
+  DEPEND[openssl]=../libssl

-SCRIPTS=CA.pl
-SOURCE[CA.pl]=CA.pl.in
+  SCRIPTS=CA.pl tsget
+  SOURCE[CA.pl]=CA.pl.in
+  SOURCE[tsget]=tsget.in
+ENDIF
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -81,7 +81,7 @@
 #  else
 #   include <unixlib.h>
 #  endif
-# elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_NETWARE)
+# elif !defined(OPENSSL_SYS_VXWORKS) && !defined(OPENSSL_SYS_WINDOWS)
 #  include <sys/file.h>
 # endif
 #endif
@@ -1307,7 +1307,6 @@ end_of_options:
    X509_CRL_free(crl);
    NCONF_free(conf);
    NCONF_free(extconf);
-    OBJ_cleanup();
    return (ret);
 }

@@ -1351,12 +1350,12 @@ static int certify(X509 **xret, char *infile, EVP_PKEY *pkey, X509 *x509,
        ok = 0;
        goto end;
    }
-    if ((pktmp = X509_REQ_get_pubkey(req)) == NULL) {
+    if ((pktmp = X509_REQ_get0_pubkey(req)) == NULL) {
        BIO_printf(bio_err, "error unpacking public key\n");
        goto end;
    }
    i = X509_REQ_verify(req, pktmp);
-    EVP_PKEY_free(pktmp);
+    pktmp = NULL;
    if (i < 0) {
        ok = 0;
        BIO_printf(bio_err, "Signature verification problems....\n");
@@ -1788,9 +1787,8 @@ static int do_body(X509 **xret, EVP_PKEY *pkey, X509 *x509,
    if (!X509_set_subject_name(ret, subject))
        goto end;

-    pktmp = X509_REQ_get_pubkey(req);
+    pktmp = X509_REQ_get0_pubkey(req);
    i = X509_set_pubkey(ret, pktmp);
-    EVP_PKEY_free(pktmp);
    if (!i)
        goto end;

@@ -2072,6 +2070,7 @@ static int certify_spkac(X509 **xret, char *infile, EVP_PKEY *pkey,

    j = NETSCAPE_SPKI_verify(spki, pktmp);
    if (j <= 0) {
+        EVP_PKEY_free(pktmp);
        BIO_printf(bio_err,
                   "signature verification failed on SPKAC public key\n");
        goto end;
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -214,11 +214,9 @@ OPTIONS cms_options[] = {
    {"receipt_request_to", OPT_RR_TO, 's'},
    {"", OPT_CIPHER, '-', "Any supported cipher"},
    OPT_V_OPTIONS,
-# ifndef OPENSSL_NO_AES
    {"aes128-wrap", OPT_AES128_WRAP, '-', "Use AES128 to wrap key"},
    {"aes192-wrap", OPT_AES192_WRAP, '-', "Use AES192 to wrap key"},
    {"aes256-wrap", OPT_AES256_WRAP, '-', "Use AES256 to wrap key"},
-# endif
 # ifndef OPENSSL_NO_DES
    {"des3-wrap", OPT_3DES_WRAP, '-', "Use 3DES-EDE to wrap key"},
 # endif
@@ -455,7 +453,7 @@ int cms_main(int argc, char **argv)
            noout = print = 1;
            break;
        case OPT_SECRETKEY:
-            secret_key = string_to_hex(opt_arg(), &ltmp);
+            secret_key = OPENSSL_hexstr2buf(opt_arg(), &ltmp);
            if (secret_key == NULL) {
                BIO_printf(bio_err, "Invalid key %s\n", opt_arg());
                goto end;
@@ -463,7 +461,7 @@ int cms_main(int argc, char **argv)
            secret_keylen = (size_t)ltmp;
            break;
        case OPT_SECRETKEYID:
-            secret_keyid = string_to_hex(opt_arg(), &ltmp);
+            secret_keyid = OPENSSL_hexstr2buf(opt_arg(), &ltmp);
            if (secret_keyid == NULL) {
                BIO_printf(bio_err, "Invalid id %s\n", opt_arg());
                goto opthelp;
@@ -603,7 +601,6 @@ int cms_main(int argc, char **argv)
            wrap_cipher = EVP_des_ede3_wrap();
 # endif
            break;
-# ifndef OPENSSL_NO_AES
        case OPT_AES128_WRAP:
            wrap_cipher = EVP_aes_128_wrap();
            break;
@@ -613,12 +610,6 @@ int cms_main(int argc, char **argv)
        case OPT_AES256_WRAP:
            wrap_cipher = EVP_aes_256_wrap();
            break;
-# else
-        case OPT_AES128_WRAP:
-        case OPT_AES192_WRAP:
-        case OPT_AES256_WRAP:
-            break;
-# endif
        }
    }
    argc = opt_num_rest();
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -112,9 +112,9 @@ int crl_main(int argc, char **argv)
    X509_CRL *x = NULL;
    BIO *out = NULL;
    X509_STORE *store = NULL;
-    X509_STORE_CTX ctx;
+    X509_STORE_CTX *ctx = NULL;
    X509_LOOKUP *lookup = NULL;
-    X509_OBJECT xobj;
+    X509_OBJECT *xobj = NULL;
    EVP_PKEY *pkey;
    const EVP_MD *digest = EVP_sha1();
    unsigned long nmflag = 0;
@@ -243,24 +243,26 @@ int crl_main(int argc, char **argv)
        lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file());
        if (lookup == NULL)
            goto end;
-        if (!X509_STORE_CTX_init(&ctx, store, NULL, NULL)) {
+        ctx = X509_STORE_CTX_new();
+        if (!X509_STORE_CTX_init(ctx, store, NULL, NULL)) {
            BIO_printf(bio_err, "Error initialising X509 store\n");
            goto end;
        }

-        i = X509_STORE_get_by_subject(&ctx, X509_LU_X509,
-                                      X509_CRL_get_issuer(x), &xobj);
-        if (i <= 0) {
+        xobj = X509_STORE_get_X509_by_subject(ctx, X509_LU_X509,
+                                              X509_CRL_get_issuer(x));
+        if (xobj == NULL) {
            BIO_printf(bio_err, "Error getting CRL issuer certificate\n");
            goto end;
        }
-        pkey = X509_get0_pubkey(xobj.data.x509);
-        X509_OBJECT_free_contents(&xobj);
+        pkey = X509_get_pubkey(X509_OBJECT_get0_X509(xobj));
+        X509_OBJECT_free(xobj);
        if (!pkey) {
            BIO_printf(bio_err, "Error getting CRL issuer public key\n");
            goto end;
        }
        i = X509_CRL_verify(x, pkey);
+        EVP_PKEY_free(pkey);
        if (i < 0)
            goto end;
        if (i == 0)
@@ -388,9 +390,7 @@ int crl_main(int argc, char **argv)
        ERR_print_errors(bio_err);
    BIO_free_all(out);
    X509_CRL_free(x);
-    if (store) {
-        X509_STORE_CTX_cleanup(&ctx);
-        X509_STORE_free(store);
-    }
+    X509_STORE_CTX_free(ctx);
+    X509_STORE_free(store);
    return (ret);
 }
--- a/apps/dhparam.c
+++ b/apps/dhparam.c
@@ -171,7 +171,10 @@ int dhparam_main(int argc, char **argv)
    BIO *in = NULL, *out = NULL;
    DH *dh = NULL;
    char *infile = NULL, *outfile = NULL, *prog, *inrand = NULL;
-    int dsaparam = 0, i, text = 0, C = 0, ret = 1, num = 0, g = 0;
+#ifndef OPENSSL_NO_DSA
+    int dsaparam = 0;
+#endif
+    int i, text = 0, C = 0, ret = 1, num = 0, g = 0;
    int informat = FORMAT_PEM, outformat = FORMAT_PEM, check = 0, noout = 0;
    OPTION_CHOICE o;

@@ -211,7 +214,9 @@ int dhparam_main(int argc, char **argv)
            text = 1;
            break;
        case OPT_DSAPARAM:
+#ifndef OPENSSL_NO_DSA
            dsaparam = 1;
+#endif
            break;
        case OPT_C:
            C = 1;
@@ -379,40 +384,50 @@ int dhparam_main(int argc, char **argv)
    if (C) {
        unsigned char *data;
        int len, bits;
+        BIGNUM *pbn, *gbn;

-        len = BN_num_bytes(dh->p);
-        bits = BN_num_bits(dh->p);
+        len = DH_size(dh);
+        bits = DH_bits(dh);
+        DH_get0_pqg(dh, &pbn, NULL, &gbn);
        data = app_malloc(len, "print a BN");
        BIO_printf(out, "#ifndef HEADER_DH_H\n"
                        "# include <openssl/dh.h>\n"
                        "#endif\n"
                        "\n");
        BIO_printf(out, "DH *get_dh%d()\n{\n", bits);
-        print_bignum_var(out, dh->p, "dhp", bits, data);
-        print_bignum_var(out, dh->g, "dhg", bits, data);
-        BIO_printf(out, "    DH *dh = DN_new();\n"
+        print_bignum_var(out, pbn, "dhp", bits, data);
+        print_bignum_var(out, gbn, "dhg", bits, data);
+        BIO_printf(out, "    DH *dh = DH_new();\n"
+                        "    BIGNUM *dhp_bn, *dhg_bn;\n"
                        "\n"
                        "    if (dh == NULL)\n"
                        "        return NULL;\n");
-        BIO_printf(out, "    dh->p = BN_bin2bn(dhp_%d, sizeof (dhp_%d), NULL);\n",
-               bits, bits);
-        BIO_printf(out, "    dh->g = BN_bin2bn(dhg_%d, sizeof (dhg_%d), NULL);\n",
-               bits, bits);
-        BIO_printf(out, "    if (!dh->p || !dh->g) {\n"
+        BIO_printf(out, "    dhp_bn = BN_bin2bn(dhp_%d, sizeof (dhp_%d), NULL);\n",
+                   bits, bits);
+        BIO_printf(out, "    dhg_bn = BN_bin2bn(dhg_%d, sizeof (dhg_%d), NULL);\n",
+                   bits, bits);
+        BIO_printf(out, "    if (dhp_bn == NULL || dhg_bn == NULL\n"
+                        "            || !DH_set0_pqg(dh, dhp_bn, NULL, dhg_bn)) {\n"
                        "        DH_free(dh);\n"
+                        "        BN_free(dhp_bn);\n"
+                        "        BN_free(dhg_bn);\n"
                        "        return NULL;\n"
                        "    }\n");
-        if (dh->length)
+        if (DH_get_length(dh) > 0)
            BIO_printf(out,
-                        "    dh->length = %ld;\n", dh->length);
+                        "    if (!DH_set_length(dh, %ld)) {\n"
+                        "        DH_free(dh);\n"
+                        "    }\n", DH_get_length(dh));
        BIO_printf(out, "    return dh;\n}\n");
        OPENSSL_free(data);
    }

    if (!noout) {
+        BIGNUM *q;
+        DH_get0_pqg(dh, NULL, &q, NULL);
        if (outformat == FORMAT_ASN1)
            i = i2d_DHparams_bio(out, dh);
-        else if (dh->q)
+        else if (q != NULL)
            i = PEM_write_bio_DHxparams(out, dh);
        else
            i = PEM_write_bio_DHparams(out, dh);
--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -116,7 +116,10 @@ int dsa_main(int argc, char **argv)
    char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
    OPTION_CHOICE o;
    int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, noout = 0;
-    int i, modulus = 0, pubin = 0, pubout = 0, pvk_encr = 2, ret = 1;
+    int i, modulus = 0, pubin = 0, pubout = 0, ret = 1;
+# ifndef OPENSSL_NO_RC4
+    int pvk_encr = 2;
+# endif
    int private = 0;

    prog = opt_init(argc, argv, dsa_options);
@@ -240,8 +243,10 @@ int dsa_main(int argc, char **argv)
    }

    if (modulus) {
+        BIGNUM *pub_key = NULL;
+        DSA_get0_key(dsa, &pub_key, NULL);
        BIO_printf(out, "Public Key=");
-        BN_print(out, dsa->pub_key);
+        BN_print(out, pub_key);
        BIO_printf(out, "\n");
    }

--- a/apps/dsaparam.c
+++ b/apps/dsaparam.c
@@ -263,14 +263,20 @@ int dsaparam_main(int argc, char **argv)
    }

    if (C) {
-        int len = BN_num_bytes(dsa->p);
-        int bits_p = BN_num_bits(dsa->p);
-        unsigned char *data = app_malloc(len + 20, "BN space");
+        BIGNUM *p = NULL, *q = NULL, *g = NULL;
+        unsigned char *data;
+        int len, bits_p;
+
+        DSA_get0_pqg(dsa, &p, &q, &g);
+        len = BN_num_bytes(p);
+        bits_p = BN_num_bits(p);
+
+        data = app_malloc(len + 20, "BN space");

        BIO_printf(bio_out, "DSA *get_dsa%d()\n{\n", bits_p);
-        print_bignum_var(bio_out, dsa->p, "dsap", len, data);
-        print_bignum_var(bio_out, dsa->q, "dsaq", len, data);
-        print_bignum_var(bio_out, dsa->g, "dsag", len, data);
+        print_bignum_var(bio_out, p, "dsap", len, data);
+        print_bignum_var(bio_out, q, "dsaq", len, data);
+        print_bignum_var(bio_out, g, "dsag", len, data);
        BIO_printf(bio_out, "    DSA *dsa = DSA_new();\n"
                            "\n");
        BIO_printf(bio_out, "    if (dsa == NULL)\n"
--- a/apps/enc.c
+++ b/apps/enc.c
@@ -313,23 +313,19 @@ int enc_main(int argc, char **argv)
    if (verbose)
        BIO_printf(bio_err, "bufsize=%d\n", bsize);

-    if (base64) {
-        if (enc)
-            outformat = FORMAT_BASE64;
-        else
-            informat = FORMAT_BASE64;
-    }
+#ifdef ZLIB
+    if (!do_zlib)
+#endif
+        if (base64) {
+            if (enc)
+                outformat = FORMAT_BASE64;
+            else
+                informat = FORMAT_BASE64;
+        }

    strbuf = app_malloc(SIZE, "strbuf");
    buff = app_malloc(EVP_ENCODE_LENGTH(bsize), "evp buffer");

-    if (debug) {
-        BIO_set_callback(in, BIO_debug_callback);
-        BIO_set_callback(out, BIO_debug_callback);
-        BIO_set_callback_arg(in, (char *)bio_err);
-        BIO_set_callback_arg(out, (char *)bio_err);
-    }
-
    if (infile == NULL) {
        unbuffer(stdin);
        in = dup_bio_in(informat);
@@ -347,26 +343,33 @@ int enc_main(int argc, char **argv)
    }

    if ((str == NULL) && (cipher != NULL) && (hkey == NULL)) {
-        for (;;) {
-            char prompt[200];
+        if (1) {
+#ifndef OPENSSL_NO_UI
+            for (;;) {
+                char prompt[200];

-            BIO_snprintf(prompt, sizeof prompt, "enter %s %s password:",
-                         OBJ_nid2ln(EVP_CIPHER_nid(cipher)),
-                         (enc) ? "encryption" : "decryption");
-            strbuf[0] = '\0';
-            i = EVP_read_pw_string((char *)strbuf, SIZE, prompt, enc);
-            if (i == 0) {
-                if (strbuf[0] == '\0') {
-                    ret = 1;
+                BIO_snprintf(prompt, sizeof prompt, "enter %s %s password:",
+                             OBJ_nid2ln(EVP_CIPHER_nid(cipher)),
+                             (enc) ? "encryption" : "decryption");
+                strbuf[0] = '\0';
+                i = EVP_read_pw_string((char *)strbuf, SIZE, prompt, enc);
+                if (i == 0) {
+                    if (strbuf[0] == '\0') {
+                        ret = 1;
+                        goto end;
+                    }
+                    str = strbuf;
+                    break;
+                }
+                if (i < 0) {
+                    BIO_printf(bio_err, "bad password read\n");
                    goto end;
                }
-                str = strbuf;
-                break;
-            }
-            if (i < 0) {
-                BIO_printf(bio_err, "bad password read\n");
-                goto end;
            }
+        } else {
+#endif
+            BIO_printf(bio_err, "password required\n");
+            goto end;
        }
    }

@@ -374,6 +377,13 @@ int enc_main(int argc, char **argv)
    if (out == NULL)
        goto end;

+    if (debug) {
+        BIO_set_callback(in, BIO_debug_callback);
+        BIO_set_callback(out, BIO_debug_callback);
+        BIO_set_callback_arg(in, (char *)bio_err);
+        BIO_set_callback_arg(out, (char *)bio_err);
+    }
+
    rbio = in;
    wbio = out;

@@ -381,6 +391,10 @@ int enc_main(int argc, char **argv)
    if (do_zlib) {
        if ((bzl = BIO_new(BIO_f_zlib())) == NULL)
            goto end;
+        if (debug) {
+            BIO_set_callback(bzl, BIO_debug_callback);
+            BIO_set_callback_arg(bzl, (char *)bio_err);
+        }
        if (enc)
            wbio = BIO_push(bzl, wbio);
        else
@@ -622,7 +636,7 @@ static int set_hex(char *in, unsigned char *out, int size)
            BIO_printf(bio_err, "non-hex digit\n");
            return (0);
        }
-        j = (unsigned char)app_hex(j);
+        j = (unsigned char)OPENSSL_hexchar2int(j);
        if (i & 1)
            out[i / 2] |= j;
        else
--- a/apps/gendsa.c
+++ b/apps/gendsa.c
@@ -101,6 +101,7 @@ int gendsa_main(int argc, char **argv)
    char *outfile = NULL, *passoutarg = NULL, *passout = NULL, *prog;
    OPTION_CHOICE o;
    int ret = 1, private = 0;
+    BIGNUM *p = NULL;

    prog = opt_init(argc, argv, gendsa_options);
    while ((o = opt_next()) != OPT_EOF) {
@@ -168,7 +169,8 @@ int gendsa_main(int argc, char **argv)
        BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
                   app_RAND_load_files(inrand));

-    BIO_printf(bio_err, "Generating DSA key, %d bits\n", BN_num_bits(dsa->p));
+    DSA_get0_pqg(dsa, &p, NULL, NULL);
+    BIO_printf(bio_err, "Generating DSA key, %d bits\n", BN_num_bits(p));
    if (!DSA_generate_key(dsa))
        goto end;

