Vendor import of OpenSSL release 0.9.7. This release includes

support for AES and OpenBSD's hardware crypto.

965 files changed, 103840 insertions, 20829 deletions

diff --git a/crypto/openssl/CHANGES b/crypto/openssl/CHANGES
index 75ebac55bf53..418378f876a7 100644
--- a/crypto/openssl/CHANGES
+++ b/crypto/openssl/CHANGES
@@ -2,6 +2,1889 @@
  OpenSSL CHANGES
  _______________
 
+ Changes between 0.9.6h and 0.9.7  [31 Dec 2002]
+
+  *) Fix session ID handling in SSLv2 client code: the SERVER FINISHED
+     code (06) was taken as the first octet of the session ID and the last
+     octet was ignored consequently. As a result SSLv2 client side session
+     caching could not have worked due to the session ID mismatch between
+     client and server.
+     Behaviour observed by Crispin Flowerday <crispin@flowerday.cx> as
+     PR #377.
+     [Lutz Jaenicke]
+
+  *) Change the declaration of needed Kerberos libraries to use EX_LIBS
+     instead of the special (and badly supported) LIBKRB5.  LIBKRB5 is
+     removed entirely.
+     [Richard Levitte]
+
+  *) The hw_ncipher.c engine requires dynamic locks.  Unfortunately, it
+     seems that in spite of existing for more than a year, many application
+     author have done nothing to provide the necessary callbacks, which
+     means that this particular engine will not work properly anywhere.
+     This is a very unfortunate situation which forces us, in the name
+     of usability, to give the hw_ncipher.c a static lock, which is part
+     of libcrypto.
+     NOTE: This is for the 0.9.7 series ONLY.  This hack will never
+     appear in 0.9.8 or later.  We EXPECT application authors to have
+     dealt properly with this when 0.9.8 is released (unless we actually
+     make such changes in the libcrypto locking code that changes will
+     have to be made anyway).
+     [Richard Levitte]
+
+  *) In asn1_d2i_read_bio() repeatedly call BIO_read() until all content
+     octets have been read, EOF or an error occurs. Without this change
+     some truncated ASN1 structures will not produce an error.
+     [Steve Henson]
+
+  *) Disable Heimdal support, since it hasn't been fully implemented.
+     Still give the possibility to force the use of Heimdal, but with
+     warnings and a request that patches get sent to openssl-dev.
+     [Richard Levitte]
+
+  *) Add the VC-CE target, introduce the WINCE sysname, and add
+     INSTALL.WCE and appropriate conditionals to make it build.
+     [Steven Reddie <smr@essemer.com.au> via Richard Levitte]
+
+  *) Change the DLL names for Cygwin to cygcrypto-x.y.z.dll and
+     cygssl-x.y.z.dll, where x, y and z are the major, minor and
+     edit numbers of the version.
+     [Corinna Vinschen <vinschen@redhat.com> and Richard Levitte]
+
+  *) Introduce safe string copy and catenation functions
+     (BUF_strlcpy() and BUF_strlcat()).
+     [Ben Laurie (CHATS) and Richard Levitte]
+
+  *) Avoid using fixed-size buffers for one-line DNs.
+     [Ben Laurie (CHATS)]
+
+  *) Add BUF_MEM_grow_clean() to avoid information leakage when
+     resizing buffers containing secrets, and use where appropriate.
+     [Ben Laurie (CHATS)]
+
+  *) Avoid using fixed size buffers for configuration file location.
+     [Ben Laurie (CHATS)]
+
+  *) Avoid filename truncation for various CA files.
+     [Ben Laurie (CHATS)]
+
+  *) Use sizeof in preference to magic numbers.
+     [Ben Laurie (CHATS)]
+
+  *) Avoid filename truncation in cert requests.
+     [Ben Laurie (CHATS)]
+
+  *) Add assertions to check for (supposedly impossible) buffer
+     overflows.
+     [Ben Laurie (CHATS)]
+
+  *) Don't cache truncated DNS entries in the local cache (this could
+     potentially lead to a spoofing attack).
+     [Ben Laurie (CHATS)]
+
+  *) Fix various buffers to be large enough for hex/decimal
+     representations in a platform independent manner.
+     [Ben Laurie (CHATS)]
+
+  *) Add CRYPTO_realloc_clean() to avoid information leakage when
+     resizing buffers containing secrets, and use where appropriate.
+     [Ben Laurie (CHATS)]
+
+  *) Add BIO_indent() to avoid much slightly worrying code to do
+     indents.
+     [Ben Laurie (CHATS)]
+
+  *) Convert sprintf()/BIO_puts() to BIO_printf().
+     [Ben Laurie (CHATS)]
+
+  *) buffer_gets() could terminate with the buffer only half
+     full. Fixed.
+     [Ben Laurie (CHATS)]
+
+  *) Add assertions to prevent user-supplied crypto functions from
+     overflowing internal buffers by having large block sizes, etc.
+     [Ben Laurie (CHATS)]
+
+  *) New OPENSSL_assert() macro (similar to assert(), but enabled
+     unconditionally).
+     [Ben Laurie (CHATS)]
+
+  *) Eliminate unused copy of key in RC4.
+     [Ben Laurie (CHATS)]
+
+  *) Eliminate unused and incorrectly sized buffers for IV in pem.h.
+     [Ben Laurie (CHATS)]
+
+  *) Fix off-by-one error in EGD path.
+     [Ben Laurie (CHATS)]
+
+  *) If RANDFILE path is too long, ignore instead of truncating.
+     [Ben Laurie (CHATS)]
+
+  *) Eliminate unused and incorrectly sized X.509 structure
+     CBCParameter.
+     [Ben Laurie (CHATS)]
+
+  *) Eliminate unused and dangerous function knumber().
+     [Ben Laurie (CHATS)]
+
+  *) Eliminate unused and dangerous structure, KSSL_ERR.
+     [Ben Laurie (CHATS)]
+
+  *) Protect against overlong session ID context length in an encoded
+     session object. Since these are local, this does not appear to be
+     exploitable.
+     [Ben Laurie (CHATS)]
+
+  *) Change from security patch (see 0.9.6e below) that did not affect
+     the 0.9.6 release series:
+
+     Remote buffer overflow in SSL3 protocol - an attacker could
+     supply an oversized master key in Kerberos-enabled versions.
+     (CAN-2002-0657)
+     [Ben Laurie (CHATS)]
+
+  *) Change the SSL kerb5 codes to match RFC 2712.
+     [Richard Levitte]
+
+  *) Make -nameopt work fully for req and add -reqopt switch.
+     [Michael Bell <michael.bell@rz.hu-berlin.de>, Steve Henson]
+
+  *) The "block size" for block ciphers in CFB and OFB mode should be 1.
+     [Steve Henson, reported by Yngve Nysaeter Pettersen <yngve@opera.com>]
+
+  *) Make sure tests can be performed even if the corresponding algorithms
+     have been removed entirely.  This was also the last step to make
+     OpenSSL compilable with DJGPP under all reasonable conditions.
+     [Richard Levitte, Doug Kaufman <dkaufman@rahul.net>]
+
+  *) Add cipher selection rules COMPLEMENTOFALL and COMPLEMENTOFDEFAULT
+     to allow version independent disabling of normally unselected ciphers,
+     which may be activated as a side-effect of selecting a single cipher.
+
+     (E.g., cipher list string "RSA" enables ciphersuites that are left
+     out of "ALL" because they do not provide symmetric encryption.
+     "RSA:!COMPLEMEMENTOFALL" avoids these unsafe ciphersuites.)
+     [Lutz Jaenicke, Bodo Moeller]
+
+  *) Add appropriate support for separate platform-dependent build
+     directories.  The recommended way to make a platform-dependent
+     build directory is the following (tested on Linux), maybe with
+     some local tweaks:
+
+	# Place yourself outside of the OpenSSL source tree.  In
+	# this example, the environment variable OPENSSL_SOURCE
+	# is assumed to contain the absolute OpenSSL source directory.
+	mkdir -p objtree/"`uname -s`-`uname -r`-`uname -m`"
+	cd objtree/"`uname -s`-`uname -r`-`uname -m`"
+	(cd $OPENSSL_SOURCE; find . -type f -o -type l) | while read F; do
+		mkdir -p `dirname $F`
+		ln -s $OPENSSL_SOURCE/$F $F
+	done
+
+     To be absolutely sure not to disturb the source tree, a "make clean"
+     is a good thing.  If it isn't successfull, don't worry about it,
+     it probably means the source directory is very clean.
+     [Richard Levitte]
+
+  *) Make sure any ENGINE control commands make local copies of string
+     pointers passed to them whenever necessary. Otherwise it is possible
+     the caller may have overwritten (or deallocated) the original string
+     data when a later ENGINE operation tries to use the stored values.
+     [Götz Babin-Ebell <babinebell@trustcenter.de>]
+
+  *) Improve diagnostics in file reading and command-line digests.
+     [Ben Laurie aided and abetted by Solar Designer <solar@openwall.com>]
+
+  *) Add AES modes CFB and OFB to the object database.  Correct an
+     error in AES-CFB decryption.
+     [Richard Levitte]
+
+  *) Remove most calls to EVP_CIPHER_CTX_cleanup() in evp_enc.c, this 
+     allows existing EVP_CIPHER_CTX structures to be reused after
+     calling EVP_*Final(). This behaviour is used by encryption
+     BIOs and some applications. This has the side effect that
+     applications must explicitly clean up cipher contexts with
+     EVP_CIPHER_CTX_cleanup() or they will leak memory.
+     [Steve Henson]
+
+  *) Check the values of dna and dnb in bn_mul_recursive before calling
+     bn_mul_comba (a non zero value means the a or b arrays do not contain
+     n2 elements) and fallback to bn_mul_normal if either is not zero.
+     [Steve Henson]
+
+  *) Fix escaping of non-ASCII characters when using the -subj option
+     of the "openssl req" command line tool. (Robert Joop <joop@fokus.gmd.de>)
+     [Lutz Jaenicke]
+
+  *) Make object definitions compliant to LDAP (RFC2256): SN is the short
+     form for "surname", serialNumber has no short form.
+     Use "mail" as the short name for "rfc822Mailbox" according to RFC2798;
+     therefore remove "mail" short name for "internet 7".
+     The OID for unique identifiers in X509 certificates is
+     x500UniqueIdentifier, not uniqueIdentifier.
+     Some more OID additions. (Michael Bell <michael.bell@rz.hu-berlin.de>)
+     [Lutz Jaenicke]
+
+  *) Add an "init" command to the ENGINE config module and auto initialize
+     ENGINEs. Without any "init" command the ENGINE will be initialized 
+     after all ctrl commands have been executed on it. If init=1 the 
+     ENGINE is initailized at that point (ctrls before that point are run
+     on the uninitialized ENGINE and after on the initialized one). If
+     init=0 then the ENGINE will not be iniatialized at all.
+     [Steve Henson]
+
+  *) Fix the 'app_verify_callback' interface so that the user-defined
+     argument is actually passed to the callback: In the
+     SSL_CTX_set_cert_verify_callback() prototype, the callback
+     declaration has been changed from
+          int (*cb)()
+     into
+          int (*cb)(X509_STORE_CTX *,void *);
+     in ssl_verify_cert_chain (ssl/ssl_cert.c), the call
+          i=s->ctx->app_verify_callback(&ctx)
+     has been changed into
+          i=s->ctx->app_verify_callback(&ctx, s->ctx->app_verify_arg).
+
+     To update applications using SSL_CTX_set_cert_verify_callback(),
+     a dummy argument can be added to their callback functions.
+     [D. K. Smetters <smetters@parc.xerox.com>]
+
+  *) Added the '4758cca' ENGINE to support IBM 4758 cards.
+     [Maurice Gittens <maurice@gittens.nl>, touchups by Geoff Thorpe]
+
+  *) Add and OPENSSL_LOAD_CONF define which will cause
+     OpenSSL_add_all_algorithms() to load the openssl.cnf config file.
+     This allows older applications to transparently support certain
+     OpenSSL features: such as crypto acceleration and dynamic ENGINE loading.
+     Two new functions OPENSSL_add_all_algorithms_noconf() which will never
+     load the config file and OPENSSL_add_all_algorithms_conf() which will
+     always load it have also been added.
+     [Steve Henson]
+
+  *) Add the OFB, CFB and CTR (all with 128 bit feedback) to AES.
+     Adjust NIDs and EVP layer.
+     [Stephen Sprunk <stephen@sprunk.org> and Richard Levitte]
+
+  *) Config modules support in openssl utility.
+
+     Most commands now load modules from the config file,
+     though in a few (such as version) this isn't done 
+     because it couldn't be used for anything.
+
+     In the case of ca and req the config file used is
+     the same as the utility itself: that is the -config
+     command line option can be used to specify an
+     alternative file.
+     [Steve Henson]
+
+  *) Move default behaviour from OPENSSL_config(). If appname is NULL
+     use "openssl_conf" if filename is NULL use default openssl config file.
+     [Steve Henson]
+
+  *) Add an argument to OPENSSL_config() to allow the use of an alternative
+     config section name. Add a new flag to tolerate a missing config file
+     and move code to CONF_modules_load_file().
+     [Steve Henson]
+
+  *) Support for crypto accelerator cards from Accelerated Encryption
+     Processing, www.aep.ie.  (Use engine 'aep')
+     The support was copied from 0.9.6c [engine] and adapted/corrected
+     to work with the new engine framework.
+     [AEP Inc. and Richard Levitte]
+
+  *) Support for SureWare crypto accelerator cards from Baltimore
+     Technologies.  (Use engine 'sureware')
+     The support was copied from 0.9.6c [engine] and adapted
+     to work with the new engine framework.
+     [Richard Levitte]
+
+  *) Have the CHIL engine fork-safe (as defined by nCipher) and actually
+     make the newer ENGINE framework commands for the CHIL engine work.
+     [Toomas Kiisk <vix@cyber.ee> and Richard Levitte]
+
+  *) Make it possible to produce shared libraries on ReliantUNIX.
+     [Robert Dahlem <Robert.Dahlem@ffm2.siemens.de> via Richard Levitte]
+
+  *) Add the configuration target debug-linux-ppro.
+     Make 'openssl rsa' use the general key loading routines
+     implemented in apps.c, and make those routines able to
+     handle the key format FORMAT_NETSCAPE and the variant
+     FORMAT_IISSGC.
+     [Toomas Kiisk <vix@cyber.ee> via Richard Levitte]
+
+ *) Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
+     [Toomas Kiisk <vix@cyber.ee> via Richard Levitte]
+
+  *) Add -keyform to rsautl, and document -engine.
+     [Richard Levitte, inspired by Toomas Kiisk <vix@cyber.ee>]
+
+  *) Change BIO_new_file (crypto/bio/bss_file.c) to use new
+     BIO_R_NO_SUCH_FILE error code rather than the generic
+     ERR_R_SYS_LIB error code if fopen() fails with ENOENT.
+     [Ben Laurie]
+
+  *) Add new functions
+          ERR_peek_last_error
+          ERR_peek_last_error_line
+          ERR_peek_last_error_line_data.
+     These are similar to
+          ERR_peek_error
+          ERR_peek_error_line
+          ERR_peek_error_line_data,
+     but report on the latest error recorded rather than the first one
+     still in the error queue.
+     [Ben Laurie, Bodo Moeller]
+        
+  *) default_algorithms option in ENGINE config module. This allows things
+     like:
+     default_algorithms = ALL
+     default_algorithms = RSA, DSA, RAND, CIPHERS, DIGESTS
+     [Steve Henson]
+
+  *) Prelminary ENGINE config module.
+     [Steve Henson]
+
+  *) New experimental application configuration code.
+     [Steve Henson]
+
+  *) Change the AES code to follow the same name structure as all other
+     symmetric ciphers, and behave the same way.  Move everything to
+     the directory crypto/aes, thereby obsoleting crypto/rijndael.
+     [Stephen Sprunk <stephen@sprunk.org> and Richard Levitte]
+
+  *) SECURITY: remove unsafe setjmp/signal interaction from ui_openssl.c.
+     [Ben Laurie and Theo de Raadt]
+
+  *) Add option to output public keys in req command.
+     [Massimiliano Pala madwolf@openca.org]
+
+  *) Use wNAFs in EC_POINTs_mul() for improved efficiency
+     (up to about 10% better than before for P-192 and P-224).
+     [Bodo Moeller]
+
+  *) New functions/macros
+
+          SSL_CTX_set_msg_callback(ctx, cb)
+          SSL_CTX_set_msg_callback_arg(ctx, arg)
+          SSL_set_msg_callback(ssl, cb)
+          SSL_set_msg_callback_arg(ssl, arg)
+
+     to request calling a callback function
+
+          void cb(int write_p, int version, int content_type,
+                  const void *buf, size_t len, SSL *ssl, void *arg)
+
+     whenever a protocol message has been completely received
+     (write_p == 0) or sent (write_p == 1).  Here 'version' is the
+     protocol version  according to which the SSL library interprets
+     the current protocol message (SSL2_VERSION, SSL3_VERSION, or
+     TLS1_VERSION).  'content_type' is 0 in the case of SSL 2.0, or
+     the content type as defined in the SSL 3.0/TLS 1.0 protocol
+     specification (change_cipher_spec(20), alert(21), handshake(22)).
+     'buf' and 'len' point to the actual message, 'ssl' to the
+     SSL object, and 'arg' is the application-defined value set by
+     SSL[_CTX]_set_msg_callback_arg().
+
+     'openssl s_client' and 'openssl s_server' have new '-msg' options
+     to enable a callback that displays all protocol messages.
+     [Bodo Moeller]
+
+  *) Change the shared library support so shared libraries are built as
+     soon as the corresponding static library is finished, and thereby get
+     openssl and the test programs linked against the shared library.
+     This still only happens when the keyword "shard" has been given to
+     the configuration scripts.
+
+     NOTE: shared library support is still an experimental thing, and
+     backward binary compatibility is still not guaranteed.
+     ["Maciej W. Rozycki" <macro@ds2.pg.gda.pl> and Richard Levitte]
+
+  *) Add support for Subject Information Access extension.
+     [Peter Sylvester <Peter.Sylvester@EdelWeb.fr>]
+
+  *) Make BUF_MEM_grow() behaviour more consistent: Initialise to zero
+     additional bytes when new memory had to be allocated, not just
+     when reusing an existing buffer.
+     [Bodo Moeller]
+
+  *) New command line and configuration option 'utf8' for the req command.
+     This allows field values to be specified as UTF8 strings.
+     [Steve Henson]
+
+  *) Add -multi and -mr options to "openssl speed" - giving multiple parallel
+     runs for the former and machine-readable output for the latter.
+     [Ben Laurie]
+
+  *) Add '-noemailDN' option to 'openssl ca'.  This prevents inclusion
+     of the e-mail address in the DN (i.e., it will go into a certificate
+     extension only).  The new configuration file option 'email_in_dn = no'
+     has the same effect.
+     [Massimiliano Pala madwolf@openca.org]
+
+  *) Change all functions with names starting with des_ to be starting
+     with DES_ instead.  Add wrappers that are compatible with libdes,
+     but are named _ossl_old_des_*.  Finally, add macros that map the
+     des_* symbols to the corresponding _ossl_old_des_* if libdes
+     compatibility is desired.  If OpenSSL 0.9.6c compatibility is
+     desired, the des_* symbols will be mapped to DES_*, with one
+     exception.
+
+     Since we provide two compatibility mappings, the user needs to
+     define the macro OPENSSL_DES_LIBDES_COMPATIBILITY if libdes
+     compatibility is desired.  The default (i.e., when that macro
+     isn't defined) is OpenSSL 0.9.6c compatibility.
+
+     There are also macros that enable and disable the support of old
+     des functions altogether.  Those are OPENSSL_ENABLE_OLD_DES_SUPPORT
+     and OPENSSL_DISABLE_OLD_DES_SUPPORT.  If none or both of those
+     are defined, the default will apply: to support the old des routines.
+
+     In either case, one must include openssl/des.h to get the correct
+     definitions.  Do not try to just include openssl/des_old.h, that
+     won't work.
+
+     NOTE: This is a major break of an old API into a new one.  Software
+     authors are encouraged to switch to the DES_ style functions.  Some
+     time in the future, des_old.h and the libdes compatibility functions
+     will be disable (i.e. OPENSSL_DISABLE_OLD_DES_SUPPORT will be the
+     default), and then completely removed.
+     [Richard Levitte]
+
+  *) Test for certificates which contain unsupported critical extensions.
+     If such a certificate is found during a verify operation it is 
+     rejected by default: this behaviour can be overridden by either
+     handling the new error X509_V_ERR_UNHANDLED_CRITICAL_EXTENSION or
+     by setting the verify flag X509_V_FLAG_IGNORE_CRITICAL. A new function
+     X509_supported_extension() has also been added which returns 1 if a
+     particular extension is supported.
+     [Steve Henson]
+
+  *) Modify the behaviour of EVP cipher functions in similar way to digests
+     to retain compatibility with existing code.
+     [Steve Henson]
+
+  *) Modify the behaviour of EVP_DigestInit() and EVP_DigestFinal() to retain
+     compatibility with existing code. In particular the 'ctx' parameter does
+     not have to be to be initialized before the call to EVP_DigestInit() and
+     it is tidied up after a call to EVP_DigestFinal(). New function
+     EVP_DigestFinal_ex() which does not tidy up the ctx. Similarly function
+     EVP_MD_CTX_copy() changed to not require the destination to be
+     initialized valid and new function EVP_MD_CTX_copy_ex() added which
+     requires the destination to be valid.
+
+     Modify all the OpenSSL digest calls to use EVP_DigestInit_ex(),
+     EVP_DigestFinal_ex() and EVP_MD_CTX_copy_ex().
+     [Steve Henson]
+
+  *) Change ssl3_get_message (ssl/s3_both.c) and the functions using it
+     so that complete 'Handshake' protocol structures are kept in memory
+     instead of overwriting 'msg_type' and 'length' with 'body' data.
+     [Bodo Moeller]
+
+  *) Add an implementation of SSL_add_dir_cert_subjects_to_stack for Win32.
+     [Massimo Santin via Richard Levitte]
+
+  *) Major restructuring to the underlying ENGINE code. This includes
+     reduction of linker bloat, separation of pure "ENGINE" manipulation
+     (initialisation, etc) from functionality dealing with implementations
+     of specific crypto iterfaces. This change also introduces integrated
+     support for symmetric ciphers and digest implementations - so ENGINEs
+     can now accelerate these by providing EVP_CIPHER and EVP_MD
+     implementations of their own. This is detailed in crypto/engine/README
+     as it couldn't be adequately described here. However, there are a few
+     API changes worth noting - some RSA, DSA, DH, and RAND functions that
+     were changed in the original introduction of ENGINE code have now
+     reverted back - the hooking from this code to ENGINE is now a good
+     deal more passive and at run-time, operations deal directly with
+     RSA_METHODs, DSA_METHODs (etc) as they did before, rather than
+     dereferencing through an ENGINE pointer any more. Also, the ENGINE
+     functions dealing with BN_MOD_EXP[_CRT] handlers have been removed -
+     they were not being used by the framework as there is no concept of a
+     BIGNUM_METHOD and they could not be generalised to the new
+     'ENGINE_TABLE' mechanism that underlies the new code. Similarly,
+     ENGINE_cpy() has been removed as it cannot be consistently defined in
+     the new code.
+     [Geoff Thorpe]
+
+  *) Change ASN1_GENERALIZEDTIME_check() to allow fractional seconds.
+     [Steve Henson]
+
+  *) Change mkdef.pl to sort symbols that get the same entry number,
+     and make sure the automatically generated functions ERR_load_*
+     become part of libeay.num as well.
+     [Richard Levitte]
+
+  *) New function SSL_renegotiate_pending().  This returns true once
+     renegotiation has been requested (either SSL_renegotiate() call
+     or HelloRequest/ClientHello receveived from the peer) and becomes
+     false once a handshake has been completed.
+     (For servers, SSL_renegotiate() followed by SSL_do_handshake()
+     sends a HelloRequest, but does not ensure that a handshake takes
+     place.  SSL_renegotiate_pending() is useful for checking if the
+     client has followed the request.)
+     [Bodo Moeller]
+
+  *) New SSL option SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION.
+     By default, clients may request session resumption even during
+     renegotiation (if session ID contexts permit); with this option,
+     session resumption is possible only in the first handshake.
+
+     SSL_OP_ALL is now 0x00000FFFL instead of 0x000FFFFFL.  This makes
+     more bits available for options that should not be part of
+     SSL_OP_ALL (such as SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION).
+     [Bodo Moeller]
+
+  *) Add some demos for certificate and certificate request creation.
+     [Steve Henson]
+
+  *) Make maximum certificate chain size accepted from the peer application
+     settable (SSL*_get/set_max_cert_list()), as proposed by
+     "Douglas E. Engert" <deengert@anl.gov>.
+     [Lutz Jaenicke]
+
+  *) Add support for shared libraries for Unixware-7
+     (Boyd Lynn Gerber <gerberb@zenez.com>).
+     [Lutz Jaenicke]
+
+  *) Add a "destroy" handler to ENGINEs that allows structural cleanup to
+     be done prior to destruction. Use this to unload error strings from
+     ENGINEs that load their own error strings. NB: This adds two new API
+     functions to "get" and "set" this destroy handler in an ENGINE.
+     [Geoff Thorpe]
+
+  *) Alter all existing ENGINE implementations (except "openssl" and
+     "openbsd") to dynamically instantiate their own error strings. This
+     makes them more flexible to be built both as statically-linked ENGINEs
+     and self-contained shared-libraries loadable via the "dynamic" ENGINE.
+     Also, add stub code to each that makes building them as self-contained
+     shared-libraries easier (see README.ENGINE).
+     [Geoff Thorpe]
+
+  *) Add a "dynamic" ENGINE that provides a mechanism for binding ENGINE
+     implementations into applications that are completely implemented in
+     self-contained shared-libraries. The "dynamic" ENGINE exposes control
+     commands that can be used to configure what shared-library to load and
+     to control aspects of the way it is handled. Also, made an update to
+     the README.ENGINE file that brings its information up-to-date and
+     provides some information and instructions on the "dynamic" ENGINE
+     (ie. how to use it, how to build "dynamic"-loadable ENGINEs, etc).
+     [Geoff Thorpe]
+
+  *) Make it possible to unload ranges of ERR strings with a new
+     "ERR_unload_strings" function.
+     [Geoff Thorpe]
+
+  *) Add a copy() function to EVP_MD.
+     [Ben Laurie]
+
+  *) Make EVP_MD routines take a context pointer instead of just the
+     md_data void pointer.
+     [Ben Laurie]
+
+  *) Add flags to EVP_MD and EVP_MD_CTX. EVP_MD_FLAG_ONESHOT indicates
+     that the digest can only process a single chunk of data
+     (typically because it is provided by a piece of
+     hardware). EVP_MD_CTX_FLAG_ONESHOT indicates that the application
+     is only going to provide a single chunk of data, and hence the
+     framework needn't accumulate the data for oneshot drivers.
+     [Ben Laurie]
+
+  *) As with "ERR", make it possible to replace the underlying "ex_data"
+     functions. This change also alters the storage and management of global
+     ex_data state - it's now all inside ex_data.c and all "class" code (eg.
+     RSA, BIO, SSL_CTX, etc) no longer stores its own STACKS and per-class
+     index counters. The API functions that use this state have been changed
+     to take a "class_index" rather than pointers to the class's local STACK
+     and counter, and there is now an API function to dynamically create new
+     classes. This centralisation allows us to (a) plug a lot of the
+     thread-safety problems that existed, and (b) makes it possible to clean
+     up all allocated state using "CRYPTO_cleanup_all_ex_data()". W.r.t. (b)
+     such data would previously have always leaked in application code and
+     workarounds were in place to make the memory debugging turn a blind eye
+     to it. Application code that doesn't use this new function will still
+     leak as before, but their memory debugging output will announce it now
+     rather than letting it slide.
+
+     Besides the addition of CRYPTO_cleanup_all_ex_data(), another API change
+     induced by the "ex_data" overhaul is that X509_STORE_CTX_init() now
+     has a return value to indicate success or failure.
+     [Geoff Thorpe]
+
+  *) Make it possible to replace the underlying "ERR" functions such that the
+     global state (2 LHASH tables and 2 locks) is only used by the "default"
+     implementation. This change also adds two functions to "get" and "set"
+     the implementation prior to it being automatically set the first time
+     any other ERR function takes place. Ie. an application can call "get",
+     pass the return value to a module it has just loaded, and that module
+     can call its own "set" function using that value. This means the
+     module's "ERR" operations will use (and modify) the error state in the
+     application and not in its own statically linked copy of OpenSSL code.
+     [Geoff Thorpe]
+
+  *) Give DH, DSA, and RSA types their own "**_up_ref()" function to increment
+     reference counts. This performs normal REF_PRINT/REF_CHECK macros on
+     the operation, and provides a more encapsulated way for external code
+     (crypto/evp/ and ssl/) to do this. Also changed the evp and ssl code
+     to use these functions rather than manually incrementing the counts.
+
+     Also rename "DSO_up()" function to more descriptive "DSO_up_ref()".
+     [Geoff Thorpe]
+
+  *) Add EVP test program.
+     [Ben Laurie]
+
+  *) Add symmetric cipher support to ENGINE. Expect the API to change!
+     [Ben Laurie]
+
+  *) New CRL functions: X509_CRL_set_version(), X509_CRL_set_issuer_name()
+     X509_CRL_set_lastUpdate(), X509_CRL_set_nextUpdate(), X509_CRL_sort(),
+     X509_REVOKED_set_serialNumber(), and X509_REVOKED_set_revocationDate().
+     These allow a CRL to be built without having to access X509_CRL fields
+     directly. Modify 'ca' application to use new functions.
+     [Steve Henson]
+
+  *) Move SSL_OP_TLS_ROLLBACK_BUG out of the SSL_OP_ALL list of recommended
+     bug workarounds. Rollback attack detection is a security feature.
+     The problem will only arise on OpenSSL servers when TLSv1 is not
+     available (sslv3_server_method() or SSL_OP_NO_TLSv1).
+     Software authors not wanting to support TLSv1 will have special reasons
+     for their choice and can explicitly enable this option.
+     [Bodo Moeller, Lutz Jaenicke]
+
+  *) Rationalise EVP so it can be extended: don't include a union of
+     cipher/digest structures, add init/cleanup functions for EVP_MD_CTX
+     (similar to those existing for EVP_CIPHER_CTX).
+     Usage example:
+
+         EVP_MD_CTX md;
+
+         EVP_MD_CTX_init(&md);             /* new function call */
+         EVP_DigestInit(&md, EVP_sha1());
+         EVP_DigestUpdate(&md, in, len);
+         EVP_DigestFinal(&md, out, NULL);
+         EVP_MD_CTX_cleanup(&md);          /* new function call */
+
+     [Ben Laurie]
+
+  *) Make DES key schedule conform to the usual scheme, as well as
+     correcting its structure. This means that calls to DES functions
+     now have to pass a pointer to a des_key_schedule instead of a
+     plain des_key_schedule (which was actually always a pointer
+     anyway): E.g.,
+
+         des_key_schedule ks;
+
+	 des_set_key_checked(..., &ks);
+	 des_ncbc_encrypt(..., &ks, ...);
+
+     (Note that a later change renames 'des_...' into 'DES_...'.)
+     [Ben Laurie]
+
+  *) Initial reduction of linker bloat: the use of some functions, such as
+     PEM causes large amounts of unused functions to be linked in due to
+     poor organisation. For example pem_all.c contains every PEM function
+     which has a knock on effect of linking in large amounts of (unused)
+     ASN1 code. Grouping together similar functions and splitting unrelated
+     functions prevents this.
+     [Steve Henson]
+
+  *) Cleanup of EVP macros.
+     [Ben Laurie]
+
+  *) Change historical references to {NID,SN,LN}_des_ede and ede3 to add the
+     correct _ecb suffix.
+     [Ben Laurie]
+
+  *) Add initial OCSP responder support to ocsp application. The
+     revocation information is handled using the text based index
+     use by the ca application. The responder can either handle
+     requests generated internally, supplied in files (for example
+     via a CGI script) or using an internal minimal server.
+     [Steve Henson]
+
+  *) Add configuration choices to get zlib compression for TLS.
+     [Richard Levitte]
+
+  *) Changes to Kerberos SSL for RFC 2712 compliance:
+     1.  Implemented real KerberosWrapper, instead of just using
+         KRB5 AP_REQ message.  [Thanks to Simon Wilkinson <sxw@sxw.org.uk>]
+     2.  Implemented optional authenticator field of KerberosWrapper.
+
+     Added openssl-style ASN.1 macros for Kerberos ticket, ap_req,
+     and authenticator structs; see crypto/krb5/.
+
+     Generalized Kerberos calls to support multiple Kerberos libraries.
+     [Vern Staats <staatsvr@asc.hpc.mil>,
+      Jeffrey Altman <jaltman@columbia.edu>
+      via Richard Levitte]
+
+  *) Cause 'openssl speed' to use fully hard-coded DSA keys as it
+     already does with RSA. testdsa.h now has 'priv_key/pub_key'
+     values for each of the key sizes rather than having just
+     parameters (and 'speed' generating keys each time).
+     [Geoff Thorpe]
+
+  *) Speed up EVP routines.
+     Before:
+encrypt
+type              8 bytes     64 bytes    256 bytes   1024 bytes   8192 bytes
+des-cbc           4408.85k     5560.51k     5778.46k     5862.20k     5825.16k
+des-cbc           4389.55k     5571.17k     5792.23k     5846.91k     5832.11k
+des-cbc           4394.32k     5575.92k     5807.44k     5848.37k     5841.30k
+decrypt
+des-cbc           3482.66k     5069.49k     5496.39k     5614.16k     5639.28k
+des-cbc           3480.74k     5068.76k     5510.34k     5609.87k     5635.52k
+des-cbc           3483.72k     5067.62k     5504.60k     5708.01k     5724.80k
+     After:
+encrypt
+des-cbc           4660.16k     5650.19k     5807.19k     5827.13k     5783.32k
+decrypt
+des-cbc           3624.96k     5258.21k     5530.91k     5624.30k     5628.26k
+     [Ben Laurie]
+
+  *) Added the OS2-EMX target.
+     ["Brian Havard" <brianh@kheldar.apana.org.au> and Richard Levitte]
+
+  *) Rewrite apps to use NCONF routines instead of the old CONF. New functions
+     to support NCONF routines in extension code. New function CONF_set_nconf()
+     to allow functions which take an NCONF to also handle the old LHASH
+     structure: this means that the old CONF compatible routines can be
+     retained (in particular wrt extensions) without having to duplicate the
+     code. New function X509V3_add_ext_nconf_sk to add extensions to a stack.
+     [Steve Henson]
+
+  *) Enhance the general user interface with mechanisms for inner control
+     and with possibilities to have yes/no kind of prompts.
+     [Richard Levitte]
+
+  *) Change all calls to low level digest routines in the library and
+     applications to use EVP. Add missing calls to HMAC_cleanup() and
+     don't assume HMAC_CTX can be copied using memcpy().
+     [Verdon Walker <VWalker@novell.com>, Steve Henson]
+
+  *) Add the possibility to control engines through control names but with
+     arbitrary arguments instead of just a string.
+     Change the key loaders to take a UI_METHOD instead of a callback
+     function pointer.  NOTE: this breaks binary compatibility with earlier
+     versions of OpenSSL [engine].
+     Adapt the nCipher code for these new conditions and add a card insertion
+     callback.
+     [Richard Levitte]
+
+  *) Enhance the general user interface with mechanisms to better support
+     dialog box interfaces, application-defined prompts, the possibility
+     to use defaults (for example default passwords from somewhere else)
+     and interrupts/cancellations.
+     [Richard Levitte]
+
+  *) Tidy up PKCS#12 attribute handling. Add support for the CSP name
+     attribute in PKCS#12 files, add new -CSP option to pkcs12 utility.
+     [Steve Henson]
+
+  *) Fix a memory leak in 'sk_dup()' in the case reallocation fails. (Also
+     tidy up some unnecessarily weird code in 'sk_new()').
+     [Geoff, reported by Diego Tartara <dtartara@novamens.com>]
+
+  *) Change the key loading routines for ENGINEs to use the same kind
+     callback (pem_password_cb) as all other routines that need this
+     kind of callback.
+     [Richard Levitte]
+
+  *) Increase ENTROPY_NEEDED to 32 bytes, as Rijndael can operate with
+     256 bit (=32 byte) keys. Of course seeding with more entropy bytes
+     than this minimum value is recommended.
+     [Lutz Jaenicke]
+
+  *) New random seeder for OpenVMS, using the system process statistics
+     that are easily reachable.
+     [Richard Levitte]
+
+  *) Windows apparently can't transparently handle global
+     variables defined in DLLs. Initialisations such as:
+
+        const ASN1_ITEM *it = &ASN1_INTEGER_it;
+
+     wont compile. This is used by the any applications that need to
+     declare their own ASN1 modules. This was fixed by adding the option
+     EXPORT_VAR_AS_FN to all Win32 platforms, although this isn't strictly
+     needed for static libraries under Win32.
+     [Steve Henson]
+
+  *) New functions X509_PURPOSE_set() and X509_TRUST_set() to handle
+     setting of purpose and trust fields. New X509_STORE trust and
+     purpose functions and tidy up setting in other SSL functions.
+     [Steve Henson]
+
+  *) Add copies of X509_STORE_CTX fields and callbacks to X509_STORE
+     structure. These are inherited by X509_STORE_CTX when it is 
+     initialised. This allows various defaults to be set in the
+     X509_STORE structure (such as flags for CRL checking and custom
+     purpose or trust settings) for functions which only use X509_STORE_CTX
+     internally such as S/MIME.
+
+     Modify X509_STORE_CTX_purpose_inherit() so it only sets purposes and
+     trust settings if they are not set in X509_STORE. This allows X509_STORE
+     purposes and trust (in S/MIME for example) to override any set by default.
+
+     Add command line options for CRL checking to smime, s_client and s_server
+     applications.
+     [Steve Henson]
+
+  *) Initial CRL based revocation checking. If the CRL checking flag(s)
+     are set then the CRL is looked up in the X509_STORE structure and
+     its validity and signature checked, then if the certificate is found
+     in the CRL the verify fails with a revoked error.
+
+     Various new CRL related callbacks added to X509_STORE_CTX structure.
+
+     Command line options added to 'verify' application to support this.
+
+     This needs some additional work, such as being able to handle multiple
+     CRLs with different times, extension based lookup (rather than just
+     by subject name) and ultimately more complete V2 CRL extension
+     handling.
+     [Steve Henson]
+
+  *) Add a general user interface API (crypto/ui/).  This is designed
+     to replace things like des_read_password and friends (backward
+     compatibility functions using this new API are provided).
+     The purpose is to remove prompting functions from the DES code
+     section as well as provide for prompting through dialog boxes in
+     a window system and the like.
+     [Richard Levitte]
+
+  *) Add "ex_data" support to ENGINE so implementations can add state at a
+     per-structure level rather than having to store it globally.
+     [Geoff]
+
+  *) Make it possible for ENGINE structures to be copied when retrieved by
+     ENGINE_by_id() if the ENGINE specifies a new flag: ENGINE_FLAGS_BY_ID_COPY.
+     This causes the "original" ENGINE structure to act like a template,
+     analogous to the RSA vs. RSA_METHOD type of separation. Because of this
+     operational state can be localised to each ENGINE structure, despite the
+     fact they all share the same "methods". New ENGINE structures returned in
+     this case have no functional references and the return value is the single
+     structural reference. This matches the single structural reference returned
+     by ENGINE_by_id() normally, when it is incremented on the pre-existing
+     ENGINE structure.
+     [Geoff]
+
+  *) Fix ASN1 decoder when decoding type ANY and V_ASN1_OTHER: since this
+     needs to match any other type at all we need to manually clear the
+     tag cache.
+     [Steve Henson]
+
+  *) Changes to the "openssl engine" utility to include;
+     - verbosity levels ('-v', '-vv', and '-vvv') that provide information
+       about an ENGINE's available control commands.
+     - executing control commands from command line arguments using the
+       '-pre' and '-post' switches. '-post' is only used if '-t' is
+       specified and the ENGINE is successfully initialised. The syntax for
+       the individual commands are colon-separated, for example;
+	 openssl engine chil -pre FORK_CHECK:0 -pre SO_PATH:/lib/test.so
+     [Geoff]
+
+  *) New dynamic control command support for ENGINEs. ENGINEs can now
+     declare their own commands (numbers), names (strings), descriptions,
+     and input types for run-time discovery by calling applications. A
+     subset of these commands are implicitly classed as "executable"
+     depending on their input type, and only these can be invoked through
+     the new string-based API function ENGINE_ctrl_cmd_string(). (Eg. this
+     can be based on user input, config files, etc). The distinction is
+     that "executable" commands cannot return anything other than a boolean
+     result and can only support numeric or string input, whereas some
+     discoverable commands may only be for direct use through
+     ENGINE_ctrl(), eg. supporting the exchange of binary data, function
+     pointers, or other custom uses. The "executable" commands are to
+     support parameterisations of ENGINE behaviour that can be
+     unambiguously defined by ENGINEs and used consistently across any
+     OpenSSL-based application. Commands have been added to all the
+     existing hardware-supporting ENGINEs, noticeably "SO_PATH" to allow
+     control over shared-library paths without source code alterations.
+     [Geoff]
+
+  *) Changed all ENGINE implementations to dynamically allocate their
+     ENGINEs rather than declaring them statically. Apart from this being
+     necessary with the removal of the ENGINE_FLAGS_MALLOCED distinction,
+     this also allows the implementations to compile without using the
+     internal engine_int.h header.
+     [Geoff]
+
+  *) Minor adjustment to "rand" code. RAND_get_rand_method() now returns a
+     'const' value. Any code that should be able to modify a RAND_METHOD
+     should already have non-const pointers to it (ie. they should only
+     modify their own ones).
+     [Geoff]
+
+  *) Made a variety of little tweaks to the ENGINE code.
+     - "atalla" and "ubsec" string definitions were moved from header files
+       to C code. "nuron" string definitions were placed in variables
+       rather than hard-coded - allowing parameterisation of these values
+       later on via ctrl() commands.
+     - Removed unused "#if 0"'d code.
+     - Fixed engine list iteration code so it uses ENGINE_free() to release
+       structural references.
+     - Constified the RAND_METHOD element of ENGINE structures.
+     - Constified various get/set functions as appropriate and added
+       missing functions (including a catch-all ENGINE_cpy that duplicates
+       all ENGINE values onto a new ENGINE except reference counts/state).
+     - Removed NULL parameter checks in get/set functions. Setting a method
+       or function to NULL is a way of cancelling out a previously set
+       value.  Passing a NULL ENGINE parameter is just plain stupid anyway
+       and doesn't justify the extra error symbols and code.
+     - Deprecate the ENGINE_FLAGS_MALLOCED define and move the area for
+       flags from engine_int.h to engine.h.
+     - Changed prototypes for ENGINE handler functions (init(), finish(),
+       ctrl(), key-load functions, etc) to take an (ENGINE*) parameter.
+     [Geoff]
+
+  *) Implement binary inversion algorithm for BN_mod_inverse in addition
+     to the algorithm using long division.  The binary algorithm can be
+     used only if the modulus is odd.  On 32-bit systems, it is faster
+     only for relatively small moduli (roughly 20-30% for 128-bit moduli,
+     roughly 5-15% for 256-bit moduli), so we use it only for moduli
+     up to 450 bits.  In 64-bit environments, the binary algorithm
+     appears to be advantageous for much longer moduli; here we use it
+     for moduli up to 2048 bits.
+     [Bodo Moeller]
+
+  *) Rewrite CHOICE field setting in ASN1_item_ex_d2i(). The old code
+     could not support the combine flag in choice fields.
+     [Steve Henson]
+
+  *) Add a 'copy_extensions' option to the 'ca' utility. This copies
+     extensions from a certificate request to the certificate.
+     [Steve Henson]
+
+  *) Allow multiple 'certopt' and 'nameopt' options to be separated
+     by commas. Add 'namopt' and 'certopt' options to the 'ca' config
+     file: this allows the display of the certificate about to be
+     signed to be customised, to allow certain fields to be included
+     or excluded and extension details. The old system didn't display
+     multicharacter strings properly, omitted fields not in the policy
+     and couldn't display additional details such as extensions.
+     [Steve Henson]
+
+  *) Function EC_POINTs_mul for multiple scalar multiplication
+     of an arbitrary number of elliptic curve points
+          \sum scalars[i]*points[i],
+     optionally including the generator defined for the EC_GROUP:
+          scalar*generator +  \sum scalars[i]*points[i].
+
+     EC_POINT_mul is a simple wrapper function for the typical case
+     that the point list has just one item (besides the optional
+     generator).
+     [Bodo Moeller]
+
+  *) First EC_METHODs for curves over GF(p):
+
+     EC_GFp_simple_method() uses the basic BN_mod_mul and BN_mod_sqr
+     operations and provides various method functions that can also
+     operate with faster implementations of modular arithmetic.     
+
+     EC_GFp_mont_method() reuses most functions that are part of
+     EC_GFp_simple_method, but uses Montgomery arithmetic.
+
+     [Bodo Moeller; point addition and point doubling
+     implementation directly derived from source code provided by
+     Lenka Fibikova <fibikova@exp-math.uni-essen.de>]
+
+  *) Framework for elliptic curves (crypto/ec/ec.h, crypto/ec/ec_lcl.h,
+     crypto/ec/ec_lib.c):
+
+     Curves are EC_GROUP objects (with an optional group generator)
+     based on EC_METHODs that are built into the library.
+
+     Points are EC_POINT objects based on EC_GROUP objects.
+
+     Most of the framework would be able to handle curves over arbitrary
+     finite fields, but as there are no obvious types for fields other
+     than GF(p), some functions are limited to that for now.
+     [Bodo Moeller]
+
+  *) Add the -HTTP option to s_server.  It is similar to -WWW, but requires
+     that the file contains a complete HTTP response.
+     [Richard Levitte]
+
+  *) Add the ec directory to mkdef.pl and mkfiles.pl. In mkdef.pl
+     change the def and num file printf format specifier from "%-40sXXX"
+     to "%-39s XXX". The latter will always guarantee a space after the
+     field while the former will cause them to run together if the field
+     is 40 of more characters long.
+     [Steve Henson]
+
+  *) Constify the cipher and digest 'method' functions and structures
+     and modify related functions to take constant EVP_MD and EVP_CIPHER
+     pointers.
+     [Steve Henson]
+
+  *) Hide BN_CTX structure details in bn_lcl.h instead of publishing them
+     in <openssl/bn.h>.  Also further increase BN_CTX_NUM to 32.
+     [Bodo Moeller]
+
+  *) Modify EVP_Digest*() routines so they now return values. Although the
+     internal software routines can never fail additional hardware versions
+     might.
+     [Steve Henson]
+
+  *) Clean up crypto/err/err.h and change some error codes to avoid conflicts:
+
+     Previously ERR_R_FATAL was too small and coincided with ERR_LIB_PKCS7
+     (= ERR_R_PKCS7_LIB); it is now 64 instead of 32.
+
+     ASN1 error codes
+          ERR_R_NESTED_ASN1_ERROR
+          ...
+          ERR_R_MISSING_ASN1_EOS
+     were 4 .. 9, conflicting with
+          ERR_LIB_RSA (= ERR_R_RSA_LIB)
+          ...
+          ERR_LIB_PEM (= ERR_R_PEM_LIB).
+     They are now 58 .. 63 (i.e., just below ERR_R_FATAL).
+
+     Add new error code 'ERR_R_INTERNAL_ERROR'.
+     [Bodo Moeller]
+
+  *) Don't overuse locks in crypto/err/err.c: For data retrieval, CRYPTO_r_lock
+     suffices.
+     [Bodo Moeller]
+
+  *) New option '-subj arg' for 'openssl req' and 'openssl ca'.  This
+     sets the subject name for a new request or supersedes the
+     subject name in a given request. Formats that can be parsed are
+          'CN=Some Name, OU=myOU, C=IT'
+     and
+          'CN=Some Name/OU=myOU/C=IT'.
+
+     Add options '-batch' and '-verbose' to 'openssl req'.
+     [Massimiliano Pala <madwolf@hackmasters.net>]
+
+  *) Introduce the possibility to access global variables through
+     functions on platform were that's the best way to handle exporting
+     global variables in shared libraries.  To enable this functionality,
+     one must configure with "EXPORT_VAR_AS_FN" or defined the C macro
+     "OPENSSL_EXPORT_VAR_AS_FUNCTION" in crypto/opensslconf.h (the latter
+     is normally done by Configure or something similar).
+
+     To implement a global variable, use the macro OPENSSL_IMPLEMENT_GLOBAL
+     in the source file (foo.c) like this:
+
+	OPENSSL_IMPLEMENT_GLOBAL(int,foo)=1;
+	OPENSSL_IMPLEMENT_GLOBAL(double,bar);
+
+     To declare a global variable, use the macros OPENSSL_DECLARE_GLOBAL
+     and OPENSSL_GLOBAL_REF in the header file (foo.h) like this:
+
+	OPENSSL_DECLARE_GLOBAL(int,foo);
+	#define foo OPENSSL_GLOBAL_REF(foo)
+	OPENSSL_DECLARE_GLOBAL(double,bar);
+	#define bar OPENSSL_GLOBAL_REF(bar)
+
+     The #defines are very important, and therefore so is including the
+     header file everywhere where the defined globals are used.
+
+     The macro OPENSSL_EXPORT_VAR_AS_FUNCTION also affects the definition
+     of ASN.1 items, but that structure is a bit different.
+
+     The largest change is in util/mkdef.pl which has been enhanced with
+     better and easier to understand logic to choose which symbols should
+     go into the Windows .def files as well as a number of fixes and code
+     cleanup (among others, algorithm keywords are now sorted
+     lexicographically to avoid constant rewrites).
+     [Richard Levitte]
+
+  *) In BN_div() keep a copy of the sign of 'num' before writing the
+     result to 'rm' because if rm==num the value will be overwritten
+     and produce the wrong result if 'num' is negative: this caused
+     problems with BN_mod() and BN_nnmod().
+     [Steve Henson]
+
+  *) Function OCSP_request_verify(). This checks the signature on an
+     OCSP request and verifies the signer certificate. The signer
+     certificate is just checked for a generic purpose and OCSP request
+     trust settings.
+     [Steve Henson]
+
+  *) Add OCSP_check_validity() function to check the validity of OCSP
+     responses. OCSP responses are prepared in real time and may only
+     be a few seconds old. Simply checking that the current time lies
+     between thisUpdate and nextUpdate max reject otherwise valid responses
+     caused by either OCSP responder or client clock inaccuracy. Instead
+     we allow thisUpdate and nextUpdate to fall within a certain period of
+     the current time. The age of the response can also optionally be
+     checked. Two new options -validity_period and -status_age added to
+     ocsp utility.
+     [Steve Henson]
+
+  *) If signature or public key algorithm is unrecognized print out its
+     OID rather that just UNKNOWN.
+     [Steve Henson]
+
+  *) Change OCSP_cert_to_id() to tolerate a NULL subject certificate and
+     OCSP_cert_id_new() a NULL serialNumber. This allows a partial certificate
+     ID to be generated from the issuer certificate alone which can then be
+     passed to OCSP_id_issuer_cmp().
+     [Steve Henson]
+
+  *) New compilation option ASN1_ITEM_FUNCTIONS. This causes the new
+     ASN1 modules to export functions returning ASN1_ITEM pointers
+     instead of the ASN1_ITEM structures themselves. This adds several
+     new macros which allow the underlying ASN1 function/structure to
+     be accessed transparently. As a result code should not use ASN1_ITEM
+     references directly (such as &X509_it) but instead use the relevant
+     macros (such as ASN1_ITEM_rptr(X509)). This option is to allow
+     use of the new ASN1 code on platforms where exporting structures
+     is problematical (for example in shared libraries) but exporting
+     functions returning pointers to structures is not.
+     [Steve Henson]
+
+  *) Add support for overriding the generation of SSL/TLS session IDs.
+     These callbacks can be registered either in an SSL_CTX or per SSL.
+     The purpose of this is to allow applications to control, if they wish,
+     the arbitrary values chosen for use as session IDs, particularly as it
+     can be useful for session caching in multiple-server environments. A
+     command-line switch for testing this (and any client code that wishes
+     to use such a feature) has been added to "s_server".
+     [Geoff Thorpe, Lutz Jaenicke]
+
+  *) Modify mkdef.pl to recognise and parse preprocessor conditionals
+     of the form '#if defined(...) || defined(...) || ...' and
+     '#if !defined(...) && !defined(...) && ...'.  This also avoids
+     the growing number of special cases it was previously handling.
+     [Richard Levitte]
+
+  *) Make all configuration macros available for application by making
+     sure they are available in opensslconf.h, by giving them names starting
+     with "OPENSSL_" to avoid conflicts with other packages and by making
+     sure e_os2.h will cover all platform-specific cases together with
+     opensslconf.h.
+     Additionally, it is now possible to define configuration/platform-
+     specific names (called "system identities").  In the C code, these
+     are prefixed with "OPENSSL_SYSNAME_".  e_os2.h will create another
+     macro with the name beginning with "OPENSSL_SYS_", which is determined
+     from "OPENSSL_SYSNAME_*" or compiler-specific macros depending on
+     what is available.
+     [Richard Levitte]
+
+  *) New option -set_serial to 'req' and 'x509' this allows the serial
+     number to use to be specified on the command line. Previously self
+     signed certificates were hard coded with serial number 0 and the 
+     CA options of 'x509' had to use a serial number in a file which was
+     auto incremented.
+     [Steve Henson]
+
+  *) New options to 'ca' utility to support V2 CRL entry extensions.
+     Currently CRL reason, invalidity date and hold instruction are
+     supported. Add new CRL extensions to V3 code and some new objects.
+     [Steve Henson]
+
+  *) New function EVP_CIPHER_CTX_set_padding() this is used to
+     disable standard block padding (aka PKCS#5 padding) in the EVP
+     API, which was previously mandatory. This means that the data is
+     not padded in any way and so the total length much be a multiple
+     of the block size, otherwise an error occurs.
+     [Steve Henson]
+
+  *) Initial (incomplete) OCSP SSL support.
+     [Steve Henson]
+
+  *) New function OCSP_parse_url(). This splits up a URL into its host,
+     port and path components: primarily to parse OCSP URLs. New -url
+     option to ocsp utility.
+     [Steve Henson]
+
+  *) New nonce behavior. The return value of OCSP_check_nonce() now 
+     reflects the various checks performed. Applications can decide
+     whether to tolerate certain situations such as an absent nonce
+     in a response when one was present in a request: the ocsp application
+     just prints out a warning. New function OCSP_add1_basic_nonce()
+     this is to allow responders to include a nonce in a response even if
+     the request is nonce-less.
+     [Steve Henson]
+
+  *) Disable stdin buffering in load_cert (apps/apps.c) so that no certs are
+     skipped when using openssl x509 multiple times on a single input file,
+     e.g. "(openssl x509 -out cert1; openssl x509 -out cert2) <certs".
+     [Bodo Moeller]
+
+  *) Make ASN1_UTCTIME_set_string() and ASN1_GENERALIZEDTIME_set_string()
+     set string type: to handle setting ASN1_TIME structures. Fix ca
+     utility to correctly initialize revocation date of CRLs.
+     [Steve Henson]
+
+  *) New option SSL_OP_CIPHER_SERVER_PREFERENCE allows the server to override
+     the clients preferred ciphersuites and rather use its own preferences.
+     Should help to work around M$ SGC (Server Gated Cryptography) bug in
+     Internet Explorer by ensuring unchanged hash method during stepup.
+     (Also replaces the broken/deactivated SSL_OP_NON_EXPORT_FIRST option.)
+     [Lutz Jaenicke]
+
+  *) Make mkdef.pl recognise all DECLARE_ASN1 macros, change rijndael
+     to aes and add a new 'exist' option to print out symbols that don't
+     appear to exist.
+     [Steve Henson]
+
+  *) Additional options to ocsp utility to allow flags to be set and
+     additional certificates supplied.
+     [Steve Henson]
+
+  *) Add the option -VAfile to 'openssl ocsp', so the user can give the
+     OCSP client a number of certificate to only verify the response
+     signature against.
+     [Richard Levitte]
+
+  *) Update Rijndael code to version 3.0 and change EVP AES ciphers to
+     handle the new API. Currently only ECB, CBC modes supported. Add new
+     AES OIDs.
+
+     Add TLS AES ciphersuites as described in RFC3268, "Advanced
+     Encryption Standard (AES) Ciphersuites for Transport Layer
+     Security (TLS)".  (In beta versions of OpenSSL 0.9.7, these were
+     not enabled by default and were not part of the "ALL" ciphersuite
+     alias because they were not yet official; they could be
+     explicitly requested by specifying the "AESdraft" ciphersuite
+     group alias.  In the final release of OpenSSL 0.9.7, the group
+     alias is called "AES" and is part of "ALL".)
+     [Ben Laurie, Steve  Henson, Bodo Moeller]
+
+  *) New function OCSP_copy_nonce() to copy nonce value (if present) from
+     request to response.
+     [Steve Henson]
+
+  *) Functions for OCSP responders. OCSP_request_onereq_count(),
+     OCSP_request_onereq_get0(), OCSP_onereq_get0_id() and OCSP_id_get0_info()
+     extract information from a certificate request. OCSP_response_create()
+     creates a response and optionally adds a basic response structure.
+     OCSP_basic_add1_status() adds a complete single response to a basic
+     response and returns the OCSP_SINGLERESP structure just added (to allow
+     extensions to be included for example). OCSP_basic_add1_cert() adds a
+     certificate to a basic response and OCSP_basic_sign() signs a basic
+     response with various flags. New helper functions ASN1_TIME_check()
+     (checks validity of ASN1_TIME structure) and ASN1_TIME_to_generalizedtime()
+     (converts ASN1_TIME to GeneralizedTime).
+     [Steve Henson]
+
+  *) Various new functions. EVP_Digest() combines EVP_Digest{Init,Update,Final}()
+     in a single operation. X509_get0_pubkey_bitstr() extracts the public_key
+     structure from a certificate. X509_pubkey_digest() digests the public_key
+     contents: this is used in various key identifiers. 
+     [Steve Henson]
+
+  *) Make sk_sort() tolerate a NULL argument.
+     [Steve Henson reported by Massimiliano Pala <madwolf@comune.modena.it>]
+
+  *) New OCSP verify flag OCSP_TRUSTOTHER. When set the "other" certificates
+     passed by the function are trusted implicitly. If any of them signed the
+     response then it is assumed to be valid and is not verified.
+     [Steve Henson]
+
+  *) In PKCS7_set_type() initialise content_type in PKCS7_ENC_CONTENT
+     to data. This was previously part of the PKCS7 ASN1 code. This
+     was causing problems with OpenSSL created PKCS#12 and PKCS#7 structures.
+     [Steve Henson, reported by Kenneth R. Robinette
+				<support@securenetterm.com>]
+
+  *) Add CRYPTO_push_info() and CRYPTO_pop_info() calls to new ASN1
+     routines: without these tracing memory leaks is very painful.
+     Fix leaks in PKCS12 and PKCS7 routines.
+     [Steve Henson]
+
+  *) Make X509_time_adj() cope with the new behaviour of ASN1_TIME_new().
+     Previously it initialised the 'type' argument to V_ASN1_UTCTIME which
+     effectively meant GeneralizedTime would never be used. Now it
+     is initialised to -1 but X509_time_adj() now has to check the value
+     and use ASN1_TIME_set() if the value is not V_ASN1_UTCTIME or
+     V_ASN1_GENERALIZEDTIME, without this it always uses GeneralizedTime.
+     [Steve Henson, reported by Kenneth R. Robinette
+				<support@securenetterm.com>]
+
+  *) Fixes to BN_to_ASN1_INTEGER when bn is zero. This would previously
+     result in a zero length in the ASN1_INTEGER structure which was
+     not consistent with the structure when d2i_ASN1_INTEGER() was used
+     and would cause ASN1_INTEGER_cmp() to fail. Enhance s2i_ASN1_INTEGER()
+     to cope with hex and negative integers. Fix bug in i2a_ASN1_INTEGER()
+     where it did not print out a minus for negative ASN1_INTEGER.
+     [Steve Henson]
+
+  *) Add summary printout to ocsp utility. The various functions which
+     convert status values to strings have been renamed to:
+     OCSP_response_status_str(), OCSP_cert_status_str() and
+     OCSP_crl_reason_str() and are no longer static. New options
+     to verify nonce values and to disable verification. OCSP response
+     printout format cleaned up.
+     [Steve Henson]
+
+  *) Add additional OCSP certificate checks. These are those specified
+     in RFC2560. This consists of two separate checks: the CA of the
+     certificate being checked must either be the OCSP signer certificate
+     or the issuer of the OCSP signer certificate. In the latter case the
+     OCSP signer certificate must contain the OCSP signing extended key
+     usage. This check is performed by attempting to match the OCSP
+     signer or the OCSP signer CA to the issuerNameHash and issuerKeyHash
+     in the OCSP_CERTID structures of the response.
+     [Steve Henson]
+
+  *) Initial OCSP certificate verification added to OCSP_basic_verify()
+     and related routines. This uses the standard OpenSSL certificate
+     verify routines to perform initial checks (just CA validity) and
+     to obtain the certificate chain. Then additional checks will be
+     performed on the chain. Currently the root CA is checked to see
+     if it is explicitly trusted for OCSP signing. This is used to set
+     a root CA as a global signing root: that is any certificate that
+     chains to that CA is an acceptable OCSP signing certificate.
+     [Steve Henson]
+
+  *) New '-extfile ...' option to 'openssl ca' for reading X.509v3
+     extensions from a separate configuration file.
+     As when reading extensions from the main configuration file,
+     the '-extensions ...' option may be used for specifying the
+     section to use.
+     [Massimiliano Pala <madwolf@comune.modena.it>]
+
+  *) New OCSP utility. Allows OCSP requests to be generated or
+     read. The request can be sent to a responder and the output
+     parsed, outputed or printed in text form. Not complete yet:
+     still needs to check the OCSP response validity.
+     [Steve Henson]
+
+  *) New subcommands for 'openssl ca':
+     'openssl ca -status <serial>' prints the status of the cert with
+     the given serial number (according to the index file).
+     'openssl ca -updatedb' updates the expiry status of certificates
+     in the index file.
+     [Massimiliano Pala <madwolf@comune.modena.it>]
+
+  *) New '-newreq-nodes' command option to CA.pl.  This is like
+     '-newreq', but calls 'openssl req' with the '-nodes' option
+     so that the resulting key is not encrypted.
+     [Damien Miller <djm@mindrot.org>]
+
+  *) New configuration for the GNU Hurd.
+     [Jonathan Bartlett <johnnyb@wolfram.com> via Richard Levitte]
+
+  *) Initial code to implement OCSP basic response verify. This
+     is currently incomplete. Currently just finds the signer's
+     certificate and verifies the signature on the response.
+     [Steve Henson]
+
+  *) New SSLeay_version code SSLEAY_DIR to determine the compiled-in
+     value of OPENSSLDIR.  This is available via the new '-d' option
+     to 'openssl version', and is also included in 'openssl version -a'.
+     [Bodo Moeller]
+
+  *) Allowing defining memory allocation callbacks that will be given
+     file name and line number information in additional arguments
+     (a const char* and an int).  The basic functionality remains, as
+     well as the original possibility to just replace malloc(),
+     realloc() and free() by functions that do not know about these
+     additional arguments.  To register and find out the current
+     settings for extended allocation functions, the following
+     functions are provided:
+
+	CRYPTO_set_mem_ex_functions
+	CRYPTO_set_locked_mem_ex_functions
+	CRYPTO_get_mem_ex_functions
+	CRYPTO_get_locked_mem_ex_functions
+
+     These work the same way as CRYPTO_set_mem_functions and friends.
+     CRYPTO_get_[locked_]mem_functions now writes 0 where such an
+     extended allocation function is enabled.
+     Similarly, CRYPTO_get_[locked_]mem_ex_functions writes 0 where
+     a conventional allocation function is enabled.
+     [Richard Levitte, Bodo Moeller]
+
+  *) Finish off removing the remaining LHASH function pointer casts.
+     There should no longer be any prototype-casting required when using
+     the LHASH abstraction, and any casts that remain are "bugs". See
+     the callback types and macros at the head of lhash.h for details
+     (and "OBJ_cleanup" in crypto/objects/obj_dat.c as an example).
+     [Geoff Thorpe]
+
+  *) Add automatic query of EGD sockets in RAND_poll() for the unix variant.
+     If /dev/[u]random devices are not available or do not return enough
+     entropy, EGD style sockets (served by EGD or PRNGD) will automatically
+     be queried.
+     The locations /var/run/egd-pool, /dev/egd-pool, /etc/egd-pool, and
+     /etc/entropy will be queried once each in this sequence, quering stops
+     when enough entropy was collected without querying more sockets.
+     [Lutz Jaenicke]
+
+  *) Change the Unix RAND_poll() variant to be able to poll several
+     random devices, as specified by DEVRANDOM, until a sufficient amount
+     of data has been collected.   We spend at most 10 ms on each file
+     (select timeout) and read in non-blocking mode.  DEVRANDOM now
+     defaults to the list "/dev/urandom", "/dev/random", "/dev/srandom"
+     (previously it was just the string "/dev/urandom"), so on typical
+     platforms the 10 ms delay will never occur.
+     Also separate out the Unix variant to its own file, rand_unix.c.
+     For VMS, there's a currently-empty rand_vms.c.
+     [Richard Levitte]
+
+  *) Move OCSP client related routines to ocsp_cl.c. These
+     provide utility functions which an application needing
+     to issue a request to an OCSP responder and analyse the
+     response will typically need: as opposed to those which an
+     OCSP responder itself would need which will be added later.
+
+     OCSP_request_sign() signs an OCSP request with an API similar
+     to PKCS7_sign(). OCSP_response_status() returns status of OCSP
+     response. OCSP_response_get1_basic() extracts basic response
+     from response. OCSP_resp_find_status(): finds and extracts status
+     information from an OCSP_CERTID structure (which will be created
+     when the request structure is built). These are built from lower
+     level functions which work on OCSP_SINGLERESP structures but
+     wont normally be used unless the application wishes to examine
+     extensions in the OCSP response for example.
+
+     Replace nonce routines with a pair of functions.
+     OCSP_request_add1_nonce() adds a nonce value and optionally
+     generates a random value. OCSP_check_nonce() checks the
+     validity of the nonce in an OCSP response.
+     [Steve Henson]
+
+  *) Change function OCSP_request_add() to OCSP_request_add0_id().
+     This doesn't copy the supplied OCSP_CERTID and avoids the
+     need to free up the newly created id. Change return type
+     to OCSP_ONEREQ to return the internal OCSP_ONEREQ structure.
+     This can then be used to add extensions to the request.
+     Deleted OCSP_request_new(), since most of its functionality
+     is now in OCSP_REQUEST_new() (and the case insensitive name
+     clash) apart from the ability to set the request name which
+     will be added elsewhere.
+     [Steve Henson]
+
+  *) Update OCSP API. Remove obsolete extensions argument from
+     various functions. Extensions are now handled using the new
+     OCSP extension code. New simple OCSP HTTP function which 
+     can be used to send requests and parse the response.
+     [Steve Henson]
+
+  *) Fix the PKCS#7 (S/MIME) code to work with new ASN1. Two new
+     ASN1_ITEM structures help with sign and verify. PKCS7_ATTR_SIGN
+     uses the special reorder version of SET OF to sort the attributes
+     and reorder them to match the encoded order. This resolves a long
+     standing problem: a verify on a PKCS7 structure just after signing
+     it used to fail because the attribute order did not match the
+     encoded order. PKCS7_ATTR_VERIFY does not reorder the attributes:
+     it uses the received order. This is necessary to tolerate some broken
+     software that does not order SET OF. This is handled by encoding
+     as a SEQUENCE OF but using implicit tagging (with UNIVERSAL class)
+     to produce the required SET OF.
+     [Steve Henson]
+
+  *) Have mk1mf.pl generate the macros OPENSSL_BUILD_SHLIBCRYPTO and
+     OPENSSL_BUILD_SHLIBSSL and use them appropriately in the header
+     files to get correct declarations of the ASN.1 item variables.
+     [Richard Levitte]
+
+  *) Rewrite of PKCS#12 code to use new ASN1 functionality. Replace many
+     PKCS#12 macros with real functions. Fix two unrelated ASN1 bugs:
+     asn1_check_tlen() would sometimes attempt to use 'ctx' when it was
+     NULL and ASN1_TYPE was not dereferenced properly in asn1_ex_c2i().
+     New ASN1 macro: DECLARE_ASN1_ITEM() which just declares the relevant
+     ASN1_ITEM and no wrapper functions.
+     [Steve Henson]
+
+  *) New functions or ASN1_item_d2i_fp() and ASN1_item_d2i_bio(). These
+     replace the old function pointer based I/O routines. Change most of
+     the *_d2i_bio() and *_d2i_fp() functions to use these.
+     [Steve Henson]
+
+  *) Enhance mkdef.pl to be more accepting about spacing in C preprocessor
+     lines, recognice more "algorithms" that can be deselected, and make
+     it complain about algorithm deselection that isn't recognised.
+     [Richard Levitte]
+
+  *) New ASN1 functions to handle dup, sign, verify, digest, pack and
+     unpack operations in terms of ASN1_ITEM. Modify existing wrappers
+     to use new functions. Add NO_ASN1_OLD which can be set to remove
+     some old style ASN1 functions: this can be used to determine if old
+     code will still work when these eventually go away.
+     [Steve Henson]
+
+  *) New extension functions for OCSP structures, these follow the
+     same conventions as certificates and CRLs.
+     [Steve Henson]
+
+  *) New function X509V3_add1_i2d(). This automatically encodes and
+     adds an extension. Its behaviour can be customised with various
+     flags to append, replace or delete. Various wrappers added for
+     certifcates and CRLs.
+     [Steve Henson]
+
+  *) Fix to avoid calling the underlying ASN1 print routine when
+     an extension cannot be parsed. Correct a typo in the
+     OCSP_SERVICELOC extension. Tidy up print OCSP format.
+     [Steve Henson]
+
+  *) Make mkdef.pl parse some of the ASN1 macros and add apropriate
+     entries for variables.
+     [Steve Henson]
+
+  *) Add functionality to apps/openssl.c for detecting locking
+     problems: As the program is single-threaded, all we have
+     to do is register a locking callback using an array for
+     storing which locks are currently held by the program.
+     [Bodo Moeller]
+
+  *) Use a lock around the call to CRYPTO_get_ex_new_index() in
+     SSL_get_ex_data_X509_STORE_idx(), which is used in
+     ssl_verify_cert_chain() and thus can be called at any time
+     during TLS/SSL handshakes so that thread-safety is essential.
+     Unfortunately, the ex_data design is not at all suited
+     for multi-threaded use, so it probably should be abolished.
+     [Bodo Moeller]
+
+  *) Added Broadcom "ubsec" ENGINE to OpenSSL.
+     [Broadcom, tweaked and integrated by Geoff Thorpe]
+
+  *) Move common extension printing code to new function
+     X509V3_print_extensions(). Reorganise OCSP print routines and
+     implement some needed OCSP ASN1 functions. Add OCSP extensions.
+     [Steve Henson]
+
+  *) New function X509_signature_print() to remove duplication in some
+     print routines.
+     [Steve Henson]
+
+  *) Add a special meaning when SET OF and SEQUENCE OF flags are both
+     set (this was treated exactly the same as SET OF previously). This
+     is used to reorder the STACK representing the structure to match the
+     encoding. This will be used to get round a problem where a PKCS7
+     structure which was signed could not be verified because the STACK
+     order did not reflect the encoded order.
+     [Steve Henson]
+
+  *) Reimplement the OCSP ASN1 module using the new code.
+     [Steve Henson]
+
+  *) Update the X509V3 code to permit the use of an ASN1_ITEM structure
+     for its ASN1 operations. The old style function pointers still exist
+     for now but they will eventually go away.
+     [Steve Henson]
+
+  *) Merge in replacement ASN1 code from the ASN1 branch. This almost
+     completely replaces the old ASN1 functionality with a table driven
+     encoder and decoder which interprets an ASN1_ITEM structure describing
+     the ASN1 module. Compatibility with the existing ASN1 API (i2d,d2i) is
+     largely maintained. Almost all of the old asn1_mac.h macro based ASN1
+     has also been converted to the new form.
+     [Steve Henson]
+
+  *) Change BN_mod_exp_recp so that negative moduli are tolerated
+     (the sign is ignored).  Similarly, ignore the sign in BN_MONT_CTX_set
+     so that BN_mod_exp_mont and BN_mod_exp_mont_word work
+     for negative moduli.
+     [Bodo Moeller]
+
+  *) Fix BN_uadd and BN_usub: Always return non-negative results instead
+     of not touching the result's sign bit.
+     [Bodo Moeller]
+
+  *) BN_div bugfix: If the result is 0, the sign (res->neg) must not be
+     set.
+     [Bodo Moeller]
+
+  *) Changed the LHASH code to use prototypes for callbacks, and created
+     macros to declare and implement thin (optionally static) functions
+     that provide type-safety and avoid function pointer casting for the
+     type-specific callbacks.
+     [Geoff Thorpe]
+
+  *) Added Kerberos Cipher Suites to be used with TLS, as written in
+     RFC 2712.
+     [Veers Staats <staatsvr@asc.hpc.mil>,
+      Jeffrey Altman <jaltman@columbia.edu>, via Richard Levitte]
+
+  *) Reformat the FAQ so the different questions and answers can be divided
+     in sections depending on the subject.
+     [Richard Levitte]
+
+  *) Have the zlib compression code load ZLIB.DLL dynamically under
+     Windows.
+     [Richard Levitte]
+
+  *) New function BN_mod_sqrt for computing square roots modulo a prime
+     (using the probabilistic Tonelli-Shanks algorithm unless
+     p == 3 (mod 4)  or  p == 5 (mod 8),  which are cases that can
+     be handled deterministically).
+     [Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller]
+
+  *) Make BN_mod_inverse faster by explicitly handling small quotients
+     in the Euclid loop. (Speed gain about 20% for small moduli [256 or
+     512 bits], about 30% for larger ones [1024 or 2048 bits].)
+     [Bodo Moeller]
+
+  *) New function BN_kronecker.
+     [Bodo Moeller]
+
+  *) Fix BN_gcd so that it works on negative inputs; the result is
+     positive unless both parameters are zero.
+     Previously something reasonably close to an infinite loop was
+     possible because numbers could be growing instead of shrinking
+     in the implementation of Euclid's algorithm.
+     [Bodo Moeller]
+
+  *) Fix BN_is_word() and BN_is_one() macros to take into account the
+     sign of the number in question.
+
+     Fix BN_is_word(a,w) to work correctly for w == 0.
+
+     The old BN_is_word(a,w) macro is now called BN_abs_is_word(a,w)
+     because its test if the absolute value of 'a' equals 'w'.
+     Note that BN_abs_is_word does *not* handle w == 0 reliably;
+     it exists mostly for use in the implementations of BN_is_zero(),
+     BN_is_one(), and BN_is_word().
+     [Bodo Moeller]
+
+  *) New function BN_swap.
+     [Bodo Moeller]
+
+  *) Use BN_nnmod instead of BN_mod in crypto/bn/bn_exp.c so that
+     the exponentiation functions are more likely to produce reasonable
+     results on negative inputs.
+     [Bodo Moeller]
+
+  *) Change BN_mod_mul so that the result is always non-negative.
+     Previously, it could be negative if one of the factors was negative;
+     I don't think anyone really wanted that behaviour.
+     [Bodo Moeller]
+
+  *) Move BN_mod_... functions into new file crypto/bn/bn_mod.c
+     (except for exponentiation, which stays in crypto/bn/bn_exp.c,
+     and BN_mod_mul_reciprocal, which stays in crypto/bn/bn_recp.c)
+     and add new functions:
+
+          BN_nnmod
+          BN_mod_sqr
+          BN_mod_add
+          BN_mod_add_quick
+          BN_mod_sub
+          BN_mod_sub_quick
+          BN_mod_lshift1
+          BN_mod_lshift1_quick
+          BN_mod_lshift
+          BN_mod_lshift_quick
+
+     These functions always generate non-negative results.
+
+     BN_nnmod otherwise is like BN_mod (if BN_mod computes a remainder  r
+     such that  |m| < r < 0,  BN_nnmod will output  rem + |m|  instead).
+
+     BN_mod_XXX_quick(r, a, [b,] m) generates the same result as
+     BN_mod_XXX(r, a, [b,] m, ctx), but requires that  a  [and  b]
+     be reduced modulo  m.
+     [Lenka Fibikova <fibikova@exp-math.uni-essen.de>, Bodo Moeller]
+
+  *) Remove a few calls to bn_wexpand() in BN_sqr() (the one in there
+     was actually never needed) and in BN_mul().  The removal in BN_mul()
+     required a small change in bn_mul_part_recursive() and the addition
+     of the functions bn_cmp_part_words(), bn_sub_part_words() and
+     bn_add_part_words(), which do the same thing as bn_cmp_words(),
+     bn_sub_words() and bn_add_words() except they take arrays with
+     differing sizes.
+     [Richard Levitte]
+
+  *) In 'openssl passwd', verify passwords read from the terminal
+     unless the '-salt' option is used (which usually means that
+     verification would just waste user's time since the resulting
+     hash is going to be compared with some given password hash)
+     or the new '-noverify' option is used.
+
+     This is an incompatible change, but it does not affect
+     non-interactive use of 'openssl passwd' (passwords on the command
+     line, '-stdin' option, '-in ...' option) and thus should not
+     cause any problems.
+     [Bodo Moeller]
+
+  *) Remove all references to RSAref, since there's no more need for it.
+     [Richard Levitte]
+
+  *) Make DSO load along a path given through an environment variable
+     (SHLIB_PATH) with shl_load().
+     [Richard Levitte]
+
+  *) Constify the ENGINE code as a result of BIGNUM constification.
+     Also constify the RSA code and most things related to it.  In a
+     few places, most notable in the depth of the ASN.1 code, ugly
+     casts back to non-const were required (to be solved at a later
+     time)
+     [Richard Levitte]
+
+  *) Make it so the openssl application has all engines loaded by default.
+     [Richard Levitte]
+
+  *) Constify the BIGNUM routines a little more.
+     [Richard Levitte]
+
+  *) Add the following functions:
+
+	ENGINE_load_cswift()
+	ENGINE_load_chil()
+	ENGINE_load_atalla()
+	ENGINE_load_nuron()
+	ENGINE_load_builtin_engines()
+
+     That way, an application can itself choose if external engines that
+     are built-in in OpenSSL shall ever be used or not.  The benefit is
+     that applications won't have to be linked with libdl or other dso
+     libraries unless it's really needed.
+
+     Changed 'openssl engine' to load all engines on demand.
+     Changed the engine header files to avoid the duplication of some
+     declarations (they differed!).
+     [Richard Levitte]
+
+  *) 'openssl engine' can now list capabilities.
+     [Richard Levitte]
+
+  *) Better error reporting in 'openssl engine'.
+     [Richard Levitte]
+
+  *) Never call load_dh_param(NULL) in s_server.
+     [Bodo Moeller]
+
+  *) Add engine application.  It can currently list engines by name and
+     identity, and test if they are actually available.
+     [Richard Levitte]
+
+  *) Improve RPM specification file by forcing symbolic linking and making
+     sure the installed documentation is also owned by root.root.
+     [Damien Miller <djm@mindrot.org>]
+
+  *) Give the OpenSSL applications more possibilities to make use of
+     keys (public as well as private) handled by engines.
+     [Richard Levitte]
+
+  *) Add OCSP code that comes from CertCo.
+     [Richard Levitte]
+
+  *) Add VMS support for the Rijndael code.
+     [Richard Levitte]
+
+  *) Added untested support for Nuron crypto accelerator.
+     [Ben Laurie]
+
+  *) Add support for external cryptographic devices.  This code was
+     previously distributed separately as the "engine" branch.
+     [Geoff Thorpe, Richard Levitte]
+
+  *) Rework the filename-translation in the DSO code. It is now possible to
+     have far greater control over how a "name" is turned into a filename
+     depending on the operating environment and any oddities about the
+     different shared library filenames on each system.
+     [Geoff Thorpe]
+
+  *) Support threads on FreeBSD-elf in Configure.
+     [Richard Levitte]
+
+  *) Fix for SHA1 assembly problem with MASM: it produces
+     warnings about corrupt line number information when assembling
+     with debugging information. This is caused by the overlapping
+     of two sections.
+     [Bernd Matthes <mainbug@celocom.de>, Steve Henson]
+
+  *) NCONF changes.
+     NCONF_get_number() has no error checking at all.  As a replacement,
+     NCONF_get_number_e() is defined (_e for "error checking") and is
+     promoted strongly.  The old NCONF_get_number is kept around for
+     binary backward compatibility.
+     Make it possible for methods to load from something other than a BIO,
+     by providing a function pointer that is given a name instead of a BIO.
+     For example, this could be used to load configuration data from an
+     LDAP server.
+     [Richard Levitte]
+
+  *) Fix for non blocking accept BIOs. Added new I/O special reason
+     BIO_RR_ACCEPT to cover this case. Previously use of accept BIOs
+     with non blocking I/O was not possible because no retry code was
+     implemented. Also added new SSL code SSL_WANT_ACCEPT to cover
+     this case.
+     [Steve Henson]
+
+  *) Added the beginnings of Rijndael support.
+     [Ben Laurie]
+
+  *) Fix for bug in DirectoryString mask setting. Add support for
+     X509_NAME_print_ex() in 'req' and X509_print_ex() function
+     to allow certificate printing to more controllable, additional
+     'certopt' option to 'x509' to allow new printing options to be
+     set.
+     [Steve Henson]
+
+  *) Clean old EAY MD5 hack from e_os.h.
+     [Richard Levitte]
+
+ Changes between 0.9.6g and 0.9.6h  [5 Dec 2002]
+
+  *) New function OPENSSL_cleanse(), which is used to cleanse a section of
+     memory from it's contents.  This is done with a counter that will
+     place alternating values in each byte.  This can be used to solve
+     two issues: 1) the removal of calls to memset() by highly optimizing
+     compilers, and 2) cleansing with other values than 0, since those can
+     be read through on certain media, for example a swap space on disk.
+     [Geoff Thorpe]
+
+  *) Bugfix: client side session caching did not work with external caching,
+     because the session->cipher setting was not restored when reloading
+     from the external cache. This problem was masked, when
+     SSL_OP_NETSCAPE_REUSE_CIPHER_CHANGE_BUG (part of SSL_OP_ALL) was set.
+     (Found by Steve Haslam <steve@araqnid.ddts.net>.)
+     [Lutz Jaenicke]
+
+  *) Fix client_certificate (ssl/s2_clnt.c): The permissible total
+     length of the REQUEST-CERTIFICATE message is 18 .. 34, not 17 .. 33.
+     [Zeev Lieber <zeev-l@yahoo.com>]
+
+  *) Undo an undocumented change introduced in 0.9.6e which caused
+     repeated calls to OpenSSL_add_all_ciphers() and 
+     OpenSSL_add_all_digests() to be ignored, even after calling
+     EVP_cleanup().
+     [Richard Levitte]
+
+  *) Change the default configuration reader to deal with last line not
+     being properly terminated.
+     [Richard Levitte]
+
+  *) Change X509_NAME_cmp() so it applies the special rules on handling
+     DN values that are of type PrintableString, as well as RDNs of type
+     emailAddress where the value has the type ia5String.
+     [stefank@valicert.com via Richard Levitte]
+
+  *) Add a SSL_SESS_CACHE_NO_INTERNAL_STORE flag to take over half
+     the job SSL_SESS_CACHE_NO_INTERNAL_LOOKUP was inconsistently
+     doing, define a new flag (SSL_SESS_CACHE_NO_INTERNAL) to be
+     the bitwise-OR of the two for use by the majority of applications
+     wanting this behaviour, and update the docs. The documented
+     behaviour and actual behaviour were inconsistent and had been
+     changing anyway, so this is more a bug-fix than a behavioural
+     change.
+     [Geoff Thorpe, diagnosed by Nadav Har'El]
+
+  *) Don't impose a 16-byte length minimum on session IDs in ssl/s3_clnt.c
+     (the SSL 3.0 and TLS 1.0 specifications allow any length up to 32 bytes).
+     [Bodo Moeller]
+
+  *) Fix initialization code race conditions in
+        SSLv23_method(),  SSLv23_client_method(),   SSLv23_server_method(),
+        SSLv2_method(),   SSLv2_client_method(),    SSLv2_server_method(),
+        SSLv3_method(),   SSLv3_client_method(),    SSLv3_server_method(),
+        TLSv1_method(),   TLSv1_client_method(),    TLSv1_server_method(),
+        ssl2_get_cipher_by_char(),
+        ssl3_get_cipher_by_char().
+     [Patrick McCormick <patrick@tellme.com>, Bodo Moeller]
+
+  *) Reorder cleanup sequence in SSL_CTX_free(): only remove the ex_data after
+     the cached sessions are flushed, as the remove_cb() might use ex_data
+     contents. Bug found by Sam Varshavchik <mrsam@courier-mta.com>
+     (see [openssl.org #212]).
+     [Geoff Thorpe, Lutz Jaenicke]
+
+  *) Fix typo in OBJ_txt2obj which incorrectly passed the content
+     length, instead of the encoding length to d2i_ASN1_OBJECT.
+     [Steve Henson]
+
  Changes between 0.9.6f and 0.9.6g  [9 Aug 2002]
 