--- a/apps/genrsa.c
+++ b/apps/genrsa.c
@@ -104,9 +104,10 @@ int genrsa_main(int argc, char **argv)
 {
    BN_GENCB *cb = BN_GENCB_new();
    PW_CB_DATA cb_data;
-    ENGINE *e = NULL;
+    ENGINE *eng = NULL;
    BIGNUM *bn = BN_new();
    BIO *out = NULL;
+    BIGNUM *e;
    RSA *rsa = NULL;
    const EVP_CIPHER *enc = NULL;
    int ret = 1, num = DEFBITS, private = 0;
@@ -141,7 +142,7 @@ int genrsa_main(int argc, char **argv)
            outfile = opt_arg();
            break;
        case OPT_ENGINE:
-            e = setup_engine(opt_arg(), 0);
+            eng = setup_engine(opt_arg(), 0);
            break;
        case OPT_RAND:
            inrand = opt_arg();
@@ -182,7 +183,7 @@ int genrsa_main(int argc, char **argv)

    BIO_printf(bio_err, "Generating RSA private key, %d bit long modulus\n",
               num);
-    rsa = e ? RSA_new_method(e) : RSA_new();
+    rsa = eng ? RSA_new_method(eng) : RSA_new();
    if (rsa == NULL)
        goto end;

@@ -191,8 +192,9 @@ int genrsa_main(int argc, char **argv)

    app_RAND_write_file(NULL);

-    hexe = BN_bn2hex(rsa->e);
-    dece = BN_bn2dec(rsa->e);
+    RSA_get0_key(rsa, NULL, &e, NULL);
+    hexe = BN_bn2hex(e);
+    dece = BN_bn2dec(e);
    if (hexe && dece) {
        BIO_printf(bio_err, "e is %s (0x%s)\n", dece, hexe);
    }
--- a/apps/ocsp.c
+++ b/apps/ocsp.c
@@ -55,8 +55,12 @@
 * Hudson (tjh@cryptsoft.com).
 *
 */
-#ifndef OPENSSL_NO_OCSP

+#include <openssl/opensslconf.h>
+
+#ifdef OPENSSL_NO_OCSP
+NON_EMPTY_TRANSLATION_UNIT
+#else
 # ifdef OPENSSL_SYS_VMS
 #  define _XOPEN_SOURCE_EXTENDED/* So fd_set and friends get properly defined
                                 * on OpenVMS */
@@ -69,8 +73,9 @@
 # include <string.h>
 # include <time.h>
 # include <ctype.h>
-# include "apps.h"              /* needs to be included before the openssl
-                                 * headers! */
+
+/* Needs to be included before the openssl headers */
+# include "apps.h"
 # include <openssl/e_os2.h>
 # include <openssl/crypto.h>
 # include <openssl/err.h>
@@ -117,10 +122,13 @@ static char **lookup_serial(CA_DB *db, ASN1_INTEGER *ser);
 static BIO *init_responder(const char *port);
 static int do_responder(OCSP_REQUEST **preq, BIO **pcbio, BIO *acbio);
 static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp);
+
+# ifndef OPENSSL_NO_SOCK
 static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host,
                                      const char *path,
                                      const STACK_OF(CONF_VALUE) *headers,
                                      OCSP_REQUEST *req, int req_timeout);
+# endif

 typedef enum OPTION_choice {
    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
@@ -244,7 +252,10 @@ int ocsp_main(int argc, char **argv)
    int noCAfile = 0, noCApath = 0;
    int accept_count = -1, add_nonce = 1, noverify = 0, use_ssl = -1;
    int vpmtouched = 0, badsig = 0, i, ignore_err = 0, nmin = 0, ndays = -1;
-    int req_text = 0, resp_text = 0, req_timeout = -1, ret = 1;
+    int req_text = 0, resp_text = 0, ret = 1;
+#ifndef OPENSSL_NO_SOCK
+    int req_timeout = -1;
+#endif
    long nsec = MAX_VALIDITY_PERIOD, maxage = -1;
    unsigned long sign_flags = 0, verify_flags = 0, rflags = 0;
    OPTION_CHOICE o;
@@ -275,7 +286,9 @@ int ocsp_main(int argc, char **argv)
            outfile = opt_arg();
            break;
        case OPT_TIMEOUT:
+#ifndef OPENSSL_NO_SOCK
            req_timeout = atoi(opt_arg());
+#endif
            break;
        case OPT_URL:
            OPENSSL_free(thost);
@@ -1062,7 +1075,9 @@ static int urldecode(char *p)
        if (*p != '%')
            *out++ = *p;
        else if (isxdigit(_UC(p[1])) && isxdigit(_UC(p[2]))) {
-            *out++ = (app_hex(p[1]) << 4) | app_hex(p[2]);
+            /* Don't check, can't fail because of ixdigit() call. */
+            *out++ = (OPENSSL_hexchar2int(p[1]) << 4)
+                   | OPENSSL_hexchar2int(p[2]);
            p += 2;
        }
        else
@@ -1170,6 +1185,7 @@ static int send_ocsp_response(BIO *cbio, OCSP_RESPONSE *resp)
    return 1;
 }

+# ifndef OPENSSL_NO_SOCK
 static OCSP_RESPONSE *query_responder(BIO *cbio, const char *host,
                                      const char *path,
                                      const STACK_OF(CONF_VALUE) *headers,
@@ -1300,5 +1316,6 @@ OCSP_RESPONSE *process_responder(OCSP_REQUEST *req,
    SSL_CTX_free(ctx);
    return resp;
 }
+# endif

 #endif
--- a/apps/openssl.c
+++ b/apps/openssl.c
@@ -176,14 +176,18 @@ static int apps_startup()
                             | OPENSSL_INIT_LOAD_CONFIG, NULL))
        return 0;

+#ifndef OPENSSL_NO_UI
    setup_ui_method();
+#endif

    return 1;
 }

 static void apps_shutdown()
 {
+#ifndef OPENSSL_NO_UI
    destroy_ui_method();
+#endif
 }

 static char *make_config_name()
@@ -207,10 +211,6 @@ static char *make_config_name()
    return p;
 }

-#if defined( OPENSSL_SYS_VMS)
-extern char **copy_argv(int *argc, char **argv);
-#endif
-
 int main(int argc, char *argv[])
 {
    FUNCTION f, *fp;
@@ -229,9 +229,9 @@ int main(int argc, char *argv[])
    default_config_file = make_config_name();
    bio_in = dup_bio_in(FORMAT_TEXT);
    bio_out = dup_bio_out(FORMAT_TEXT);
-    bio_err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT);
+    bio_err = dup_bio_err(FORMAT_TEXT);

-#if defined( OPENSSL_SYS_VMS)
+#if defined(OPENSSL_SYS_VMS) && defined(__DECC)
    copied_argv = argv = copy_argv(&argc, argv);
 #endif

@@ -644,9 +644,6 @@ static int SortFnByName(const void *_f1, const void *_f2)
 static void list_disabled(void)
 {
    BIO_puts(bio_out, "Disabled algorithms:\n");
-#ifdef OPENSSL_NO_AES
-    BIO_puts(bio_out, "AES\n");
-#endif
 #ifdef OPENSSL_NO_BF
    BIO_puts(bio_out, "BF\n");
 #endif
@@ -704,9 +701,6 @@ static void list_disabled(void)
 #ifdef OPENSSL_NO_HEARTBEATS
    BIO_puts(bio_out, "HEARTBEATS\n");
 #endif
-#ifdef OPENSSL_NO_HMAC
-    BIO_puts(bio_out, "HMAC\n");
-#endif
 #ifdef OPENSSL_NO_IDEA
    BIO_puts(bio_out, "IDEA\n");
 #endif
@@ -758,9 +752,6 @@ static void list_disabled(void)
 #ifdef OPENSSL_NO_SEED
    BIO_puts(bio_out, "SEED\n");
 #endif
-#ifdef OPENSSL_NO_SHA
-    BIO_puts(bio_out, "SHA\n");
-#endif
 #ifdef OPENSSL_NO_SOCK
    BIO_puts(bio_out, "SOCK\n");
 #endif
--- a/apps/opt.c
+++ b/apps/opt.c
@@ -78,7 +78,7 @@ static char prog[40];
 /*
 * Return the simple name of the program; removing various platform gunk.
 */
-#if defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_NETWARE)
+#if defined(OPENSSL_SYS_WIN32)
 char *opt_progname(const char *argv0)
 {
    size_t i, n;
@@ -97,11 +97,6 @@ char *opt_progname(const char *argv0)
    if (n > 4 &&
        (strcmp(&p[n - 4], ".exe") == 0 || strcmp(&p[n - 4], ".EXE") == 0))
        n -= 4;
-#if defined(OPENSSL_SYS_NETWARE)
-    if (n > 4 &&
-        (strcmp(&p[n - 4], ".nlm") == 0 || strcmp(&p[n - 4], ".NLM") == 0))
-        n -= 4;
-#endif

    /* Copy over the name, in lowercase. */
    if (n > sizeof prog - 1)
@@ -168,8 +163,8 @@ char *opt_init(int ac, char **av, const OPTIONS *o)
    unknown = NULL;

    for (; o->name; ++o) {
-        const OPTIONS *next;
 #ifndef NDEBUG
+        const OPTIONS *next;
        int duplicated, i;
 #endif

@@ -378,6 +373,7 @@ int opt_long(const char *value, long *result)
    long l;
    char *endp;

+    errno = 0;
    l = strtol(value, &endp, 0);
    if (*endp
            || endp == value
@@ -403,6 +399,7 @@ int opt_imax(const char *value, intmax_t *result)
    intmax_t m;
    char *endp;

+    errno = 0;
    m = strtoimax(value, &endp, 0);
    if (*endp
            || endp == value
@@ -425,6 +422,7 @@ int opt_umax(const char *value, uintmax_t *result)
    uintmax_t m;
    char *endp;

+    errno = 0;
    m = strtoumax(value, &endp, 0);
    if (*endp
            || endp == value
@@ -450,6 +448,7 @@ int opt_ulong(const char *value, unsigned long *result)
    char *endptr;
    unsigned long l;

+    errno = 0;
    l = strtoul(value, &endptr, 0);
    if (*endptr
            || endptr == value
@@ -531,6 +530,11 @@ int opt_verify(int opt, X509_VERIFY_PARAM *vpm)
        if (i >= 0)
            X509_VERIFY_PARAM_set_depth(vpm, i);
        break;
+    case OPT_V_VERIFY_AUTH_LEVEL:
+        i = atoi(opt_arg());
+        if (i >= 0)
+            X509_VERIFY_PARAM_set_auth_level(vpm, i);
+        break;
    case OPT_V_ATTIME:
        if (!opt_imax(opt_arg(), &t))
            return 0;
--- a/apps/passwd.c
+++ b/apps/passwd.c
@@ -118,7 +118,10 @@ int passwd_main(int argc, char **argv)
    char *infile = NULL, *salt = NULL, *passwd = NULL, **passwds = NULL;
    char *salt_malloc = NULL, *passwd_malloc = NULL, *prog;
    OPTION_CHOICE o;
-    int in_stdin = 0, in_noverify = 0, pw_source_defined = 0;
+    int in_stdin = 0, pw_source_defined = 0;
+#ifndef OPENSSL_NO_UI
+    int in_noverify = 0;
+#endif
    int passed_salt = 0, quiet = 0, table = 0, reverse = 0;
    int ret = 1, usecrypt = 0, use1 = 0, useapr1 = 0;
    size_t passwd_malloc_size = 0, pw_maxlen = 256;
@@ -142,7 +145,9 @@ int passwd_main(int argc, char **argv)
            pw_source_defined = 1;
            break;
        case OPT_NOVERIFY:
+#ifndef OPENSSL_NO_UI
            in_noverify = 1;
+#endif
            break;
        case OPT_QUIET:
            quiet = 1;
@@ -201,14 +206,20 @@ int passwd_main(int argc, char **argv)
        goto opthelp;
 # endif

-    if (infile && in_stdin) {
+    if (infile != NULL && in_stdin) {
        BIO_printf(bio_err, "%s: Can't combine -in and -stdin\n", prog);
        goto end;
    }

-    in = bio_open_default(infile, 'r', FORMAT_TEXT);
-    if (in == NULL)
-        goto end;
+    if (infile != NULL || in_stdin) {
+        /*
+         * If in_stdin is true, we know that infile is NULL, and that
+         * bio_open_default() will give us back an alias for stdin.
+         */
+        in = bio_open_default(infile, 'r', FORMAT_TEXT);
+        if (in == NULL)
+            goto end;
+    }

    if (usecrypt)
        pw_maxlen = 8;
@@ -226,18 +237,26 @@ int passwd_main(int argc, char **argv)
    }

    if ((in == NULL) && (passwds == NULL)) {
-        /* build a null-terminated list */
-        static char *passwds_static[2] = { NULL, NULL };
+        if (1) {
+#ifndef OPENSSL_NO_UI
+            /* build a null-terminated list */
+            static char *passwds_static[2] = { NULL, NULL };

-        passwds = passwds_static;
-        if (in == NULL)
-            if (EVP_read_pw_string
-                (passwd_malloc, passwd_malloc_size, "Password: ",
-                 !(passed_salt || in_noverify)) != 0)
-                goto end;
-        passwds[0] = passwd_malloc;
+            passwds = passwds_static;
+            if (in == NULL)
+                if (EVP_read_pw_string
+                    (passwd_malloc, passwd_malloc_size, "Password: ",
+                     !(passed_salt || in_noverify)) != 0)
+                    goto end;
+            passwds[0] = passwd_malloc;
+        } else {
+#endif
+            BIO_printf(bio_err, "password required\n");
+            goto end;
+        }
    }

+
    if (in == NULL) {
        assert(passwds != NULL);
        assert(*passwds != NULL);
--- a/apps/pkcs12.c
+++ b/apps/pkcs12.c
@@ -57,7 +57,9 @@
 */

 #include <openssl/opensslconf.h>
-#if !defined(OPENSSL_NO_DES)
+#if defined(OPENSSL_NO_DES)
+NON_EMPTY_TRANSLATION_UNIT
+#else

 # include <stdio.h>
 # include <stdlib.h>
@@ -174,7 +176,8 @@ int pkcs12_main(int argc, char **argv)
    int cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
 # endif
    int key_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
-    int ret = 1, macver = 1, noprompt = 0, add_lmk = 0, private = 0;
+    int ret = 1, macver = 1, add_lmk = 0, private = 0;
+    int noprompt = 0;
    char *passinarg = NULL, *passoutarg = NULL, *passarg = NULL;
    char *passin = NULL, *passout = NULL, *inrand = NULL, *macalg = NULL;
    char *cpass = NULL, *mpass = NULL, *CApath = NULL, *CAfile = NULL;
@@ -365,9 +368,16 @@ int pkcs12_main(int argc, char **argv)
    }

    if (twopass) {
-        if (EVP_read_pw_string
-            (macpass, sizeof macpass, "Enter MAC Password:", export_cert)) {
-            BIO_printf(bio_err, "Can't read Password\n");
+        if (1) {
+#ifndef OPENSSL_NO_UI
+            if (EVP_read_pw_string
+                (macpass, sizeof macpass, "Enter MAC Password:", export_cert)) {
+                BIO_printf(bio_err, "Can't read Password\n");
+                goto end;
+            }
+        } else {
+#endif
+            BIO_printf(bio_err, "Unsupported option -twopass\n");
            goto end;
        }
    }
@@ -475,12 +485,21 @@ int pkcs12_main(int argc, char **argv)
        if (add_lmk && key)
            EVP_PKEY_add1_attr_by_NID(key, NID_LocalKeySet, 0, NULL, -1);

-        if (!noprompt &&
-            EVP_read_pw_string(pass, sizeof pass, "Enter Export Password:",
-                               1)) {
-            BIO_printf(bio_err, "Can't read Password\n");
-            goto export_end;
+        if (!noprompt) {
+            if (1) {
+#ifndef OPENSSL_NO_UI
+                if (EVP_read_pw_string(pass, sizeof pass, "Enter Export Password:",
+                                       1)) {
+                    BIO_printf(bio_err, "Can't read Password\n");
+                    goto export_end;
+                }
+            } else {
+#endif
+                BIO_printf(bio_err, "Password required\n");
+                goto export_end;
+            }
        }
+
        if (!twopass)
            OPENSSL_strlcpy(macpass, pass, sizeof macpass);

@@ -532,11 +551,19 @@ int pkcs12_main(int argc, char **argv)
        goto end;
    }

-    if (!noprompt
-        && EVP_read_pw_string(pass, sizeof pass, "Enter Import Password:",
-                              0)) {
-        BIO_printf(bio_err, "Can't read Password\n");
-        goto end;
+    if (!noprompt) {
+        if (1) {
+#ifndef OPENSSL_NO_UI
+            if (EVP_read_pw_string(pass, sizeof pass, "Enter Import Password:",
+                                   0)) {
+                BIO_printf(bio_err, "Can't read Password\n");
+                goto end;
+            }
+        } else {
+#endif
+            BIO_printf(bio_err, "Password required\n");
+            goto end;
+        }
    }

    if (!twopass)
@@ -731,21 +758,28 @@ int dump_certs_pkeys_bag(BIO *out, PKCS12_SAFEBAG *bag, char *pass,
 static int get_cert_chain(X509 *cert, X509_STORE *store,
                          STACK_OF(X509) **chain)
 {
-    X509_STORE_CTX store_ctx;
+    X509_STORE_CTX *store_ctx = NULL;
    STACK_OF(X509) *chn = NULL;
    int i = 0;

-    if (!X509_STORE_CTX_init(&store_ctx, store, cert, NULL)) {
-        *chain = NULL;
-        return X509_V_ERR_UNSPECIFIED;
+    store_ctx = X509_STORE_CTX_new();
+    if (store_ctx == NULL) {
+        i =  X509_V_ERR_UNSPECIFIED;
+        goto end;
+    }
+    if (!X509_STORE_CTX_init(store_ctx, store, cert, NULL)) {
+        i =  X509_V_ERR_UNSPECIFIED;
+        goto end;
    }

-    if (X509_verify_cert(&store_ctx) > 0)
-        chn = X509_STORE_CTX_get1_chain(&store_ctx);
-    else if ((i = X509_STORE_CTX_get_error(&store_ctx)) == 0)
+
+    if (X509_verify_cert(store_ctx) > 0)
+        chn = X509_STORE_CTX_get1_chain(store_ctx);
+    else if ((i = X509_STORE_CTX_get_error(store_ctx)) == 0)
        i = X509_V_ERR_UNSPECIFIED;

-    X509_STORE_CTX_cleanup(&store_ctx);
+end:
+    X509_STORE_CTX_free(store_ctx);
    *chain = chn;
    return i;
 }
--- a/apps/pkcs8.c
+++ b/apps/pkcs8.c
@@ -111,7 +111,10 @@ int pkcs8_main(int argc, char **argv)
    const EVP_CIPHER *cipher = NULL;
    char *infile = NULL, *outfile = NULL;
    char *passinarg = NULL, *passoutarg = NULL, *prog;
-    char pass[50], *passin = NULL, *passout = NULL, *p8pass = NULL;
+#ifndef OPENSSL_NO_UI
+    char pass[50];
+#endif
+    char *passin = NULL, *passout = NULL, *p8pass = NULL;
    OPTION_CHOICE o;
    int nocrypt = 0, ret = 1, iter = PKCS12_DEFAULT_ITER;
    int informat = FORMAT_PEM, outformat = FORMAT_PEM, topk8 = 0, pbe_nid = -1;
@@ -272,13 +275,18 @@ int pkcs8_main(int argc, char **argv)
            }
            if (passout)
                p8pass = passout;
-            else {
+            else if (1) {
+#ifndef OPENSSL_NO_UI
                p8pass = pass;
                if (EVP_read_pw_string
                    (pass, sizeof pass, "Enter Encryption Password:", 1)) {
                    X509_ALGOR_free(pbe);
                    goto end;
                }
+            } else {
+#endif
+                BIO_printf(bio_err, "Password required\n");
+                goto end;
            }
            app_RAND_load_file(NULL, 0);
            p8 = PKCS8_set0_pbe(p8pass, strlen(p8pass), p8inf, pbe);
@@ -330,9 +338,14 @@ int pkcs8_main(int argc, char **argv)
        }
        if (passin)
            p8pass = passin;
-        else {
+        else if (1) {
+#ifndef OPENSSL_NO_UI
            p8pass = pass;
            EVP_read_pw_string(pass, sizeof pass, "Enter Password:", 0);
+        } else {
+#endif
+            BIO_printf(bio_err, "Password required\n");
+            goto end;
        }
        p8inf = PKCS8_decrypt(p8, p8pass, strlen(p8pass));
    }
--- a/apps/progs.h
+++ b/apps/progs.h
@@ -1,7 +1,12 @@
 /*
 * Automatically generated by progs.pl for openssl.c
- * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
- * See the openssl.c for copyright details.
+ * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL licenses, (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * https://www.openssl.org/source/license.html
+ * or in the file LICENSE in the source distribution.
 */

 typedef enum FUNC_TYPE {
@@ -120,7 +125,7 @@ extern OPTIONS x509_options[];
 static FUNCTION functions[] = {
    { FT_general, "asn1parse", asn1parse_main, asn1parse_options },
    { FT_general, "ca", ca_main, ca_options },
-#if !defined(OPENSSL_NO_SOCK)
+#ifndef OPENSSL_NO_SOCK
    { FT_general, "ciphers", ciphers_main, ciphers_options },
 #endif
 #ifndef OPENSSL_NO_CMS
@@ -164,7 +169,7 @@ static FUNCTION functions[] = {
    { FT_general, "ocsp", ocsp_main, ocsp_options },
 #endif
    { FT_general, "passwd", passwd_main, passwd_options },
-#if !defined(OPENSSL_NO_DES)
+#ifndef OPENSSL_NO_DES
    { FT_general, "pkcs12", pkcs12_main, pkcs12_options },
 #endif
    { FT_general, "pkcs7", pkcs7_main, pkcs7_options },
@@ -176,19 +181,17 @@ static FUNCTION functions[] = {
    { FT_general, "rand", rand_main, rand_options },
    { FT_general, "rehash", rehash_main, rehash_options },
    { FT_general, "req", req_main, req_options },
-#ifndef OPENSSL_NO_RSA
    { FT_general, "rsa", rsa_main, rsa_options },
-#endif
 #ifndef OPENSSL_NO_RSA
    { FT_general, "rsautl", rsautl_main, rsautl_options },
 #endif
-#if !defined(OPENSSL_NO_SOCK)
+#ifndef OPENSSL_NO_SOCK
    { FT_general, "s_client", s_client_main, s_client_options },
 #endif
-#if !defined(OPENSSL_NO_SOCK)
+#ifndef OPENSSL_NO_SOCK
    { FT_general, "s_server", s_server_main, s_server_options },
 #endif
-#if !defined(OPENSSL_NO_SOCK)
+#ifndef OPENSSL_NO_SOCK
    { FT_general, "s_time", s_time_main, s_time_options },
 #endif
    { FT_general, "sess_id", sess_id_main, sess_id_options },
@@ -198,7 +201,9 @@ static FUNCTION functions[] = {
 #ifndef OPENSSL_NO_SRP
    { FT_general, "srp", srp_main, srp_options },
 #endif
+#ifndef OPENSSL_NO_TS
    { FT_general, "ts", ts_main, ts_options },
+#endif
    { FT_general, "verify", verify_main, verify_options },
    { FT_general, "version", version_main, version_options },
    { FT_general, "x509", x509_main, x509_options },
@@ -211,14 +216,24 @@ static FUNCTION functions[] = {
 #ifndef OPENSSL_NO_MD5
    { FT_md, "md5", dgst_main},
 #endif
-#ifndef OPENSSL_NO_MD_GHOST94
-    { FT_md, "md_ghost94", dgst_main},
+#ifndef OPENSSL_NO_GOST
+    { FT_md, "gost", dgst_main},
 #endif
+#ifndef OPENSSL_NO_SHA
    { FT_md, "sha1", dgst_main},
+#endif
+#ifndef OPENSSL_NO_SHA
    { FT_md, "sha224", dgst_main},
+#endif
+#ifndef OPENSSL_NO_SHA
    { FT_md, "sha256", dgst_main},
+#endif
+#ifndef OPENSSL_NO_SHA
    { FT_md, "sha384", dgst_main},
+#endif
+#ifndef OPENSSL_NO_SHA
    { FT_md, "sha512", dgst_main},
+#endif
 #ifndef OPENSSL_NO_MDC2
    { FT_md, "mdc2", dgst_main},
 #endif
@@ -227,26 +242,16 @@ static FUNCTION functions[] = {
 #endif
 #ifndef OPENSSL_NO_BLAKE2
    { FT_md, "blake2b512", dgst_main},
+#endif
+#ifndef OPENSSL_NO_BLAKE2
    { FT_md, "blake2s256", dgst_main},
 #endif
-#ifndef OPENSSL_NO_AES
    { FT_cipher, "aes-128-cbc", enc_main, enc_options },
-#endif
-#ifndef OPENSSL_NO_AES
    { FT_cipher, "aes-128-ecb", enc_main, enc_options },
-#endif
-#ifndef OPENSSL_NO_AES
    { FT_cipher, "aes-192-cbc", enc_main, enc_options },
-#endif
-#ifndef OPENSSL_NO_AES
    { FT_cipher, "aes-192-ecb", enc_main, enc_options },
-#endif
-#ifndef OPENSSL_NO_AES
    { FT_cipher, "aes-256-cbc", enc_main, enc_options },
-#endif
-#ifndef OPENSSL_NO_AES
    { FT_cipher, "aes-256-ecb", enc_main, enc_options },
-#endif
 #ifndef OPENSSL_NO_CAMELLIA
    { FT_cipher, "camellia-128-cbc", enc_main, enc_options },
 #endif
--- a/apps/progs.pl
+++ b/apps/progs.pl
@@ -1,9 +1,19 @@
 #!/usr/bin/perl
+
+# Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL licenses, (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+# https://www.openssl.org/source/license.html
+# or in the file LICENSE in the source distribution.
+
 # Generate progs.h file by looking for command mains in list of C files
 # passed on the command line.

 use strict;
 use warnings;
+use configdata qw/@disablables/;

 my %commands = ();
 my $cmdre = qr/^\s*int\s+([a-z_][a-z0-9_]*)_main\(\s*int\s+argc\s*,/;
@@ -22,8 +32,13 @@ foreach my $filename (@ARGV) {
 print <<'EOF';
 /*
 * Automatically generated by progs.pl for openssl.c
- * Copyright (c) 2008 The OpenSSL Project.  All rights reserved.
- * See the openssl.c for copyright details.
+ * Copyright 2008-2016 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL licenses, (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ * https://www.openssl.org/source/license.html
+ * or in the file LICENSE in the source distribution.
 */

 typedef enum FUNC_TYPE {
@@ -51,47 +66,64 @@ print "\n";
 foreach (@ARGV) {
 	printf "extern OPTIONS %s_options[];\n", $_;
 }
+
 print "\n#ifdef INCLUDE_FUNCTION_TABLE\n";
 print "static FUNCTION functions[] = {\n";
-foreach (@ARGV) {
-	my $str="    { FT_general, \"$_\", ${_}_main, ${_}_options },\n";
-	if (/^s_/ || /^ciphers$/) {
-		print "#if !defined(OPENSSL_NO_SOCK)\n${str}#endif\n";
-	} elsif (/^engine$/) {
-		print "#ifndef OPENSSL_NO_ENGINE\n${str}#endif\n";
-	} elsif (/^rsa$/ || /^genrsa$/ || /^rsautl$/) {
-		print "#ifndef OPENSSL_NO_RSA\n${str}#endif\n";
-	} elsif (/^dsa$/ || /^gendsa$/ || /^dsaparam$/) {
-		print "#ifndef OPENSSL_NO_DSA\n${str}#endif\n";
-	} elsif (/^ec$/ || /^ecparam$/) {
-		print "#ifndef OPENSSL_NO_EC\n${str}#endif\n";
-	} elsif (/^dh$/ || /^gendh$/ || /^dhparam$/) {
-		print "#ifndef OPENSSL_NO_DH\n${str}#endif\n";
-	} elsif (/^pkcs12$/) {
-		print "#if !defined(OPENSSL_NO_DES)\n${str}#endif\n";
-	} elsif (/^cms$/) {
-		print "#ifndef OPENSSL_NO_CMS\n${str}#endif\n";
-	} elsif (/^ocsp$/) {
-		print "#ifndef OPENSSL_NO_OCSP\n${str}#endif\n";
-	} elsif (/^srp$/) {
-		print "#ifndef OPENSSL_NO_SRP\n${str}#endif\n";
+my %cmd_disabler = (
+    ciphers  => "sock",
+    genrsa   => "rsa",
+    rsautl   => "rsa",
+    gendsa   => "dsa",
+    dsaparam => "dsa",
+    gendh    => "dh",
+    dhparam  => "dh",
+    ecparam  => "ec",
+    pkcs12   => "des",
+    );
+foreach my $cmd (@ARGV) {
+	my $str="    { FT_general, \"$cmd\", ${cmd}_main, ${cmd}_options },\n";
+	if ($cmd =~ /^s_/) {
+		print "#ifndef OPENSSL_NO_SOCK\n${str}#endif\n";
+	} elsif (grep { $cmd eq $_ } @disablables) {
+		print "#ifndef OPENSSL_NO_".uc($cmd)."\n${str}#endif\n";
+	} elsif (my $disabler = $cmd_disabler{$cmd}) {
+		print "#ifndef OPENSSL_NO_".uc($disabler)."\n${str}#endif\n";
 	} else {
 		print $str;
 	}
 }

-foreach (
+my %md_disabler = (
+    sha1       => "sha",
+    sha224     => "sha",
+    sha256     => "sha",
+    sha384     => "sha",
+    sha512     => "sha",
+    blake2b512 => "blake2",
+    blake2s256 => "blake2",
+    );
+foreach my $cmd (
 	"md2", "md4", "md5",
-	"md_ghost94",
+	"gost",
 	"sha1", "sha224", "sha256", "sha384", "sha512",
-	"mdc2", "rmd160", "blake2b", "blake2s"
+	"mdc2", "rmd160", "blake2b512", "blake2s256"
 ) {
-        printf "#ifndef OPENSSL_NO_".uc($_)."\n" if ! /sha/;
-        printf "    { FT_md, \"".$_."\", dgst_main},\n";
-        printf "#endif\n" if ! /sha/;
+        my $str = "    { FT_md, \"".$cmd."\", dgst_main},\n";
+        if (grep { $cmd eq $_ } @disablables) {
+                print "#ifndef OPENSSL_NO_".uc($cmd)."\n${str}#endif\n";
+        } elsif (my $disabler = $md_disabler{$cmd}) {
+                print "#ifndef OPENSSL_NO_".uc($disabler)."\n${str}#endif\n";
+        } else {
+                print "#ifndef OPENSSL_NO_".uc($cmd)."\n${str}#endif\n";
+        }
 }

-foreach (
+my %cipher_disabler = (
+    des3  => "des",
+    desx  => "des",
+    cast5 => "cast",
+    );
+foreach my $cmd (
 	"aes-128-cbc", "aes-128-ecb",
 	"aes-192-cbc", "aes-192-ecb",
 	"aes-256-cbc", "aes-256-ecb",
@@ -112,33 +144,18 @@ foreach (
 	"cast5-cbc","cast5-ecb", "cast5-cfb","cast5-ofb",
 	"cast-cbc", "rc5-cbc",   "rc5-ecb",  "rc5-cfb",  "rc5-ofb"
 ) {
-	my $str="    { FT_cipher, \"$_\", enc_main, enc_options },\n";
-	if (/des/) {
-		printf "#ifndef OPENSSL_NO_DES\n${str}#endif\n";
-	} elsif (/aes/) {
-		printf "#ifndef OPENSSL_NO_AES\n${str}#endif\n";
-	} elsif (/camellia/) {
-		printf "#ifndef OPENSSL_NO_CAMELLIA\n${str}#endif\n";
-	} elsif (/idea/) {
-		printf "#ifndef OPENSSL_NO_IDEA\n${str}#endif\n";
-	} elsif (/seed/) {
-		printf "#ifndef OPENSSL_NO_SEED\n${str}#endif\n";
-	} elsif (/rc4/) {
-		printf "#ifndef OPENSSL_NO_RC4\n${str}#endif\n";
-	} elsif (/rc2/) {
-		printf "#ifndef OPENSSL_NO_RC2\n${str}#endif\n";
-	} elsif (/bf/) {
-		printf "#ifndef OPENSSL_NO_BF\n${str}#endif\n";
-	} elsif (/cast/) {
-		printf "#ifndef OPENSSL_NO_CAST\n${str}#endif\n";
-	} elsif (/rc5/) {
-		printf "#ifndef OPENSSL_NO_RC5\n${str}#endif\n";
-	} elsif (/zlib/) {
-		printf "#ifdef ZLIB\n${str}#endif\n";
+	my $str="    { FT_cipher, \"$cmd\", enc_main, enc_options },\n";
+	(my $algo= $cmd) =~ s/-.*//g;
+        if ($cmd eq "zlib") {
+                print "#ifdef ZLIB\n${str}#endif\n";
+        } elsif (grep { $algo eq $_ } @disablables) {
+                print "#ifndef OPENSSL_NO_".uc($algo)."\n${str}#endif\n";
+        } elsif (my $disabler = $cipher_disabler{$algo}) {
+                print "#ifndef OPENSSL_NO_".uc($disabler)."\n${str}#endif\n";
 	} else {
 		print $str;
 	}
 }

 print "    { 0, NULL, NULL}\n};\n";
-printf "#endif\n";
+print "#endif\n";
--- a/apps/rehash.c
+++ b/apps/rehash.c
@@ -210,7 +210,7 @@ static int handle_symlink(const char *filename, const char *fullpath)
        if (!isxdigit(ch))
            return -1;
        hash <<= 4;
-        hash += app_hex(ch);
+        hash += OPENSSL_hexchar2int(ch);
    }
    if (filename[i++] != '.')
        return -1;
--- a/apps/req.c
+++ b/apps/req.c
@@ -375,6 +375,7 @@ int req_main(int argc, char **argv)
    if (!nmflag_set)
        nmflag = XN_FLAG_ONELINE;

+    /* TODO: simplify this as pkey is still always NULL here */ 
    private = newreq && (pkey == NULL) ? 1 : 0;

    if (!app_passwd(passargin, passargout, &passin, &passout)) {
@@ -666,10 +667,9 @@ int req_main(int argc, char **argv)
            if (!X509_set_subject_name
                (x509ss, X509_REQ_get_subject_name(req)))
                goto end;
-            tmppkey = X509_REQ_get_pubkey(req);
+            tmppkey = X509_REQ_get0_pubkey(req);
            if (!tmppkey || !X509_set_pubkey(x509ss, tmppkey))
                goto end;
-            EVP_PKEY_free(tmppkey);

            /* Set up V3 context struct */

@@ -739,20 +739,15 @@ int req_main(int argc, char **argv)
    }

    if (verify && !x509) {
-        int tmp = 0;
+        EVP_PKEY *tpubkey = pkey;

-        if (pkey == NULL) {
-            pkey = X509_REQ_get_pubkey(req);
-            tmp = 1;
-            if (pkey == NULL)
+        if (tpubkey == NULL) {
+            tpubkey = X509_REQ_get0_pubkey(req);
+            if (tpubkey == NULL)
                goto end;
        }

-        i = X509_REQ_verify(req, pkey);
-        if (tmp) {
-            EVP_PKEY_free(pkey);
-            pkey = NULL;
-        }
+        i = X509_REQ_verify(req, tpubkey);

        if (i < 0) {
            goto end;
@@ -816,9 +811,11 @@ int req_main(int argc, char **argv)
        }
        fprintf(stdout, "Modulus=");
 #ifndef OPENSSL_NO_RSA
-        if (EVP_PKEY_base_id(tpubkey) == EVP_PKEY_RSA)
-            BN_print(out, EVP_PKEY_get0_RSA(tpubkey)->n);
-        else
+        if (EVP_PKEY_base_id(tpubkey) == EVP_PKEY_RSA) {
+            BIGNUM *n;
+            RSA_get0_key(EVP_PKEY_get0_RSA(tpubkey), &n, NULL, NULL);
+            BN_print(out, n);
+        } else
 #endif
            fprintf(stdout, "Wrong Algorithm type");
        EVP_PKEY_free(tpubkey);
@@ -870,7 +867,6 @@ int req_main(int argc, char **argv)
        OPENSSL_free(passin);
    if (passout != nofree_passout)
        OPENSSL_free(passout);
-    OBJ_cleanup();
    return (ret);
 }