   *) [In 0.9.6g-engine release:]
@@ -23,6 +1906,12 @@
 
  Changes between 0.9.6d and 0.9.6e  [30 Jul 2002]
 
+  *) Add various sanity checks to asn1_get_length() to reject
+     the ASN1 length bytes if they exceed sizeof(long), will appear
+     negative or the content length exceeds the length of the
+     supplied buffer.
+     [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
+
   *) Fix cipher selection routines: ciphers without encryption had no flags
      for the cipher strength set and where therefore not handled correctly
      by the selection routines (PR #130).
@@ -54,7 +1943,7 @@
   *) Add various sanity checks to asn1_get_length() to reject
      the ASN1 length bytes if they exceed sizeof(long), will appear
      negative or the content length exceeds the length of the
-     supplied buffer.
+     supplied buffer. (CAN-2002-0659)
      [Steve Henson, Adi Stav <stav@mercury.co.il>, James Yonan <jim@ntlp.com>]
 
   *) Assertions for various potential buffer overflows, not known to
@@ -159,8 +2048,8 @@
      value is 0.
      [Richard Levitte]
 
-  *) [In 0.9.6c-engine release:]
-     Fix a crashbug and a logic bug in hwcrhk_load_pubkey()
+  *) [In 0.9.6d-engine release:]
+     Fix a crashbug and a logic bug in hwcrhk_load_pubkey().
      [Toomas Kiisk <vix@cyber.ee> via Richard Levitte]
 
   *) Add the configuration target linux-s390x.
diff --git a/crypto/openssl/Configure b/crypto/openssl/Configure
index 15cfbaa0331b..df29f780d1bf 100755
--- a/crypto/openssl/Configure
+++ b/crypto/openssl/Configure
@@ -10,7 +10,7 @@ use strict;
 
 # see INSTALL for instructions.
 
-my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [rsaref] [no-threads] [no-asm] [no-dso] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--test-sanity] os/compiler[:flags]\n";
+my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-dso] [no-krb5] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--test-sanity] os/compiler[:flags]\n";
 
 # Options:
 #
@@ -23,10 +23,26 @@ my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-
 #               default).  This needn't be set in advance, you can
 #               just as well use "make INSTALL_PREFIX=/whatever install".
 #
+# --with-krb5-dir  Declare where Kerberos 5 lives.  The libraries are expected
+#		to live in the subdirectory lib/ and the header files in
+#		include/.  A value is required.
+# --with-krb5-lib  Declare where the Kerberos 5 libraries live.  A value is
+#		required.
+#		(Default: KRB5_DIR/lib)
+# --with-krb5-include  Declare where the Kerberos 5 header files live.  A
+#		value is required.
+#		(Default: KRB5_DIR/include)
+# --with-krb5-flavor  Declare what flavor of Kerberos 5 is used.  Currently
+#		supported values are "MIT" and "Heimdal".  A value is required.
+#
 # --test-sanity Make a number of sanity checks on the data in this file.
 #               This is a debugging tool for OpenSSL developers.
 #
-# rsaref        use RSAref
+# no-hw-xxx     do not compile support for specific crypto hardware.
+#               Generic OpenSSL-style methods relating to this support
+#               are always compiled but return NULL if the hardware
+#               support isn't compiled.
+# no-hw         do not compile support for any crypto hardware.
 # [no-]threads  [don't] try to create a library that is suitable for
 #               multithreaded applications (default is "threads" if we
 #               know how to do it)
@@ -34,6 +50,10 @@ my $usage="Usage: Configure [no-<cipher> ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-
 # no-asm        do not use assembler
 # no-dso        do not compile in any native shared-library methods. This
 #               will ensure that all methods just return NULL.
+# no-krb5       do not compile in any KRB5 library or code.
+# [no-]zlib     [don't] compile support for zlib compression.
+# zlib-dynamic	Like "zlib", but the zlib library is expected to be a shared
+#		library and will be loaded in run-time by the OpenSSL library.
 # 386           generate 80386 code
 # no-<cipher>   build without specified algorithm (rsa, idea, rc5, ...)
 # -<xxx> +<xxx> compiler options are passed through 
@@ -100,7 +120,7 @@ my $alpha_asm="::::::::";
 # -DB_ENDIAN slows things down on a sparc for md5, but helps sha1.
 # So the md5_locl.h file has an undef B_ENDIAN if sun is defined
 
-#config-string	$cc : $cflags : $unistd : $thread_cflag : $lflags : $bn_ops : $bn_obj : $des_obj : $bf_obj : $md5_obj : $sha1_obj : $cast_obj : $rc4_obj : $rmd160_obj : $rc5_obj : $dso_scheme : $shared_target : $shared_cflag : $shared_ldflag : $shared_extension : $ranlib
+#config-string	$cc : $cflags : $unistd : $thread_cflag : $sys_id : $lflags : $bn_ops : $bn_obj : $des_obj : $bf_obj : $md5_obj : $sha1_obj : $cast_obj : $rc4_obj : $rmd160_obj : $rc5_obj : $dso_scheme : $shared_target : $shared_cflag : $shared_ldflag : $shared_extension : $ranlib : $arflags
 
 my %table=(
 # File 'TABLE' (created by 'make TABLE') contains the data from this list,
@@ -113,88 +133,96 @@ my %table=(
 #"b2-is-ri-dp",	"${tcc}:${tflags}::${tlib}:${bits2}IDEA_SHORT RC4_INDEX DES_PTR:${tbn_mul}::",
 
 # Our development configs
-"purify",	"purify gcc:-g -DPURIFY -Wall::(unknown):-lsocket -lnsl::::",
-"debug",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror::(unknown):-lefence::::",
-"debug-ben",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown):::::",
-"debug-ben-debug",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown):::::",
-"debug-ben-strict",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown):::::",
-"debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
-"debug-bodo",	"gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -DBIO_PAIR_DEBUG -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
-"debug-ulf",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
-"debug-steve",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -O2 -m486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
-"debug-levitte-linux-elf","gcc:-DUSE_ALLOCATING_PRINT -DRL_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DNO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -ggdb -g3 -m486 -pedantic -ansi -Wall -Wshadow -Wid-clash-31 -pipe::-D_REENTRANT:-ldl:::::::::::dlfcn",
-"dist",		"cc:-O::(unknown):::::",
+"purify",	"purify gcc:-g -DPURIFY -Wall::(unknown)::-lsocket -lnsl::::",
+"debug",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -ggdb -g2 -Wformat -Wshadow -Wmissing-prototypes -Wmissing-declarations -Werror::(unknown)::-lefence::::",
+"debug-ben",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::asm/bn86-elf.o asm/co86-elf.o",
+"debug-ben-openbsd","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
+"debug-ben-openbsd-debug","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DOPENSSL_OPENBSD_DEV_CRYPTO -DOPENSSL_NO_ASM -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::",
+"debug-ben-debug",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -g3 -O2 -pedantic -Wall -Wshadow -Werror -pipe::(unknown)::::::",
+"debug-ben-strict",	"gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DCONST_STRICT -O2 -Wall -Wshadow -Werror -Wpointer-arith -Wcast-qual -Wwrite-strings -pipe::(unknown)::::::",
+"debug-rse","cc:-DTERMIOS -DL_ENDIAN -pipe -O -g -ggdb3 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
+"debug-bodo",	"gcc:-DL_ENDIAN -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DBIO_PAIR_DEBUG -DPEDANTIC -g -m486 -pedantic -Wshadow -Wall::-D_REENTRANT:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
+"debug-ulf",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -g -O2 -m486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT:::${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
+"debug-steve",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DPEDANTIC -g -mcpu=i486 -pedantic -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
+"debug-steve-linux-pseudo64",	"gcc:-DL_ENDIAN -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DDEBUG_SAFESTACK -DCRYPTO_MDEBUG_ALL -DOPENSSL_NO_ASM -g -mcpu=i486 -Wall -Werror -Wshadow -pipe::-D_REENTRANT::-rdynamic -ldl:SIXTY_FOUR_BIT::dlfcn",
+"debug-levitte-linux-elf","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-levitte-linux-noasm","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-levitte-linux-elf-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-levitte-linux-noasm-extreme","gcc:-DLEVITTE_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DOPENSSL_NO_ASM -DL_ENDIAN -DTERMIO -D_POSIX_SOURCE -DPEDANTIC -ggdb -g3 -mcpu=i486 -pedantic -ansi -Wall -W -Wundef -Wshadow -Wcast-align -Wstrict-prototypes -Wmissing-prototypes -Wconversion -Wno-long-long -pipe::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"dist",		"cc:-O::(unknown)::::::",
 
 # Basic configs that should work on any (32 and less bit) box
-"gcc",		"gcc:-O3::(unknown)::BN_LLONG:::",
-"cc",		"cc:-O::(unknown):::::",
+"gcc",		"gcc:-O3::(unknown):::BN_LLONG:::",
+"cc",		"cc:-O::(unknown)::::::",
 
-#### Solaris x86 setups
-# -DNO_INLINE_ASM switches off inline assembler. We have to do it
+#### Solaris x86 with GNU C setups
+# -DOPENSSL_NO_INLINE_ASM switches off inline assembler. We have to do it
 # here because whenever GNU C instantiates an assembler template it
 # surrounds it with #APP #NO_APP comment pair which (at least Solaris
 # 7_x86) /usr/ccs/bin/as fails to assemble with "Illegal mnemonic"
 # error message.
-"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DNO_INLINE_ASM::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_sol_asm}:dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-x86-gcc","gcc:-O3 -fomit-frame-pointer -m486 -Wall -DL_ENDIAN -DOPENSSL_NO_INLINE_ASM::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_sol_asm}:dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 #### Solaris x86 with Sun C setups
-"solaris-x86-cc","cc:-fast -O -Xa::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-x86-cc","cc:-fast -O -Xa::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 #### SPARC Solaris with GNU C setups
-"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris-sparcv9-gcc","gcc:-mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris64-sparcv9-gcc31","gcc:-mcpu=ultrasparc -m64 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-sparcv7-gcc","gcc:-O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-sparcv8-gcc","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# -m32 should be safe to add as long as driver recognizes -mcpu=ultrasparc
+"solaris-sparcv9-gcc","gcc:-m32 -mcpu=ultrasparc -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris64-sparcv9-gcc31","gcc:-mcpu=ultrasparc -m64 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64 -shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # gcc pre-2.8 doesn't understand -mcpu=ultrasparc, so fall down to -mv8
 # but keep the assembler modules.
-"solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-sparcv9-gcc27","gcc:-mv8 -O3 -fomit-frame-pointer -Wall -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus-gcc27.o:::asm/md5-sparcv8plus-gcc27.o::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris64-sparcv9-gcc","gcc:-m64 -mcpu=ultrasparc -O3 -Wall -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-fPIC:-m64 -shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+
 ####
-"debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::::::::dlfcn:solaris-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-solaris-sparcv8-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mv8 -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-solaris-sparcv9-gcc","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -O -g -mcpu=ultrasparc -Wall -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::::::::dlfcn:solaris-shared:-fPIC:-shared:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 #### SPARC Solaris with Sun C setups
 # DO NOT use /xO[34] on sparc with SC3.0.  It is broken, and will not pass the tests
-"solaris-sparc-sc3","cc:-fast -O -Xa -DB_ENDIAN::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-sparc-sc3","cc:-fast -O -Xa -DB_ENDIAN::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # SC4.0 doesn't pass 'make test', upgrade to SC5.0 or SC4.2.
 # SC4.2 is ok, better than gcc even on bn as long as you tell it -xarch=v8
 # SC5.0 note: Compiler common patch 107357-01 or later is required!
-"solaris-sparcv7-cc","cc:-xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris-sparcv8-cc","cc:-xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris-sparcv9-cc","cc:-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-KPIC:-xarch=v9:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):/usr/ccs/bin/ar rs",
+"solaris-sparcv7-cc","cc:-xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-sparcv8-cc","cc:-xarch=v8 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris-sparcv9-cc","cc:-xtarget=ultra -xarch=v8plus -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"solaris64-sparcv9-cc","cc:-xtarget=ultra -xarch=v9 -xO5 -xstrconst -xdepend -Xa -DB_ENDIAN::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:solaris-shared:-KPIC:-xarch=v9:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR):/usr/ccs/bin/ar rs",
 ####
-"debug-solaris-sparcv8-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-solaris-sparcv9-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W -DULTRASPARC::-D_REENTRANT:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-solaris-sparcv8-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xarch=v8 -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT::-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-solaris-sparcv9-cc","cc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG_ALL -xtarget=ultra -xarch=v8plus -g -O -xstrconst -Xa -DB_ENDIAN -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-lsocket -lnsl -ldl:BN_LLONG RC4_CHAR RC4_CHUNK_LL DES_PTR DES_RISC1 DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:solaris-shared:-KPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 #### SPARC Linux setups
-"linux-sparcv7","gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::",
+"linux-sparcv7","gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::",
 # Ray Miller <ray.miller@computing-services.oxford.ac.uk> has patiently
 # assisted with debugging of following two configs.
-"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-sparcv8","gcc:-mv8 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # it's a real mess with -mcpu=ultrasparc option under Linux, but
 # -Wa,-Av8plus should do the trick no matter what.
-"linux-sparcv9","gcc:-mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DULTRASPARC -DBN_DIV2W::-D_REENTRANT:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-# !!!Folowing can't be even tested yet!!!
-#    We have to wait till 64-bit glibc for SPARC is operational!!!
-#"linux64-sparcv9","sparc64-linux-gcc:-m64 -mcpu=v9 -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DULTRASPARC -DBN_DIV2W::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::asm/md5-sparcv9.o:",
+"linux-sparcv9","gcc:-mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -Wa,-Av8plus -DBN_DIV2W::-D_REENTRANT:ULTRASPARC:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:asm/sparcv8plus.o:::asm/md5-sparcv8plus.o::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# GCC 3.1 is a requirement
+"linux64-sparcv9","gcc:-m64 -mcpu=ultrasparc -DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:ULTRASPARC:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::::asm/md5-sparcv9.o::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 # Sunos configs, assuming sparc for the gcc one.
-##"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown)::DES_UNROLL:::",
-"sunos-gcc","gcc:-O3 -mv8 -Dssize_t=int::(unknown)::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:::",
+##"sunos-cc", "cc:-O4 -DNOPROTO -DNOCONST::(unknown):SUNOS::DES_UNROLL:::",
+"sunos-gcc","gcc:-O3 -mv8 -Dssize_t=int::(unknown):SUNOS::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL DES_PTR DES_RISC1:::",
 
 #### IRIX 5.x configs
 # -mips2 flag is added by ./config when appropriate.
-"irix-gcc","gcc:-O3 -DTERMIOS -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK DES_UNROLL DES_RISC2 DES_PTR BF_PTR::::::::::dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"irix-cc", "cc:-O2 -use_readonly_const -DTERMIOS -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC2 DES_UNROLL BF_PTR::::::::::dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"irix-gcc","gcc:-O3 -DTERMIOS -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK DES_UNROLL DES_RISC2 DES_PTR BF_PTR::::::::::dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"irix-cc", "cc:-O2 -use_readonly_const -DTERMIOS -DB_ENDIAN::(unknown):::BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC2 DES_UNROLL BF_PTR::::::::::dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 #### IRIX 6.x configs
 # Only N32 and N64 ABIs are supported. If you need O32 ABI build, invoke
 # './Configure irix-[g]cc' manually.
 # -mips4 flag is added by ./config when appropriate.
-"irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"irix-mips3-cc", "cc:-n32 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"irix-mips3-gcc","gcc:-mabi=n32 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::MD2_CHAR RC4_INDEX RC4_CHAR RC4_CHUNK_LL DES_UNROLL DES_RISC2 DES_PTR BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"irix-mips3-cc", "cc:-n32 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::DES_PTR RC4_CHAR RC4_CHUNK_LL DES_RISC2 DES_UNROLL BF_PTR SIXTY_FOUR_BIT:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # N64 ABI builds.
-"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"irix64-mips4-gcc","gcc:-mabi=64 -mips4 -mmips-as -O3 -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"irix64-mips4-cc", "cc:-64 -mips4 -O2 -use_readonly_const -DTERMIOS -DB_ENDIAN -DBN_DIV3W::-D_SGI_MP_SOURCE:::RC4_CHAR RC4_CHUNK DES_RISC2 DES_UNROLL SIXTY_FOUR_BIT_LONG:${mips3_irix_asm}:dlfcn:irix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 #### Unified HP-UX ANSI C configs.
 # Special notes:
@@ -212,7 +240,7 @@ my %table=(
 # - Keep in mind that the HP compiler by default generates code
 #   suitable for execution on the host you're currently compiling at.
 #   If the toolkit is ment to be used on various PA-RISC processors
-#   consider './config +Dportable'.
+#   consider './config +DAportable'.
 # - +DD64 is chosen in favour of +DA2.0W because it's ment to be
 #   compatible with *future* releases.
 # - If you run ./Configure hpux-parisc-[g]cc manually don't forget to
@@ -224,59 +252,70 @@ my %table=(
 #   crypto/sha/sha_lcl.h.
 #					<appro@fy.chalmers.se>
 #
-#!#"hpux-parisc-cc","cc:-Ae +O3 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY:::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl",
+#!#"hpux-parisc-cc","cc:-Ae +O3 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl",
 # Since there is mention of this in shlib/hpux10-cc.sh
-"hpux-parisc-cc-o4","cc:-Ae +O4 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY:::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"hpux-parisc-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W:::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"hpux64-parisc-cc","cc:-Ae +DD64 +O3 +ESlit -z -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"hpux64-parisc-gcc","gcc:-DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn:hpux64-shared:-fpic::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-parisc-cc-o4","cc:-Ae +O4 +ESlit -z -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::::-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-parisc-gcc","gcc:-O3 -DB_ENDIAN -DBN_DIV2W::::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux64-parisc-cc","cc:-Ae +DD64 +O3 +ESlit -z -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# 64bit PARISC for GCC without optimization, which seems to make problems.
+# Submitted by <ross.alexander@uk.neceur.com>
+"hpux64-parisc-gcc","gcc:-DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dlfcn:hpux64-shared:-fpic::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+
+# IA-64 targets
+# I have no idea if this one actually works, feedback needed. <appro>
+"hpux-ia64-cc","cc:-Ae +DD32 +O3 +ESlit -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# Frank Geurts <frank.geurts@nl.abnamro.com> has patiently assisted with
+# with debugging of the following config.
+"hpux64-ia64-cc","cc:-Ae +DD64 +O3 +ESlit -z -DB_ENDIAN::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/ia64-cpp.o:::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 # More attempts at unified 10.X and 11.X targets for HP C compiler.
 #
 # Chris Ruemmler <ruemmler@cup.hp.com>
 # Kevin Steves <ks@hp.se>
-"hpux-parisc-cc","cc:+O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::-D_REENTRANT:-ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"hpux-parisc2-cc","cc:+DA2.0 +DS2.0 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldld:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2.o:::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"hpux64-parisc2-cc","cc:+DD64 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"hpux-parisc1_1-cc","cc:+DA1.1 +DS1.1 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT:-ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-parisc-cc","cc:+O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-parisc2-cc","cc:+DA2.0 +DS2.0 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:SIXTY_FOUR_BIT MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2.o:::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux64-parisc2-cc","cc:+DD64 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT:asm/pa-risc2W.o:::::::::dlfcn:hpux64-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+# Isn't the line below meaningless? HP-UX cc optimizes for host by default.
+# hpux-parisc1_0-cc with +DAportable flag would make more sense. <appro>
+"hpux-parisc1_1-cc","cc:+DA1.1 +DS1.1 +O3 +Optrs_strongly_typed +Olibcalls -Ae +ESlit -DB_ENDIAN -DMD32_XARRAY::-D_REENTRANT::-Wl,+s -ldld:MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 # HPUX 9.X config.
 # Don't use the bundled cc.  It is broken.  Use HP ANSI C if possible, or
 # egcs.  gcc 2.8.1 is also broken.
 
-"hpux-cc",	"cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z::(unknown):-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-cc",	"cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z::(unknown)::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # If hpux-cc fails (e.g. during "make test"), try the next one; otherwise,
 # please report your OS and compiler version to the openssl-bugs@openssl.org
 # mailing list.
-"hpux-brokencc",	"cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::(unknown):-ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-brokencc",	"cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::(unknown)::-Wl,+s -ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
-"hpux-gcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown):-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-gcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown)::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # If hpux-gcc fails, try this one:
-"hpux-brokengcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown):-ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux-brokengcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown)::-Wl,+s -ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 # HPUX 9.X on Motorola 68k platforms with gcc
-"hpux-m68k-gcc",  "gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown)::BN_LLONG DES_PTR DES_UNROLL:::",
+"hpux-m68k-gcc",  "gcc:-DB_ENDIAN -DBN_DIV2W -O3::(unknown):::BN_LLONG DES_PTR DES_UNROLL:::::::::::::",
 
 # HPUX 10.X config.  Supports threads.
-"hpux10-cc",	"cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z::-D_REENTRANT:-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux10-cc",	"cc:-DB_ENDIAN -DBN_DIV2W -DMD32_XARRAY -Ae +ESlit +O3 -z::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # If hpux10-cc fails, try this one (if still fails, try deleting BN_LLONG):
-"hpux10-brokencc",	"cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::-D_REENTRANT:-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux10-brokencc",	"cc:-DB_ENDIAN -DBN_DIV2W -Ae +ESlit +O2 -z::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:+Z::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
-"hpux10-gcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT:-ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux10-gcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT::-Wl,+s -ldld:BN_LLONG DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 # If hpux10-gcc fails, try this one:
-"hpux10-brokengcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT:-ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"hpux10-brokengcc",	"gcc:-DB_ENDIAN -DBN_DIV2W -O3::-D_REENTRANT::-Wl,+s -ldld:DES_PTR DES_UNROLL DES_RISC1::::::::::dl:hpux-shared:-fPIC::.sl.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 # HPUX 11.X from www.globus.org.
 # Only works on PA-RISC 2.0 cpus, and not optimized.  Why?
-#"hpux11-32bit-cc","cc:+DA2.0 -DB_ENDIAN -D_HPUX_SOURCE -Aa -Ae +ESlit::-D_REENTRANT::DES_PTR DES_UNROLL DES_RISC1:::",
-#"hpux11-64bit-cc","cc:+DA2.0W -g -D_HPUX_SOURCE -Aa -Ae +ESlit::-D_REENTRANT::SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT :::",
+#"hpux11-32bit-cc","cc:+DA2.0 -DB_ENDIAN -D_HPUX_SOURCE -Aa -Ae +ESlit::-D_REENTRANT:::DES_PTR DES_UNROLL DES_RISC1:::",
+#"hpux11-64bit-cc","cc:+DA2.0W -g -D_HPUX_SOURCE -Aa -Ae +ESlit::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC1 DES_INT :::",
 # Use unified settings above instead.
 
 #### HP MPE/iX http://jazz.external.hp.com/src/openssl/
-"MPE/iX-gcc", "gcc:-D_ENDIAN -DBN_DIV2W -O3 -DMPE -D_POSIX_SOURCE -D_SOCKET_SOURCE -I/SYSLOG/PUB::(unknown):-L/SYSLOG/PUB -lsyslog -lsocket -lcurses:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
+"MPE/iX-gcc", "gcc:-D_ENDIAN -DBN_DIV2W -O3 -D_POSIX_SOURCE -D_SOCKET_SOURCE -I/SYSLOG/PUB::(unknown):MPE:-L/SYSLOG/PUB -lsyslog -lsocket -lcurses:BN_LLONG DES_PTR DES_UNROLL DES_RISC1:::",
 
 #### PARISC Linux setups
-"linux-parisc","gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::",
+"linux-parisc","gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall -DBN_DIV2W::-D_REENTRANT:::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR::",
 
 # Dec Alpha, OSF/1 - the alpha164-cc is historical, for the conversion
 # from the older DEC C Compiler to the newer compiler.  It's now the
@@ -303,15 +342,15 @@ my %table=(
 #
 # For gcc, the following gave a %50 speedup on a 164 over the 'DES_INT' version
 #
-"alpha-gcc","gcc:-O3::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:${alpha_asm}:dlfcn:alpha-osf1-shared:::.so",
-"alphaold-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared:::.so",
-"alpha164-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared:::.so",
-"alpha-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared:::.so",
-"alpha-cc-rpath", "cc:-std1 -tune host -fast -readonly_strings::-pthread::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared-rpath:::.so",
+"alpha-gcc","gcc:-O3::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_UNROLL DES_RISC1:${alpha_asm}:dlfcn:alpha-osf1-shared:::.so",
+"alphaold-cc", "cc:-std1 -tune host -O4 -readonly_strings::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:alpha-osf1-shared:::.so",
+"alpha164-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared:::.so",
+"alpha-cc", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared:::.so",
+"alpha-cc-rpath", "cc:-std1 -tune host -fast -readonly_strings::-pthread:::SIXTY_FOUR_BIT_LONG RC4_CHUNK:${alpha_asm}:dlfcn:tru64-shared-rpath:::.so",
 #
 # This probably belongs in a different section.
 #
-"FreeBSD-alpha","gcc:-DTERMIOS -O -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"FreeBSD-alpha","gcc:-DTERMIOS -O -fomit-frame-pointer::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 #### Alpha Linux with GNU C and Compaq C setups
 # Special notes:
@@ -326,76 +365,82 @@ my %table=(
 #
 #					<appro@fy.chalmers.se>
 #
-"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
-"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
+"linux-alpha-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-alpha+bwx-gcc","gcc:-O3 -DL_ENDIAN -DTERMIO::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL:${alpha_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-alpha-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
+"linux-alpha+bwx-ccc","ccc:-fast -readonly_strings -DL_ENDIAN -DTERMIO::-D_REENTRANT:::SIXTY_FOUR_BIT_LONG RC4_CHAR RC4_CHUNK DES_INT DES_PTR DES_RISC1 DES_UNROLL:${alpha_asm}",
 
 # assembler versions -- currently defunct:
-##"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:${alpha_asm}",
+##"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer:::(unknown):SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2:${alpha_asm}",
 
 # The intel boxes :-), It would be worth seeing if bsdi-gcc can use the
 # bn86-elf.o file file since it is hand tweaked assembler.
-"linux-elf",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT:-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT:-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT:-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
-"linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
-"linux-mipsel",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::BN_LLONG:::",
-"linux-mips",   "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown)::BN_LLONG:::",
-"linux-ppc",	"gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-m68k",   "gcc:-DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::",
-"linux-s390",	"gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR),\$(SHLIB_MINOR)",
-"linux-s390x", "gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"linux-ia64",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"NetBSD-sparc",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"NetBSD-m68",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown)::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"NetBSD-x86",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"FreeBSD-elf",  "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::-pthread -D_REENTRANT -D_THREAD_SAFE -D_THREADSAFE::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"FreeBSD",      "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
-"bsdi-gcc",     "gcc:-O3 -ffast-math -DL_ENDIAN -DPERL5 -m486::(unknown)::RSA_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_bsdi_asm}",
-"bsdi-elf-gcc",     "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"nextstep",	"cc:-O -Wall:<libc.h>:(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::",
-"nextstep3.3",	"cc:-O3 -Wall:<libc.h>:(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::",
+"linux-elf",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-pentium",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=pentium -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-ppro",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=pentiumpro -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-k6",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -mcpu=k6 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-linux-pentium","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentium -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
+"debug-linux-ppro","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -mcpu=pentiumpro -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
+"debug-linux-elf","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-lefence -ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"debug-linux-elf-noefence","gcc:-DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DL_ENDIAN -DTERMIO -g -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn",
+"linux-aout",	"gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
+"linux-mipsel",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown):::BN_LLONG:::",
+"linux-mips",   "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::(unknown):::BN_LLONG:::",
+"linux-ppc",    "gcc:-DB_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG RC4_CHAR RC4_CHUNK DES_RISC1 DES_UNROLL::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-m68k",   "gcc:-DB_ENDIAN -DTERMIO -O2 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG::",
+"linux-s390",	"gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-s390x",	"gcc:-DB_ENDIAN -DTERMIO -DNO_ASM -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-ia64",   "gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR:asm/ia64.o:::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-x86_64", "gcc:-m64 -DL_ENDIAN -DTERMIO -O3 -Wall -DMD32_REG_T=int::-D_REENTRANT::-ldl:SIXTY_FOUR_BIT_LONG RC4_CHUNK RC4_CHAR BF_PTR2 DES_INT DES_UNROLL:asm/x86_64-gcc.o:::::::::dlfcn:linux-shared:-fPIC:-m64:.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"NetBSD-sparc",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -mv8 -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"NetBSD-m68",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -Wall -DB_ENDIAN::(unknown):::BN_LLONG MD2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"NetBSD-x86",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"FreeBSD-elf",  "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::-pthread -D_REENTRANT -D_THREAD_SAFE -D_THREADSAFE:::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"FreeBSD",      "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}",
+"bsdi-gcc",     "gcc:-O3 -ffast-math -DL_ENDIAN -DPERL5 -m486::(unknown):::RSA_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_bsdi_asm}",
+"bsdi-elf-gcc",     "gcc:-DPERL5 -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown)::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"nextstep",	"cc:-O -Wall:<libc.h>:(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::",
+"nextstep3.3",	"cc:-O3 -Wall:<libc.h>:(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::",
+
 # NCR MP-RAS UNIX ver 02.03.01
-"ncr-scde","cc:-O6 -Xa -Hoff=BEHAVED -686 -Hwide -Hiw::(unknown):-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:::",
+"ncr-scde","cc:-O6 -Xa -Hoff=BEHAVED -686 -Hwide -Hiw::(unknown)::-lsocket -lnsl:${x86_gcc_des} ${x86_gcc_opts}:::",
 
 # QNX 4
-"qnx4",	"cc:-DL_ENDIAN -DTERMIO::(unknown)::${x86_gcc_des} ${x86_gcc_opts}:",
+"qnx4",	"cc:-DL_ENDIAN -DTERMIO::(unknown):::${x86_gcc_des} ${x86_gcc_opts}:",
 
 # QNX 6
-"qnx6",	"cc:-DL_ENDIAN -DTERMIOS::(unknown):-lsocket:${x86_gcc_des} ${x86_gcc_opts}:",
+"qnx6",	"cc:-DL_ENDIAN -DTERMIOS::(unknown)::-lsocket:${x86_gcc_des} ${x86_gcc_opts}:",
 
 # Linux on ARM
-"linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT::BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"linux-elf-arm","gcc:-DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -Wall::-D_REENTRANT:::BN_LLONG::::::::::dlfcn:linux-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 # UnixWare 2.0x fails destest with -O
-"unixware-2.0","cc:-DFILIO_H::-Kthread:-lsocket -lnsl -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
-"unixware-2.0-pentium","cc:-DFILIO_H -Kpentium::-Kthread:-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
+"unixware-2.0","cc:-DFILIO_H -DNO_STRINGS_H::-Kthread::-lsocket -lnsl -lresolv -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
+"unixware-2.0-pentium","cc:-DFILIO_H -DNO_STRINGS_H -Kpentium::-Kthread::-lsocket -lnsl -lresolv -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
 
 # UnixWare 2.1
-"unixware-2.1","cc:-O -DFILIO_H::-Kthread:-lsocket -lnsl -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
-"unixware-2.1-pentium","cc:-O -DFILIO_H -Kpentium::-Kthread:-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
-"unixware-2.1-p6","cc:-O -DFILIO_H -Kp6::-Kthread:-lsocket -lnsl -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
+"unixware-2.1","cc:-O -DFILIO_H::-Kthread::-lsocket -lnsl -lresolv -lx:${x86_gcc_des} ${x86_gcc_opts}:::",
+"unixware-2.1-pentium","cc:-O -DFILIO_H -Kpentium::-Kthread::-lsocket -lnsl -lresolv -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
+"unixware-2.1-p6","cc:-O -DFILIO_H -Kp6::-Kthread::-lsocket -lnsl -lresolv -lx:MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
 
 # UnixWare 7
-"unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
-"unixware-7-pentium","cc:-O -DFILIO_H -Kalloca -Kpentium::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
-"unixware-7-pentium_pro","cc:-O -DFILIO_H -Kalloca -Kpentium_pro::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
-"unixware-7-gcc","gcc:-DL_ENDIAN -DFILIO_H -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT:-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:gnu-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"unixware-7","cc:-O -DFILIO_H -Kalloca::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"unixware-7-pentium","cc:-O -DFILIO_H -Kalloca -Kpentium::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"unixware-7-pentium_pro","cc:-O -DFILIO_H -Kalloca -Kpentium_pro::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"unixware-7-gcc","gcc:-DL_ENDIAN -DFILIO_H -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT::-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:gnu-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 # OpenUNIX 8
-"OpenUNIX-8","cc:-O -DFILIO_H -Kalloca::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
-"OpenUNIX-8-gcc","gcc:-O -DFILIO_H -fomit-frame-pointer::-pthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
-"OpenUNIX-8-pentium","cc:-O -DFILIO_H -Kalloca -Kpentium::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
-"OpenUNIX-8-pentium_pro","cc:-O -DFILIO_H -Kalloca -Kpentium_pro::-Kthread:-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::",
-"OpenUNIX-8-shared","cc:-O -DFILIO_H -Kalloca::-Kthread:-lsocket -lnsl:MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic",
-"OpenUNIX-8-gcc-shared","gcc:-O3 -DFILIO_H -fomit-frame-pointer::-pthread:-lsocket -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:svr5-shared:-fPIC",
+"OpenUNIX-8","cc:-O -DFILIO_H -Kalloca::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenUNIX-8-gcc","gcc:-O -DFILIO_H -fomit-frame-pointer::-pthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenUNIX-8-pentium","cc:-O -DFILIO_H -Kalloca -Kpentium::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenUNIX-8-pentium_pro","cc:-O -DFILIO_H -Kalloca -Kpentium_pro::-Kthread::-lsocket -lnsl:BN_LLONG MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr5-shared:-Kpic::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 # IBM's AIX.
-"aix-cc",   "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown)::BN_LLONG RC4_CHAR:::",
-"aix-gcc",  "gcc:-O3 -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR:::",
-"aix43-cc",   "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown)::BN_LLONG RC4_CHAR::::::::::dlfcn:",
-"aix43-gcc",  "gcc:-O3 -DAIX -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR::::::::::dlfcn:",
+"aix-cc",   "cc:-O -DB_ENDIAN -qmaxmem=16384::(unknown):AIX::BN_LLONG RC4_CHAR:::",
+"aix-gcc",  "gcc:-O3 -DB_ENDIAN::(unknown):AIX::BN_LLONG RC4_CHAR:::",
+"aix43-cc",   "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:",
+"aix43-gcc",  "gcc:-O1 -DAIX -DB_ENDIAN::(unknown):::BN_LLONG RC4_CHAR::::::::::dlfcn:",
+"aix64-cc",   "cc:-O -DAIX -DB_ENDIAN -qmaxmem=16384 -q64::(unknown):::SIXTY_FOUR_BIT_LONG RC4_CHAR::::::::::dlfcn::::::-X 64",
 
 #
 # Cray T90 and similar (SDSC)
@@ -411,7 +456,7 @@ my %table=(
 #
 # j90 is considered the base machine type for unicos machines,
 # so this configuration is now called "cray-j90" ...
-"cray-j90", "cc: -DBIT_FIELD_LIMITS -DTERMIOS::(unknown)::SIXTY_FOUR_BIT_LONG DES_INT:::",
+"cray-j90", "cc: -DBIT_FIELD_LIMITS -DTERMIOS::(unknown):CRAY::SIXTY_FOUR_BIT_LONG DES_INT:::",
 
 #
 # Cray T3E (Research Center Juelich, beckman@acl.lanl.gov)
@@ -421,96 +466,121 @@ my %table=(
 # for some st_addr stuff, and then sizeof and address-of fails
 # I could not use the ams/alpha.o option because the Cray assembler, 'cam'
 # did not like it.
-"cray-t3e", "cc: -DBIT_FIELD_LIMITS -DTERMIOS::(unknown)::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:::",
+"cray-t3e", "cc: -DBIT_FIELD_LIMITS -DTERMIOS::(unknown):CRAY::SIXTY_FOUR_BIT_LONG RC4_CHUNK DES_INT:::",
 
 # DGUX, 88100.
-"dgux-R3-gcc",	"gcc:-O3 -fomit-frame-pointer::(unknown)::RC4_INDEX DES_UNROLL:::",
-"dgux-R4-gcc",	"gcc:-O3 -fomit-frame-pointer::(unknown):-lnsl -lsocket:RC4_INDEX DES_UNROLL:::",
-"dgux-R4-x86-gcc",	"gcc:-O3 -fomit-frame-pointer -DL_ENDIAN::(unknown):-lnsl -lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
+"dgux-R3-gcc",	"gcc:-O3 -fomit-frame-pointer::(unknown):::RC4_INDEX DES_UNROLL:::",
+"dgux-R4-gcc",	"gcc:-O3 -fomit-frame-pointer::(unknown)::-lnsl -lsocket:RC4_INDEX DES_UNROLL:::",
+"dgux-R4-x86-gcc",	"gcc:-O3 -fomit-frame-pointer -DL_ENDIAN::(unknown)::-lnsl -lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}",
 
 # SCO 3 - Tim Rice <tim@multitalents.net>
-"sco3-gcc",  "gcc:-O3 -fomit-frame-pointer -Dssize_t=int -DNO_SYS_UN_H::(unknown):-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ...
+"sco3-gcc",  "gcc:-O3 -fomit-frame-pointer -Dssize_t=int -DNO_SYS_UN_H::(unknown)::-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ...
 