@@ -1523,13 +1519,9 @@ int do_X509_sign(X509 *x, EVP_PKEY *pkey, const EVP_MD *md,
    EVP_MD_CTX *mctx = EVP_MD_CTX_new();

    rv = do_sign_init(mctx, pkey, md, sigopts);
-    /* Note: X509_sign_ctx() calls ASN1_item_sign_ctx(), which destroys
-     * the EVP_MD_CTX we send it, so only destroy it here if the former
-     * isn't called */
    if (rv > 0)
        rv = X509_sign_ctx(x, mctx);
-    else
-        EVP_MD_CTX_free(mctx);
+    EVP_MD_CTX_free(mctx);
    return rv > 0 ? 1 : 0;
 }

@@ -1539,13 +1531,9 @@ int do_X509_REQ_sign(X509_REQ *x, EVP_PKEY *pkey, const EVP_MD *md,
    int rv;
    EVP_MD_CTX *mctx = EVP_MD_CTX_new();
    rv = do_sign_init(mctx, pkey, md, sigopts);
-    /* Note: X509_REQ_sign_ctx() calls ASN1_item_sign_ctx(), which destroys
-     * the EVP_MD_CTX we send it, so only destroy it here if the former
-     * isn't called */
    if (rv > 0)
        rv = X509_REQ_sign_ctx(x, mctx);
-    else
-        EVP_MD_CTX_free(mctx);
+    EVP_MD_CTX_free(mctx);
    return rv > 0 ? 1 : 0;
 }

@@ -1555,12 +1543,8 @@ int do_X509_CRL_sign(X509_CRL *x, EVP_PKEY *pkey, const EVP_MD *md,
    int rv;
    EVP_MD_CTX *mctx = EVP_MD_CTX_new();
    rv = do_sign_init(mctx, pkey, md, sigopts);
-    /* Note: X509_CRL_sign_ctx() calls ASN1_item_sign_ctx(), which destroys
-     * the EVP_MD_CTX we send it, so only destroy it here if the former
-     * isn't called */
    if (rv > 0)
        rv = X509_CRL_sign_ctx(x, mctx);
-    else
-        EVP_MD_CTX_free(mctx);
+    EVP_MD_CTX_free(mctx);
    return rv > 0 ? 1 : 0;
 }
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -167,7 +167,10 @@ int rsa_main(int argc, char **argv)
    char *passin = NULL, *passout = NULL, *passinarg = NULL, *passoutarg = NULL;
    int i, private = 0;
    int informat = FORMAT_PEM, outformat = FORMAT_PEM, text = 0, check = 0;
-    int noout = 0, modulus = 0, pubin = 0, pubout = 0, pvk_encr = 2, ret = 1;
+    int noout = 0, modulus = 0, pubin = 0, pubout = 0, ret = 1;
+# if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
+    int pvk_encr = 2;
+#endif
    OPTION_CHOICE o;

    prog = opt_init(argc, argv, rsa_options);
@@ -217,7 +220,7 @@ int rsa_main(int argc, char **argv)
        case OPT_RSAPUBKEY_OUT:
            pubout = 2;
            break;
-#ifndef OPENSSL_NO_RC4
+# if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_RC4)
        case OPT_PVK_STRONG:
            pvk_encr = 2;
            break;
@@ -307,8 +310,10 @@ int rsa_main(int argc, char **argv)
    }

    if (modulus) {
+        BIGNUM *n;
+        RSA_get0_key(rsa, &n, NULL, NULL);
        BIO_printf(out, "Modulus=");
-        BN_print(out, rsa->n);
+        BN_print(out, n);
        BIO_printf(out, "\n");
    }

--- a/apps/s_apps.h
+++ b/apps/s_apps.h
@@ -107,10 +107,6 @@
 * Hudson (tjh@cryptsoft.com).
 *
 */
-/* conflicts with winsock2 stuff on netware */
-#if !defined(OPENSSL_SYS_NETWARE)
-# include <sys/types.h>
-#endif
 #include <openssl/opensslconf.h>

 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@@ -131,8 +131,10 @@ int verify_depth = 0;
 int verify_quiet = 0;
 int verify_error = X509_V_OK;
 int verify_return_error = 0;
+#ifndef OPENSSL_NO_SOCK
 static unsigned char cookie_secret[COOKIE_SECRET_LENGTH];
 static int cookie_initialized = 0;
+#endif

 static const char *lookup(int val, const STRINT_PAIR* list, const char* def)
 {
@@ -505,12 +507,12 @@ long bio_dump_callback(BIO *bio, int cmd, const char *argp,

    if (cmd == (BIO_CB_READ | BIO_CB_RETURN)) {
        BIO_printf(out, "read from %p [%p] (%lu bytes => %ld (0x%lX))\n",
-                   (void *)bio, argp, (unsigned long)argi, ret, ret);
+                   (void *)bio, (void *)argp, (unsigned long)argi, ret, ret);
        BIO_dump(out, argp, (int)ret);
        return (ret);
    } else if (cmd == (BIO_CB_WRITE | BIO_CB_RETURN)) {
        BIO_printf(out, "write to %p [%p] (%lu bytes => %ld (0x%lX))\n",
-                   (void *)bio, argp, (unsigned long)argi, ret, ret);
+                   (void *)bio, (void *)argp, (unsigned long)argi, ret, ret);
        BIO_dump(out, argp, (int)ret);
    }
    return (ret);
@@ -741,6 +743,7 @@ void tlsext_cb(SSL *s, int client_server, int type,
    (void)BIO_flush(bio);
 }

+#ifndef OPENSSL_NO_SOCK
 int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
                             unsigned int *cookie_len)
 {
@@ -803,6 +806,7 @@ int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,

    return 0;
 }
+#endif

 /*
 * Example of extended certificate handling. Where the standard support of
@@ -1106,7 +1110,7 @@ static char *hexencode(const unsigned char *data, size_t len)
    }
    cp = out = app_malloc(ilen, "TLSA hex data buffer");

-    while (ilen-- > 0) {
+    while (len-- > 0) {
        *cp++ = hex[(*data >> 4) & 0x0f];
        *cp++ = hex[*data++ & 0x0f];
    }
@@ -1367,7 +1371,7 @@ static int security_callback_debug(const SSL *s, const SSL_CTX *ctx,
    case SSL_SECOP_OTHER_DH:
        {
            DH *dh = other;
-            BIO_printf(sdb->out, "%d", BN_num_bits(dh->p));
+            BIO_printf(sdb->out, "%d", DH_bits(dh));
            break;
        }
 #endif
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -141,6 +141,8 @@
 #include <errno.h>
 #include <openssl/e_os2.h>

+#ifndef OPENSSL_NO_SOCK
+
 /*
 * With IPv6, it looks like Digital has mixed up the proper order of
 * recursive header file inclusion, resulting in the compiler complaining
@@ -205,7 +207,9 @@ static int c_ign_eof = 0;
 static int c_brief = 0;

 static void print_stuff(BIO *berr, SSL *con, int full);
+#ifndef OPENSSL_NO_OCSP
 static int ocsp_resp_cb(SSL *s, void *arg);
+#endif

 static int saved_errno;

@@ -662,7 +666,7 @@ typedef enum OPTION_choice {
    OPT_S_ENUM,
    OPT_FALLBACKSCSV, OPT_NOCMDS, OPT_PROXY, OPT_DANE_TLSA_DOMAIN,
 #ifndef OPENSSL_NO_CT
-    OPT_NOCT, OPT_REQUESTCT, OPT_REQUIRECT, OPT_CTLOG_FILE,
+    OPT_CT, OPT_NOCT, OPT_CTLOG_FILE,
 #endif
    OPT_DANE_TLSA_RRDATA
 } OPTION_CHOICE;
@@ -755,7 +759,9 @@ OPTIONS s_client_options[] = {
     "Set TLS extension servername in ClientHello"},
    {"tlsextdebug", OPT_TLSEXTDEBUG, '-',
     "Hex dump of all TLS extensions received"},
+#ifndef OPENSSL_NO_OCSP
    {"status", OPT_STATUS, '-', "Request certificate status from server"},
+#endif
    {"serverinfo", OPT_SERVERINFO, 's',
     "types  Send empty ClientHello extensions (comma-separated numbers)"},
    {"alpn", OPT_ALPN, 's',
@@ -825,9 +831,8 @@ OPTIONS s_client_options[] = {
     "Specify engine to be used for client certificate operations"},
 #endif
 #ifndef OPENSSL_NO_CT
+    {"ct", OPT_CT, '-', "Request and parse SCTs (also enables OCSP stapling)"},
    {"noct", OPT_NOCT, '-', "Do not request or parse SCTs (default)"},
-    {"requestct", OPT_REQUESTCT, '-', "Request SCTs (enables OCSP stapling)"},
-    {"requirect", OPT_REQUIRECT, '-', "Require at least 1 SCT (enables OCSP stapling)"},
    {"ctlogfile", OPT_CTLOG_FILE, '<', "CT log list CONF file"},
 #endif
    {NULL}
@@ -884,14 +889,13 @@ int s_client_main(int argc, char **argv)
    char *sess_in = NULL, *sess_out = NULL, *crl_file = NULL, *p;
    char *xmpphost = NULL;
    const char *ehlo = "mail.example.com";
-    struct sockaddr peer;
    struct timeval timeout, *timeoutp;
    fd_set readfds, writefds;
    int noCApath = 0, noCAfile = 0;
    int build_chain = 0, cbuf_len, cbuf_off, cert_format = FORMAT_PEM;
    int key_format = FORMAT_PEM, crlf = 0, full_log = 1, mbuf_len = 0;
    int prexit = 0;
-    int enable_timeouts = 0, sdebug = 0, peerlen = sizeof peer;
+    int sdebug = 0;
    int reconnect = 0, verify = SSL_VERIFY_NONE, vpmtouched = 0;
    int ret = 1, in_init = 1, i, nbio_test = 0, s = -1, k, width, state = 0;
    int sbuf_len, sbuf_off, cmdletters = 1;
@@ -900,13 +904,17 @@ int s_client_main(int argc, char **argv)
    int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending;
    int read_buf_len = 0;
    int fallback_scsv = 0;
-    long socket_mtu = 0, randamt = 0;
+    long randamt = 0;
    OPTION_CHOICE o;
+#ifndef OPENSSL_NO_DTLS
+    int enable_timeouts = 0;
+    long socket_mtu = 0;
+#endif
 #ifndef OPENSSL_NO_ENGINE
    ENGINE *ssl_client_engine = NULL;
 #endif
    ENGINE *e = NULL;
-#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
    struct timeval tv;
 #endif
    char *servername = NULL;
@@ -926,7 +934,7 @@ int s_client_main(int argc, char **argv)
 #endif
 #ifndef OPENSSL_NO_CT
    char *ctlog_file = NULL;
-    ct_validation_cb ct_validation = NULL;
+    int ct_validation = 0;
 #endif
    int min_version = 0, max_version = 0;

@@ -1326,13 +1334,10 @@ int s_client_main(int argc, char **argv)
            break;
 #ifndef OPENSSL_NO_CT
        case OPT_NOCT:
-            ct_validation = NULL;
+            ct_validation = 0;
            break;
-        case OPT_REQUESTCT:
-            ct_validation = CT_verify_no_bad_scts;
-            break;
-        case OPT_REQUIRECT:
-            ct_validation = CT_verify_at_least_one_good_sct;
+        case OPT_CT:
+            ct_validation = 1;
            break;
        case OPT_CTLOG_FILE:
            ctlog_file = opt_arg();
@@ -1357,7 +1362,9 @@ int s_client_main(int argc, char **argv)
            }
            break;
        case OPT_NEXTPROTONEG:
+#ifndef OPENSSL_NO_NEXTPROTONEG
            next_proto_neg_in = opt_arg();
+#endif
            break;
        case OPT_ALPN:
            alpn_in = opt_arg();
@@ -1675,13 +1682,15 @@ int s_client_main(int argc, char **argv)
        SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);

 #ifndef OPENSSL_NO_CT
-    if (!SSL_CTX_set_ct_validation_callback(ctx, ct_validation, NULL)) {
+    /* Enable SCT processing, without early connection termination */
+    if (ct_validation &&
+        !SSL_CTX_enable_ct(ctx, SSL_CT_VALIDATION_PERMISSIVE)) {
        ERR_print_errors(bio_err);
        goto end;
    }

    if (!ctx_set_ctlog_list_file(ctx, ctlog_file)) {
-        if (ct_validation != NULL) {
+        if (ct_validation) {
            ERR_print_errors(bio_err);
            goto end;
        }
@@ -1813,7 +1822,10 @@ int s_client_main(int argc, char **argv)
        }
        BIO_printf(bio_c_out, "Turned on non blocking io\n");
    }
+#ifndef OPENSSL_NO_DTLS
    if (socket_type == SOCK_DGRAM) {
+        struct sockaddr peer;
+        int peerlen = sizeof peer;

        sbio = BIO_new_dgram(s, BIO_NOCLOSE);
        if (getsockname(s, &peer, (void *)&peerlen) < 0) {
@@ -1852,6 +1864,7 @@ int s_client_main(int argc, char **argv)
            /* want to do MTU discovery */
            BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
    } else
+#endif /* OPENSSL_NO_DTLS */
        sbio = BIO_new_socket(s, BIO_NOCLOSE);

    if (nbio_test) {
@@ -1879,11 +1892,13 @@ int s_client_main(int argc, char **argv)
        SSL_set_tlsext_debug_callback(con, tlsext_cb);
        SSL_set_tlsext_debug_arg(con, bio_c_out);
    }
+#ifndef OPENSSL_NO_OCSP
    if (c_status_req) {
        SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
        SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
        SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
    }
+#endif

    SSL_set_bio(con, sbio, sbio);
    SSL_set_connect_state(con);
@@ -2065,7 +2080,7 @@ int s_client_main(int argc, char **argv)
            BIO *fbio = BIO_new(BIO_f_buffer());

            BIO_push(fbio, sbio);
-            BIO_printf(fbio, "CONNECT %s\r\n\r\n", connectstr);
+            BIO_printf(fbio, "CONNECT %s HTTP/1.0\r\n\r\n", connectstr);
            (void)BIO_flush(fbio);
            /* wait for multi-line response to end CONNECT response */
            do {
@@ -2210,7 +2225,7 @@ int s_client_main(int argc, char **argv)
        ssl_pending = read_ssl && SSL_has_pending(con);

        if (!ssl_pending) {
-#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE)
+#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
            if (tty_on) {
                if (read_tty)
                    openssl_fdset(fileno(stdin), &readfds);
@@ -2268,17 +2283,6 @@ int s_client_main(int argc, char **argv)
                    i = select(width, (void *)&readfds, (void *)&writefds,
                               NULL, timeoutp);
            }
-#elif defined(OPENSSL_SYS_NETWARE)
-            if (!write_tty) {
-                if (read_tty) {
-                    tv.tv_sec = 1;
-                    tv.tv_usec = 0;
-                    i = select(width, (void *)&readfds, (void *)&writefds,
-                               NULL, &tv);
-                } else
-                    i = select(width, (void *)&readfds, (void *)&writefds,
-                               NULL, timeoutp);
-            }
 #else
            i = select(width, (void *)&readfds, (void *)&writefds,
                       NULL, timeoutp);
@@ -2360,7 +2364,7 @@ int s_client_main(int argc, char **argv)
                goto shut;
            }
        }
-#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
        /* Assume Windows/DOS/BeOS can always write */
        else if (!ssl_pending && write_tty)
 #else
@@ -2455,8 +2459,6 @@ int s_client_main(int argc, char **argv)
                 || (WAIT_OBJECT_0 ==
                     WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0)))
 # endif
-#elif defined (OPENSSL_SYS_NETWARE)
-        else if (_kbhit())
 #else
        else if (FD_ISSET(fileno(stdin), &readfds))
 #endif
@@ -2568,7 +2570,6 @@ static void print_stuff(BIO *bio, SSL *s, int full)
 #endif
    unsigned char *exportedkeymat;
 #ifndef OPENSSL_NO_CT
-    const STACK_OF(SCT) *scts;
    const SSL_CTX *ctx = SSL_get_SSL_CTX(s);
 #endif

@@ -2624,21 +2625,35 @@ static void print_stuff(BIO *bio, SSL *s, int full)
        ssl_print_tmp_key(bio, s);

 #ifndef OPENSSL_NO_CT
-        scts = SSL_get0_peer_scts(s);
-        BIO_printf(bio, "---\nSCTs present (%i)\n",
-                   scts != NULL ? sk_SCT_num(scts) : 0);
+        /*
+         * When the SSL session is anonymous, or resumed via an abbreviated
+         * handshake, no SCTs are provided as part of the handshake.  While in
+         * a resumed session SCTs may be present in the session's certificate,
+         * no callbacks are invoked to revalidate these, and in any case that
+         * set of SCTs may be incomplete.  Thus it makes little sense to
+         * attempt to display SCTs from a resumed session's certificate, and of
+         * course none are associated with an anonymous peer.
+         */
+        if (peer != NULL && !SSL_session_reused(s) && SSL_ct_is_enabled(s)) {
+            const STACK_OF(SCT) *scts = SSL_get0_peer_scts(s);
+            int sct_count = scts != NULL ? sk_SCT_num(scts) : 0;

-        if (SSL_get_ct_validation_callback(s) == NULL) {
-          BIO_printf(bio, "Warning: CT validation is disabled, so not all "
-                     "SCTs may be displayed. Re-run with \"-requestct\".\n");
-        }
+            BIO_printf(bio, "---\nSCTs present (%i)\n", sct_count);
+            if (sct_count > 0) {
+                const CTLOG_STORE *log_store = SSL_CTX_get0_ctlog_store(ctx);