 # SCO 5 - Ben Laurie <ben@algroup.co.uk> says the -O breaks the
 # SCO cc.
-"sco5-cc",  "cc:-belf::(unknown):-lsocket -lresolv:${x86_gcc_des} ${x86_gcc_opts}:::", # des options?
-"sco5-cc-pentium",  "cc:-Kpentium::(unknown):-lsocket:${x86_gcc_des} ${x86_gcc_opts}:::", # des options?
-"sco5-gcc",  "gcc:-O3 -fomit-frame-pointer::(unknown):-lsocket:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:::", # the SCO assembler doesn't seem to like our assembler files ...
-"sco5-cc-shared","cc:-belf:::-lsocket -lresolv -lnsl:MD2_CHAR RC4_INDEX ${x86_gcc_des}::::::::::dlfcn:svr3-shared:-Kpic",
-"sco5-gcc-shared","gcc:-O3 -fomit-frame-pointer:::-lsocket -lresolv -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:svr3-shared:-fPIC", # the SCO assembler doesn't seem to like our assembler files ...
+"sco5-cc",  "cc:-belf::(unknown)::-lsocket -lresolv -lnsl:${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:svr3-shared:-Kpic", # des options?
+"sco5-cc-pentium",  "cc:-Kpentium::(unknown)::-lsocket:${x86_gcc_des} ${x86_gcc_opts}:::", # des options?
+"sco5-gcc",  "gcc:-O3 -fomit-frame-pointer::(unknown)::-lsocket -lresolv -lnsl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::dlfcn:svr3-shared:-fPIC",
 
 # Sinix/ReliantUNIX RM400
 # NOTE: The CDS++ Compiler up to V2.0Bsomething has the IRIX_CC_BUG optimizer problem. Better use -g  */
-"ReliantUNIX","cc:-KPIC -g -DSNI -DTERMIOS -DB_ENDIAN::-Kthread:-lsocket -lnsl -lc -L/usr/ucblib -lucb:BN_LLONG DES_PTR DES_RISC2 DES_UNROLL BF_PTR:::",
-"SINIX","cc:-O -DSNI::(unknown):-lsocket -lnsl -lc -L/usr/ucblib -lucb:RC4_INDEX RC4_CHAR:::",
-"SINIX-N","/usr/ucb/cc:-O2 -misaligned::(unknown):-lucb:RC4_INDEX RC4_CHAR:::",
+"ReliantUNIX","cc:-KPIC -g -DTERMIOS -DB_ENDIAN::-Kthread:SNI:-lsocket -lnsl -lc -L/usr/ucblib -lucb:BN_LLONG DES_PTR DES_RISC2 DES_UNROLL BF_PTR::::::::::dlfcn:reliantunix-shared:::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"SINIX","cc:-O::(unknown):SNI:-lsocket -lnsl -lc -L/usr/ucblib -lucb:RC4_INDEX RC4_CHAR:::",
+"SINIX-N","/usr/ucb/cc:-O2 -misaligned::(unknown)::-lucb:RC4_INDEX RC4_CHAR:::",
 
 # SIEMENS BS2000/OSD: an EBCDIC-based mainframe
-"BS2000-OSD","c89:-O -XLLML -XLLMK -XL -DB_ENDIAN -DTERMIOS -DCHARSET_EBCDIC::(unknown):-lsocket -lnsl:THIRTY_TWO_BIT DES_PTR DES_UNROLL MD2_CHAR RC4_INDEX RC4_CHAR BF_PTR:::",
+"BS2000-OSD","c89:-O -XLLML -XLLMK -XL -DB_ENDIAN -DTERMIOS -DCHARSET_EBCDIC::(unknown)::-lsocket -lnsl:THIRTY_TWO_BIT DES_PTR DES_UNROLL MD2_CHAR RC4_INDEX RC4_CHAR BF_PTR:::",
 
 # OS/390 Unix an EBCDIC-based Unix system on IBM mainframe
 # You need to compile using the c89.sh wrapper in the tools directory, because the
 # IBM compiler does not like the -L switch after any object modules.
 #
-"OS390-Unix","c89.sh:-O -DB_ENDIAN -DCHARSET_EBCDIC -DNO_SYS_PARAM_H  -D_ALL_SOURCE::(unknown)::THIRTY_TWO_BIT DES_PTR DES_UNROLL MD2_CHAR RC4_INDEX RC4_CHAR BF_PTR:::",
+"OS390-Unix","c89.sh:-O -DB_ENDIAN -DCHARSET_EBCDIC -DNO_SYS_PARAM_H  -D_ALL_SOURCE::(unknown):::THIRTY_TWO_BIT DES_PTR DES_UNROLL MD2_CHAR RC4_INDEX RC4_CHAR BF_PTR:::",
 
 # Windows NT, Microsoft Visual C++ 4.0
 
-"VC-NT","cl:::::BN_LLONG RC4_INDEX ${x86_gcc_opts}::::::::::win32",
-"VC-WIN32","cl:::::BN_LLONG RC4_INDEX ${x86_gcc_opts}::::::::::win32",
-"VC-WIN16","cl:::(unknown)::MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT:::",
-"VC-W31-16","cl:::(unknown)::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT:::",
-"VC-W31-32","cl:::::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT:::",
-"VC-MSDOS","cl:::(unknown)::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT:::",
+"VC-NT","cl::::WINNT::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}::::::::::win32",
+"VC-CE","cl::::WINCE::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}::::::::::win32",
+"VC-WIN32","cl::::WIN32::BN_LLONG RC4_INDEX EXPORT_VAR_AS_FN ${x86_gcc_opts}::::::::::win32",
+"VC-WIN16","cl:::(unknown):WIN16::MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT:::",
+"VC-W31-16","cl:::(unknown):WIN16::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT:::",
+"VC-W31-32","cl::::WIN16::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX THIRTY_TWO_BIT:::",
+"VC-MSDOS","cl:::(unknown):MSDOS::BN_LLONG MD2_CHAR DES_UNROLL DES_PTR RC4_INDEX SIXTEEN_BIT:::",
 
 # Borland C++ 4.5
-"BC-32","bcc32:::::BN_LLONG DES_PTR RC4_INDEX::::::::::win32",
-"BC-16","bcc:::(unknown)::BN_LLONG DES_PTR RC4_INDEX SIXTEEN_BIT:::",
+"BC-32","bcc32::::WIN32::BN_LLONG DES_PTR RC4_INDEX::::::::::win32",
+"BC-16","bcc:::(unknown):WIN16::BN_LLONG DES_PTR RC4_INDEX SIXTEEN_BIT:::",
 
 # Mingw32
 # (Note: the real CFLAGS for Windows builds are defined by util/mk1mf.pl
 # and its library files in util/pl/*)
-"Mingw32", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
+"Mingw32", "gcc:-DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall:::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
 
 # UWIN 
-"UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
+"UWIN", "cc:-DTERMIOS -DL_ENDIAN -O -Wall:::UWIN::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
 
 # Cygwin
-"Cygwin-pre1.3", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -m486 -Wall::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
-"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -m486 -Wall::::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32:cygwin-shared:::.dll",
+"Cygwin-pre1.3", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -m486 -Wall::(unknown):CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::win32",
+"Cygwin", "gcc:-DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O3 -march=i486 -Wall:::CYGWIN32::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:win32:cygwin-shared:::.dll",
+
+# DJGPP
+"DJGPP", "gcc:-I/dev/env/WATT_ROOT/inc -DTERMIOS -DL_ENDIAN -fomit-frame-pointer -O2 -Wall:::MSDOS:-L/dev/env/WATT_ROOT/lib -lwatt:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}::::::::::",
 
 # Ultrix from Bernhard Simon <simon@zid.tuwien.ac.at>
-"ultrix-cc","cc:-std1 -O -Olimit 1000 -DL_ENDIAN::(unknown)::::::",
-"ultrix-gcc","gcc:-O3 -DL_ENDIAN::(unknown)::::::",
+"ultrix-cc","cc:-std1 -O -Olimit 2500 -DL_ENDIAN::(unknown):::::::",
+"ultrix-gcc","gcc:-O3 -DL_ENDIAN::(unknown):::::::",
 # K&R C is no longer supported; you need gcc on old Ultrix installations
-##"ultrix","cc:-O2 -DNOPROTO -DNOCONST -DL_ENDIAN::(unknown)::::::",
+##"ultrix","cc:-O2 -DNOPROTO -DNOCONST -DL_ENDIAN::(unknown):::::::",
 
 # Some OpenBSD from Bob Beck <beck@obtuse.com>
-"OpenBSD-alpha","gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"OpenBSD-x86",  "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486::(unknown)::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"OpenBSD",      "gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown)::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
-"OpenBSD-mips","gcc:-O2 -DL_ENDIAN::(unknown):BN_LLONG MD2_CHAR RC4_INDEX RC4_CHAR DES_UNROLL DES_RISC2 DES_PTR BF_PTR:::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenBSD",		"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenBSD-alpha",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenBSD-i386",	"gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_out_asm}:dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenBSD-m68k",		"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenBSD-m88k",		"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenBSD-mips",		"gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL DES_RISC2::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenBSD-powerpc",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenBSD-sparc",	"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenBSD-sparc64",	"gcc:-DB_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::(unknown):::SIXTY_FOUR_BIT_LONG DES_INT DES_PTR DES_RISC2 BF_PTR::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenBSD-vax",		"gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_INT DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
+"OpenBSD-hppa",		"gcc:-DTERMIOS -O3 -fomit-frame-pointer::(unknown):::BN_LLONG RC2_CHAR RC4_INDEX DES_UNROLL::::::::::dlfcn:bsd-gcc-shared:-fPIC::.so.\$(SHLIB_MAJOR).\$(SHLIB_MINOR)",
 
 ##### MacOS X (a.k.a. Rhapsody or Darwin) setup
-"rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown)::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
-"darwin-ppc-cc","cc:-O3 -D_DARWIN -DB_ENDIAN -fno-common::-D_REENTRANT::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"rhapsody-ppc-cc","cc:-O3 -DB_ENDIAN::(unknown):MACOSX_RHAPSODY::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
+"darwin-ppc-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+"darwin-i386-cc","cc:-O3 -fomit-frame-pointer -fno-common -DB_ENDIAN::-D_REENTRANT:MACOSX::BN_LLONG RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::::::::::darwin-shared:-fPIC::.\$(SHLIB_MAJOR).\$(SHLIB_MINOR).dylib",
+
+##### A/UX
+"aux3-gcc","gcc:-O2 -DTERMIO::(unknown):AUX:-lbsd:RC4_CHAR RC4_CHUNK DES_UNROLL BF_PTR:::",
 
 ##### Sony NEWS-OS 4.x
-"newsos4-gcc","gcc:-O -DB_ENDIAN -DNEWS4::(unknown):-lmld -liberty:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::",
+"newsos4-gcc","gcc:-O -DB_ENDIAN::(unknown):NEWS4:-lmld -liberty:BN_LLONG RC4_CHAR RC4_CHUNK DES_PTR DES_RISC1 DES_UNROLL BF_PTR::::",
+
+##### GNU Hurd
+"hurd-x86",  "gcc:-DL_ENDIAN -DTERMIOS -O3 -fomit-frame-pointer -m486 -Wall::-D_REENTRANT::-ldl:BN_LLONG ${x86_gcc_des} ${x86_gcc_opts}:${x86_elf_asm}:dlfcn:linux-shared:-fPIC",
+
+##### OS/2 EMX
+"OS2-EMX", "gcc::::::::",
 
 ##### VxWorks for various targets
-"vxworks-ppc405","ccppc:-g -msoft-float -mlongcall -DVXWORKS -DCPU=PPC405 -I\$(WIND_BASE)/target/h:::-r:::::",
+"vxworks-ppc405","ccppc:-g -msoft-float -mlongcall -DCPU=PPC405 -I\$(WIND_BASE)/target/h:::VXWORKS:-r:::::",
+"vxworks-ppc750","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h \$(DEBUG_FLAG):::VXWORKS:-r:::::",
+"vxworks-ppc750-debug","ccppc:-ansi -nostdinc -DPPC750 -D_REENTRANT -fvolatile -fno-builtin -fno-for-scope -fsigned-char -Wall -msoft-float -mlongcall -DCPU=PPC604 -I\$(WIND_BASE)/target/h -DBN_DEBUG -DREF_CHECK -DCONF_DEBUG -DBN_CTX_DEBUG -DCRYPTO_MDEBUG -DPEDANTIC -DDEBUG_SAFESTACK -DDEBUG -g:::VXWORKS:-r:::::",
+
+##### Compaq Non-Stop Kernel (Tandem)
+"tandem-c89","c89:-Ww -D__TANDEM -D_XOPEN_SOURCE -D_XOPEN_SOURCE_EXTENDED=1 -D_TANDEM_SOURCE -DB_ENDIAN::(unknown):::THIRTY_TWO_BIT:::",
 
 );
 
-my @WinTargets=qw(VC-NT VC-WIN32 VC-WIN16 VC-W31-16 VC-W31-32 VC-MSDOS BC-32
-	BC-16 Mingw32);
+my @WinTargets=qw(VC-NT VC-CE VC-WIN32 VC-WIN16 VC-W31-16 VC-W31-32 VC-MSDOS
+	BC-32 BC-16 Mingw32 OS2-EMX);
 
 my $idx = 0;
 my $idx_cc = $idx++;
 my $idx_cflags = $idx++;
 my $idx_unistd = $idx++;
 my $idx_thread_cflag = $idx++;
+my $idx_sys_id = $idx++;
 my $idx_lflags = $idx++;
 my $idx_bn_ops = $idx++;
 my $idx_bn_obj = $idx++;
@@ -528,6 +598,7 @@ my $idx_shared_cflag = $idx++;
 my $idx_shared_ldflag = $idx++;
 my $idx_shared_extension = $idx++;
 my $idx_ranlib = $idx++;
+my $idx_arflags = $idx++;
 
 my $prefix="";
 my $openssldir="";
@@ -535,6 +606,8 @@ my $exe_ext="";
 my $install_prefix="";
 my $no_threads=0;
 my $no_shared=1;
+my $zlib=0;
+my $no_krb5=0;
 my $threads=0;
 my $no_asm=0;
 my $no_dso=0;
@@ -562,6 +635,14 @@ my $processor="";
 my $default_ranlib;
 my $perl;
 
+my $no_ssl2=0;
+my $no_ssl3=0;
+my $no_tls1=0;
+my $no_md5=0;
+my $no_sha=0;
+my $no_rsa=0;
+my $no_dh=0;
+
 $default_ranlib= &which("ranlib") or $default_ranlib="true";
 $perl=$ENV{'PERL'} or $perl=&which("perl5") or $perl=&which("perl")
   or $perl="perl";
@@ -572,11 +653,14 @@ my $flags;
 my $depflags;
 my $openssl_algorithm_defines;
 my $openssl_thread_defines;
+my $openssl_sys_defines="";
 my $openssl_other_defines;
 my $libs;
 my $target;
 my $options;
 my $symlink;
+my $make_depend=0;
+my %withargs=();
 
 my @argvcopy=@ARGV;
 my $argvstring="";
@@ -588,6 +672,7 @@ while($argv_unprocessed)
 	$depflags="";
 	$openssl_algorithm_defines="";
 	$openssl_thread_defines="";
+	$openssl_sys_defines="";
 	$openssl_other_defines="";
 	$libs="";
 	$target="";
@@ -608,36 +693,87 @@ PROCESS_ARGS:
 		elsif (/^no-asm$/)
 		 	{
 			$no_asm=1;
-			$flags .= "-DNO_ASM ";
-			$openssl_other_defines .= "#define NO_ASM\n";
+			$flags .= "-DOPENSSL_NO_ASM ";
+			$openssl_other_defines .= "#define OPENSSL_NO_ASM\n";
+			}
+		elsif (/^no-hw-(.+)$/)
+			{
+			my $hw=$1;
+			$hw =~ tr/[a-z]/[A-Z]/;
+			$flags .= "-DOPENSSL_NO_HW_$hw ";
+			$openssl_other_defines .= "#define OPENSSL_NO_HW_$hw\n";
+			}
+		elsif (/^no-hw$/)
+			{
+			$flags .= "-DOPENSSL_NO_HW ";
+			$openssl_other_defines .= "#define OPENSSL_NO_HW\n";
 			}
 		elsif (/^no-dso$/)
 			{ $no_dso=1; }
+		elsif (/^no-krb5$/)
+			{ $no_krb5=1; }
 		elsif (/^no-threads$/)
 			{ $no_threads=1; }
 		elsif (/^threads$/)
 			{ $threads=1; }
 		elsif (/^no-shared$/)
 			{ $no_shared=1; }
-		elsif (/^shared$/)
+		elsif (/^shared$/ || /^-shared$/ || /^--shared$/)
 			{ $no_shared=0; }
+		elsif (/^no-zlib$/)
+			{ $zlib=0; }
+		elsif (/^zlib$/)
+			{ $zlib=1; }
+		elsif (/^zlib-dynamic$/)
+			{ $zlib=2; }
 		elsif (/^no-symlinks$/)
 			{ $symlink=0; }
+		elsif (/^no-ssl$/)
+			{ $no_ssl2 = $no_ssl3 = 1; }
+		elsif (/^no-ssl2$/)
+			{ $no_ssl2 = 1; }
+		elsif (/^no-ssl3$/)
+			{ $no_ssl3 = 1; }
+		elsif (/^no-tls1?$/)
+			{ $no_tls1 = 1; }
 		elsif (/^no-(.+)$/)
 			{
 			my $algo=$1;
 			push @skip,$algo;
 			$algo =~ tr/[a-z]/[A-Z]/;
-			$flags .= "-DNO_$algo ";
-			$depflags .= "-DNO_$algo ";
-			$openssl_algorithm_defines .= "#define NO_$algo\n";
+			$flags .= "-DOPENSSL_NO_$algo ";
+			$depflags .= "-DOPENSSL_NO_$algo ";
+			$openssl_algorithm_defines .= "#define OPENSSL_NO_$algo\n";
+			if ($algo eq "RIJNDAEL")
+				{
+				push @skip, "aes";
+				$flags .= "-DOPENSSL_NO_AES ";
+				$depflags .= "-DOPENSSL_NO_AES ";
+				$openssl_algorithm_defines .= "#define OPENSSL_NO_AES\n";
+				}
 			if ($algo eq "DES")
 				{
 				push @skip, "mdc2";
 				$options .= " no-mdc2";
-				$flags .= "-DNO_MDC2 ";
-				$depflags .= "-DNO_MDC2 ";
-				$openssl_algorithm_defines .= "#define NO_MDC2\n";
+				$flags .= "-DOPENSSL_NO_MDC2 ";
+				$depflags .= "-DOPENSSL_NO_MDC2 ";
+				$openssl_algorithm_defines .= "#define OPENSSL_NO_MDC2\n";
+				}
+			if ($algo eq "MD5")
+				{
+				$no_md5 = 1;
+				}
+			if ($algo eq "SHA")
+				{
+				$no_sha = 1;
+				}
+			if ($algo eq "RSA")
+				{
+				$no_rsa = 1;
+				}
+			if ($algo eq "DH")
+				{
+				$no_dh = 1;
 				}
 			}
 		elsif (/^reconfigure/ || /^reconf/)
@@ -667,9 +803,9 @@ PROCESS_ARGS:
 			{ $processor=386; }
 		elsif (/^rsaref$/)
 			{
-			$libs.= "-lRSAglue -lrsaref ";
-			$flags.= "-DRSAref ";
-			$openssl_other_defines .= "#define RSAref\n";
+			# No RSAref support any more since it's not needed.
+			# The check for the option is there so scripts aren't
+			# broken
 			}
 		elsif (/^[-+]/)
 			{
@@ -693,6 +829,10 @@ PROCESS_ARGS:
 				{
 				$install_prefix=$1;
 				}
+			elsif (/^--with-krb5-(dir|lib|include|flavor)=(.*)$/)
+				{
+				$withargs{"krb5-".$1}=$2;
+				}
 			else
 				{
 				print STDERR $usage;
@@ -719,6 +859,39 @@ PROCESS_ARGS:
 	}
 }
 
+$no_ssl3=1 if ($no_md5 || $no_sha);
+$no_ssl3=1 if ($no_rsa && $no_dh);
+
+$no_ssl2=1 if ($no_md5);
+$no_ssl2=1 if ($no_rsa);
+
+$no_tls1=1 if ($no_md5 || $no_sha);
+$no_tls1=1 if ($no_dh);
+
+if ($no_ssl2)
+	{
+	push @skip,"SSL2";
+	$flags .= "-DOPENSSL_NO_SSL2 ";
+	$depflags .= "-DOPENSSL_NO_SSL2 ";
+	$openssl_algorithm_defines .= "#define OPENSSL_NO_SSL2\n";
+	}
+
+if ($no_ssl3)
+	{
+	push @skip,"SSL3";
+	$flags .= "-DOPENSSL_NO_SSL3 ";
+	$depflags .= "-DOPENSSL_NO_SSL3 ";
+	$openssl_algorithm_defines .= "#define OPENSSL_NO_SSL3\n";
+	}
+
+if ($no_tls1)
+	{
+	push @skip,"TLS1";
+	$flags .= "-DOPENSSL_NO_TLS1 ";
+	$depflags .= "-DOPENSSL_NO_TLS1 ";
+	$openssl_algorithm_defines .= "#define OPENSSL_NO_TLS1\n";
+	}
+
 if ($target eq "TABLE") {
 	foreach $target (sort keys %table) {
 		print_table_entry($target);
@@ -745,6 +918,7 @@ print "Configuring for $target\n";
 my $IsWindows=scalar grep /^$target$/,@WinTargets;
 
 $exe_ext=".exe" if ($target eq "Cygwin");
+$exe_ext=".exe" if ($target eq "DJGPP");
 $openssldir="/usr/local/ssl" if ($openssldir eq "" and $prefix eq "");
 $prefix=$openssldir if $prefix eq "";
 
@@ -752,7 +926,7 @@ chop $openssldir if $openssldir =~ /\/$/;
 chop $prefix if $prefix =~ /\/$/;
 
 $openssldir=$prefix . "/ssl" if $openssldir eq "";
-$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /^\//;
+$openssldir=$prefix . "/" . $openssldir if $openssldir !~ /(^\/|^[a-zA-Z]:[\\\/])/;
 
 
 print "IsWindows=$IsWindows\n";
@@ -762,16 +936,17 @@ my $cc = $fields[$idx_cc];
 my $cflags = $fields[$idx_cflags];
 my $unistd = $fields[$idx_unistd];
 my $thread_cflag = $fields[$idx_thread_cflag];
+my $sys_id = $fields[$idx_sys_id];
 my $lflags = $fields[$idx_lflags];
 my $bn_ops = $fields[$idx_bn_ops];
 my $bn_obj = $fields[$idx_bn_obj];
 my $des_obj = $fields[$idx_des_obj];
 my $bf_obj = $fields[$idx_bf_obj];
-my $md5_obj = $fields[$idx_md5_obj];
-my $sha1_obj = $fields[$idx_sha1_obj];
+$md5_obj = $fields[$idx_md5_obj];
+$sha1_obj = $fields[$idx_sha1_obj];
 my $cast_obj = $fields[$idx_cast_obj];
 my $rc4_obj = $fields[$idx_rc4_obj];
-my $rmd160_obj = $fields[$idx_rmd160_obj];
+$rmd160_obj = $fields[$idx_rmd160_obj];
 my $rc5_obj = $fields[$idx_rc5_obj];
 my $dso_scheme = $fields[$idx_dso_scheme];
 my $shared_target = $fields[$idx_shared_target];
@@ -779,9 +954,76 @@ my $shared_cflag = $fields[$idx_shared_cflag];
 my $shared_ldflag = $fields[$idx_shared_ldflag];
 my $shared_extension = $fields[$idx_shared_extension];
 my $ranlib = $fields[$idx_ranlib];
+my $arflags = $fields[$idx_arflags];
 
 $cflags="$flags$cflags" if ($flags ne "");
 
+# Kerberos settings.  The flavor must be provided from outside, either through
+# the script "config" or manually.
+if ($no_krb5
+	|| !defined($withargs{"krb5-flavor"})
+	|| $withargs{"krb5-flavor"} eq "")
+	{
+	$cflags="-DOPENSSL_NO_KRB5 $cflags";
+	$options.=" no-krb5" unless $no_krb5;
+	$openssl_algorithm_defines .= "#define OPENSSL_NO_KRB5\n";
+	}
+else
+	{
+	my ($lresolv, $lpath, $lext);
+	if ($withargs{"krb5-flavor"} =~ /^[Hh]eimdal$/)
+		{
+		die "Sorry, Heimdal is currently not supported\n";
+		}
+	##### HACK to force use of Heimdal.
+	##### WARNING: Since we don't really have adequate support for Heimdal,
+	#####          using this will break the build.  You'll have to make
+	#####          changes to the source, and if you do, please send
+	#####          patches to openssl-dev@openssl.org
+	if ($withargs{"krb5-flavor"} =~ /^force-[Hh]eimdal$/)
+		{
+		warn "Heimdal isn't really supported.  Your build WILL break\n";
+		warn "If you fix the problems, please send a patch to openssl-dev\@openssl.org\n";
+		$withargs{"krb5-dir"} = "/usr/heimdal"
+			if $withargs{"krb5-dir"} eq "";
+		$withargs{"krb5-lib"} = "-L".$withargs{"krb5-dir"}.
+			"/lib -lgssapi -lkrb5 -lcom_err"
+			if $withargs{"krb5-lib"} eq "";
+		$cflags="-DKRB5_HEIMDAL $cflags";
+		}
+	if ($withargs{"krb5-flavor"} =~ /^[Mm][Ii][Tt]/)
+		{
+		$withargs{"krb5-dir"} = "/usr/kerberos"
+			if $withargs{"krb5-dir"} eq "";
+		$withargs{"krb5-lib"} = "-L".$withargs{"krb5-dir"}.
+			"/lib -lgssapi_krb5 -lkrb5 -lcom_err -lk5crypto"
+			if $withargs{"krb5-lib"} eq "";
+		$cflags="-DKRB5_MIT $cflags";
+		$withargs{"krb5-flavor"} =~ s/^[Mm][Ii][Tt][._-]*//;
+		if ($withargs{"krb5-flavor"} =~ /^1[._-]*[01]/)
+			{
+			$cflags="-DKRB5_MIT_OLD11 $cflags";
+			}
+		}
+	LRESOLV:
+	foreach $lpath ("/lib", "/usr/lib")
+		{
+		foreach $lext ("a", "so")
+			{
+			$lresolv = "$lpath/libresolv.$lext";
+			last LRESOLV	if (-r "$lresolv");
+			$lresolv = "";
+			}
+		}
+	$withargs{"krb5-lib"} .= " -lresolv"
+		if ("$lresolv" ne "");
+	$withargs{"krb5-include"} = "-I".$withargs{"krb5-dir"}."/include"
+		if $withargs{"krb5-include"} eq "" &&
+		   $withargs{"krb5-dir"} ne "";
+
+	$libs.=$withargs{"krb5-lib"}." " if $withargs{"krb5-lib"} ne "";
+	}
+
 # The DSO code currently always implements all functions so that no
 # applications will have to worry about that from a compilation point
 # of view. However, the "method"s may return zero unless that platform
@@ -795,18 +1037,14 @@ if (!$no_dso && $dso_scheme ne "")
 	if ($dso_scheme eq "DLFCN")
 		{
 		$dso_cflags = "-DDSO_DLFCN -DHAVE_DLFCN_H";
-		$openssl_other_defines .= "#define DSO_DLFCN\n";
-		$openssl_other_defines .= "#define HAVE_DLFCN_H\n";
 		}
 	elsif ($dso_scheme eq "DLFCN_NO_H")
 		{
 		$dso_cflags = "-DDSO_DLFCN";
-		$openssl_other_defines .= "#define DSO_DLFCN\n";
 		}
 	else
 		{
 		$dso_cflags = "-DDSO_$dso_scheme";
-		$openssl_other_defines .= "#define DSO_$dso_scheme\n";
 		}
 	$cflags = "$dso_cflags $cflags";
 	}
@@ -822,13 +1060,13 @@ if ($thread_cflag eq "(unknown)")
 	{
 	# If the user asked for "threads", hopefully they also provided
 	# any system-dependent compiler options that are necessary.
-	$thread_cflags="-DTHREADS $cflags" ;
-	$thread_defines .= "#define THREADS\n";
+	$thread_cflags="-DOPENSSL_THREADS $cflags" ;
+	$thread_defines .= "#define OPENSSL_THREADS\n";
 	}
 else
 	{
-	$thread_cflags="-DTHREADS $thread_cflag $cflags";
-	$thread_defines .= "#define THREADS\n";
+	$thread_cflags="-DOPENSSL_THREADS $thread_cflag $cflags";
+	$thread_defines .= "#define OPENSSL_THREADS\n";
 #	my $def;
 #	foreach $def (split ' ',$thread_cflag)
 #		{
@@ -839,7 +1077,7 @@ else
 #		}
 	}	
 
-$lflags="$libs$lflags"if ($libs ne "");
+$lflags="$libs$lflags" if ($libs ne "");
 
 if ($no_asm)
 	{
@@ -847,28 +1085,42 @@ if ($no_asm)
 	$sha1_obj=$md5_obj=$rmd160_obj="";
 	}
 
+if (!$no_shared)
+	{
+	$cast_obj="";	# CAST assembler is not PIC
+	}
+
 if ($threads)
 	{
-		$cflags=$thread_cflags;
-		$openssl_thread_defines .= $thread_defines;
+	$cflags=$thread_cflags;
+	$openssl_thread_defines .= $thread_defines;
+	}
+
+if ($zlib)
+	{
+	$cflags = "-DZLIB $cflags";
+	$cflags = "-DZLIB_SHARED $cflags" if $zlib == 2;
+	$lflags = "$lflags -lz" if $zlib == 1;
 	}
 
 # You will find shlib_mark1 and shlib_mark2 explained in Makefile.org
 my $shared_mark = "";
-if ($shared_target ne "")
+if ($shared_target eq "")
+	{
+	$no_shared = 1;
+	}
+if (!$no_shared)
 	{
 	if ($shared_cflag ne "")
 		{
 		$cflags = "$shared_cflag $cflags";
 		}
-	if (!$no_shared)
-		{
-		#$shared_mark = "\$(SHARED_LIBS)";
-		}
 	}
-else
+
+if ($sys_id ne "")
 	{
-	$no_shared = 1;
+	$cflags="-DOPENSSL_SYSNAME_$sys_id $cflags";
+	$openssl_sys_defines="#define OPENSSL_SYSNAME_$sys_id\n";
 	}
 
 if ($ranlib eq "")
@@ -939,7 +1191,8 @@ if ($shlib_version_number =~ /(^[0-9]*)\.([0-9\.]*)/)
 	}
 
 open(IN,'<Makefile.org') || die "unable to read Makefile.org:$!\n";
-open(OUT,">$Makefile") || die "unable to create $Makefile:$!\n";
+unlink("$Makefile.new") || die "unable to remove old $Makefile.new:$!\n" if -e "$Makefile.new";
+open(OUT,">$Makefile.new") || die "unable to create $Makefile.new:$!\n";
 print OUT "### Generated automatically from Makefile.org by Configure.\n\n";
 my $sdirs=0;
 while (<IN>)
@@ -949,7 +1202,7 @@ while (<IN>)
 	if ($sdirs) {
 		my $dir;
 		foreach $dir (@skip) {
-			s/$dir//;
+			s/([ 	])$dir /\1/;
 			}
 		}
 	$sdirs = 0 unless /\\$/;
@@ -968,6 +1221,7 @@ while (<IN>)
 	s/^OPTIONS=.*$/OPTIONS=$options/;
 	s/^CONFIGURE_ARGS=.*$/CONFIGURE_ARGS=$argvstring/;
 	s/^CC=.*$/CC= $cc/;
+	s/^MAKEDEPPROG=.*$/MAKEDEPPROG= $cc/ if $cc eq "gcc";
 	s/^CFLAG=.*$/CFLAG= $cflags/;
 	s/^DEPFLAG=.*$/DEPFLAG= $depflags/;
 	s/^EX_LIBS=.*$/EX_LIBS= $lflags/;
@@ -983,7 +1237,9 @@ while (<IN>)
 	s/^RMD160_ASM_OBJ=.*$/RMD160_ASM_OBJ= $rmd160_obj/;
 	s/^PROCESSOR=.*/PROCESSOR= $processor/;
 	s/^RANLIB=.*/RANLIB= $ranlib/;
+	s/^ARFLAGS=.*/ARFLAGS= $arflags/;
 	s/^PERL=.*/PERL= $perl/;
+	s/^KRB5_INCLUDES=.*/KRB5_INCLUDES=$withargs{"krb5-include"}/;
 	s/^SHLIB_TARGET=.*/SHLIB_TARGET=$shared_target/;
 	s/^SHLIB_MARK=.*/SHLIB_MARK=$shared_mark/;
 	s/^SHARED_LIBS=.*/SHARED_LIBS=\$(SHARED_CRYPTO) \$(SHARED_SSL)/ if (!$no_shared);
@@ -1010,6 +1266,8 @@ while (<IN>)
 	}
 close(IN);
 close(OUT);
+rename($Makefile,"$Makefile.bak") || die "unable to rename $Makefile\n" if -e $Makefile;
+rename("$Makefile.new",$Makefile) || die "unable to rename $Makefile.new\n";
 
 print "CC            =$cc\n";
 print "CFLAG         =$cflags\n";
@@ -1025,7 +1283,10 @@ print "SHA1_OBJ_ASM  =$sha1_obj\n";
 print "RMD160_OBJ_ASM=$rmd160_obj\n";
 print "PROCESSOR     =$processor\n";
 print "RANLIB        =$ranlib\n";
+print "ARFLAGS       =$arflags\n";
 print "PERL          =$perl\n";
+print "KRB5_INCLUDES =",$withargs{"krb5-include"},"\n"
+	if $withargs{"krb5-include"} ne "";
 
 my $des_ptr=0;
 my $des_risc1=0;
@@ -1042,6 +1303,7 @@ my $rc4_chunk=0;
 my $bf_ptr=0;
 my @type=("char","short","int","long");
 my ($b64l,$b64,$b32,$b16,$b8)=(0,0,1,0,0);
+my $export_var_as_fn=0;
 
 my $des_int;
 
@@ -1071,26 +1333,47 @@ foreach (sort split(/\s+/,$bn_ops))
 	($b64l,$b64,$b32,$b16,$b8)=(0,0,1,0,0) if /THIRTY_TWO_BIT/;
 	($b64l,$b64,$b32,$b16,$b8)=(0,0,0,1,0) if /SIXTEEN_BIT/;
 	($b64l,$b64,$b32,$b16,$b8)=(0,0,0,0,1) if /EIGHT_BIT/;
+	$export_var_as_fn=1 if /EXPORT_VAR_AS_FN/;
 	}
 
 open(IN,'<crypto/opensslconf.h.in') || die "unable to read crypto/opensslconf.h.in:$!\n";
-open(OUT,'>crypto/opensslconf.h') || die "unable to create crypto/opensslconf.h:$!\n";
+unlink("crypto/opensslconf.h.new") || die "unable to remove old crypto/opensslconf.h.new:$!\n" if -e "crypto/opensslconf.h.new";
+open(OUT,'>crypto/opensslconf.h.new') || die "unable to create crypto/opensslconf.h.new:$!\n";
 print OUT "/* opensslconf.h */\n";
 print OUT "/* WARNING: Generated automatically from opensslconf.h.in by Configure. */\n\n";
 
 print OUT "/* OpenSSL was configured with the following options: */\n";
-$openssl_algorithm_defines =~ s/^\s*#\s*define\s+(.*)/# ifndef $1\n#  define $1\n# endif/mg;
+my $openssl_algorithm_defines_trans = $openssl_algorithm_defines;
+$openssl_algorithm_defines_trans =~ s/^\s*#\s*define\s+OPENSSL_(.*)/# if defined(OPENSSL_$1) \&\& !defined($1)\n#  define $1\n# endif/mg;
+$openssl_algorithm_defines =~ s/^\s*#\s*define\s+(.*)/#ifndef $1\n# define $1\n#endif/mg;
 $openssl_algorithm_defines = "   /* no ciphers excluded */\n" if $openssl_algorithm_defines eq "";
-$openssl_thread_defines =~ s/^\s*#\s*define\s+(.*)/# ifndef $1\n#  define $1\n# endif/mg;
-$openssl_other_defines =~ s/^\s*#\s*define\s+(.*)/# ifndef $1\n#  define $1\n# endif/mg;
-print OUT "#ifdef OPENSSL_ALGORITHM_DEFINES\n$openssl_algorithm_defines#endif\n";
-print OUT "#ifdef OPENSSL_THREAD_DEFINES\n$openssl_thread_defines#endif\n";
-print OUT "#ifdef OPENSSL_OTHER_DEFINES\n$openssl_other_defines#endif\n\n";
+$openssl_thread_defines =~ s/^\s*#\s*define\s+(.*)/#ifndef $1\n# define $1\n#endif/mg;
+$openssl_sys_defines =~ s/^\s*#\s*define\s+(.*)/#ifndef $1\n# define $1\n#endif/mg;
+$openssl_other_defines =~ s/^\s*#\s*define\s+(.*)/#ifndef $1\n# define $1\n#endif/mg;
+print OUT $openssl_sys_defines;
+print OUT "#ifndef OPENSSL_DOING_MAKEDEPEND\n\n";
+print OUT $openssl_algorithm_defines;
+print OUT "\n#endif /* OPENSSL_DOING_MAKEDEPEND */\n";
+print OUT $openssl_thread_defines;
+print OUT $openssl_other_defines,"\n";
+
+print OUT "/* The OPENSSL_NO_* macros are also defined as NO_* if the application\n";
+print OUT "   asks for it.  This is a transient feature that is provided for those\n";
+print OUT "   who haven't had the time to do the appropriate changes in their\n";
+print OUT "   applications.  */\n";
+print OUT "#ifdef OPENSSL_ALGORITHM_DEFINES\n";
+print OUT $openssl_algorithm_defines_trans;
+print OUT "#endif\n\n";
 
 while (<IN>)
 	{
 	if	(/^#define\s+OPENSSLDIR/)
 		{ print OUT "#define OPENSSLDIR \"$openssldir\"\n"; }
+	elsif	(/^#((define)|(undef))\s+OPENSSL_EXPORT_VAR_AS_FUNCTION/)
+		{ printf OUT "#undef OPENSSL_EXPORT_VAR_AS_FUNCTION\n"
+			if $export_var_as_fn;
+		  printf OUT "#%s OPENSSL_EXPORT_VAR_AS_FUNCTION\n",
+			($export_var_as_fn)?"define":"undef"; }
 	elsif	(/^#define\s+OPENSSL_UNISTD/)
 		{
 		$unistd = "<unistd.h>" if $unistd eq "";
@@ -1149,6 +1432,8 @@ while (<IN>)
 	}
 close(IN);
 close(OUT);
+rename("crypto/opensslconf.h","crypto/opensslconf.h.bak") || die "unable to rename crypto/opensslconf.h\n" if -e "crypto/opensslconf.h";
+rename("crypto/opensslconf.h.new","crypto/opensslconf.h") || die "unable to rename crypto/opensslconf.h.new\n";
 
 
 # Fix the date
@@ -1188,11 +1473,13 @@ if($IsWindows) {
 EOF
 	close(OUT);
 } else {
-	(system "make -f Makefile.ssl PERL=\'$perl\' links") == 0 or exit $?
-		if $symlink;
-	### (system 'make depend') == 0 or exit $? if $depflags ne "";
-	# Run "make depend" manually if you want to be able to delete
-	# the source code files of ciphers you left out.
+	my $make_command = "make -f Makefile.ssl PERL=\'$perl\'";
+	my $make_targets = "";
+	$make_targets .= " links" if $symlink;
+	$make_targets .= " depend" if $depflags ne "" && $make_depend;
+	$make_targets .= " gentests" if $symlink;
+	(system $make_command.$make_targets) == 0 or exit $?
+		if $make_targets ne "";
 	if ( $perl =~ m@^/@) {
 	    &dofile("tools/c_rehash",$perl,'^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";');
 	    &dofile("apps/der_chop",$perl,'^#!/', '#!%s');
@@ -1202,7 +1489,16 @@ EOF
 	    &dofile("tools/c_rehash",'/usr/local/bin/perl','^#!/', '#!%s','^my \$dir;$', 'my $dir = "' . $openssldir . '";');
 	    &dofile("apps/der_chop",'/usr/local/bin/perl','^#!/', '#!%s');
 	    &dofile("apps/CA.pl",'/usr/local/bin/perl','^#!/', '#!%s');
-	}	    
+	}
+	if ($depflags ne "" && !$make_depend) {
+		print <<EOF;
+
+Since you've disabled at least one algorithm, you need to do the following
+before building:
+
+	make depend
+EOF
+	}
 }
 
 print <<EOF;
@@ -1289,11 +1585,11 @@ sub print_table_entry
 	{
 	my $target = shift;
 
-	(my $cc,my $cflags,my $unistd,my $thread_cflag,my $lflags,my $bn_ops,
-	my $bn_obj,my $des_obj,my $bf_obj,
+	(my $cc,my $cflags,my $unistd,my $thread_cflag,my $sys_id,my $lflags,
+	my $bn_ops,my $bn_obj,my $des_obj,my $bf_obj,
 	my $md5_obj,my $sha1_obj,my $cast_obj,my $rc4_obj,my $rmd160_obj,
 	my $rc5_obj,my $dso_scheme,my $shared_target,my $shared_cflag,
-	my $shared_ldflag,my $shared_extension,my $ranlib)=
+	my $shared_ldflag,my $shared_extension,my $ranlib,my $arflags)=
 	split(/\s*:\s*/,$table{$target} . ":" x 30 , -1);
 			
 	print <<EOF
@@ -1303,6 +1599,7 @@ sub print_table_entry
 \$cflags       = $cflags
 \$unistd       = $unistd
 \$thread_cflag = $thread_cflag
+\$sys_id       = $sys_id
 \$lflags       = $lflags
 \$bn_ops       = $bn_ops
 \$bn_obj       = $bn_obj
@@ -1320,6 +1617,7 @@ sub print_table_entry
 \$shared_ldflag = $shared_ldflag
 \$shared_extension = $shared_extension
 \$ranlib       = $ranlib
+\$arflags      = $arflags
 EOF
 	}
 
diff --git a/crypto/openssl/FAQ b/crypto/openssl/FAQ
index f9cd7d2820a9..9d1b0bb6c1b5 100644
--- a/crypto/openssl/FAQ
+++ b/crypto/openssl/FAQ
@@ -9,6 +9,7 @@ OpenSSL  -  Frequently Asked Questions
 * Where can I get a compiled version of OpenSSL?
 * Why aren't tools like 'autoconf' and 'libtool' used?
 * What is an 'engine' version?
+* How do I check the authenticity of the OpenSSL distribution?
 
 [LEGAL] Legal questions
 
@@ -29,17 +30,22 @@ OpenSSL  -  Frequently Asked Questions
 * Why can't I use OpenSSL certificates with SSL client authentication?
 * Why does my browser give a warning about a mismatched hostname?
 * How do I install a CA certificate into a browser?
+* Why is OpenSSL x509 DN output not conformant to RFC2253?
 
 [BUILD] Questions about building and testing OpenSSL
 
 * Why does the linker complain about undefined symbols?
 * Why does the OpenSSL test fail with "bc: command not found"?
 * Why does the OpenSSL test fail with "bc: 1 no implemented"?
+* Why does the OpenSSL test fail with "bc: stack empty"?
 * Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
 * Why does the OpenSSL compilation fail with "ar: command not found"?
 * Why does the OpenSSL compilation fail on Win32 with VC++?
 * What is special about OpenSSL on Redhat?
+* Why does the OpenSSL compilation fail on MacOS X?
 * Why does the OpenSSL test suite fail on MacOS X?
+* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?
+* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?
 
 [PROG] Questions about programming with OpenSSL
 
@@ -53,6 +59,7 @@ OpenSSL  -  Frequently Asked Questions
 * Why can't the OpenSSH configure script detect OpenSSL?
 * Can I use OpenSSL's SSL library with non-blocking I/O?
 * Why doesn't my server application receive a client certificate?
+* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
 
 ===============================================================================
 
@@ -61,7 +68,7 @@ OpenSSL  -  Frequently Asked Questions
 * Which is the current version of OpenSSL?
 
 The current version is available from <URL: http://www.openssl.org>.
-OpenSSL 0.9.6g was released on 9 August 2002.
+OpenSSL 0.9.7 was released on December 31, 2002.
 
 In addition to the current stable release, you can also access daily
 snapshots of the OpenSSL development version at <URL:
@@ -132,6 +139,19 @@ hardware. This was realized in a special release '0.9.6-engine'. With
 version 0.9.7 (not yet released) the changes were merged into the main
 development line, so that the special release is no longer necessary.
 
+* How do I check the authenticity of the OpenSSL distribution?
+
+We provide MD5 digests and ASC signatures of each tarball.
+Use MD5 to check that a tarball from a mirror site is identical:
+
+   md5sum TARBALL | awk '{print $1;}' | cmp - TARBALL.md5
+
+You can check authenticity using pgp or gpg. You need the OpenSSL team
+member public key used to sign it (download it from a key server). Then
+just do:
+
+   pgp TARBALL.asc
+
 [LEGAL] =======================================================================
 
 * Do I need patent licenses to use OpenSSL?
@@ -222,6 +242,8 @@ support can be found at
   http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsrdb/27606&zone_32=SUNWski
 However, be warned that /dev/random is usually a blocking device, which
 may have some effects on OpenSSL.
+A third party /dev/random solution for Solaris is available at
+  http://www.cosy.sbg.ac.at/~andi/
 
 
 * Why do I get an "unable to write 'random state'" error message?
@@ -348,6 +370,13 @@ DO NOT DO THIS! This command will give away your CAs private key and
 reduces its security to zero: allowing anyone to forge certificates in
 whatever name they choose.
 
+* Why is OpenSSL x509 DN output not conformant to RFC2253?
+
+The ways to print out the oneline format of the DN (Distinguished Name) have
+been extended in version 0.9.7 of OpenSSL. Using the new X509_NAME_print_ex()
+interface, the "-nameopt" option could be introduded. See the manual
+page of the "openssl x509" commandline tool for details. The old behaviour
+has however been left as default for the sake of compatibility.
 
 [BUILD] =======================================================================
 
@@ -392,6 +421,17 @@ and compile/install it.  GNU bc (see http://www.gnu.org/software/software.html
 for download instructions) can be safely used, for example.
 
 
+* Why does the OpenSSL test fail with "bc: stack empty"?
+
+On some DG/ux versions, bc seems to have a too small stack for calculations
+that the OpenSSL bntest throws at it.  This gets triggered when you run the
+test suite (using "make test").  The message returned is "bc: stack empty".
+
+The best way to deal with this is to find another implementation of bc
+and compile/install it.  GNU bc (see http://www.gnu.org/software/software.html
+for download instructions) can be safely used, for example.
+
+
 * Why does the OpenSSL compilation fail on Alpha Tru64 Unix?
 
 On some Alpha installations running Tru64 Unix and Compaq C, the compilation
@@ -489,6 +529,18 @@ IDEA:  5,214,703 25/05/2010
 RC5:   5,724,428 03/03/2015
 
 
+* Why does the OpenSSL compilation fail on MacOS X?
+
+If the failure happens when trying to build the "openssl" binary, with
+a large number of undefined symbols, it's very probable that you have
+OpenSSL 0.9.6b delivered with the operating system (you can find out by
+running '/usr/bin/openssl version') and that you were trying to build
+OpenSSL 0.9.7 or newer.  The problem is that the loader ('ld') in
+MacOS X has a misfeature that's quite difficult to go around.
+Look in the file PROBLEMS for a more detailed explanation and for possible
+solutions.
+
+
 * Why does the OpenSSL test suite fail on MacOS X?
 
 If the failure happens when running 'make test' and the RC4 test fails,
@@ -502,6 +554,34 @@ libraries you just built.
 Look in the file PROBLEMS for a more detailed explanation and for possible
 solutions.
 
+* Why does the OpenSSL test suite fail in BN_sqr test [on a 64-bit platform]?
+
+Failure in BN_sqr test is most likely caused by a failure to configure the
+toolkit for current platform or lack of support for the platform in question.
+Run './config -t' and './apps/openssl version -p'. Do these platform
+identifiers match? If they don't, then you most likely failed to run
+./config and you're hereby advised to do so before filing a bug report.
+If ./config itself fails to run, then it's most likely problem with your
+local environment and you should turn to your system administrator (or
+similar). If identifiers match (and/or no alternative identifier is
+suggested by ./config script), then the platform is unsupported. There might
+or might not be a workaround. Most notably on SPARC64 platforms with GNU
+C compiler you should be able to produce a working build by running
+'./config -m32'. I understand that -m32 might not be what you want/need,
+but the build should be operational. For further details turn to
+<openssl-dev@openssl.org>.
+
+* Why does OpenBSD-i386 build fail on des-586.s with "Unimplemented segment type"?
+
+As of 0.9.7 assembler routines were overhauled for position independence
+of the machine code, which is essential for shared library support. For
+some reason OpenBSD is equipped with an out-of-date GNU assembler which
+finds the new code offensive. To work around the problem, configure with
+no-asm (and sacrifice a great deal of performance) or upgrade /usr/bin/as.
+For your convenience a pre-compiled replacement binary is provided at
+http://www.openssl.org/~appro/i386-openbsd3-as, which is compiled from
+binutils-2.8 released in 1997.
+
 [PROG] ========================================================================
 
 * Is OpenSSL thread-safe?
@@ -667,5 +747,13 @@ if explicitly asked by the server. Use the SSL_VERIFY_PEER flag of the
 SSL_CTX_set_verify() function to enable the use of client certificates.
 
 
+* Why does compilation fail due to an undefined symbol NID_uniqueIdentifier?
+
+For OpenSSL 0.9.7 the OID table was extended and corrected. In earlier
+versions, uniqueIdentifier was incorrectly used for X.509 certificates.
+The correct name according to RFC2256 (LDAP) is x500UniqueIdentifier.
+Change your code to use the new name when compiling against OpenSSL 0.9.7.
+
+
 ===============================================================================
 
diff --git a/crypto/openssl/INSTALL b/crypto/openssl/INSTALL
index 75a843b15f4e..a427f12f6cba 100644
--- a/crypto/openssl/INSTALL
+++ b/crypto/openssl/INSTALL
@@ -2,8 +2,10 @@
  INSTALLATION ON THE UNIX PLATFORM
  ---------------------------------
 
- [Installation on Windows, OpenVMS and MacOS (before MacOS X) is described
-  in INSTALL.W32, INSTALL.VMS and INSTALL.MacOS.]
+ [Installation on DOS (with djgpp), Windows, OpenVMS and MacOS (before MacOS X)
+  is described in INSTALL.DJGPP, INSTALL.W32, INSTALL.VMS and INSTALL.MacOS.
+  This document describes installation on operating systems in the Unix
+  family.]
 
  To install OpenSSL, you will need:
 
@@ -53,6 +55,15 @@
                 This will usually require additional system-dependent options!
                 See "Note on multi-threading" below.
 
+  no-zlib       Don't try to build with support for zlib compression and
+                decompression.
+
+  zlib          Build with support for zlib compression/decompression.
+
+  zlib-dynamic  Like "zlib", but has OpenSSL load the zlib library dynamically
+                when needed.  This is only supported on systems where loading
+                of shared libraries is supported.  This is the default choice.
+
   no-shared     Don't try to create shared libraries.
 
   shared        In addition to the usual static libraries, create shared
@@ -129,8 +140,8 @@
      standard headers).  If it is a problem with OpenSSL itself, please
      report the problem to <openssl-bugs@openssl.org> (note that your
      message will be recorded in the request tracker publicly readable
-     via http://www.openssl.org/rt2.html and will be forwarded to a public
-     mailing list). Include the output of "make report" in your message.
+     via http://www.openssl.org/support/rt2.html and will be forwarded to a
+     public mailing list). Include the output of "make report" in your message.
      Please check out the request tracker. Maybe the bug was already
      reported or has already been fixed.
 
@@ -151,7 +162,7 @@
      in Makefile.ssl and run "make clean; make". Please send a bug
      report to <openssl-bugs@openssl.org>, including the output of
      "make report" in order to be added to the request tracker at
-     http://www.openssl.org/rt2.html.
+     http://www.openssl.org/support/rt2.html.
 
   4. If everything tests ok, install OpenSSL with
 
@@ -285,3 +296,15 @@
  targets for shared library creation, like linux-shared.  Those targets
  can currently be used on their own just as well, but this is expected
  to change in future versions of OpenSSL.
+
+ Note on random number generation
+ --------------------------------
+
+ Availability of cryptographically secure random numbers is required for
+ secret key generation. OpenSSL provides several options to seed the
+ internal PRNG. If not properly seeded, the internal PRNG will refuse
+ to deliver random bytes and a "PRNG not seeded error" will occur.
+ On systems without /dev/urandom (or similar) device, it may be necessary
+ to install additional support software to obtain random seed.
+ Please check out the manual pages for RAND_add(), RAND_bytes(), RAND_egd(),
+ and the FAQ for more information.
diff --git a/crypto/openssl/Makefile.org b/crypto/openssl/Makefile.org
index 56e11a144b72..fa18de17eb7f 100644
--- a/crypto/openssl/Makefile.org
+++ b/crypto/openssl/Makefile.org
@@ -15,6 +15,11 @@ OPTIONS=
 CONFIGURE_ARGS=
 SHLIB_TARGET=
 
+# HERE indicates where this Makefile lives.  This can be used to indicate
+# where sub-Makefiles are expected to be.  Currently has very limited usage,
+# and should probably not be bothered with at all.
+HERE=.
+
 # INSTALL_PREFIX is for package builders so that they can configure
 # for, say, /usr/ and yet have everything installed to /tmp/somedir/usr/.
 # Normally it is left empty.
@@ -24,7 +29,6 @@ INSTALLTOP=/usr/local/ssl
 # Do not edit this manually. Use Configure --openssldir=DIR do change this!
 OPENSSLDIR=/usr/local/ssl
 
-# RSAref  - Define if we are to link with RSAref.
 # NO_IDEA - Define to build without the IDEA algorithm
 # NO_RC4  - Define to build without the RC4 algorithm
 # NO_RC2  - Define to build without the RC2 algorithm
@@ -60,11 +64,13 @@ DEPFLAG=
 PEX_LIBS= 
 EX_LIBS= 
 EXE_EXT= 
-AR=ar r
+ARFLAGS=
+AR=ar $(ARFLAGS) r
 RANLIB= ranlib
 PERL= perl
 TAR= tar
 TARFLAGS= --no-recursion
+MAKEDEPPROG=makedepend
 
 # Set BN_ASM to bn_asm.o if you want to use the C version
 BN_ASM= bn_asm.o
@@ -151,20 +157,27 @@ RMD160_ASM_OBJ= asm/rm86-out.o
 #RMD160_ASM_OBJ= asm/rm86-out.o       # a.out, FreeBSD
 #RMD160_ASM_OBJ= asm/rm86bsdi.o       # bsdi
 
+# KRB5 stuff
+KRB5_INCLUDES=
+
 # When we're prepared to use shared libraries in the programs we link here
 # we might set SHLIB_MARK to '$(SHARED_LIBS)'.
 SHLIB_MARK=
 
-DIRS=   crypto ssl rsaref $(SHLIB_MARK) apps test tools
+DIRS=   crypto ssl $(SHLIB_MARK) apps test tools
 SHLIBDIRS= crypto ssl
 
 # dirs in crypto to build
 SDIRS=  \
 	md2 md4 md5 sha mdc2 hmac ripemd \
 	des rc2 rc4 rc5 idea bf cast \
-	bn rsa dsa dh dso \
+	bn ec rsa dsa dh dso engine aes \
 	buffer bio stack lhash rand err objects \
-	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp
+	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5
+
+# tests to perform.  "alltests" is a special word indicating that all tests
+# should be performed.
+TESTS = alltests
 
 MAKEFILE= Makefile.ssl
 MAKE=     make -f Makefile.ssl
@@ -190,29 +203,24 @@ BASENAME=       openssl
 NAME=           $(BASENAME)-$(VERSION)
 TARFILE=        $(NAME).tar
 WTARFILE=       $(NAME)-win.tar
-EXHEADER=       e_os.h e_os2.h
+EXHEADER=       e_os2.h
 HEADER=         e_os.h
 
 # When we're prepared to use shared libraries in the programs we link here
 # we might remove 'clean-shared' from the targets to perform at this stage
 
-all: clean-shared Makefile.ssl sub_all
+all: Makefile.ssl sub_all openssl.pc
 
 sub_all:
 	@for i in $(DIRS); \
 	do \
 	if [ -d "$$i" ]; then \
 		(cd $$i && echo "making all in $$i..." && \
-		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' EXE_EXT='${EXE_EXT}' all ) || exit 1; \
+		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \
 	else \
 		$(MAKE) $$i; \
 	fi; \
-	done; \
-	if echo "$(DIRS)" | \
-	    egrep '(^| )(crypto|ssl)( |$$)' > /dev/null 2>&1 && \
-	   [ -n "$(SHARED_LIBS)" ]; then \
-		$(MAKE) $(SHARED_LIBS); \
-	fi
+	done;
 
 libcrypto$(SHLIB_EXT): libcrypto.a
 	@if [ "$(SHLIB_TARGET)" != "" ]; then \
@@ -220,6 +228,7 @@ libcrypto$(SHLIB_EXT): libcrypto.a
 	else \
 		echo "There's no support for shared libraries on this platform" >&2; \
 	fi
+
 libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a
 	@if [ "$(SHLIB_TARGET)" != "" ]; then \
 		$(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-lcrypto' build-shared; \
@@ -237,7 +246,7 @@ clean-shared:
 		fi; \
 		( set -x; rm -f lib$$i$(SHLIB_EXT) ); \
 		if [ "$(PLATFORM)" = "Cygwin" ]; then \
-			( set -x; rm -f cyg$$i$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \
+			( set -x; rm -f cyg$$i-$(SHLIB_VERSION_NUMBER)$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \
 		fi; \
 	done
 
@@ -269,12 +278,7 @@ do_gnu-shared:
 	libs="$$libs -l$$i"; \
 	done
 
-DETECT_GNU_LD=${CC} -v 2>&1 | grep '^gcc' >/dev/null 2>&1 && \
-	collect2=`gcc -print-prog-name=collect2 2>&1` && \
-	[ -n "$$collect2" ] && \
-	my_ld=`$$collect2 --help 2>&1 | grep Usage: | sed 's/^Usage: *\([^ ][^ ]*\).*/\1/'` && \
-	[ -n "$$my_ld" ] && \
-	$$my_ld -v 2>&1 | grep 'GNU ld' >/dev/null 2>&1
+DETECT_GNU_LD=(${CC} -Wl,-V /dev/null 2>&1 | grep '^GNU ld' )>/dev/null
 
 # For Darwin AKA Mac OS/X (dyld)
 do_darwin-shared: 
@@ -289,7 +293,7 @@ do_darwin-shared:
 
 do_cygwin-shared:
 	libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
-	( set -x; ${CC}  -shared -o cyg$$i.dll \
+	( set -x; ${CC}  -shared -o cyg$$i-$(SHLIB_VERSION_NUMBER).dll \
 		-Wl,-Bsymbolic \
 		-Wl,--whole-archive lib$$i.a \
 		-Wl,--out-implib,lib$$i.dll.a \
@@ -352,10 +356,13 @@ do_solaris-shared:
 	else \
 		libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
 		( PATH=/usr/ccs/bin:$$PATH ; export PATH; \
-		  set -x; ${CC} ${SHARED_LDFLAGS} \
-			-G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+		  MINUSZ='-z '; \
+		  (${CC} -v 2>&1 | grep gcc) > /dev/null && MINUSZ='-Wl,-z,'; \
+		  set -x; ${CC} ${SHARED_LDFLAGS} -G -dy -z text \
+			-o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-			-z allextract lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \
+			$${MINUSZ}allextract lib$$i.a $${MINUSZ}defaultextract \
+			$$libs ${EX_LIBS} -lc ) || exit 1; \
 		libs="$$libs -l$$i"; \
 		done; \
 	fi
@@ -414,26 +421,44 @@ do_irix-shared:
 	fi
 
 # This assumes that GNU utilities are *not* used
+# HP-UX includes the full pathname of libs we depend on, so we would get
+# ./libcrypto (with ./ as path information) compiled into libssl, hence
+# we omit the SHLIBDEPS. Applications must be linked with -lssl -lcrypto
+# anyway.
+# The object modules are loaded from lib$i.a using the undocumented -Fl
+# option.
+#
+# WARNING: Until DSO is fixed to support a search path, we support SHLIB_PATH
+#          by temporarily specifying "+s"!
+#
 do_hpux-shared:
-	libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
+	for i in ${SHLIBDIRS}; do \
 	( set -x; /usr/ccs/bin/ld ${SHARED_LDFLAGS} \
-		+vnocompatwarnings \
-		-b -z -o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+ 		+vnocompatwarnings \
+		-b -z +s \
+		-o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		+h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-		-Fl lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \
-	chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} ; \
-	libs="$$libs -L. -l$$i"; \
+		-Fl lib$$i.a -ldld -lc ) || exit 1; \
+	chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
 	done
 
 # This assumes that GNU utilities are *not* used
+# HP-UX includes the full pathname of libs we depend on, so we would get
+# ./libcrypto (with ./ as path information) compiled into libssl, hence
+# we omit the SHLIBDEPS. Applications must be linked with -lssl -lcrypto
+# anyway.
+#
+# HP-UX in 64bit mode has "+s" enabled by default; it will search for
+# shared libraries along LD_LIBRARY_PATH _and_ SHLIB_PATH.
+#
 do_hpux64-shared:
-	libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
+	for i in ${SHLIBDIRS}; do \
 	( set -x; /usr/ccs/bin/ld ${SHARED_LDFLAGS} \
-		-b -z -o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+ 		-b -z \
+		-o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		+h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-		+forceload lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \
-	chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} ; \
-	libs="$$libs -L. -l$$i"; \
+		+forceload lib$$i.a -ldl -lc ) || exit 1; \
+	chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
 	done
 
 # The following method is said to work on all platforms.  Tests will
@@ -479,6 +504,33 @@ do_aix-shared:
 	libs="$$libs -l$$i"; \
 	done
 
+do_reliantunix-shared:
+	libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
+	tmpdir=/tmp/openssl.$$$$ ; rm -rf $$tmpdir ; \
+	( set -x; \
+	  ( Opwd=`pwd` ; mkdir $$tmpdir || exit 1; \
+	    cd $$tmpdir || exit 1 ; ar x $$Opwd/lib$$i.a ; \
+	    ${CC} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} *.o \
+	  ) || exit 1; \
+	  cp $$tmpdir/lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} . ; \
+	) || exit 1; \
+	rm -rf $$tmpdir ; \
+	libs="$$libs -l$$i"; \
+	done
+
+openssl.pc: Makefile.ssl
+	@ ( echo 'prefix=$(INSTALLTOP)'; \
+	    echo 'exec_prefix=$${prefix}'; \
+	    echo 'libdir=$${exec_prefix}/lib'; \
+	    echo 'includedir=$${prefix}/include'; \
+	    echo ''; \
+	    echo 'Name: OpenSSL'; \
+	    echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
+	    echo 'Version: '$(VERSION); \
+	    echo 'Requires: '; \
+	    echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
+	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
+
 Makefile.ssl: Makefile.org
 	@echo "Makefile.ssl is older than Makefile.org."
 	@echo "Reconfigure the source tree (via './config' or 'perl Configure'), please."
@@ -497,6 +549,7 @@ clean:
 		rm -f $(LIBS); \
 	fi; \
 	done;
+	rm -f openssl.pc
 	rm -f *.a *.o speed.* *.map *.so .pure core
 	rm -f $(TARFILE)
 	@for i in $(ONEDIRS) ;\
@@ -525,10 +578,14 @@ links:
 	@for i in $(DIRS); do \
 	if [ -d "$$i" ]; then \
 		(cd $$i && echo "making links in $$i..." && \
-		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' links ) || exit 1; \
+		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' links ) || exit 1; \
 	fi; \
 	done;
 
+gentests:
+	@(cd test && echo "generating dummy tests (if needed)..." && \
+	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on generate );
+
 dclean:
 	rm -f *.bak
 	@for i in $(DIRS) ;\
@@ -541,15 +598,25 @@ dclean:
 
 rehash: rehash.time
 rehash.time: certs
-	@(OPENSSL="`pwd`/apps/openssl"; export OPENSSL; $(PERL) tools/c_rehash certs)
+	@(OPENSSL="`pwd`/apps/openssl"; OPENSSL_DEBUG_MEMORY=on; \
+		export OPENSSL OPENSSL_DEBUG_MEMORY; \
+		LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \
+		if [ "$(PLATFORM)" = "DJGPP" ]; then PATH="`pwd`\;$$PATH";  \
+		elif [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
+		export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
+		$(PERL) tools/c_rehash certs)
 	touch rehash.time
 
 test:   tests
 
 tests: rehash
 	@(cd test && echo "testing..." && \
-	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' OPENSSL_DEBUG_MEMORY=on tests );
-	@apps/openssl version -a
+	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on tests );
+	@LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \
+		if [ "$(PLATFORM)" = "DJGPP" ]; then PATH="`pwd`\;$$PATH";  \
+		elif [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
+		export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
+		apps/openssl version -a
 
 report:
 	@$(PERL) util/selftest.pl
@@ -559,7 +626,7 @@ depend:
 	do \
 	if [ -d "$$i" ]; then \
 		(cd $$i && echo "making dependencies $$i..." && \
-		$(MAKE) SDIRS='${SDIRS}' DEPFLAG='${DEPFLAG}' PERL='${PERL}' depend ) || exit 1; \
+		$(MAKE) SDIRS='${SDIRS}' CFLAG='${CFLAG}' DEPFLAG='${DEPFLAG}' MAKEDEPPROG='${MAKEDEPPROG}' KRB5_INCLUDES='${KRB5_INCLUDES}' PERL='${PERL}' depend ) || exit 1; \
 	fi; \
 	done;
 
@@ -583,6 +650,7 @@ tags:
 
 errors:
 	$(PERL) util/mkerr.pl -recurse -write
+	(cd crypto/engine; $(MAKE) PERL=$(PERL) errors)
 
 stacks:
 	$(PERL) util/mkstack.pl -write
@@ -593,9 +661,9 @@ util/libeay.num::
 util/ssleay.num::
 	$(PERL) util/mkdef.pl ssl update
 
-crypto/objects/obj_dat.h: crypto/objects/obj_mac.h crypto/objects/obj_dat.pl
+crypto/objects/obj_dat.h: crypto/objects/obj_dat.pl crypto/objects/obj_mac.h
 	$(PERL) crypto/objects/obj_dat.pl crypto/objects/obj_mac.h crypto/objects/obj_dat.h
-crypto/objects/obj_mac.h: crypto/objects/objects.pl crypto/objects/objects.txt 
+crypto/objects/obj_mac.h: crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num
 	$(PERL) crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num crypto/objects/obj_mac.h
 
 TABLE: Configure
@@ -610,6 +678,9 @@ update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_
 # and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal
 # tar does not support the --files-from option.
 tar:
+	find . -type d -print | xargs chmod 755
+	find . -type f -print | xargs chmod a+r
+	find . -type f -perm -0100 -print | xargs chmod a+x
 	find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort > ../$(TARFILE).list; \
 	$(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list -cvf - | \
 	tardy --user_number=0  --user_name=openssl \
@@ -619,6 +690,14 @@ tar:
 	rm -f ../$(TARFILE).list; \
 	ls -l ../$(TARFILE).gz
 