-        if (scts != NULL && sk_SCT_num(scts) > 0) {
-            const CTLOG_STORE *log_store = SSL_CTX_get0_ctlog_store(ctx);
+                BIO_printf(bio, "---\n");
+                for (i = 0; i < sct_count; ++i) {
+                    SCT *sct = sk_SCT_value(scts, i);

-            BIO_printf(bio, "---\n");
-            SCT_LIST_print(scts, bio, 0, "\n---\n", log_store);
-            BIO_printf(bio, "\n");
+                    BIO_printf(bio, "SCT validation status: %s\n",
+                               SCT_validation_status_string(sct));
+                    SCT_print(sct, bio, 0, log_store);
+                    if (i < sct_count - 1)
+                        BIO_printf(bio, "\n---\n");
+                }
+                BIO_printf(bio, "\n");
+            }
        }
 #endif

@@ -2740,6 +2755,7 @@ static void print_stuff(BIO *bio, SSL *s, int full)
    (void)BIO_flush(bio);
 }

+# ifndef OPENSSL_NO_OCSP
 static int ocsp_resp_cb(SSL *s, void *arg)
 {
    const unsigned char *p;
@@ -2763,3 +2779,6 @@ static int ocsp_resp_cb(SSL *s, void *arg)
    OCSP_RESPONSE_free(rsp);
    return 1;
 }
+# endif
+
+#endif
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -147,10 +147,7 @@

 #include <openssl/e_os2.h>

-/* conflicts with winsock2 stuff on netware */
-#if !defined(OPENSSL_SYS_NETWARE)
-# include <sys/types.h>
-#endif
+#ifndef OPENSSL_NO_SOCK

 /*
 * With IPv6, it looks like Digital has mixed up the proper order of
@@ -233,7 +230,6 @@ static BIO *bio_s_msg = NULL;
 static int s_debug = 0;
 static int s_tlsextdebug = 0;
 static int s_tlsextstatus = 0;
-static int cert_status_cb(SSL *s, void *arg);
 static int no_resume_ephemeral = 0;
 static int s_msg = 0;
 static int s_quiet = 0;
@@ -424,7 +420,7 @@ static int ebcdic_gets(BIO *bp, char *buf, int size);
 static int ebcdic_puts(BIO *bp, const char *str);

 # define BIO_TYPE_EBCDIC_FILTER  (18|0x0200)
-static BIO_METHOD methods_ebcdic = {
+static const BIO_METHOD methods_ebcdic = {
    BIO_TYPE_EBCDIC_FILTER,
    "EBCDIC/ASCII filter",
    ebcdic_write,
@@ -442,7 +438,7 @@ typedef struct {
    char buff[1];
 } EBCDIC_OUTBUFF;

-BIO_METHOD *BIO_f_ebcdic_filter()
+const BIO_METHOD *BIO_f_ebcdic_filter()
 {
    return (&methods_ebcdic);
 }
@@ -607,6 +603,7 @@ typedef struct tlsextstatusctx_st {

 static tlsextstatusctx tlscstatp = { NULL, NULL, NULL, 0, -1, 0 };

+#ifndef OPENSSL_NO_OCSP
 /*
 * Certificate Status callback. This is called when a client includes a
 * certificate status request extension. This is a simplified version. It
@@ -625,8 +622,8 @@ static int cert_status_cb(SSL *s, void *arg)
    int rspderlen;
    STACK_OF(OPENSSL_STRING) *aia = NULL;
    X509 *x = NULL;
-    X509_STORE_CTX inctx;
-    X509_OBJECT obj;
+    X509_STORE_CTX *inctx = NULL;
+    X509_OBJECT *obj;
    OCSP_REQUEST *req = NULL;
    OCSP_RESPONSE *resp = NULL;
    OCSP_CERTID *id = NULL;
@@ -660,22 +657,24 @@ static int cert_status_cb(SSL *s, void *arg)
        use_ssl = srctx->use_ssl;
    }

-    if (!X509_STORE_CTX_init(&inctx,
+    inctx = X509_STORE_CTX_new();
+    if (inctx == NULL)
+        goto err;
+    if (!X509_STORE_CTX_init(inctx,
                             SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s)),
                             NULL, NULL))
        goto err;
-    if (X509_STORE_get_by_subject(&inctx, X509_LU_X509,
-                                  X509_get_issuer_name(x), &obj) <= 0) {
+    obj = X509_STORE_get_X509_by_subject(inctx, X509_LU_X509,
+                                         X509_get_issuer_name(x));
+    if (obj == NULL) {
        BIO_puts(bio_err, "cert_status: Can't retrieve issuer certificate.\n");
-        X509_STORE_CTX_cleanup(&inctx);
        goto done;
    }
    req = OCSP_REQUEST_new();
    if (req == NULL)
        goto err;
-    id = OCSP_cert_to_id(NULL, x, obj.data.x509);
-    X509_free(obj.data.x509);
-    X509_STORE_CTX_cleanup(&inctx);
+    id = OCSP_cert_to_id(NULL, x, X509_OBJECT_get0_X509(obj));
+    X509_OBJECT_free(obj);
    if (!id)
        goto err;
    if (!OCSP_request_add0_id(req, id))
@@ -703,6 +702,10 @@ static int cert_status_cb(SSL *s, void *arg)
        OCSP_RESPONSE_print(bio_err, resp, 2);
    }
    ret = SSL_TLSEXT_ERR_OK;
+    goto done;
+
+ err:
+    ret = SSL_TLSEXT_ERR_ALERT_FATAL;
 done:
    if (ret != SSL_TLSEXT_ERR_OK)
        ERR_print_errors(bio_err);
@@ -715,11 +718,10 @@ static int cert_status_cb(SSL *s, void *arg)
    OCSP_CERTID_free(id);
    OCSP_REQUEST_free(req);
    OCSP_RESPONSE_free(resp);
+    X509_STORE_CTX_free(inctx);
    return ret;
- err:
-    ret = SSL_TLSEXT_ERR_ALERT_FATAL;
-    goto done;
 }
+#endif

 #ifndef OPENSSL_NO_NEXTPROTONEG
 /* This is the context that we pass to next_proto_cb */
@@ -922,12 +924,14 @@ OPTIONS s_server_options[] = {
     "CA file for certificate verification (PEM format)"},
    {"ign_eof", OPT_IGN_EOF, '-', "ignore input eof (default when -quiet)"},
    {"no_ign_eof", OPT_NO_IGN_EOF, '-', "Do not ignore input eof"},
+#ifndef OPENSSL_NO_OCSP
    {"status", OPT_STATUS, '-', "Request certificate status from server"},
    {"status_verbose", OPT_STATUS_VERBOSE, '-',
     "Print more output in certificate status callback"},
    {"status_timeout", OPT_STATUS_TIMEOUT, 'n',
     "Status request responder timeout"},
    {"status_url", OPT_STATUS_URL, 's', "Status request fallback URL"},
+#endif
 #ifndef OPENSSL_NO_SSL_TRACE
    {"trace", OPT_TRACE, '-', "trace protocol messages"},
 #endif
@@ -1326,6 +1330,7 @@ int s_server_main(int argc, char *argv[])
            tlscstatp.timeout = atoi(opt_arg());
            break;
        case OPT_STATUS_URL:
+#ifndef OPENSSL_NO_OCSP
            s_tlsextstatus = 1;
            if (!OCSP_parse_url(opt_arg(),
                                &tlscstatp.host,
@@ -1334,6 +1339,7 @@ int s_server_main(int argc, char *argv[])
                BIO_printf(bio_err, "Error parsing URL\n");
                goto end;
            }
+#endif
            break;
        case OPT_MSG:
            s_msg = 1;
@@ -2012,6 +2018,7 @@ int s_server_main(int argc, char *argv[])
        if (ctx2)
            SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(CAfile));
    }
+#ifndef OPENSSL_NO_OCSP
    if (s_tlsextstatus) {
        SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb);
        SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp);
@@ -2020,6 +2027,7 @@ int s_server_main(int argc, char *argv[])
            SSL_CTX_set_tlsext_status_arg(ctx2, &tlscstatp);
        }
    }
+#endif

    BIO_printf(bio_s_out, "ACCEPT\n");
    (void)BIO_flush(bio_s_out);
@@ -2112,7 +2120,7 @@ static int sv_body(int s, int stype, unsigned char *context)
    SSL *con = NULL;
    BIO *sbio;
    struct timeval timeout;
-#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
    struct timeval tv;
 #else
    struct timeval *timeoutp;
@@ -2228,7 +2236,7 @@ static int sv_body(int s, int stype, unsigned char *context)

        if (!read_from_sslcon) {
            FD_ZERO(&readfds);
-#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE)
+#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
            openssl_fdset(fileno(stdin), &readfds);
 #endif
            openssl_fdset(s, &readfds);
@@ -2239,7 +2247,7 @@ static int sv_body(int s, int stype, unsigned char *context)
             * if you do have a cast then you can either go for (int *) or
             * (void *).
             */
-#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
            /*
             * Under DOS (non-djgpp) and Windows we can't select on stdin:
             * only on sockets. As a workaround we timeout the select every
@@ -2793,9 +2801,7 @@ static int www_body(int s, int stype, unsigned char *context)
                    continue;
                }
 #endif
-#if defined(OPENSSL_SYS_NETWARE)
-                delay(1000);
-#elif !defined(OPENSSL_SYS_MSDOS)
+#if !defined(OPENSSL_SYS_MSDOS)
                sleep(1);
 #endif
                continue;
@@ -3186,9 +3192,7 @@ static int rev_body(int s, int stype, unsigned char *context)
                    continue;
                }
 #endif
-#if defined(OPENSSL_SYS_NETWARE)
-                delay(1000);
-#elif !defined(OPENSSL_SYS_MSDOS)
+#if !defined(OPENSSL_SYS_MSDOS)
                sleep(1);
 #endif
                continue;
@@ -3372,3 +3376,5 @@ static void free_sessions(void)
    }
    first = NULL;
 }
+
+#endif
--- a/apps/s_socket.c
+++ b/apps/s_socket.c
@@ -109,6 +109,7 @@
 #include <string.h>
 #include <errno.h>
 #include <signal.h>
+#include <openssl/opensslconf.h>

 /*
 * With IPv6, it looks like Digital has mixed up the proper order of
--- a/apps/s_time.c
+++ b/apps/s_time.c
@@ -66,6 +66,10 @@
 #include <stdlib.h>
 #include <string.h>

+#include <openssl/opensslconf.h>
+
+#ifndef OPENSSL_NO_SOCK
+
 #define USE_SOCKETS
 #include "apps.h"
 #include <openssl/x509.h>
@@ -474,3 +478,4 @@ static SSL *doConnection(SSL *scon, const char *host, SSL_CTX *ctx)

    return serverCon;
 }
+#endif /* OPENSSL_NO_SOCK */
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -91,10 +91,6 @@
 # include OPENSSL_UNISTD
 #endif

-#ifndef OPENSSL_SYS_NETWARE
-# include <signal.h>
-#endif
-
 #if defined(_WIN32)
 # include <windows.h>
 #endif
@@ -103,9 +99,7 @@
 #ifndef OPENSSL_NO_DES
 # include <openssl/des.h>
 #endif
-#ifndef OPENSSL_NO_AES
-# include <openssl/aes.h>
-#endif
+#include <openssl/aes.h>
 #ifndef OPENSSL_NO_CAMELLIA
 # include <openssl/camellia.h>
 #endif
@@ -165,7 +159,7 @@
 #include <openssl/modes.h>

 #ifndef HAVE_FORK
-# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_OS2) || defined(OPENSSL_SYS_NETWARE)
+# if defined(OPENSSL_SYS_VMS) || defined(OPENSSL_SYS_WINDOWS)
 #  define HAVE_FORK 0
 # else
 #  define HAVE_FORK 1
@@ -253,7 +247,6 @@ static int RC4_loop(void *args);
 static int DES_ncbc_encrypt_loop(void *args);
 static int DES_ede3_cbc_encrypt_loop(void *args);
 #endif
-#ifndef OPENSSL_NO_AES
 static int AES_cbc_128_encrypt_loop(void *args);
 static int AES_cbc_192_encrypt_loop(void *args);
 static int AES_ige_128_encrypt_loop(void *args);
@@ -261,7 +254,6 @@ static int AES_cbc_256_encrypt_loop(void *args);
 static int AES_ige_192_encrypt_loop(void *args);
 static int AES_ige_256_encrypt_loop(void *args);
 static int CRYPTO_gcm128_aad_loop(void *args);
-#endif
 static int EVP_Update_loop(void *args);
 static int EVP_Digest_loop(void *args);
 #ifndef OPENSSL_NO_RSA
@@ -314,10 +306,9 @@ static double ecdsa_results[EC_NUM][2];
 static double ecdh_results[EC_NUM][1];
 #endif

-#if defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_EC)
+#if !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_EC)
 static const char rnd_seed[] =
    "string to make the random number generator think it has entropy";
-static int rnd_fake = 0;
 #endif

 #ifdef SIGALRM
@@ -513,14 +504,12 @@ static OPT_PAIR doit_choices[] = {
    {"des-cbc", D_CBC_DES},
    {"des-ede3", D_EDE3_DES},
 #endif
-#ifndef OPENSSL_NO_AES
    {"aes-128-cbc", D_CBC_128_AES},
    {"aes-192-cbc", D_CBC_192_AES},
    {"aes-256-cbc", D_CBC_256_AES},
    {"aes-128-ige", D_IGE_128_AES},
    {"aes-192-ige", D_IGE_192_AES},
    {"aes-256-ige", D_IGE_256_AES},
-#endif
 #ifndef OPENSSL_NO_RC2
    {"rc2-cbc", D_CBC_RC2},
    {"rc2", D_CBC_RC2},
@@ -551,15 +540,17 @@ static OPT_PAIR doit_choices[] = {
    {NULL}
 };

-#define R_DSA_512       0
-#define R_DSA_1024      1
-#define R_DSA_2048      2
+#ifndef OPENSSL_NO_DSA
+# define R_DSA_512       0
+# define R_DSA_1024      1
+# define R_DSA_2048      2
 static OPT_PAIR dsa_choices[] = {
    {"dsa512", R_DSA_512},
    {"dsa1024", R_DSA_1024},
    {"dsa2048", R_DSA_2048},
    {NULL},
 };
+#endif

 #define R_RSA_512       0
 #define R_RSA_1024      1
@@ -822,14 +813,9 @@ static int DES_ede3_cbc_encrypt_loop(void *args)
 }
 #endif

-#ifndef OPENSSL_NO_AES
-# define MAX_BLOCK_SIZE 128
-#else
-# define MAX_BLOCK_SIZE 64
-#endif
+#define MAX_BLOCK_SIZE 128

 static unsigned char iv[2 * MAX_BLOCK_SIZE / 8];
-#ifndef OPENSSL_NO_AES
 static AES_KEY aes_ks1, aes_ks2, aes_ks3;
 static int AES_cbc_128_encrypt_loop(void *args)
 {
@@ -917,8 +903,6 @@ static int CRYPTO_gcm128_aad_loop(void *args)
    return count;
 }

-#endif
-
 static int decrypt = 0;
 static int EVP_Update_loop(void *args)
 {
@@ -1176,6 +1160,16 @@ static int run_benchmark(int async_jobs, int (*loop_function)(void *), loopargs_
                max_fd = job_fd;
        }

+        if (max_fd >= (OSSL_ASYNC_FD)FD_SETSIZE) {
+            BIO_printf(bio_err,
+                    "Error: max_fd (%d) must be smaller than FD_SETSIZE (%d). "
+                    "Decrease the value of async_jobs\n",
+                    max_fd, FD_SETSIZE);
+            ERR_print_errors(bio_err);
+            error = 1;
+            break;
+        }
+
        select_result = select(max_fd + 1, &waitfdset, NULL, NULL, NULL);
        if (select_result == -1 && errno == EINTR)
            continue;
@@ -1251,7 +1245,10 @@ int speed_main(int argc, char **argv)
    double d = 0.0;
    OPTION_CHOICE o;
    int multiblock = 0, doit[ALGOR_NUM], pr_header = 0;
-    int dsa_doit[DSA_NUM], rsa_doit[RSA_NUM];
+#ifndef OPENSSL_NO_DSA
+    int dsa_doit[DSA_NUM];
+#endif
+    int rsa_doit[RSA_NUM];
    int ret = 1, i, k, misalign = 0;
    long c[ALGOR_NUM][SIZE_NUM], count = 0, save_count = 0;
 #ifndef NO_FORK
@@ -1284,7 +1281,6 @@ int speed_main(int argc, char **argv)
        0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
        0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12
    };
-#ifndef OPENSSL_NO_AES
    static const unsigned char key24[24] = {
        0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
        0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12,
@@ -1296,7 +1292,6 @@ int speed_main(int argc, char **argv)
        0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34,
        0x78, 0x9a, 0xbc, 0xde, 0xf0, 0x12, 0x34, 0x56
    };
-#endif
 #ifndef OPENSSL_NO_CAMELLIA
    static const unsigned char ckey24[24] = {
        0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0,
@@ -1390,15 +1385,19 @@ int speed_main(int argc, char **argv)
    memset(results, 0, sizeof(results));

    memset(c, 0, sizeof(c));
+#ifndef OPENSSL_NO_DES
    memset(DES_iv, 0, sizeof(DES_iv));
+#endif
    memset(iv, 0, sizeof(iv));

    for (i = 0; i < ALGOR_NUM; i++)
        doit[i] = 0;
    for (i = 0; i < RSA_NUM; i++)
        rsa_doit[i] = 0;
+#ifndef OPENSSL_NO_DSA
    for (i = 0; i < DSA_NUM; i++)
        dsa_doit[i] = 0;
+#endif
 #ifndef OPENSSL_NO_EC
    for (i = 0; i < EC_NUM; i++)
        ecdsa_doit[i] = 0;
@@ -1528,13 +1527,11 @@ int speed_main(int argc, char **argv)
            continue;
        }
 #endif
-#ifndef OPENSSL_NO_AES
        if (strcmp(*argv, "aes") == 0) {
            doit[D_CBC_128_AES] = doit[D_CBC_192_AES] =
                doit[D_CBC_256_AES] = 1;
            continue;
        }
-#endif
 #ifndef OPENSSL_NO_CAMELLIA
        if (strcmp(*argv, "camellia") == 0) {
            doit[D_CBC_128_CML] = doit[D_CBC_192_CML] =
@@ -1614,8 +1611,10 @@ int speed_main(int argc, char **argv)
                doit[i] = 1;
        for (i = 0; i < RSA_NUM; i++)
            rsa_doit[i] = 1;
+#ifndef OPENSSL_NO_DSA
        for (i = 0; i < DSA_NUM; i++)
            dsa_doit[i] = 1;
+#endif
 #ifndef OPENSSL_NO_EC
        for (i = 0; i < EC_NUM; i++)
            ecdsa_doit[i] = 1;
@@ -1659,18 +1658,16 @@ int speed_main(int argc, char **argv)
    DES_set_key_unchecked(&key2, &sch2);
    DES_set_key_unchecked(&key3, &sch3);
 #endif
-#ifndef OPENSSL_NO_AES
    AES_set_encrypt_key(key16, 128, &aes_ks1);
    AES_set_encrypt_key(key24, 192, &aes_ks2);
    AES_set_encrypt_key(key32, 256, &aes_ks3);
-#endif
 #ifndef OPENSSL_NO_CAMELLIA
    Camellia_set_key(key16, 128, &camellia_ks1);
    Camellia_set_key(ckey24, 192, &camellia_ks2);
    Camellia_set_key(ckey32, 256, &camellia_ks3);
 #endif
 #ifndef OPENSSL_NO_IDEA
-    idea_set_encrypt_key(key16, &idea_ks);
+    IDEA_set_encrypt_key(key16, &idea_ks);
 #endif
 #ifndef OPENSSL_NO_SEED
    SEED_set_key(key16, &seed_ks);
@@ -2063,7 +2060,7 @@ int speed_main(int argc, char **argv)
        }
    }
 #endif
-#ifndef OPENSSL_NO_AES
+
    if (doit[D_CBC_128_AES]) {
        for (testnum = 0; testnum < SIZE_NUM; testnum++) {
            print_message(names[D_CBC_128_AES], c[D_CBC_128_AES][testnum],
@@ -2141,7 +2138,7 @@ int speed_main(int argc, char **argv)
        for (i = 0; i < loopargs_len; i++)
            CRYPTO_gcm128_release(loopargs[i].gcm_ctx);
    }
-#endif
+
 #ifndef OPENSSL_NO_CAMELLIA
    if (doit[D_CBC_128_CML]) {
        for (testnum = 0; testnum < SIZE_NUM; testnum++) {
@@ -2205,7 +2202,7 @@ int speed_main(int argc, char **argv)
            }
            Time_F(START);
            for (count = 0, run = 1; COND(c[D_CBC_IDEA][testnum]); count++)
-                idea_cbc_encrypt(loopargs[0].buf, loopargs[0].buf,
+                IDEA_cbc_encrypt(loopargs[0].buf, loopargs[0].buf,
                                 (unsigned long)lengths[testnum], &idea_ks,
                                 iv, IDEA_ENCRYPT);
            d = Time_F(STOP);
@@ -2431,7 +2428,6 @@ int speed_main(int argc, char **argv)
 #ifndef OPENSSL_NO_DSA
    if (RAND_status() != 1) {
        RAND_seed(rnd_seed, sizeof rnd_seed);
-        rnd_fake = 1;
    }
    for (testnum = 0; testnum < DSA_NUM; testnum++) {
        int st = 0;
@@ -2495,14 +2491,11 @@ int speed_main(int argc, char **argv)
                dsa_doit[testnum] = 0;
        }
    }
-    if (rnd_fake)
-        RAND_cleanup();
 #endif

 #ifndef OPENSSL_NO_EC
    if (RAND_status() != 1) {
        RAND_seed(rnd_seed, sizeof rnd_seed);
-        rnd_fake = 1;
    }
    for (testnum = 0; testnum < EC_NUM; testnum++) {
        int st = 1;
@@ -2584,14 +2577,11 @@ int speed_main(int argc, char **argv)
            }
        }
    }
-    if (rnd_fake)
-        RAND_cleanup();
 #endif

 #ifndef OPENSSL_NO_EC
    if (RAND_status() != 1) {
        RAND_seed(rnd_seed, sizeof rnd_seed);
-        rnd_fake = 1;
    }
    for (testnum = 0; testnum < EC_NUM; testnum++) {
        if (!ecdh_doit[testnum])
@@ -2683,8 +2673,6 @@ int speed_main(int argc, char **argv)
                ecdh_doit[testnum] = 0;
        }
    }
-    if (rnd_fake)
-        RAND_cleanup();
 #endif
 #ifndef NO_FORK
 show_res:
@@ -2703,11 +2691,9 @@ int speed_main(int argc, char **argv)
 #ifndef OPENSSL_NO_DES
        printf("%s ", DES_options());
 #endif
-#ifndef OPENSSL_NO_AES
        printf("%s ", AES_options());
-#endif
 #ifndef OPENSSL_NO_IDEA
-        printf("%s ", idea_options());
+        printf("%s ", IDEA_options());
 #endif
 #ifndef OPENSSL_NO_BF
        printf("%s ", BF_options());
--- a/apps/srp.c
+++ b/apps/srp.c
@@ -653,7 +653,6 @@ int srp_main(int argc, char **argv)
        app_RAND_write_file(randfile);
    NCONF_free(conf);
    free_index(db);
-    OBJ_cleanup();
    return (ret);
 }
 #endif
--- a/apps/testdsa.h
+++ b/apps/testdsa.h
@@ -92,18 +92,35 @@ static unsigned char dsa512_g[] = {
 DSA *get_dsa512()
 {
    DSA *dsa;
+    BIGNUM *priv_key, *pub_key, *p, *q, *g;

    if ((dsa = DSA_new()) == NULL)
        return (NULL);
-    dsa->priv_key = BN_bin2bn(dsa512_priv, sizeof(dsa512_priv), NULL);
-    dsa->pub_key = BN_bin2bn(dsa512_pub, sizeof(dsa512_pub), NULL);
-    dsa->p = BN_bin2bn(dsa512_p, sizeof(dsa512_p), NULL);
-    dsa->q = BN_bin2bn(dsa512_q, sizeof(dsa512_q), NULL);
-    dsa->g = BN_bin2bn(dsa512_g, sizeof(dsa512_g), NULL);
-    if ((dsa->priv_key == NULL) || (dsa->pub_key == NULL) || (dsa->p == NULL)
-        || (dsa->q == NULL) || (dsa->g == NULL))
-        return (NULL);
-    return (dsa);
+    priv_key = BN_bin2bn(dsa512_priv, sizeof(dsa512_priv), NULL);
+    pub_key = BN_bin2bn(dsa512_pub, sizeof(dsa512_pub), NULL);
+    p = BN_bin2bn(dsa512_p, sizeof(dsa512_p), NULL);
+    q = BN_bin2bn(dsa512_q, sizeof(dsa512_q), NULL);
+    g = BN_bin2bn(dsa512_g, sizeof(dsa512_g), NULL);
+    if ((priv_key == NULL) || (pub_key == NULL) || (p == NULL) || (q == NULL)
+            || (g == NULL)) {
+        goto err;
+    }
+    if (!DSA_set0_pqg(dsa, p, q, g))
+        goto err;
+    p = q = g = NULL;
+
+    if (!DSA_set0_key(dsa, pub_key, priv_key))
+        goto err;
+
+    return dsa;
+ err:
+    DSA_free(dsa);
+    BN_free(priv_key);
+    BN_free(pub_key);
+    BN_free(p);
+    BN_free(q);
+    BN_free(g);
+    return NULL;
 }

 static unsigned char dsa1024_priv[] = {
@@ -161,18 +178,35 @@ static unsigned char dsa1024_g[] = {
 DSA *get_dsa1024()
 {
    DSA *dsa;
+    BIGNUM *priv_key, *pub_key, *p, *q, *g;

    if ((dsa = DSA_new()) == NULL)
        return (NULL);
-    dsa->priv_key = BN_bin2bn(dsa1024_priv, sizeof(dsa1024_priv), NULL);
-    dsa->pub_key = BN_bin2bn(dsa1024_pub, sizeof(dsa1024_pub), NULL);
-    dsa->p = BN_bin2bn(dsa1024_p, sizeof(dsa1024_p), NULL);
-    dsa->q = BN_bin2bn(dsa1024_q, sizeof(dsa1024_q), NULL);
-    dsa->g = BN_bin2bn(dsa1024_g, sizeof(dsa1024_g), NULL);
-    if ((dsa->priv_key == NULL) || (dsa->pub_key == NULL) || (dsa->p == NULL)
-        || (dsa->q == NULL) || (dsa->g == NULL))
-        return (NULL);
-    return (dsa);
+    priv_key = BN_bin2bn(dsa1024_priv, sizeof(dsa1024_priv), NULL);
+    pub_key = BN_bin2bn(dsa1024_pub, sizeof(dsa1024_pub), NULL);
+    p = BN_bin2bn(dsa1024_p, sizeof(dsa1024_p), NULL);
+    q = BN_bin2bn(dsa1024_q, sizeof(dsa1024_q), NULL);
+    g = BN_bin2bn(dsa1024_g, sizeof(dsa1024_g), NULL);
+    if ((priv_key == NULL) || (pub_key == NULL) || (p == NULL) || (q == NULL)
+            || (g == NULL)) {
+        goto err;
+    }
+    if (!DSA_set0_pqg(dsa, p, q, g))
+        goto err;
+    p = q = g = NULL;
+
+    if (!DSA_set0_key(dsa, pub_key, priv_key))
+        goto err;
+
+    return dsa;
+ err:
+    DSA_free(dsa);
+    BN_free(priv_key);
+    BN_free(pub_key);
+    BN_free(p);
+    BN_free(q);
+    BN_free(g);
+    return NULL;
 }

 static unsigned char dsa2048_priv[] = {
@@ -263,20 +297,34 @@ static unsigned char dsa2048_g[] = {
 DSA *get_dsa2048()
 {
    DSA *dsa;
+    BIGNUM *priv_key, *pub_key, *p, *q, *g;

    if ((dsa = DSA_new()) == NULL)
        return (NULL);
-    dsa->priv_key = BN_bin2bn(dsa2048_priv, sizeof(dsa2048_priv), NULL);
-    dsa->pub_key = BN_bin2bn(dsa2048_pub, sizeof(dsa2048_pub), NULL);
-    dsa->p = BN_bin2bn(dsa2048_p, sizeof(dsa2048_p), NULL);
-    dsa->q = BN_bin2bn(dsa2048_q, sizeof(dsa2048_q), NULL);
-    dsa->g = BN_bin2bn(dsa2048_g, sizeof(dsa2048_g), NULL);
-    if ((dsa->priv_key == NULL) || (dsa->pub_key == NULL) || (dsa->p == NULL)
-        || (dsa->q == NULL) || (dsa->g == NULL))
-        return (NULL);
-    return (dsa);
+    priv_key = BN_bin2bn(dsa2048_priv, sizeof(dsa2048_priv), NULL);
+    pub_key = BN_bin2bn(dsa2048_pub, sizeof(dsa2048_pub), NULL);
+    p = BN_bin2bn(dsa2048_p, sizeof(dsa2048_p), NULL);
+    q = BN_bin2bn(dsa2048_q, sizeof(dsa2048_q), NULL);
+    g = BN_bin2bn(dsa2048_g, sizeof(dsa2048_g), NULL);
+    if ((priv_key == NULL) || (pub_key == NULL) || (p == NULL) || (q == NULL)
+            || (g == NULL)) {
+        goto err;
+    }
+    if (!DSA_set0_pqg(dsa, p, q, g))
+        goto err;
+    p = q = g = NULL;
+
+    if (!DSA_set0_key(dsa, pub_key, priv_key))
+        goto err;
+
+    return dsa;
+ err:
+    DSA_free(dsa);
+    BN_free(priv_key);
+    BN_free(pub_key);
+    BN_free(p);
+    BN_free(q);
+    BN_free(g);
+    return NULL;
 }

-static const char rnd_seed[] =
-    "string to make the random number generator think it has entropy";
-static int rnd_fake = 0;
--- a/apps/ts.c
+++ b/apps/ts.c
@@ -56,25 +56,29 @@
 *
 */

-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include "apps.h"
-#include <openssl/bio.h>
-#include <openssl/err.h>
-#include <openssl/pem.h>
-#include <openssl/rand.h>
-#include <openssl/ts.h>
-#include <openssl/bn.h>
+#include <openssl/opensslconf.h>
+#ifdef OPENSSL_NO_TS
+NON_EMPTY_TRANSLATION_UNIT
+#else
+# include <stdio.h>
+# include <stdlib.h>
+# include <string.h>
+# include "apps.h"
+# include <openssl/bio.h>
+# include <openssl/err.h>
+# include <openssl/pem.h>
+# include <openssl/rand.h>
+# include <openssl/ts.h>
+# include <openssl/bn.h>

 /* Request nonce length, in bits (must be a multiple of 8). */
-#define NONCE_LENGTH            64
+# define NONCE_LENGTH            64

 /* Name of config entry that defines the OID file. */
-#define ENV_OID_FILE            "oid_file"
+# define ENV_OID_FILE            "oid_file"

 /* Is |EXACTLY_ONE| of three pointers set? */
-#define EXACTLY_ONE(a, b, c) \
+# define EXACTLY_ONE(a, b, c) \
        (( a && !b && !c) || \
         ( b && !a && !c) || \
         ( c && !a && !b))
@@ -159,9 +163,9 @@ OPTIONS ts_options[] = {
    {"CAfile", OPT_CAFILE, '<', "File with trusted CA certs"},
    {"untrusted", OPT_UNTRUSTED, '<', "File with untrusted certs"},
    {"", OPT_MD, '-', "Any supported digest"},
-#ifndef OPENSSL_NO_ENGINE
+# ifndef OPENSSL_NO_ENGINE
    {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
-#endif
+# endif
    {OPT_HELP_STR, 1, '-', "\nOptions specific to 'ts -verify': \n"},
    OPT_V_OPTIONS,
    {OPT_HELP_STR, 1, '-', "\n"},
@@ -182,11 +186,11 @@ static char* opt_helplist[] = {
    "          [-signer tsa_cert.pem] [-inkey private_key.pem]",
    "          [-chain certs_file.pem] [-tspolicy oid]",
    "          [-in file] [-token_in] [-out file] [-token_out]",
-#ifndef OPENSSL_NO_ENGINE
+# ifndef OPENSSL_NO_ENGINE
    "          [-text]",
-#else
+# else
    "          [-text] [-engine id]",
-#endif
+# endif
    "  or",
    "ts -verify -CApath dir -CAfile file.pem -untrusted file.pem",
    "           [-data file] [-digest hexstring]",
@@ -379,7 +383,6 @@ int ts_main(int argc, char **argv)
    app_RAND_write_file(NULL);
    NCONF_free(conf);
    OPENSSL_free(password);
-    OBJ_cleanup();
    return (ret);
 }

@@ -564,7 +567,7 @@ static int create_digest(BIO *input, char *digest, const EVP_MD *md,
        EVP_MD_CTX_free(md_ctx);
    } else {
        long digest_len;
-        *md_value = string_to_hex(digest, &digest_len);
+        *md_value = OPENSSL_hexstr2buf(digest, &digest_len);
        if (!*md_value || md_value_len != digest_len) {
            OPENSSL_free(*md_value);
            *md_value = NULL;
@@ -735,10 +738,10 @@ static TS_RESP *create_response(CONF *conf, const char *section, char *engine,
        goto end;
    if (!TS_CONF_set_serial(conf, section, serial_cb, resp_ctx))
        goto end;
-#ifndef OPENSSL_NO_ENGINE
+# ifndef OPENSSL_NO_ENGINE
    if (!TS_CONF_set_crypto_device(conf, section, engine))
        goto end;
-#endif
+# endif
    if (!TS_CONF_set_signer_cert(conf, section, signer, resp_ctx))
        goto end;
    if (!TS_CONF_set_certs(conf, section, chain, resp_ctx))
@@ -936,7 +939,7 @@ static TS_VERIFY_CTX *create_verify_ctx(char *data, char *digest,
                goto err;
        } else if (digest != NULL) {
            long imprint_len;
-            unsigned char *hexstr = string_to_hex(digest, &imprint_len);
+            unsigned char *hexstr = OPENSSL_hexstr2buf(digest, &imprint_len);
            f |= TS_VFY_IMPRINT;
            if (TS_VERIFY_CTX_set_imprint(ctx, hexstr, imprint_len) == NULL) {
                BIO_printf(bio_err, "invalid digest string\n");
@@ -1026,3 +1029,4 @@ static int verify_cb(int ok, X509_STORE_CTX *ctx)
 {
    return ok;
 }
+#endif
--- a/apps/tsget.in
+++ b/apps/tsget.in
@@ -1,4 +1,4 @@
-#!/usr/bin/perl -w
+#!{- $config{perl} -}
 # Written by Zoltan Glozik <zglozik@stones.com>.
 # Copyright (c) 2002 The OpenTSA Project.  All rights reserved.
 $::version = '$Id: tsget,v 1.3 2009/09/07 17:57:18 steve Exp $';
--- a/apps/verify.c
+++ b/apps/verify.c
@@ -269,7 +269,7 @@ static int check(X509_STORE *ctx, char *file,
        goto end;
    }
    if (tchain)
-        X509_STORE_CTX_trusted_stack(csc, tchain);
+        X509_STORE_CTX_set0_trusted_stack(csc, tchain);
    if (crls)
        X509_STORE_CTX_set0_crls(csc, crls);
    i = X509_verify_cert(csc);
--- a/apps/version.c
+++ b/apps/version.c
@@ -190,7 +190,7 @@ int version_main(int argc, char **argv)
            dirty = version = 1;
            break;
        case OPT_A:
-            cflags = version = date = platform = dir = 1;
+            cflags = version = date = platform = dir = engdir = 1;
            break;
        }
    }
@@ -222,7 +222,7 @@ int version_main(int argc, char **argv)
        printf("%s ", DES_options());
 #endif
 #ifndef OPENSSL_NO_IDEA
-        printf("%s ", idea_options());
+        printf("%s ", IDEA_options());
 #endif
 #ifndef OPENSSL_NO_BF
        printf("%s ", BF_options());
--- a/apps/vms_decc_init.c
+++ b/apps/vms_decc_init.c
@@ -105,6 +105,7 @@ decc_feat_t decc_feat_array[] = {
    {(char *)NULL, 0}
 };