+tar-snap:
+	@$(TAR) $(TARFLAGS) -cvf - \
+		`find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \! -name '*.so' \! -name '*.so.*'  \! -name 'openssl' \! -name '*test' \! -name '.#*' \! -name '*~' | sort` |\
+	tardy --user_number=0  --user_name=openssl \
+	      --group_number=0 --group_name=openssl \
+	      --prefix=openssl-$(VERSION) - > ../$(TARFILE);\
+	ls -l ../$(TARFILE)
+
 dist:   
 	$(PERL) Configure dist
 	@$(MAKE) dist_pem_h
@@ -631,6 +710,7 @@ dist_pem_h:
 install: all install_docs
 	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/lib \
+		$(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
@@ -652,11 +732,12 @@ install: all install_docs
 	do \
 		if [ -f "$$i" ]; then \
 		(       echo installing $$i; \
-			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
-			$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
-			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
+			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+			$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+			mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
 		fi; \
-	done
+	done;
 	@if [ -n "$(SHARED_LIBS)" ]; then \
 		tmp="$(SHARED_LIBS)"; \
 		for i in $${tmp:-x}; \
@@ -664,14 +745,17 @@ install: all install_docs
 			if [ -f "$$i" -o -f "$$i.a" ]; then \
 			(       echo installing $$i; \
 				if [ "$(PLATFORM)" != "Cygwin" ]; then \
-					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
-					chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
+					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+					chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
 				else \
-					c=`echo $$i | sed 's/^lib/cyg/'`; \
-					cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
-					chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
-					cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
-					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
+					c=`echo $$i | sed 's/^lib\(.*\)/cyg\1-$(SHLIB_VERSION_NUMBER)/'`; \
+					cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
+					chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
+					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
+					cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \
+					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \
+					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
 				fi ); \
 			fi; \
 		done; \
@@ -680,6 +764,7 @@ install: all install_docs
 			set $(MAKE); \
 			$$1 -f $$here/Makefile link-shared ); \
 	fi
+	cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
 
 install_docs:
 	@$(PERL) $(TOP)/util/mkdir-p.pl \
@@ -687,26 +772,43 @@ install_docs:
 		$(INSTALL_PREFIX)$(MANDIR)/man3 \
 		$(INSTALL_PREFIX)$(MANDIR)/man5 \
 		$(INSTALL_PREFIX)$(MANDIR)/man7
-	@pod2man=`cd util; ./pod2mantest ignore`; \
+	@pod2man="`cd util; ./pod2mantest $(PERL)`"; \
+	here="`pwd`"; \
+	filecase=; \
+	if [ "$(PLATFORM)" = "DJGPP" -o "$(PLATFORM)" = "Cygwin" ]; then \
+		filecase=-i; \
+	fi; \
 	for i in doc/apps/*.pod; do \
 		fn=`basename $$i .pod`; \
 		if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \
-		echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
+		echo "installing man$$sec/$$fn.$$sec"; \
 		(cd `$(PERL) util/dirname.pl $$i`; \
-		sh -c "$(PERL) $$pod2man \
+		sh -c "$$pod2man \
 			--section=$$sec --center=OpenSSL \
 			--release=$(VERSION) `basename $$i`") \
-			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
+			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$$sec; \
+		$(PERL) util/extract-names.pl < $$i | \
+			grep -v $$filecase "^$$fn\$$" | \
+			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
+			 while read n; do \
+				$$here/util/point.sh $$fn.$$sec $$n.$$sec; \
+			 done); \
 	done; \
 	for i in doc/crypto/*.pod doc/ssl/*.pod; do \
 		fn=`basename $$i .pod`; \
 		if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \
-		echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
+		echo "installing man$$sec/$$fn.$$sec"; \
 		(cd `$(PERL) util/dirname.pl $$i`; \
-		sh -c "$(PERL) $$pod2man \
+		sh -c "$$pod2man \
 			--section=$$sec --center=OpenSSL \
 			--release=$(VERSION) `basename $$i`") \
-			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
+			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$$sec; \
+		$(PERL) util/extract-names.pl < $$i | \
+			grep -v $$filecase "^$$fn\$$" | \
+			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
+			 while read n; do \
+				$$here/util/point.sh $$fn.$$sec $$n.$$sec; \
+			 done); \
 	done
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
diff --git a/crypto/openssl/Makefile.ssl b/crypto/openssl/Makefile.ssl
index 43b5ac39582b..b262f9d568f9 100644
--- a/crypto/openssl/Makefile.ssl
+++ b/crypto/openssl/Makefile.ssl
@@ -4,19 +4,24 @@
 ## Makefile for OpenSSL
 ##
 
-VERSION=0.9.6g
+VERSION=0.9.7
 MAJOR=0
-MINOR=9.6
-SHLIB_VERSION_NUMBER=0.9.6
+MINOR=9.7
+SHLIB_VERSION_NUMBER=0.9.7
 SHLIB_VERSION_HISTORY=
 SHLIB_MAJOR=0
-SHLIB_MINOR=9.6
+SHLIB_MINOR=9.7
 SHLIB_EXT=
 PLATFORM=dist
-OPTIONS=
+OPTIONS= no-krb5
 CONFIGURE_ARGS=dist
 SHLIB_TARGET=
 
+# HERE indicates where this Makefile lives.  This can be used to indicate
+# where sub-Makefiles are expected to be.  Currently has very limited usage,
+# and should probably not be bothered with at all.
+HERE=.
+
 # INSTALL_PREFIX is for package builders so that they can configure
 # for, say, /usr/ and yet have everything installed to /tmp/somedir/usr/.
 # Normally it is left empty.
@@ -26,7 +31,6 @@ INSTALLTOP=/usr/local/ssl
 # Do not edit this manually. Use Configure --openssldir=DIR do change this!
 OPENSSLDIR=/usr/local/ssl
 
-# RSAref  - Define if we are to link with RSAref.
 # NO_IDEA - Define to build without the IDEA algorithm
 # NO_RC4  - Define to build without the RC4 algorithm
 # NO_RC2  - Define to build without the RC2 algorithm
@@ -57,16 +61,18 @@ OPENSSLDIR=/usr/local/ssl
 
 CC= cc
 #CFLAG= -DL_ENDIAN -DTERMIO -O3 -fomit-frame-pointer -m486 -Wall -Wuninitialized -DSHA1_ASM -DMD5_ASM -DRMD160_ASM
-CFLAG= -O
+CFLAG= -DOPENSSL_NO_KRB5 -O
 DEPFLAG= 
 PEX_LIBS= 
 EX_LIBS= 
 EXE_EXT= 
-AR=ar r
+ARFLAGS= 
+AR=ar $(ARFLAGS) r
 RANLIB= /usr/bin/ranlib
 PERL= /usr/local/bin/perl
 TAR= tar
 TARFLAGS= --no-recursion
+MAKEDEPPROG=makedepend
 
 # Set BN_ASM to bn_asm.o if you want to use the C version
 BN_ASM= bn_asm.o
@@ -153,20 +159,27 @@ RMD160_ASM_OBJ=
 #RMD160_ASM_OBJ= asm/rm86-out.o       # a.out, FreeBSD
 #RMD160_ASM_OBJ= asm/rm86bsdi.o       # bsdi
 
+# KRB5 stuff
+KRB5_INCLUDES=
+
 # When we're prepared to use shared libraries in the programs we link here
 # we might set SHLIB_MARK to '$(SHARED_LIBS)'.
 SHLIB_MARK=
 
-DIRS=   crypto ssl rsaref $(SHLIB_MARK) apps test tools
+DIRS=   crypto ssl $(SHLIB_MARK) apps test tools
 SHLIBDIRS= crypto ssl
 
 # dirs in crypto to build
 SDIRS=  \
 	md2 md4 md5 sha mdc2 hmac ripemd \
 	des rc2 rc4 rc5 idea bf cast \
-	bn rsa dsa dh dso \
+	bn ec rsa dsa dh dso engine aes \
 	buffer bio stack lhash rand err objects \
-	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp
+	evp asn1 pem x509 x509v3 conf txt_db pkcs7 pkcs12 comp ocsp ui krb5
+
+# tests to perform.  "alltests" is a special word indicating that all tests
+# should be performed.
+TESTS = alltests
 
 MAKEFILE= Makefile.ssl
 MAKE=     make -f Makefile.ssl
@@ -192,29 +205,24 @@ BASENAME=       openssl
 NAME=           $(BASENAME)-$(VERSION)
 TARFILE=        $(NAME).tar
 WTARFILE=       $(NAME)-win.tar
-EXHEADER=       e_os.h e_os2.h
+EXHEADER=       e_os2.h
 HEADER=         e_os.h
 
 # When we're prepared to use shared libraries in the programs we link here
 # we might remove 'clean-shared' from the targets to perform at this stage
 
-all: clean-shared Makefile.ssl sub_all
+all: Makefile.ssl sub_all openssl.pc
 
 sub_all:
 	@for i in $(DIRS); \
 	do \
 	if [ -d "$$i" ]; then \
 		(cd $$i && echo "making all in $$i..." && \
-		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' EXE_EXT='${EXE_EXT}' all ) || exit 1; \
+		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' all ) || exit 1; \
 	else \
 		$(MAKE) $$i; \
 	fi; \
-	done; \
-	if echo "$(DIRS)" | \
-	    egrep '(^| )(crypto|ssl)( |$$)' > /dev/null 2>&1 && \
-	   [ -n "$(SHARED_LIBS)" ]; then \
-		$(MAKE) $(SHARED_LIBS); \
-	fi
+	done;
 
 libcrypto$(SHLIB_EXT): libcrypto.a
 	@if [ "$(SHLIB_TARGET)" != "" ]; then \
@@ -222,6 +230,7 @@ libcrypto$(SHLIB_EXT): libcrypto.a
 	else \
 		echo "There's no support for shared libraries on this platform" >&2; \
 	fi
+
 libssl$(SHLIB_EXT): libcrypto$(SHLIB_EXT) libssl.a
 	@if [ "$(SHLIB_TARGET)" != "" ]; then \
 		$(MAKE) SHLIBDIRS=ssl SHLIBDEPS='-lcrypto' build-shared; \
@@ -239,7 +248,7 @@ clean-shared:
 		fi; \
 		( set -x; rm -f lib$$i$(SHLIB_EXT) ); \
 		if [ "$(PLATFORM)" = "Cygwin" ]; then \
-			( set -x; rm -f cyg$$i$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \
+			( set -x; rm -f cyg$$i-$(SHLIB_VERSION_NUMBER)$(SHLIB_EXT) lib$$i$(SHLIB_EXT).a ); \
 		fi; \
 	done
 
@@ -271,12 +280,7 @@ do_gnu-shared:
 	libs="$$libs -l$$i"; \
 	done
 
-DETECT_GNU_LD=${CC} -v 2>&1 | grep '^gcc' >/dev/null 2>&1 && \
-	collect2=`gcc -print-prog-name=collect2 2>&1` && \
-	[ -n "$$collect2" ] && \
-	my_ld=`$$collect2 --help 2>&1 | grep Usage: | sed 's/^Usage: *\([^ ][^ ]*\).*/\1/'` && \
-	[ -n "$$my_ld" ] && \
-	$$my_ld -v 2>&1 | grep 'GNU ld' >/dev/null 2>&1
+DETECT_GNU_LD=(${CC} -Wl,-V /dev/null 2>&1 | grep '^GNU ld' )>/dev/null
 
 # For Darwin AKA Mac OS/X (dyld)
 do_darwin-shared: 
@@ -291,7 +295,7 @@ do_darwin-shared:
 
 do_cygwin-shared:
 	libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
-	( set -x; ${CC}  -shared -o cyg$$i.dll \
+	( set -x; ${CC}  -shared -o cyg$$i-$(SHLIB_VERSION_NUMBER).dll \
 		-Wl,-Bsymbolic \
 		-Wl,--whole-archive lib$$i.a \
 		-Wl,--out-implib,lib$$i.dll.a \
@@ -354,10 +358,13 @@ do_solaris-shared:
 	else \
 		libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
 		( PATH=/usr/ccs/bin:$$PATH ; export PATH; \
-		  set -x; ${CC} ${SHARED_LDFLAGS} \
-			-G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+		  MINUSZ='-z '; \
+		  (${CC} -v 2>&1 | grep gcc) > /dev/null && MINUSZ='-Wl,-z,'; \
+		  set -x; ${CC} ${SHARED_LDFLAGS} -G -dy -z text \
+			-o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 			-h lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-			-z allextract lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \
+			$${MINUSZ}allextract lib$$i.a $${MINUSZ}defaultextract \
+			$$libs ${EX_LIBS} -lc ) || exit 1; \
 		libs="$$libs -l$$i"; \
 		done; \
 	fi
@@ -416,26 +423,44 @@ do_irix-shared:
 	fi
 
 # This assumes that GNU utilities are *not* used
+# HP-UX includes the full pathname of libs we depend on, so we would get
+# ./libcrypto (with ./ as path information) compiled into libssl, hence
+# we omit the SHLIBDEPS. Applications must be linked with -lssl -lcrypto
+# anyway.
+# The object modules are loaded from lib$i.a using the undocumented -Fl
+# option.
+#
+# WARNING: Until DSO is fixed to support a search path, we support SHLIB_PATH
+#          by temporarily specifying "+s"!
+#
 do_hpux-shared:
-	libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
+	for i in ${SHLIBDIRS}; do \
 	( set -x; /usr/ccs/bin/ld ${SHARED_LDFLAGS} \
-		+vnocompatwarnings \
-		-b -z -o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+ 		+vnocompatwarnings \
+		-b -z +s \
+		-o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		+h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-		-Fl lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \
-	chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} ; \
-	libs="$$libs -L. -l$$i"; \
+		-Fl lib$$i.a -ldld -lc ) || exit 1; \
+	chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
 	done
 
 # This assumes that GNU utilities are *not* used
+# HP-UX includes the full pathname of libs we depend on, so we would get
+# ./libcrypto (with ./ as path information) compiled into libssl, hence
+# we omit the SHLIBDEPS. Applications must be linked with -lssl -lcrypto
+# anyway.
+#
+# HP-UX in 64bit mode has "+s" enabled by default; it will search for
+# shared libraries along LD_LIBRARY_PATH _and_ SHLIB_PATH.
+#
 do_hpux64-shared:
-	libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
+	for i in ${SHLIBDIRS}; do \
 	( set -x; /usr/ccs/bin/ld ${SHARED_LDFLAGS} \
-		-b -z -o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
+ 		-b -z \
+		-o lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
 		+h lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} \
-		+forceload lib$$i.a $$libs ${EX_LIBS} -lc ) || exit 1; \
-	chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR} ; \
-	libs="$$libs -L. -l$$i"; \
+		+forceload lib$$i.a -ldl -lc ) || exit 1; \
+	chmod a=rx lib$$i.sl.${SHLIB_MAJOR}.${SHLIB_MINOR}; \
 	done
 
 # The following method is said to work on all platforms.  Tests will
@@ -481,6 +506,33 @@ do_aix-shared:
 	libs="$$libs -l$$i"; \
 	done
 
+do_reliantunix-shared:
+	libs='-L. ${SHLIBDEPS}'; for i in ${SHLIBDIRS}; do \
+	tmpdir=/tmp/openssl.$$$$ ; rm -rf $$tmpdir ; \
+	( set -x; \
+	  ( Opwd=`pwd` ; mkdir $$tmpdir || exit 1; \
+	    cd $$tmpdir || exit 1 ; ar x $$Opwd/lib$$i.a ; \
+	    ${CC} -G -o lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} *.o \
+	  ) || exit 1; \
+	  cp $$tmpdir/lib$$i.so.${SHLIB_MAJOR}.${SHLIB_MINOR} . ; \
+	) || exit 1; \
+	rm -rf $$tmpdir ; \
+	libs="$$libs -l$$i"; \
+	done
+
+openssl.pc: Makefile.ssl
+	@ ( echo 'prefix=$(INSTALLTOP)'; \
+	    echo 'exec_prefix=$${prefix}'; \
+	    echo 'libdir=$${exec_prefix}/lib'; \
+	    echo 'includedir=$${prefix}/include'; \
+	    echo ''; \
+	    echo 'Name: OpenSSL'; \
+	    echo 'Description: Secure Sockets Layer and cryptography libraries and tools'; \
+	    echo 'Version: '$(VERSION); \
+	    echo 'Requires: '; \
+	    echo 'Libs: -L$${libdir} -lssl -lcrypto $(EX_LIBS)'; \
+	    echo 'Cflags: -I$${includedir} $(KRB5_INCLUDES)' ) > openssl.pc
+
 Makefile.ssl: Makefile.org
 	@echo "Makefile.ssl is older than Makefile.org."
 	@echo "Reconfigure the source tree (via './config' or 'perl Configure'), please."
@@ -499,6 +551,7 @@ clean:
 		rm -f $(LIBS); \
 	fi; \
 	done;
+	rm -f openssl.pc
 	rm -f *.a *.o speed.* *.map *.so .pure core
 	rm -f $(TARFILE)
 	@for i in $(ONEDIRS) ;\
@@ -527,10 +580,14 @@ links:
 	@for i in $(DIRS); do \
 	if [ -d "$$i" ]; then \
 		(cd $$i && echo "making links in $$i..." && \
-		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' links ) || exit 1; \
+		$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PERL='${PERL}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' links ) || exit 1; \
 	fi; \
 	done;
 
+gentests:
+	@(cd test && echo "generating dummy tests (if needed)..." && \
+	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on generate );
+
 dclean:
 	rm -f *.bak
 	@for i in $(DIRS) ;\
@@ -543,15 +600,25 @@ dclean:
 
 rehash: rehash.time
 rehash.time: certs
-	@(OPENSSL="`pwd`/apps/openssl"; export OPENSSL; $(PERL) tools/c_rehash certs)
+	@(OPENSSL="`pwd`/apps/openssl"; OPENSSL_DEBUG_MEMORY=on; \
+		export OPENSSL OPENSSL_DEBUG_MEMORY; \
+		LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \
+		if [ "$(PLATFORM)" = "DJGPP" ]; then PATH="`pwd`\;$$PATH";  \
+		elif [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
+		export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
+		$(PERL) tools/c_rehash certs)
 	touch rehash.time
 
 test:   tests
 
 tests: rehash
 	@(cd test && echo "testing..." && \
-	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' OPENSSL_DEBUG_MEMORY=on tests );
-	@apps/openssl version -a
+	$(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' KRB5_INCLUDES='${KRB5_INCLUDES}' LIBKRB5='${LIBKRB5}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}' TESTS='${TESTS}' OPENSSL_DEBUG_MEMORY=on tests );
+	@LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; LIBPATH="`pwd`"; \
+		if [ "$(PLATFORM)" = "DJGPP" ]; then PATH="`pwd`\;$$PATH";  \
+		elif [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
+		export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
+		apps/openssl version -a
 
 report:
 	@$(PERL) util/selftest.pl
@@ -561,7 +628,7 @@ depend:
 	do \
 	if [ -d "$$i" ]; then \
 		(cd $$i && echo "making dependencies $$i..." && \
-		$(MAKE) SDIRS='${SDIRS}' DEPFLAG='${DEPFLAG}' PERL='${PERL}' depend ) || exit 1; \
+		$(MAKE) SDIRS='${SDIRS}' CFLAG='${CFLAG}' DEPFLAG='${DEPFLAG}' MAKEDEPPROG='${MAKEDEPPROG}' KRB5_INCLUDES='${KRB5_INCLUDES}' PERL='${PERL}' depend ) || exit 1; \
 	fi; \
 	done;
 
@@ -585,6 +652,7 @@ tags:
 
 errors:
 	$(PERL) util/mkerr.pl -recurse -write
+	(cd crypto/engine; $(MAKE) PERL=$(PERL) errors)
 
 stacks:
 	$(PERL) util/mkstack.pl -write
@@ -595,9 +663,9 @@ util/libeay.num::
 util/ssleay.num::
 	$(PERL) util/mkdef.pl ssl update
 
-crypto/objects/obj_dat.h: crypto/objects/obj_mac.h crypto/objects/obj_dat.pl
+crypto/objects/obj_dat.h: crypto/objects/obj_dat.pl crypto/objects/obj_mac.h
 	$(PERL) crypto/objects/obj_dat.pl crypto/objects/obj_mac.h crypto/objects/obj_dat.h
-crypto/objects/obj_mac.h: crypto/objects/objects.pl crypto/objects/objects.txt 
+crypto/objects/obj_mac.h: crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num
 	$(PERL) crypto/objects/objects.pl crypto/objects/objects.txt crypto/objects/obj_mac.num crypto/objects/obj_mac.h
 
 TABLE: Configure
@@ -612,6 +680,9 @@ update: depend errors stacks util/libeay.num util/ssleay.num crypto/objects/obj_
 # and read directly, requiring GNU-Tar. Call "make TAR=gtar dist" if the normal
 # tar does not support the --files-from option.
 tar:
+	find . -type d -print | xargs chmod 755
+	find . -type f -print | xargs chmod a+r
+	find . -type f -perm -0100 -print | xargs chmod a+x
 	find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE | sort > ../$(TARFILE).list; \
 	$(TAR) $(TARFLAGS) --files-from ../$(TARFILE).list -cvf - | \
 	tardy --user_number=0  --user_name=openssl \
@@ -621,6 +692,14 @@ tar:
 	rm -f ../$(TARFILE).list; \
 	ls -l ../$(TARFILE).gz
 
+tar-snap:
+	@$(TAR) $(TARFLAGS) -cvf - \
+		`find * \! -path CVS/\* \! -path \*/CVS/\* \! -name CVS \! -name .cvsignore \! -name STATUS \! -name TABLE \! -name '*.o' \! -name '*.a' \! -name '*.so' \! -name '*.so.*'  \! -name 'openssl' \! -name '*test' \! -name '.#*' \! -name '*~' | sort` |\
+	tardy --user_number=0  --user_name=openssl \
+	      --group_number=0 --group_name=openssl \
+	      --prefix=openssl-$(VERSION) - > ../$(TARFILE);\
+	ls -l ../$(TARFILE)
+
 dist:   
 	$(PERL) Configure dist
 	@$(MAKE) dist_pem_h
@@ -633,6 +712,7 @@ dist_pem_h:
 install: all install_docs
 	@$(PERL) $(TOP)/util/mkdir-p.pl $(INSTALL_PREFIX)$(INSTALLTOP)/bin \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/lib \
+		$(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig \
 		$(INSTALL_PREFIX)$(INSTALLTOP)/include/openssl \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/misc \
 		$(INSTALL_PREFIX)$(OPENSSLDIR)/certs \
@@ -654,11 +734,12 @@ install: all install_docs
 	do \
 		if [ -f "$$i" ]; then \
 		(       echo installing $$i; \
-			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
-			$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
-			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
+			cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+			$(RANLIB) $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+			chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+			mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i ); \
 		fi; \
-	done
+	done;
 	@if [ -n "$(SHARED_LIBS)" ]; then \
 		tmp="$(SHARED_LIBS)"; \
 		for i in $${tmp:-x}; \
@@ -666,14 +747,17 @@ install: all install_docs
 			if [ -f "$$i" -o -f "$$i.a" ]; then \
 			(       echo installing $$i; \
 				if [ "$(PLATFORM)" != "Cygwin" ]; then \
-					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib; \
-					chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
+					cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+					chmod 555 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new; \
+					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i; \
 				else \
-					c=`echo $$i | sed 's/^lib/cyg/'`; \
-					cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
-					chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
-					cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
-					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
+					c=`echo $$i | sed 's/^lib\(.*\)/cyg\1-$(SHLIB_VERSION_NUMBER)/'`; \
+					cp $$c $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
+					chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new; \
+					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$c; \
+					cp $$i.a $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \
+					chmod 644 $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new; \
+					mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a.new $(INSTALL_PREFIX)$(INSTALLTOP)/lib/$$i.a; \
 				fi ); \
 			fi; \
 		done; \
@@ -682,6 +766,7 @@ install: all install_docs
 			set $(MAKE); \
 			$$1 -f $$here/Makefile link-shared ); \
 	fi
+	cp openssl.pc $(INSTALL_PREFIX)$(INSTALLTOP)/lib/pkgconfig
 
 install_docs:
 	@$(PERL) $(TOP)/util/mkdir-p.pl \
@@ -689,26 +774,43 @@ install_docs:
 		$(INSTALL_PREFIX)$(MANDIR)/man3 \
 		$(INSTALL_PREFIX)$(MANDIR)/man5 \
 		$(INSTALL_PREFIX)$(MANDIR)/man7
-	@pod2man=`cd util; ./pod2mantest ignore`; \
+	@pod2man="`cd util; ./pod2mantest $(PERL)`"; \
+	here="`pwd`"; \
+	filecase=; \
+	if [ "$(PLATFORM)" = "DJGPP" -o "$(PLATFORM)" = "Cygwin" ]; then \
+		filecase=-i; \
+	fi; \
 	for i in doc/apps/*.pod; do \
 		fn=`basename $$i .pod`; \
 		if [ "$$fn" = "config" ]; then sec=5; else sec=1; fi; \
-		echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
+		echo "installing man$$sec/$$fn.$$sec"; \
 		(cd `$(PERL) util/dirname.pl $$i`; \
-		sh -c "$(PERL) $$pod2man \
+		sh -c "$$pod2man \
 			--section=$$sec --center=OpenSSL \
 			--release=$(VERSION) `basename $$i`") \
-			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
+			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$$sec; \
+		$(PERL) util/extract-names.pl < $$i | \
+			grep -v $$filecase "^$$fn\$$" | \
+			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
+			 while read n; do \
+				$$here/util/point.sh $$fn.$$sec $$n.$$sec; \
+			 done); \
 	done; \
 	for i in doc/crypto/*.pod doc/ssl/*.pod; do \
 		fn=`basename $$i .pod`; \
 		if [ "$$fn" = "des_modes" ]; then sec=7; else sec=3; fi; \
-		echo "installing man$$sec/`basename $$i .pod`.$$sec"; \
+		echo "installing man$$sec/$$fn.$$sec"; \
 		(cd `$(PERL) util/dirname.pl $$i`; \
-		sh -c "$(PERL) $$pod2man \
+		sh -c "$$pod2man \
 			--section=$$sec --center=OpenSSL \
 			--release=$(VERSION) `basename $$i`") \
-			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/`basename $$i .pod`.$$sec; \
+			>  $(INSTALL_PREFIX)$(MANDIR)/man$$sec/$$fn.$$sec; \
+		$(PERL) util/extract-names.pl < $$i | \
+			grep -v $$filecase "^$$fn\$$" | \
+			(cd $(INSTALL_PREFIX)$(MANDIR)/man$$sec/; \
+			 while read n; do \
+				$$here/util/point.sh $$fn.$$sec $$n.$$sec; \
+			 done); \
 	done
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
diff --git a/crypto/openssl/NEWS b/crypto/openssl/NEWS
index 577db09cff5e..28f42ce89c0f 100644
--- a/crypto/openssl/NEWS
+++ b/crypto/openssl/NEWS
@@ -5,6 +5,66 @@
   This file gives a brief overview of the major changes between each OpenSSL
   release. For more details please read the CHANGES file.
 
+  Major changes between OpenSSL 0.9.6 and OpenSSL 0.9.7:
+
+      o New library section OCSP.
+      o Complete rewrite of ASN1 code.
+      o CRL checking in verify code and openssl utility.
+      o Extension copying in 'ca' utility.
+      o Flexible display options in 'ca' utility.
+      o Provisional support for international characters with UTF8.
+      o Support for external crypto devices ('engine') is no longer
+        a separate distribution.
+      o New elliptic curve library section.
+      o New AES (Rijndael) library section.
+      o Support for new platforms: Windows CE, Tandem OSS, A/UX, AIX 64-bit,
+        Linux x86_64, Linux 64-bit on Sparc v9
+      o Extended support for some platforms: VxWorks
+      o Enhanced support for shared libraries.
+      o Now only builds PIC code when shared library support is requested.
+      o Support for pkg-config.
+      o Lots of new manuals.
+      o Makes symbolic links to or copies of manuals to cover all described
+        functions.
+      o Change DES API to clean up the namespace (some applications link also
+        against libdes providing similar functions having the same name).
+        Provide macros for backward compatibility (will be removed in the
+        future).
+      o Unify handling of cryptographic algorithms (software and engine)
+        to be available via EVP routines for asymmetric and symmetric ciphers.
+      o NCONF: new configuration handling routines.
+      o Change API to use more 'const' modifiers to improve error checking
+        and help optimizers.
+      o Finally remove references to RSAref.
+      o Reworked parts of the BIGNUM code.
+      o Support for new engines: Broadcom ubsec, Accelerated Encryption
+        Processing, IBM 4758.
+      o A few new engines added in the demos area.
+      o Extended and corrected OID (object identifier) table.
+      o PRNG: query at more locations for a random device, automatic query for
+        EGD style random sources at several locations.
+      o SSL/TLS: allow optional cipher choice according to server's preference.
+      o SSL/TLS: allow server to explicitly set new session ids.
+      o SSL/TLS: support Kerberos cipher suites (RFC2712).
+	Only supports MIT Kerberos for now.
+      o SSL/TLS: allow more precise control of renegotiations and sessions.
+      o SSL/TLS: add callback to retrieve SSL/TLS messages.
+      o SSL/TLS: support AES cipher suites (RFC3268).
+
+  Major changes between OpenSSL 0.9.6g and OpenSSL 0.9.6h:
+
+      o New configuration targets for Tandem OSS and A/UX.
+      o New OIDs for Microsoft attributes.
+      o Better handling of SSL session caching.
+      o Better comparison of distinguished names.
+      o Better handling of shared libraries in a mixed GNU/non-GNU environment.
+      o Support assembler code with Borland C.
+      o Fixes for length problems.
+      o Fixes for uninitialised variables.
+      o Fixes for memory leaks, some unusual crashes and some race conditions.
+      o Fixes for smaller building problems.
+      o Updates of manuals, FAQ and other instructive documents.
+
   Major changes between OpenSSL 0.9.6f and OpenSSL 0.9.6g:
 
       o Important building fixes on Unix.
diff --git a/crypto/openssl/PROBLEMS b/crypto/openssl/PROBLEMS
index 7e6af8ad4d87..4bf31303be99 100644
--- a/crypto/openssl/PROBLEMS
+++ b/crypto/openssl/PROBLEMS
@@ -1,5 +1,11 @@
 * System libcrypto.dylib and libssl.dylib are used by system ld on MacOS X.
-[NOTE: This is currently undergoing tests, and may be removed soon]
+
+
+    NOTE: The problem described here only applies when OpenSSL isn't built
+    with shared library support (i.e. without the "shared" configuration
+    option).  If you build with shared library support, you will have no
+    problems as long as you set up DYLD_LIBRARY_PATH properly at all times.
+
 
 This is really a misfeature in ld, which seems to look for .dylib libraries
 along the whole library path before it bothers looking for .a libraries.  This
@@ -40,3 +46,27 @@ scripts use the same name for output and input files, which means different
 will interfere with each other and lead to test failure.
 