+
 char **copy_argv(int *argc, char *argv[])
 {
    /*-
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -562,12 +562,11 @@ int x509_main(int argc, char **argv)
            goto end;
        }

-        if ((pkey = X509_REQ_get_pubkey(req)) == NULL) {
+        if ((pkey = X509_REQ_get0_pubkey(req)) == NULL) {
            BIO_printf(bio_err, "error unpacking public key\n");
            goto end;
        }
        i = X509_REQ_verify(req, pkey);
-        EVP_PKEY_free(pkey);
        if (i < 0) {
            BIO_printf(bio_err, "Signature verification error\n");
            ERR_print_errors(bio_err);
@@ -607,9 +606,8 @@ int x509_main(int argc, char **argv)
        if (fkey)
            X509_set_pubkey(x, fkey);
        else {
-            pkey = X509_REQ_get_pubkey(req);
+            pkey = X509_REQ_get0_pubkey(req);
            X509_set_pubkey(x, pkey);
-            EVP_PKEY_free(pkey);
        }
    } else
        x = load_cert(infile, informat, "Certificate");
@@ -729,16 +727,22 @@ int x509_main(int argc, char **argv)
                }
                BIO_printf(out, "Modulus=");
 #ifndef OPENSSL_NO_RSA
-                if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA)
-                    BN_print(out, EVP_PKEY_get0_RSA(pkey)->n);
-                else
+                if (EVP_PKEY_id(pkey) == EVP_PKEY_RSA) {
+                    BIGNUM *n;
+                    RSA_get0_key(EVP_PKEY_get0_RSA(pkey), &n, NULL, NULL);
+                    BN_print(out, n);
+                } else
 #endif
 #ifndef OPENSSL_NO_DSA
-                if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA)
-                    BN_print(out, EVP_PKEY_get0_DSA(pkey)->pub_key);
-                else
+                if (EVP_PKEY_id(pkey) == EVP_PKEY_DSA) {
+                    BIGNUM *dsapub = NULL;
+                    DSA_get0_key(EVP_PKEY_get0_DSA(pkey), &dsapub, NULL);
+                    BN_print(out, dsapub);
+                } else
 #endif
+                {
                    BIO_printf(out, "Wrong Algorithm type");
+                }
                BIO_printf(out, "\n");
            } else if (pubkey == i) {
                EVP_PKEY *pkey;
@@ -915,7 +919,6 @@ int x509_main(int argc, char **argv)
 end:
    if (need_rand)
        app_RAND_write_file(NULL);
-    OBJ_cleanup();
    NCONF_free(extconf);
    BIO_free_all(out);
    X509_STORE_free(ctx);
@@ -984,13 +987,14 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
 {
    int ret = 0;
    ASN1_INTEGER *bs = NULL;
-    X509_STORE_CTX xsc;
+    X509_STORE_CTX *xsc = NULL;
    EVP_PKEY *upkey;

    upkey = X509_get0_pubkey(xca);
    EVP_PKEY_copy_parameters(upkey, pkey);

-    if (!X509_STORE_CTX_init(&xsc, ctx, x, NULL)) {
+    xsc = X509_STORE_CTX_new();
+    if (xsc == NULL || !X509_STORE_CTX_init(xsc, ctx, x, NULL)) {
        BIO_printf(bio_err, "Error initialising X509 store\n");
        goto end;
    }
@@ -1003,9 +1007,9 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
     * NOTE: this certificate can/should be self signed, unless it was a
     * certificate request in which case it is not.
     */
-    X509_STORE_CTX_set_cert(&xsc, x);
-    X509_STORE_CTX_set_flags(&xsc, X509_V_FLAG_CHECK_SS_SIGNATURE);
-    if (!reqfile && X509_verify_cert(&xsc) <= 0)
+    X509_STORE_CTX_set_cert(xsc, x);
+    X509_STORE_CTX_set_flags(xsc, X509_V_FLAG_CHECK_SS_SIGNATURE);
+    if (!reqfile && X509_verify_cert(xsc) <= 0)
        goto end;

    if (!X509_check_private_key(xca, pkey)) {
@@ -1044,7 +1048,7 @@ static int x509_certify(X509_STORE *ctx, char *CAfile, const EVP_MD *digest,
        goto end;
    ret = 1;
 end:
-    X509_STORE_CTX_cleanup(&xsc);
+    X509_STORE_CTX_free(xsc);
    if (!ret)
        ERR_print_errors(bio_err);
    if (!sno)
--- a/appveyor.yml
+++ b/appveyor.yml
@@ -21,9 +21,9 @@ before_build:
        }
    - ps: >-
        If ($env:Configuration -Match "shared") {
-            $env:SHARED="shared"
-        } Else {
            $env:SHARED=""
+        } Else {
+            $env:SHARED="no-shared"
        }
    - ps: $env:VSCOMNTOOLS=(Get-Content ("env:VS" + "$env:VSVER" + "0COMNTOOLS"))
    - call "%VSCOMNTOOLS%\..\..\VC\vcvarsall.bat" %VCVARS_PLATFORM%
--- a/build.info
+++ b/build.info
@@ -13,8 +13,8 @@ ELSIF[{- $config{target} =~ /^mingw/ -}]
 SHARED_NAME[libcrypto]=libcrypto-{- $config{shlib_major}."_".$config{shlib_minor} -}{- $config{target} eq "mingw64" ? "-x64" : "" -}
 SHARED_NAME[libssl]=libssl-{- $config{shlib_major}."_".$config{shlib_minor} -}{- $config{target} eq "mingw64" ? "-x64" : "" -}
 ELSIF[{- $config{target} =~ /^VC-/ -}]
- SHARED_NAME[libcrypto]=libcrypto-{- $config{shlib_major}."_".$config{shlib_minor} -}{- $config{target} =~ /^VC-WIN64/ ? "-x64" : "" -}
- SHARED_NAME[libssl]=libssl-{- $config{shlib_major}."_".$config{shlib_minor} -}{- $config{target} =~ /^VC-WIN64/ ? "-x64" : "" -}
+ SHARED_NAME[libcrypto]=libcrypto-{- $config{shlib_major}."_".$config{shlib_minor} -}{- $target{multilib} -}
+ SHARED_NAME[libssl]=libssl-{- $config{shlib_major}."_".$config{shlib_minor} -}{- $target{multilib} -}
 ENDIF

 # VMS has a cultural standard where all libraries are prefixed.
--- a/8
+++ b/8
@@ -202,6 +202,10 @@ case "${SYSTEM}:${RELEASE}:${VERSION}:${MACHINE}" in
 	echo "${MACHINE}-whatever-freebsd"; exit 0
 	;;

+    Haiku:*)
+	echo "${MACHINE}-whatever-haiku"; exit 0
+	;;
+
    NetBSD:*:*:*386*)
        echo "`(/usr/sbin/sysctl -n hw.model || /sbin/sysctl -n hw.model) | sed 's,.*\(.\)86-class.*,i\186,'`-whatever-netbsd"; exit 0
 	;;
@@ -724,6 +728,8 @@ case "$GUESSOS" in
 			*ELF*)	OUT="BSD-x86-elf" ;;
 			*)	OUT="BSD-x86"; options="$options no-sse2" ;;
 			esac ;;
+  x86_64-*-haiku)	OUT="haiku-x86_64" ;;
+  *-*-haiku)		OUT="haiku-x86" ;;
  *-*-*bsd*)		OUT="BSD-generic32" ;;

  *-*-osf)		OUT="osf1-alpha-cc" ;;
@@ -770,7 +776,7 @@ case "$GUESSOS" in
 	     # PA-RISC 2.0 is no longer supported as separate 32-bit
 	     # target. This is compensated for by run-time detection
 	     # in most critical assembly modules and taking advantage
-	     # of 2.0 architectire in PA-RISC 1.1 build.
+	     # of 2.0 architecture in PA-RISC 1.1 build.
 	     OUT="hpux-parisc1_1-${CC}"
 	elif [ $CPU_VERSION -ge 528 ]; then	# PA-RISC 1.1+ CPU
 	     OUT="hpux-parisc1_1-${CC}"
--- a/crypto/Makefile.in
+++ b/crypto/Makefile.in
@@ -89,10 +89,6 @@ armv4cpuid.S:	armv4cpuid.pl;	$(PERL) armv4cpuid.pl $(PERLASM_SCHEME) $@
 subdirs:
 	@target=all; $(RECURSIVE_MAKE)

-files:
-	$(PERL) $(TOP)/util/files.pl "CPUID_OBJ=$(CPUID_OBJ)" Makefile >> $(TOP)/MINFO
-	@target=files; $(RECURSIVE_MAKE)
-
 # lib: $(LIB): are splitted to avoid end-less loop
 lib:	$(LIB)
 	@touch lib
--- a/crypto/aes/Makefile.in
+++ b/crypto/aes/Makefile.in
@@ -97,9 +97,6 @@ aes-armv4.o:	aes-armv4.S
 bsaes-%.S:	asm/bsaes-%.pl;	$(PERL) $< $(PERLASM_SCHEME) $@
 bsaes-armv7.o:	bsaes-armv7.S

-files:
-	$(PERL) $(TOP)/util/files.pl "AES_ENC=$(AES_ENC)" Makefile >> $(TOP)/MINFO
-
 depend:
 	$(TOP)/util/domd $(CFLAG) $(INCLUDES) -- $(PROGS) $(LIBSRC)

--- a/crypto/aes/aes_core.c
+++ b/crypto/aes/aes_core.c
@@ -27,11 +27,6 @@
 /* Note: rewritten a little bit to provide error control and an OpenSSL-
   compatible API */

-#ifndef AES_DEBUG
-# ifndef NDEBUG
-#  define NDEBUG
-# endif
-#endif
 #include <assert.h>

 #include <stdlib.h>
--- a/crypto/aes/aes_ecb.c
+++ b/crypto/aes/aes_ecb.c
@@ -48,11 +48,6 @@
 *
 */

-#ifndef AES_DEBUG
-# ifndef NDEBUG
-#  define NDEBUG
-# endif
-#endif
 #include <assert.h>

 #include <openssl/aes.h>
--- a/crypto/aes/aes_locl.h
+++ b/crypto/aes/aes_locl.h
@@ -52,11 +52,6 @@
 # define HEADER_AES_LOCL_H

 # include <openssl/e_os2.h>
-
-# ifdef OPENSSL_NO_AES
-#  error AES is disabled.
-# endif
-
 # include <stdio.h>
 # include <stdlib.h>
 # include <string.h>
--- a/crypto/aes/aes_x86core.c
+++ b/crypto/aes/aes_x86core.c
@@ -34,11 +34,6 @@
 */


-#ifndef AES_DEBUG
-# ifndef NDEBUG
-#  define NDEBUG
-# endif
-#endif
 #include <assert.h>

 #include <stdlib.h>
--- a/crypto/aes/asm/aes-ppc.pl
+++ b/crypto/aes/asm/aes-ppc.pl
@@ -590,7 +590,7 @@ Lenc_loop:
 	xor	$s2,$t2,$acc14
 	xor	$s3,$t3,$acc15
 	addi	$key,$key,16
-	bdnz-	Lenc_loop
+	bdnz	Lenc_loop

 	addi	$Tbl2,$Tbl0,2048
 	nop
@@ -1068,7 +1068,7 @@ Ldec_loop:
 	xor	$s2,$t2,$acc14
 	xor	$s3,$t3,$acc15
 	addi	$key,$key,16
-	bdnz-	Ldec_loop
+	bdnz	Ldec_loop

 	addi	$Tbl2,$Tbl0,2048
 	nop
--- a/crypto/asn1/Makefile.in
+++ b/crypto/asn1/Makefile.in
@@ -18,7 +18,7 @@ LIB=$(TOP)/libcrypto.a
 LIBSRC=	a_object.c a_bitstr.c a_utctm.c a_gentm.c a_time.c a_int.c a_octet.c \
 	a_print.c a_type.c a_dup.c a_d2i_fp.c a_i2d_fp.c \
 	a_utf8.c a_sign.c a_digest.c a_verify.c a_mbstr.c a_strex.c \
-	x_algor.c x_val.c x_pubkey.c x_sig.c x_bignum.c \
+	x_algor.c x_val.c x_sig.c x_bignum.c \
 	x_long.c x_info.c x_spki.c nsseq.c \
 	d2i_pu.c d2i_pr.c i2d_pu.c i2d_pr.c\
 	t_pkey.c t_spki.c t_bitst.c \
@@ -32,7 +32,7 @@ LIBSRC=	a_object.c a_bitstr.c a_utctm.c a_gentm.c a_time.c a_int.c a_octet.c \
 LIBOBJ= a_object.o a_bitstr.o a_utctm.o a_gentm.o a_time.o a_int.o a_octet.o \
 	a_print.o a_type.o a_dup.o a_d2i_fp.o a_i2d_fp.o \
 	a_utf8.o a_sign.o a_digest.o a_verify.o a_mbstr.o a_strex.o \
-	x_algor.o x_val.o x_pubkey.o x_sig.o x_bignum.o \
+	x_algor.o x_val.o x_sig.o x_bignum.o \
 	x_long.o x_info.o x_spki.o nsseq.o \
 	d2i_pu.o d2i_pr.o i2d_pu.o i2d_pr.o \
 	t_pkey.o t_spki.o t_bitst.o \
@@ -68,9 +68,6 @@ lib:	$(LIBOBJ)
 	$(RANLIB) $(LIB) || echo Never mind.
 	@touch lib

-files:
-	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
-
 depend:
 	$(TOP)/util/domd $(CFLAG) $(INCLUDES) -- $(PROGS) $(LIBSRC)

--- a/crypto/asn1/a_sign.c
+++ b/crypto/asn1/a_sign.c
@@ -216,6 +216,7 @@ int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1,
                   X509_ALGOR *algor2, ASN1_BIT_STRING *signature, void *asn,
                   EVP_PKEY *pkey, const EVP_MD *type)
 {
+    int rv;
    EVP_MD_CTX *ctx = EVP_MD_CTX_new();

    if (ctx == NULL) {
@@ -226,7 +227,11 @@ int ASN1_item_sign(const ASN1_ITEM *it, X509_ALGOR *algor1,
        EVP_MD_CTX_free(ctx);
        return 0;
    }
-    return ASN1_item_sign_ctx(it, algor1, algor2, signature, asn, ctx);
+
+    rv = ASN1_item_sign_ctx(it, algor1, algor2, signature, asn, ctx);
+
+    EVP_MD_CTX_free(ctx);
+    return rv;
 }

 int ASN1_item_sign_ctx(const ASN1_ITEM *it,
@@ -318,7 +323,6 @@ int ASN1_item_sign_ctx(const ASN1_ITEM *it,
    signature->flags &= ~(ASN1_STRING_FLAG_BITS_LEFT | 0x07);
    signature->flags |= ASN1_STRING_FLAG_BITS_LEFT;
 err:
-    EVP_MD_CTX_free(ctx);
    OPENSSL_clear_free((char *)buf_in, (unsigned int)inl);
    OPENSSL_clear_free((char *)buf_out, outll);
    return (outl);
--- a/crypto/asn1/ameth_lib.c
+++ b/crypto/asn1/ameth_lib.c
@@ -60,9 +60,7 @@
 #include "internal/cryptlib.h"
 #include <openssl/asn1t.h>
 #include <openssl/x509.h>
-#ifndef OPENSSL_NO_ENGINE
-# include <openssl/engine.h>
-#endif
+#include <openssl/engine.h>
 #include "internal/asn1_int.h"
 #include "internal/evp_int.h"

@@ -86,7 +84,9 @@ static const EVP_PKEY_ASN1_METHOD *standard_methods[] = {
    &eckey_asn1_meth,
 #endif
    &hmac_asn1_meth,
+#ifndef OPENSSL_NO_CMAC
    &cmac_asn1_meth,
+#endif
 #ifndef OPENSSL_NO_DH
    &dhx_asn1_meth
 #endif
--- a/crypto/asn1/asn1_gen.c
+++ b/crypto/asn1/asn1_gen.c
@@ -743,7 +743,7 @@ static ASN1_TYPE *asn1_str2type(const char *str, int format, int utype)
        }

        if (format == ASN1_GEN_FORMAT_HEX) {
-            if ((rdata = string_to_hex((char *)str, &rdlen)) == NULL) {
+            if ((rdata = OPENSSL_hexstr2buf((char *)str, &rdlen)) == NULL) {
                ASN1err(ASN1_F_ASN1_STR2TYPE, ASN1_R_ILLEGAL_HEX);
                goto bad_str;
            }
--- a/crypto/asn1/asn1_lib.c
+++ b/crypto/asn1/asn1_lib.c
@@ -61,7 +61,7 @@
 #include <openssl/asn1.h>

 static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
-                           int max);
+                           long max);
 static void asn1_put_length(unsigned char **pp, int length);

 static int _asn1_check_infinite_end(const unsigned char **p, long len)
@@ -128,7 +128,7 @@ int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag,
    }
    *ptag = tag;
    *pclass = xclass;
-    if (!asn1_get_length(&p, &inf, plength, (int)max))
+    if (!asn1_get_length(&p, &inf, plength, max))
        goto err;

    if (inf && !(ret & V_ASN1_CONSTRUCTED))
@@ -150,14 +150,14 @@ int ASN1_get_object(const unsigned char **pp, long *plength, int *ptag,
 }

 static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
-                           int max)
+                           long max)
 {
    const unsigned char *p = *pp;
    unsigned long ret = 0;
-    unsigned int i;
+    unsigned long i;

    if (max-- < 1)
-        return (0);
+        return 0;
    if (*p == 0x80) {
        *inf = 1;
        ret = 0;
@@ -166,7 +166,7 @@ static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
        *inf = 0;
        i = *p & 0x7f;
        if (*(p++) & 0x80) {
-            if (max < (int)i)
+            if (max < (long)i + 1)
                return 0;
            /* Skip leading zeroes */
            while (i && *p == 0) {
@@ -186,7 +186,7 @@ static int asn1_get_length(const unsigned char **pp, int *inf, long *rl,
        return 0;
    *pp = p;
    *rl = (long)ret;
-    return (1);
+    return 1;
 }

 /*
--- a/crypto/asn1/asn1_par.c
+++ b/crypto/asn1/asn1_par.c
@@ -164,6 +164,8 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
        if (!asn1_print_info(bp, tag, xclass, j, (indent) ? depth : 0))
            goto end;
        if (j & V_ASN1_CONSTRUCTED) {
+            const unsigned char *sp = p;
+                
            ep = p + len;
            if (BIO_write(bp, "\n", 1) <= 0)
                goto end;
@@ -181,19 +183,26 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
                        ret = 0;
                        goto end;
                    }
-                    if ((r == 2) || (p >= tot))
+                    if ((r == 2) || (p >= tot)) {
+                        len = p - sp;
                        break;
+                    }
                }
-            } else
+            } else {
+                long tmp = len;
+
                while (p < ep) {
-                    r = asn1_parse2(bp, &p, (long)len,
+                    sp = p;
+                    r = asn1_parse2(bp, &p, tmp,
                                    offset + (p - *pp), depth + 1,
                                    indent, dump);
                    if (r == 0) {
                        ret = 0;
                        goto end;
                    }
+                    tmp -= p - sp;
                }
+            }
        } else if (xclass != 0) {
            p += len;
            if (BIO_write(bp, "\n", 1) <= 0)
@@ -229,7 +238,8 @@ static int asn1_parse2(BIO *bp, const unsigned char **pp, long length,
                        goto end;
                    dump_cont = 1;
                }
-                BIO_printf(bp, ":%u", p[0]);
+                if (len > 0)
+                    BIO_printf(bp, ":%u", p[0]);
            } else if (tag == V_ASN1_BMPSTRING) {
                /* do the BMP thang */
            } else if (tag == V_ASN1_OCTET_STRING) {
--- a/crypto/asn1/asn_mime.c
+++ b/crypto/asn1/asn_mime.c
@@ -60,6 +60,7 @@
 #include <openssl/asn1.h>
 #include <openssl/asn1t.h>
 #include "internal/evp_int.h"
+#include "internal/bio.h"
 #include "asn1_locl.h"

 /*
--- a/crypto/asn1/asn_moid.c
+++ b/crypto/asn1/asn_moid.c
@@ -61,9 +61,9 @@
 #include <openssl/crypto.h>
 #include "internal/cryptlib.h"
 #include <openssl/conf.h>
-#include <openssl/dso.h>
 #include <openssl/x509.h>
 #include "internal/asn1_int.h"
+#include "internal/objects.h"

 /* Simple ASN1 OID module: add all objects in a given section */

@@ -93,7 +93,6 @@ static int oid_module_init(CONF_IMODULE *md, const CONF *cnf)

 static void oid_module_finish(CONF_IMODULE *md)
 {
-    OBJ_cleanup();
 }

 void ASN1_add_oid_module(void)
--- a/crypto/asn1/bio_asn1.c
+++ b/crypto/asn1/bio_asn1.c
@@ -63,7 +63,7 @@
 */

 #include <string.h>
-#include <openssl/bio.h>
+#include <internal/bio.h>
 #include <openssl/asn1.h>

 /* Must be large enough for biggest tag+length */
@@ -124,7 +124,7 @@ static int asn1_bio_setup_ex(BIO *b, BIO_ASN1_BUF_CTX *ctx,
                             asn1_bio_state_t ex_state,
                             asn1_bio_state_t other_state);

-static BIO_METHOD methods_asn1 = {
+static const BIO_METHOD methods_asn1 = {
    BIO_TYPE_ASN1,
    "asn1",
    asn1_bio_write,
@@ -137,7 +137,7 @@ static BIO_METHOD methods_asn1 = {
    asn1_bio_callback_ctrl,
 };

-BIO_METHOD *BIO_f_asn1(void)
+const BIO_METHOD *BIO_f_asn1(void)
 {
    return (&methods_asn1);
 }
@@ -152,9 +152,9 @@ static int asn1_bio_new(BIO *b)
        OPENSSL_free(ctx);
        return 0;
    }
-    b->init = 1;
-    b->ptr = (char *)ctx;
-    b->flags = 0;
+    BIO_set_data(b, ctx);
+    BIO_set_init(b, 1);
+
    return 1;
 }

@@ -178,15 +178,20 @@ static int asn1_bio_init(BIO_ASN1_BUF_CTX *ctx, int size)

 static int asn1_bio_free(BIO *b)
 {
-    BIO_ASN1_BUF_CTX *ctx = (BIO_ASN1_BUF_CTX *)b->ptr;
+    BIO_ASN1_BUF_CTX *ctx;

+    if (b == NULL)
+        return 0;
+
+    ctx = BIO_get_data(b);
    if (ctx == NULL)
        return 0;
+
    OPENSSL_free(ctx->buf);
    OPENSSL_free(ctx);
-    b->init = 0;
-    b->ptr = NULL;
-    b->flags = 0;
+    BIO_set_data(b, NULL);
+    BIO_set_init(b, 0);
+
    return 1;
 }

@@ -195,10 +200,11 @@ static int asn1_bio_write(BIO *b, const char *in, int inl)
    BIO_ASN1_BUF_CTX *ctx;
    int wrmax, wrlen, ret;
    unsigned char *p;
-    if (!in || (inl < 0) || (b->next_bio == NULL))
-        return 0;
-    ctx = (BIO_ASN1_BUF_CTX *)b->ptr;
-    if (ctx == NULL)
+    BIO *next;
+
+    ctx = BIO_get_data(b);
+    next = BIO_next(b);
+    if (in == NULL || inl < 0 || ctx == NULL || next == NULL)
        return 0;

    wrlen = 0;
@@ -236,7 +242,7 @@ static int asn1_bio_write(BIO *b, const char *in, int inl)
            break;

        case ASN1_STATE_HEADER_COPY:
-            ret = BIO_write(b->next_bio, ctx->buf + ctx->bufpos, ctx->buflen);
+            ret = BIO_write(next, ctx->buf + ctx->bufpos, ctx->buflen);
            if (ret <= 0)
                goto done;

@@ -256,7 +262,7 @@ static int asn1_bio_write(BIO *b, const char *in, int inl)
                wrmax = ctx->copylen;
            else
                wrmax = inl;
-            ret = BIO_write(b->next_bio, in, wrmax);
+            ret = BIO_write(next, in, wrmax);
            if (ret <= 0)
                break;
            wrlen += ret;
@@ -292,10 +298,11 @@ static int asn1_bio_flush_ex(BIO *b, BIO_ASN1_BUF_CTX *ctx,
                             asn1_ps_func *cleanup, asn1_bio_state_t next)
 {
    int ret;
+
    if (ctx->ex_len <= 0)
        return 1;
    for (;;) {
-        ret = BIO_write(b->next_bio, ctx->ex_buf + ctx->ex_pos, ctx->ex_len);
+        ret = BIO_write(BIO_next(b), ctx->ex_buf + ctx->ex_pos, ctx->ex_len);
        if (ret <= 0)
            break;
        ctx->ex_len -= ret;
@@ -330,9 +337,10 @@ static int asn1_bio_setup_ex(BIO *b, BIO_ASN1_BUF_CTX *ctx,

 static int asn1_bio_read(BIO *b, char *in, int inl)
 {
-    if (!b->next_bio)
+    BIO *next = BIO_next(b);
+    if (next == NULL)
        return 0;
-    return BIO_read(b->next_bio, in, inl);
+    return BIO_read(next, in, inl);
 }

 static int asn1_bio_puts(BIO *b, const char *str)
@@ -342,16 +350,18 @@ static int asn1_bio_puts(BIO *b, const char *str)

 static int asn1_bio_gets(BIO *b, char *str, int size)
 {
-    if (!b->next_bio)
+    BIO *next = BIO_next(b);
+    if (next == NULL)
        return 0;
-    return BIO_gets(b->next_bio, str, size);
+    return BIO_gets(next, str, size);
 }

 static long asn1_bio_callback_ctrl(BIO *b, int cmd, bio_info_cb *fp)
 {
-    if (b->next_bio == NULL)
-        return (0);
-    return BIO_callback_ctrl(b->next_bio, cmd, fp);
+    BIO *next = BIO_next(b);
+    if (next == NULL)
+        return 0;
+    return BIO_callback_ctrl(next, cmd, fp);
 }

 static long asn1_bio_ctrl(BIO *b, int cmd, long arg1, void *arg2)
@@ -359,9 +369,12 @@ static long asn1_bio_ctrl(BIO *b, int cmd, long arg1, void *arg2)
    BIO_ASN1_BUF_CTX *ctx;
    BIO_ASN1_EX_FUNCS *ex_func;
    long ret = 1;
-    ctx = (BIO_ASN1_BUF_CTX *)b->ptr;
+    BIO *next;
+
+    ctx = BIO_get_data(b);
    if (ctx == NULL)
        return 0;
+    next = BIO_next(b);
    switch (cmd) {

    case BIO_C_SET_PREFIX:
@@ -397,7 +410,7 @@ static long asn1_bio_ctrl(BIO *b, int cmd, long arg1, void *arg2)
        break;

    case BIO_CTRL_FLUSH:
-        if (!b->next_bio)
+        if (next == NULL)
            return 0;

        /* Call post function if possible */
@@ -415,16 +428,16 @@ static long asn1_bio_ctrl(BIO *b, int cmd, long arg1, void *arg2)
        }

        if (ctx->state == ASN1_STATE_DONE)
-            return BIO_ctrl(b->next_bio, cmd, arg1, arg2);
+            return BIO_ctrl(next, cmd, arg1, arg2);
        else {
            BIO_clear_retry_flags(b);
            return 0;
        }

    default:
-        if (!b->next_bio)
+        if (next == NULL)
            return 0;
-        return BIO_ctrl(b->next_bio, cmd, arg1, arg2);
+        return BIO_ctrl(next, cmd, arg1, arg2);

    }

--- a/crypto/asn1/build.info
+++ b/crypto/asn1/build.info
@@ -3,7 +3,7 @@ SOURCE[../../libcrypto]=\
        a_object.c a_bitstr.c a_utctm.c a_gentm.c a_time.c a_int.c a_octet.c \
        a_print.c a_type.c a_dup.c a_d2i_fp.c a_i2d_fp.c \
        a_utf8.c a_sign.c a_digest.c a_verify.c a_mbstr.c a_strex.c \
-        x_algor.c x_val.c x_pubkey.c x_sig.c x_bignum.c \
+        x_algor.c x_val.c x_sig.c x_bignum.c \
        x_long.c x_info.c x_spki.c nsseq.c \
        d2i_pu.c d2i_pr.c i2d_pu.c i2d_pr.c\
        t_pkey.c t_spki.c t_bitst.c \
--- a/crypto/asn1/d2i_pr.c
+++ b/crypto/asn1/d2i_pr.c
@@ -60,9 +60,7 @@
 #include <openssl/bn.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
-#ifndef OPENSSL_NO_ENGINE
-# include <openssl/engine.h>
-#endif
+#include <openssl/engine.h>
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
 #include "internal/asn1_int.h"
--- a/crypto/asn1/d2i_pu.c
+++ b/crypto/asn1/d2i_pu.c
@@ -61,15 +61,9 @@
 #include <openssl/evp.h>
 #include <openssl/objects.h>
 #include <openssl/asn1.h>
-#ifndef OPENSSL_NO_RSA
-# include <openssl/rsa.h>
-#endif
-#ifndef OPENSSL_NO_DSA
-# include <openssl/dsa.h>
-#endif
-#ifndef OPENSSL_NO_EC
-# include <openssl/ec.h>
-#endif
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#include <openssl/ec.h>

 #include "internal/evp_int.h"

--- a/crypto/asn1/i2d_pu.c
+++ b/crypto/asn1/i2d_pu.c
@@ -60,15 +60,9 @@
 #include <openssl/bn.h>
 #include <openssl/evp.h>
 #include <openssl/objects.h>
-#ifndef OPENSSL_NO_RSA
-# include <openssl/rsa.h>
-#endif
-#ifndef OPENSSL_NO_DSA
-# include <openssl/dsa.h>
-#endif
-#ifndef OPENSSL_NO_EC
-# include <openssl/ec.h>
-#endif
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
+#include <openssl/ec.h>

 int i2d_PublicKey(EVP_PKEY *a, unsigned char **pp)
 {
--- a/crypto/asn1/t_spki.c
+++ b/crypto/asn1/t_spki.c
@@ -60,12 +60,8 @@
 #include "internal/cryptlib.h"
 #include <openssl/x509.h>
 #include <openssl/asn1.h>
-#ifndef OPENSSL_NO_RSA
-# include <openssl/rsa.h>
-#endif
-#ifndef OPENSSL_NO_DSA
-# include <openssl/dsa.h>
-#endif
+#include <openssl/rsa.h>
+#include <openssl/dsa.h>
 #include <openssl/bn.h>

 /* Print out an SPKI */
@@ -74,10 +70,12 @@ int NETSCAPE_SPKI_print(BIO *out, NETSCAPE_SPKI *spki)
 {
    EVP_PKEY *pkey;
    ASN1_IA5STRING *chal;
+    ASN1_OBJECT *spkioid;
    int i, n;
    char *s;
    BIO_printf(out, "Netscape SPKI:\n");
-    i = OBJ_obj2nid(spki->spkac->pubkey->algor->algorithm);
+    X509_PUBKEY_get0_param(&spkioid, NULL, NULL, NULL, spki->spkac->pubkey);
+    i = OBJ_obj2nid(spkioid);
    BIO_printf(out, "  Public Key Algorithm: %s\n",
               (i == NID_undef) ? "UNKNOWN" : OBJ_nid2ln(i));
    pkey = X509_PUBKEY_get(spki->spkac->pubkey);
--- a/crypto/asn1/tasn_dec.c
+++ b/crypto/asn1/tasn_dec.c
@@ -273,6 +273,12 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
            /* If field not present, try the next one */
            if (ret == -1)
                continue;
+            /*
+             * Set the choice selector here to ensure that the value is
+             * correctly freed upon error. It may be partially initialized
+             * even if parsing failed.
+             */
+            asn1_set_choice_selector(pval, i, it);
            /* If positive return, read OK, break loop */
            if (ret > 0)
                break;
@@ -294,7 +300,6 @@ static int asn1_item_embed_d2i(ASN1_VALUE **pval, const unsigned char **in,
            goto err;
        }

-        asn1_set_choice_selector(pval, i, it);
        if (asn1_cb && !asn1_cb(ASN1_OP_D2I_POST, pval, it, NULL))
            goto auxerr;
        *in = p;
@@ -617,6 +622,8 @@ static int asn1_template_noexp_d2i(ASN1_VALUE **val,
                                     ASN1_ITEM_ptr(tt->item), -1, 0, 0, ctx)) {
                ASN1err(ASN1_F_ASN1_TEMPLATE_NOEXP_D2I,
                        ERR_R_NESTED_ASN1_ERROR);
+                /* |skfield| may be partially allocated despite failure. */
+                ASN1_item_free(skfield, ASN1_ITEM_ptr(tt->item));
                goto err;
            }
            len -= p - q;
--- a/crypto/asn1/x_info.c
+++ b/crypto/asn1/x_info.c
@@ -71,34 +71,17 @@ X509_INFO *X509_INFO_new(void)
        return NULL;
    }

-    ret->references = 1;
-
-    ret->lock = CRYPTO_THREAD_lock_new();
-    if (ret->lock == NULL) {
-        X509_INFO_free(ret);
-        return NULL;
-    }
-
    return ret;
 }

 void X509_INFO_free(X509_INFO *x)
 {
-    int i;
-
    if (x == NULL)
        return;

-    CRYPTO_atomic_add(&x->references, -1, &i, x->lock);
-    REF_PRINT_COUNT("X509_INFO", x);
-    if (i > 0)
-        return;
-    REF_ASSERT_ISNT(i < 0);
-
    X509_free(x->x509);
    X509_CRL_free(x->crl);
    X509_PKEY_free(x->x_pkey);
    OPENSSL_free(x->enc_data);
-    CRYPTO_THREAD_lock_free(x->lock);
    OPENSSL_free(x);
 }
--- a/crypto/asn1/x_pkey.c
+++ b/crypto/asn1/x_pkey.c
@@ -69,12 +69,6 @@ X509_PKEY *X509_PKEY_new(void)
    if (ret == NULL)
        goto err;

-    ret->references = 1;
-    ret->lock = CRYPTO_THREAD_lock_new();
-    if (ret->lock == NULL) {
-        OPENSSL_free(ret);
-        return NULL;
-    }
    ret->enc_algor = X509_ALGOR_new();
    ret->enc_pkey = ASN1_OCTET_STRING_new();
    if (ret->enc_algor == NULL || ret->enc_pkey == NULL)
@@ -89,22 +83,13 @@ err:

 void X509_PKEY_free(X509_PKEY *x)
 {
-    int i;
-
    if (x == NULL)
        return;

-    CRYPTO_atomic_add(&x->references, -1, &i, x->lock);
-    REF_PRINT_COUNT("X509_PKEY", x);
-    if (i > 0)
-        return;
-    REF_ASSERT_ISNT(i < 0);
-
    X509_ALGOR_free(x->enc_algor);
    ASN1_OCTET_STRING_free(x->enc_pkey);
    EVP_PKEY_free(x->dec_pkey);
    if (x->key_free)
        OPENSSL_free(x->key_data);
-    CRYPTO_THREAD_lock_free(x->lock);
    OPENSSL_free(x);
 }
--- a/crypto/async/Makefile.in
+++ b/crypto/async/Makefile.in
@@ -36,9 +36,6 @@ lib:	$(LIBOBJ)
 	$(RANLIB) $(LIB) || echo Never mind.
 	@touch lib

-files:
-	$(PERL) $(TOP)/util/files.pl Makefile >> $(TOP)/MINFO
-
 links:
 	@$(PERL) $(TOP)/util/mklink.pl ../../include/openssl $(EXHEADER)
 	@$(PERL) $(TOP)/util/mklink.pl ../../test $(TEST)
--- a/crypto/async/arch/async_null.c
+++ b/crypto/async/arch/async_null.c
@@ -54,6 +54,8 @@
 #include "../async_locl.h"

 #ifdef ASYNC_NULL
+# include <openssl/ct.h>
+# include <openssl/x509v3.h>

 int ASYNC_is_capable(void)
 {
--- a/Show More
+++ b/Show More