 The solution is simple for now: don't run parallell make when testing.
+
+
+* Bugs in gcc 3.0 triggered
+
+According to a problem report, there are bugs in gcc 3.0 that are
+triggered by some of the code in OpenSSL, more specifically in
+PEM_get_EVP_CIPHER_INFO().  The triggering code is the following:
+
+	header+=11;
+	if (*header != '4') return(0); header++;
+	if (*header != ',') return(0); header++;
+
+What happens is that gcc might optimize a little too agressively, and
+you end up with an extra incrementation when *header != '4'.
+
+We recommend that you upgrade gcc to as high a 3.x version as you can.
+
+* solaris64-sparcv9-cc SHA-1 performance with WorkShop 6 compiler.
+
+As subject suggests SHA-1 might perform poorly (4 times slower)
+if compiled with WorkShop 6 compiler and -xarch=v9. The cause for
+this seems to be the fact that compiler emits multiplication to
+perform shift operations:-( To work the problem around configure
+with './Configure solaris64-sparcv9-cc -DMD32_REG_T=int'.
diff --git a/crypto/openssl/README b/crypto/openssl/README
index da9015331f68..b74af83b0b96 100644
--- a/crypto/openssl/README
+++ b/crypto/openssl/README
@@ -1,5 +1,5 @@
 
- OpenSSL 0.9.6g 9 August 2002
+ OpenSSL 0.9.7 31 Dec 2002
 
  Copyright (c) 1998-2002 The OpenSSL Project
  Copyright (c) 1995-1998 Eric A. Young, Tim J. Hudson
@@ -154,7 +154,7 @@
     - Stack Traceback (if the application dumps core)
 
  Report the bug to the OpenSSL project via the Request Tracker
- (http://www.openssl.org/rt2.html) by mail to:
+ (http://www.openssl.org/support/rt2.html) by mail to:
 
     openssl-bugs@openssl.org
 
diff --git a/crypto/openssl/README.ASN1 b/crypto/openssl/README.ASN1
new file mode 100644
index 000000000000..11bcfaf4ddb2
--- /dev/null
+++ b/crypto/openssl/README.ASN1
@@ -0,0 +1,187 @@
+
+OpenSSL ASN1 Revision
+=====================
+
+This document describes some of the issues relating to the new ASN1 code.
+
+Previous OpenSSL ASN1 problems
+=============================
+
+OK why did the OpenSSL ASN1 code need revising in the first place? Well
+there are lots of reasons some of which are included below...
+
+1. The code is difficult to read and write. For every single ASN1 structure
+(e.g. SEQUENCE) four functions need to be written for new, free, encode and
+decode operations. This is a very painful and error prone operation. Very few
+people have ever written any OpenSSL ASN1 and those that have usually wish
+they hadn't.
+
+2. Partly because of 1. the code is bloated and takes up a disproportionate
+amount of space. The SEQUENCE encoder is particularly bad: it essentially
+contains two copies of the same operation, one to compute the SEQUENCE length
+and the other to encode it.
+
+3. The code is memory based: that is it expects to be able to read the whole
+structure from memory. This is fine for small structures but if you have a
+(say) 1Gb PKCS#7 signedData structure it isn't such a good idea...
+
+4. The code for the ASN1 IMPLICIT tag is evil. It is handled by temporarily
+changing the tag to the expected one, attempting to read it, then changing it
+back again. This means that decode buffers have to be writable even though they
+are ultimately unchanged. This gets in the way of constification.
+
+5. The handling of EXPLICIT isn't much better. It adds a chunk of code into 
+the decoder and encoder for every EXPLICIT tag.
+
+6. APPLICATION and PRIVATE tags aren't even supported at all.
+
+7. Even IMPLICIT isn't complete: there is no support for implicitly tagged
+types that are not OPTIONAL.
+
+8. Much of the code assumes that a tag will fit in a single octet. This is
+only true if the tag is 30 or less (mercifully tags over 30 are rare).
+
+9. The ASN1 CHOICE type has to be largely handled manually, there aren't any
+macros that properly support it.
+
+10. Encoders have no concept of OPTIONAL and have no error checking. If the
+passed structure contains a NULL in a mandatory field it will not be encoded,
+resulting in an invalid structure.
+
+11. It is tricky to add ASN1 encoders and decoders to external applications.
+
+Template model
+==============
+
+One of the major problems with revision is the sheer volume of the ASN1 code.
+Attempts to change (for example) the IMPLICIT behaviour would result in a
+modification of *every* single decode function. 
+
+I decided to adopt a template based approach. I'm using the term 'template'
+in a manner similar to SNACC templates: it has nothing to do with C++
+templates.
+
+A template is a description of an ASN1 module as several constant C structures.
+It describes in a machine readable way exactly how the ASN1 structure should
+behave. If this template contains enough detail then it is possible to write
+versions of new, free, encode, decode (and possibly others operations) that
+operate on templates.
+
+Instead of having to write code to handle each operation only a single
+template needs to be written. If new operations are needed (such as a 'print'
+operation) only a single new template based function needs to be written 
+which will then automatically handle all existing templates.
+
+Plans for revision
+==================
+
+The revision will consist of the following steps. Other than the first two
+these can be handled in any order.
+ 
+o Design and write template new, free, encode and decode operations, initially
+memory based. *DONE*
+
+o Convert existing ASN1 code to template form. *IN PROGRESS*
+
+o Convert an existing ASN1 compiler (probably SNACC) to output templates
+in OpenSSL form.
+
+o Add support for BIO based ASN1 encoders and decoders to handle large
+structures, initially blocking I/O.
+
+o Add support for non blocking I/O: this is quite a bit harder than blocking
+I/O.
+
+o Add new ASN1 structures, such as OCSP, CRMF, S/MIME v3 (CMS), attribute
+certificates etc etc.
+
+Description of major changes
+============================
+
+The BOOLEAN type now takes three values. 0xff is TRUE, 0 is FALSE and -1 is
+absent. The meaning of absent depends on the context. If for example the
+boolean type is DEFAULT FALSE (as in the case of the critical flag for
+certificate extensions) then -1 is FALSE, if DEFAULT TRUE then -1 is TRUE.
+Usually the value will only ever be read via an API which will hide this from
+an application.
+
+There is an evil bug in the old ASN1 code that mishandles OPTIONAL with
+SEQUENCE OF or SET OF. These are both implemented as a STACK structure. The
+old code would omit the structure if the STACK was NULL (which is fine) or if
+it had zero elements (which is NOT OK). This causes problems because an empty
+SEQUENCE OF or SET OF will result in an empty STACK when it is decoded but when
+it is encoded it will be omitted resulting in different encodings. The new code
+only omits the encoding if the STACK is NULL, if it contains zero elements it
+is encoded and empty. There is an additional problem though: because an empty
+STACK was omitted, sometimes the corresponding *_new() function would
+initialize the STACK to empty so an application could immediately use it, if
+this is done with the new code (i.e. a NULL) it wont work. Therefore a new
+STACK should be allocated first. One instance of this is the X509_CRL list of
+revoked certificates: a helper function X509_CRL_add0_revoked() has been added
+for this purpose.
+
+The X509_ATTRIBUTE structure used to have an element called 'set' which took
+the value 1 if the attribute value was a SET OF or 0 if it was a single. Due
+to the behaviour of CHOICE in the new code this has been changed to a field
+called 'single' which is 0 for a SET OF and 1 for single. The old field has
+been deleted to deliberately break source compatibility. Since this structure
+is normally accessed via higher level functions this shouldn't break too much.
+
+The X509_REQ_INFO certificate request info structure no longer has a field
+called 'req_kludge'. This used to be set to 1 if the attributes field was
+(incorrectly) omitted. You can check to see if the field is omitted now by
+checking if the attributes field is NULL. Similarly if you need to omit
+the field then free attributes and set it to NULL.
+
+The top level 'detached' field in the PKCS7 structure is no longer set when
+a PKCS#7 structure is read in. PKCS7_is_detached() should be called instead.
+The behaviour of PKCS7_get_detached() is unaffected.
+
+The values of 'type' in the GENERAL_NAME structure have changed. This is
+because the old code use the ASN1 initial octet as the selector. The new
+code uses the index in the ASN1_CHOICE template.
+
+The DIST_POINT_NAME structure has changed to be a true CHOICE type.
+
+typedef struct DIST_POINT_NAME_st {
+int type;
+union {
+	STACK_OF(GENERAL_NAME) *fullname;
+	STACK_OF(X509_NAME_ENTRY) *relativename;
+} name;
+} DIST_POINT_NAME;
+
+This means that name.fullname or name.relativename should be set
+and type reflects the option. That is if name.fullname is set then
+type is 0 and if name.relativename is set type is 1.
+
+With the old code using the i2d functions would typically involve:
+
+unsigned char *buf, *p;
+int len;
+/* Find length of encoding */
+len = i2d_SOMETHING(x, NULL);
+/* Allocate buffer */
+buf = OPENSSL_malloc(len);
+if(buf == NULL) {
+	/* Malloc error */
+}
+/* Use temp variable because &p gets updated to point to end of
+ * encoding.
+ */
+p = buf;
+i2d_SOMETHING(x, &p);
+
+
+Using the new i2d you can also do:
+
+unsigned char *buf = NULL;
+int len;
+len = i2d_SOMETHING(x, &buf);
+if(len < 0) {
+	/* Malloc error */
+}
+
+and it will automatically allocate and populate a buffer with the
+encoding. After this call 'buf' will point to the start of the
+encoding which is len bytes long.
diff --git a/crypto/openssl/README.ENGINE b/crypto/openssl/README.ENGINE
index 43e39d5b09be..0ff833370930 100644
--- a/crypto/openssl/README.ENGINE
+++ b/crypto/openssl/README.ENGINE
@@ -1,63 +1,289 @@
-
   ENGINE
   ======
 
-  With OpenSSL 0.9.6, a new component has been added to support external 
-  crypto devices, for example accelerator cards.  The component is called
-  ENGINE, and has still a pretty experimental status and almost no
-  documentation.  It's designed to be fairly easily extensible by the
-  calling programs.
+  With OpenSSL 0.9.6, a new component was added to support alternative
+  cryptography implementations, most commonly for interfacing with external
+  crypto devices (eg. accelerator cards). This component is called ENGINE,
+  and its presence in OpenSSL 0.9.6 (and subsequent bug-fix releases)
+  caused a little confusion as 0.9.6** releases were rolled in two
+  versions, a "standard" and an "engine" version. In development for 0.9.7,
+  the ENGINE code has been merged into the main branch and will be present
+  in the standard releases from 0.9.7 forwards.
 
-  There's currently built-in support for the following crypto devices:
+  There are currently built-in ENGINE implementations for the following
+  crypto devices:
 
       o CryptoSwift
       o Compaq Atalla
       o nCipher CHIL
+      o Nuron
+      o Broadcom uBSec
+
+  In addition, dynamic binding to external ENGINE implementations is now
+  provided by a special ENGINE called "dynamic". See the "DYNAMIC ENGINE"
+  section below for details.
+
+  At this stage, a number of things are still needed and are being worked on:
+
+      1 Integration of EVP support.
+      2 Configuration support.
+      3 Documentation!
+
+1 With respect to EVP, this relates to support for ciphers and digests in
+  the ENGINE model so that alternative implementations of existing
+  algorithms/modes (or previously unimplemented ones) can be provided by
+  ENGINE implementations.
 
-  A number of things are still needed and are being worked on:
+2 Configuration support currently exists in the ENGINE API itself, in the
+  form of "control commands". These allow an application to expose to the
+  user/admin the set of commands and parameter types a given ENGINE
+  implementation supports, and for an application to directly feed string
+  based input to those ENGINEs, in the form of name-value pairs. This is an
+  extensible way for ENGINEs to define their own "configuration" mechanisms
+  that are specific to a given ENGINE (eg. for a particular hardware
+  device) but that should be consistent across *all* OpenSSL-based
+  applications when they use that ENGINE. Work is in progress (or at least
+  in planning) for supporting these control commands from the CONF (or
+  NCONF) code so that applications using OpenSSL's existing configuration
+  file format can have ENGINE settings specified in much the same way.
+  Presently however, applications must use the ENGINE API itself to provide
+  such functionality. To see first hand the types of commands available
+  with the various compiled-in ENGINEs (see further down for dynamic
+  ENGINEs), use the "engine" openssl utility with full verbosity, ie;
+       openssl engine -vvvv
 
-      o An openssl utility command to handle or at least check available
-        engines.
-      o A better way of handling the methods that are handled by the
-        engines.
-      o Documentation!
+3 Documentation? Volunteers welcome! The source code is reasonably well
+  self-documenting, but some summaries and usage instructions are needed -
+  moreover, they are needed in the same POD format the existing OpenSSL
+  documentation is provided in. Any complete or incomplete contributions
+  would help make this happen.
+
+  STABILITY & BUG-REPORTS
+  =======================
 
   What already exists is fairly stable as far as it has been tested, but
-  the test base has been a bit small most of the time.
+  the test base has been a bit small most of the time. For the most part,
+  the vendors of the devices these ENGINEs support have contributed to the
+  development and/or testing of the implementations, and *usually* (with no
+  guarantees) have experience in using the ENGINE support to drive their
+  devices from common OpenSSL-based applications. Bugs and/or inexplicable
+  behaviour in using a specific ENGINE implementation should be sent to the
+  author of that implementation (if it is mentioned in the corresponding C
+  file), and in the case of implementations for commercial hardware
+  devices, also through whatever vendor support channels are available.  If
+  none of this is possible, or the problem seems to be something about the
+  ENGINE API itself (ie. not necessarily specific to a particular ENGINE
+  implementation) then you should mail complete details to the relevant
+  OpenSSL mailing list. For a definition of "complete details", refer to
+  the OpenSSL "README" file. As for which list to send it to;
 
-  Because of this experimental status and what's lacking, the ENGINE
-  component is not yet part of the default OpenSSL distribution.  However,
-  we have made a separate kit for those who want to try this out, to be
-  found in the same places as the default OpenSSL distribution, but with
-  "-engine-" being part of the kit file name.  For example, version 0.9.6
-  is distributed in the following two files:
+     openssl-users: if you are *using* the ENGINE abstraction, either in an
+          pre-compiled application or in your own application code.
 
-      openssl-0.9.6.tar.gz
-      openssl-engine-0.9.6.tar.gz
+     openssl-dev: if you are discussing problems with OpenSSL source code.
 
-  NOTES
+  USAGE
   =====
 
-  openssl-engine-0.9.6.tar.gz does not depend on openssl-0.9.6.tar, you do
-  not need to download both.
+  The default "openssl" ENGINE is always chosen when performing crypto
+  operations unless you specify otherwise. You must actively tell the
+  openssl utility commands to use anything else through a new command line
+  switch called "-engine". Also, if you want to use the ENGINE support in
+  your own code to do something similar, you must likewise explicitly
+  select the ENGINE implementation you want.
+
+  Depending on the type of hardware, system, and configuration, "settings"
+  may need to be applied to an ENGINE for it to function as expected/hoped.
+  The recommended way of doing this is for the application to support
+  ENGINE "control commands" so that each ENGINE implementation can provide
+  whatever configuration primitives it might require and the application
+  can allow the user/admin (and thus the hardware vendor's support desk
+  also) to provide any such input directly to the ENGINE implementation.
+  This way, applications do not need to know anything specific to any
+  device, they only need to provide the means to carry such user/admin
+  input through to the ENGINE in question. Ie. this connects *you* (and
+  your helpdesk) to the specific ENGINE implementation (and device), and
+  allows application authors to not get buried in hassle supporting
+  arbitrary devices they know (and care) nothing about.
+
+  A new "openssl" utility, "openssl engine", has been added in that allows
+  for testing and examination of ENGINE implementations. Basic usage
+  instructions are available by specifying the "-?" command line switch.
+
+  DYNAMIC ENGINES
+  ===============
+
+  The new "dynamic" ENGINE provides a low-overhead way to support ENGINE
+  implementations that aren't pre-compiled and linked into OpenSSL-based
+  applications. This could be because existing compiled-in implementations
+  have known problems and you wish to use a newer version with an existing
+  application. It could equally be because the application (or OpenSSL
+  library) you are using simply doesn't have support for the ENGINE you
+  wish to use, and the ENGINE provider (eg. hardware vendor) is providing
+  you with a self-contained implementation in the form of a shared-library.
+  The other use-case for "dynamic" is with applications that wish to
+  maintain the smallest foot-print possible and so do not link in various
+  ENGINE implementations from OpenSSL, but instead leaves you to provide
+  them, if you want them, in the form of "dynamic"-loadable
+  shared-libraries. It should be possible for hardware vendors to provide
+  their own shared-libraries to support arbitrary hardware to work with
+  applications based on OpenSSL 0.9.7 or later. If you're using an
+  application based on 0.9.7 (or later) and the support you desire is only
+  announced for versions later than the one you need, ask the vendor to
+  backport their ENGINE to the version you need.
+
+  How does "dynamic" work?
+  ------------------------
+    The dynamic ENGINE has a special flag in its implementation such that
+    every time application code asks for the 'dynamic' ENGINE, it in fact
+    gets its own copy of it. As such, multi-threaded code (or code that
+    multiplexes multiple uses of 'dynamic' in a single application in any
+    way at all) does not get confused by 'dynamic' being used to do many
+    independent things. Other ENGINEs typically don't do this so there is
+    only ever 1 ENGINE structure of its type (and reference counts are used
+    to keep order). The dynamic ENGINE itself provides absolutely no
+    cryptographic functionality, and any attempt to "initialise" the ENGINE
+    automatically fails. All it does provide are a few "control commands"
+    that can be used to control how it will load an external ENGINE
+    implementation from a shared-library. To see these control commands,
+    use the command-line;
+
+       openssl engine -vvvv dynamic
+
+    The "SO_PATH" control command should be used to identify the
+    shared-library that contains the ENGINE implementation, and "NO_VCHECK"
+    might possibly be useful if there is a minor version conflict and you
+    (or a vendor helpdesk) is convinced you can safely ignore it.
+    "ID" is probably only needed if a shared-library implements
+    multiple ENGINEs, but if you know the engine id you expect to be using,
+    it doesn't hurt to specify it (and this provides a sanity check if
+    nothing else). "LIST_ADD" is only required if you actually wish the
+    loaded ENGINE to be discoverable by application code later on using the
+    ENGINE's "id". For most applications, this isn't necessary - but some
+    application authors may have nifty reasons for using it. The "LOAD"
+    command is the only one that takes no parameters and is the command
+    that uses the settings from any previous commands to actually *load*
+    the shared-library ENGINE implementation. If this command succeeds, the
+    (copy of the) 'dynamic' ENGINE will magically morph into the ENGINE
+    that has been loaded from the shared-library. As such, any control
+    commands supported by the loaded ENGINE could then be executed as per
+    normal. Eg. if ENGINE "foo" is implemented in the shared-library
+    "libfoo.so" and it supports some special control command "CMD_FOO", the
+    following code would load and use it (NB: obviously this code has no
+    error checking);
+
+       ENGINE *e = ENGINE_by_id("dynamic");
+       ENGINE_ctrl_cmd_string(e, "SO_PATH", "/lib/libfoo.so", 0);
+       ENGINE_ctrl_cmd_string(e, "ID", "foo", 0);
+       ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0);
+       ENGINE_ctrl_cmd_string(e, "CMD_FOO", "some input data", 0);
+
+    For testing, the "openssl engine" utility can be useful for this sort
+    of thing. For example the above code excerpt would achieve much the
+    same result as;
+
+       openssl engine dynamic \
+                 -pre SO_PATH:/lib/libfoo.so \
+                 -pre ID:foo \
+                 -pre LOAD \
+                 -pre "CMD_FOO:some input data"
+
+    Or to simply see the list of commands supported by the "foo" ENGINE;
+
+       openssl engine -vvvv dynamic \
+                 -pre SO_PATH:/lib/libfoo.so \
+                 -pre ID:foo \
+                 -pre LOAD
+
+    Applications that support the ENGINE API and more specifically, the
+    "control commands" mechanism, will provide some way for you to pass
+    such commands through to ENGINEs. As such, you would select "dynamic"
+    as the ENGINE to use, and the parameters/commands you pass would
+    control the *actual* ENGINE used. Each command is actually a name-value
+    pair and the value can sometimes be omitted (eg. the "LOAD" command).
+    Whilst the syntax demonstrated in "openssl engine" uses a colon to
+    separate the command name from the value, applications may provide
+    their own syntax for making that separation (eg. a win32 registry
+    key-value pair may be used by some applications). The reason for the
+    "-pre" syntax in the "openssl engine" utility is that some commands
+    might be issued to an ENGINE *after* it has been initialised for use.
+    Eg. if an ENGINE implementation requires a smart-card to be inserted
+    during initialisation (or a PIN to be typed, or whatever), there may be
+    a control command you can issue afterwards to "forget" the smart-card
+    so that additional initialisation is no longer possible. In
+    applications such as web-servers, where potentially volatile code may
+    run on the same host system, this may provide some arguable security
+    value. In such a case, the command would be passed to the ENGINE after
+    it has been initialised for use, and so the "-post" switch would be
+    used instead. Applications may provide a different syntax for
+    supporting this distinction, and some may simply not provide it at all
+    ("-pre" is almost always what you're after, in reality).
 
-  openssl-engine-0.9.6.tar.gz is usable even if you don't have an external
-  crypto device.  The internal OpenSSL functions are contained in the
-  engine "openssl", and will be used by default.
+  How do I build a "dynamic" ENGINE?
+  ----------------------------------
+    This question is trickier - currently OpenSSL bundles various ENGINE
+    implementations that are statically built in, and any application that
+    calls the "ENGINE_load_builtin_engines()" function will automatically
+    have all such ENGINEs available (and occupying memory). Applications
+    that don't call that function have no ENGINEs available like that and
+    would have to use "dynamic" to load any such ENGINE - but on the other
+    hand such applications would only have the memory footprint of any
+    ENGINEs explicitly loaded using user/admin provided control commands.
+    The main advantage of not statically linking ENGINEs and only using
+    "dynamic" for hardware support is that any installation using no
+    "external" ENGINE suffers no unnecessary memory footprint from unused
+    ENGINEs. Likewise, installations that do require an ENGINE incur the
+    overheads from only *that* ENGINE once it has been loaded.
 
-  No external crypto device is chosen unless you say so.  You have actively
-  tell the openssl utility commands to use it through a new command line
-  switch called "-engine".  And if you want to use the ENGINE library to
-  do something similar, you must also explicitly choose an external crypto
-  device, or the built-in crypto routines will be used, just as in the
-  default OpenSSL distribution.
+    Sounds good? Maybe, but currently building an ENGINE implementation as
+    a shared-library that can be loaded by "dynamic" isn't automated in
+    OpenSSL's build process. It can be done manually quite easily however.
+    Such a shared-library can either be built with any OpenSSL code it
+    needs statically linked in, or it can link dynamically against OpenSSL
+    if OpenSSL itself is built as a shared library. The instructions are
+    the same in each case, but in the former (statically linked any
+    dependencies on OpenSSL) you must ensure OpenSSL is built with
+    position-independent code ("PIC"). The default OpenSSL compilation may
+    already specify the relevant flags to do this, but you should consult
+    with your compiler documentation if you are in any doubt.
 
+    This example will show building the "atalla" ENGINE in the
+    crypto/engine/ directory as a shared-library for use via the "dynamic"
+    ENGINE.
+    1) "cd" to the crypto/engine/ directory of a pre-compiled OpenSSL
+       source tree.
+    2) Recompile at least one source file so you can see all the compiler
+       flags (and syntax) being used to build normally. Eg;
+           touch hw_atalla.c ; make
+       will rebuild "hw_atalla.o" using all such flags.
+    3) Manually enter the same compilation line to compile the
+       "hw_atalla.c" file but with the following two changes;
+         (a) add "-DENGINE_DYNAMIC_SUPPORT" to the command line switches,
+	 (b) change the output file from "hw_atalla.o" to something new,
+             eg. "tmp_atalla.o"
+    4) Link "tmp_atalla.o" into a shared-library using the top-level
+       OpenSSL libraries to resolve any dependencies. The syntax for doing
+       this depends heavily on your system/compiler and is a nightmare
+       known well to anyone who has worked with shared-library portability
+       before. 'gcc' on Linux, for example, would use the following syntax;
+          gcc -shared -o dyn_atalla.so tmp_atalla.o -L../.. -lcrypto
+    5) Test your shared library using "openssl engine" as explained in the
+       previous section. Eg. from the top-level directory, you might try;
+          apps/openssl engine -vvvv dynamic \
+              -pre SO_PATH:./crypto/engine/dyn_atalla.so -pre LOAD
+       If the shared-library loads successfully, you will see both "-pre"
+       commands marked as "SUCCESS" and the list of control commands
+       displayed (because of "-vvvv") will be the control commands for the
+       *atalla* ENGINE (ie. *not* the 'dynamic' ENGINE). You can also add
+       the "-t" switch to the utility if you want it to try and initialise
+       the atalla ENGINE for use to test any possible hardware/driver
+       issues.
 
   PROBLEMS
   ========
 
-  It seems like the ENGINE part doesn't work too well with CryptoSwift on
-  Win32.  A quick test done right before the release showed that trying
-  "openssl speed -engine cswift" generated errors.  If the DSO gets enabled,
-  an attempt is made to write at memory address 0x00000002.
+  It seems like the ENGINE part doesn't work too well with CryptoSwift on Win32.
+  A quick test done right before the release showed that trying "openssl speed
+  -engine cswift" generated errors. If the DSO gets enabled, an attempt is made
+  to write at memory address 0x00000002.
 
diff --git a/crypto/openssl/apps/CA.pl b/crypto/openssl/apps/CA.pl
index f1ac7e772690..8b2ce7ea4248 100755
--- a/crypto/openssl/apps/CA.pl
+++ b/crypto/openssl/apps/CA.pl
@@ -5,7 +5,7 @@
 #      things easier between now and when Eric is convinced to fix it :-)
 #
 # CA -newca ... will setup the right stuff
-# CA -newreq ... will generate a certificate request 
+# CA -newreq[-nodes] ... will generate a certificate request 
 # CA -sign ... will sign the generated request and output 
 #
 # At the end of that grab newreq.pem and newcert.pem (one has the key 
@@ -54,7 +54,7 @@ $RET = 0;
 
 foreach (@ARGV) {
 	if ( /^(-\?|-h|-help)$/ ) {
-	    print STDERR "usage: CA -newcert|-newreq|-newca|-sign|-verify\n";
+	    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
 	    exit 0;
 	} elsif (/^-newcert$/) {
 	    # create a certificate
@@ -66,6 +66,11 @@ foreach (@ARGV) {
 	    system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS");
 	    $RET=$?;
 	    print "Request (and private key) is in newreq.pem\n";
+	} elsif (/^-newreq-nodes$/) {
+	    # create a certificate request
+	    system ("$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS");
+	    $RET=$?;
+	    print "Request (and private key) is in newreq.pem\n";
 	} elsif (/^-newca$/) {
 		# if explicitly asked for or it doesn't exist then setup the
 		# directory structure that Eric likes to manage things 
@@ -143,7 +148,7 @@ foreach (@ARGV) {
 	    }
 	} else {
 	    print STDERR "Unknown arg $_\n";
-	    print STDERR "usage: CA -newcert|-newreq|-newca|-sign|-verify\n";
+	    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
 	    exit 1;
 	}
 }
diff --git a/crypto/openssl/apps/CA.pl.in b/crypto/openssl/apps/CA.pl.in
index f1ac7e772690..8b2ce7ea4248 100644
--- a/crypto/openssl/apps/CA.pl.in
+++ b/crypto/openssl/apps/CA.pl.in
@@ -5,7 +5,7 @@
 #      things easier between now and when Eric is convinced to fix it :-)
 #
 # CA -newca ... will setup the right stuff
-# CA -newreq ... will generate a certificate request 
+# CA -newreq[-nodes] ... will generate a certificate request 
 # CA -sign ... will sign the generated request and output 
 #
 # At the end of that grab newreq.pem and newcert.pem (one has the key 
@@ -54,7 +54,7 @@ $RET = 0;
 
 foreach (@ARGV) {
 	if ( /^(-\?|-h|-help)$/ ) {
-	    print STDERR "usage: CA -newcert|-newreq|-newca|-sign|-verify\n";
+	    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
 	    exit 0;
 	} elsif (/^-newcert$/) {
 	    # create a certificate
@@ -66,6 +66,11 @@ foreach (@ARGV) {
 	    system ("$REQ -new -keyout newreq.pem -out newreq.pem $DAYS");
 	    $RET=$?;
 	    print "Request (and private key) is in newreq.pem\n";
+	} elsif (/^-newreq-nodes$/) {
+	    # create a certificate request
+	    system ("$REQ -new -nodes -keyout newreq.pem -out newreq.pem $DAYS");
+	    $RET=$?;
+	    print "Request (and private key) is in newreq.pem\n";
 	} elsif (/^-newca$/) {
 		# if explicitly asked for or it doesn't exist then setup the
 		# directory structure that Eric likes to manage things 
@@ -143,7 +148,7 @@ foreach (@ARGV) {
 	    }
 	} else {
 	    print STDERR "Unknown arg $_\n";
-	    print STDERR "usage: CA -newcert|-newreq|-newca|-sign|-verify\n";
+	    print STDERR "usage: CA -newcert|-newreq|-newreq-nodes|-newca|-sign|-verify\n";
 	    exit 1;
 	}
 }
diff --git a/crypto/openssl/apps/Makefile.ssl b/crypto/openssl/apps/Makefile.ssl
index 0b3208f0de82..c75d0d2e77c3 100644
--- a/crypto/openssl/apps/Makefile.ssl
+++ b/crypto/openssl/apps/Makefile.ssl
@@ -5,21 +5,26 @@
 DIR=		apps
 TOP=		..
 CC=		cc
-INCLUDES=	-I../include
+INCLUDES=	-I$(TOP) -I../include $(KRB5_INCLUDES)
 CFLAG=		-g -static
 INSTALL_PREFIX=
 INSTALLTOP=	/usr/local/ssl
 OPENSSLDIR=	/usr/local/ssl
 MAKE=		make -f Makefile.ssl
-MAKEDEPEND=	$(TOP)/util/domd $(TOP)
+MAKEDEPPROG=	makedepend
+MAKEDEPEND=	$(TOP)/util/domd $(TOP) -MD $(MAKEDEPPROG)
 MAKEFILE=	Makefile.ssl
 PERL=		perl
 RM=		rm -f
+# KRB5 stuff
+KRB5_INCLUDES=
 
 PEX_LIBS=
 EX_LIBS= 
 EXE_EXT= 
 
+SHLIB_TARGET=
+
 CFLAGS= -DMONOLITH $(INCLUDES) $(CFLAG)
 
 GENERAL=Makefile makeapps.com install.com
@@ -39,7 +44,7 @@ E_EXE=	verify asn1pars req dgst dh dhparam enc passwd gendh errstr \
 	ca crl rsa rsautl dsa dsaparam \
 	x509 genrsa gendsa s_server s_client speed \
 	s_time version pkcs7 crl2pkcs7 sess_id ciphers nseq pkcs12 \
-	pkcs8 spkac smime rand
+	pkcs8 spkac smime rand engine ocsp
 
 PROGS= $(PROGRAM).c
 
@@ -55,14 +60,14 @@ E_OBJ=	verify.o asn1pars.o req.o dgst.o dh.o dhparam.o enc.o passwd.o gendh.o er
 	rsa.o rsautl.o dsa.o dsaparam.o \
 	x509.o genrsa.o gendsa.o s_server.o s_client.o speed.o \
 	s_time.o $(A_OBJ) $(S_OBJ) $(RAND_OBJ) version.o sess_id.o \
-	ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o
+	ciphers.o nseq.o pkcs12.o pkcs8.o spkac.o smime.o rand.o engine.o ocsp.o
 
 E_SRC=	verify.c asn1pars.c req.c dgst.c dh.c enc.c passwd.c gendh.c errstr.c ca.c \
 	pkcs7.c crl2p7.c crl.c \
 	rsa.c rsautl.c dsa.c dsaparam.c \
 	x509.c genrsa.c gendsa.c s_server.c s_client.c speed.c \
 	s_time.c $(A_SRC) $(S_SRC) $(RAND_SRC) version.c sess_id.c \
-	ciphers.c nseq.c pkcs12.c pkcs8.c spkac.c smime.c rand.c
+	ciphers.c nseq.c pkcs12.c pkcs8.c spkac.c smime.c rand.c engine.c ocsp.c
 
 SRC=$(E_SRC)
 
@@ -93,17 +98,20 @@ install:
 	@for i in $(EXE); \
 	do  \
 	(echo installing $$i; \
-	 cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i; \
-	 chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
+	 cp $$i $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
+	 chmod 755 $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new; \
+	 mv -f $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i.new $(INSTALL_PREFIX)$(INSTALLTOP)/bin/$$i ); \
 	 done;
 	@for i in $(SCRIPTS); \
 	do  \
 	(echo installing $$i; \
-	 cp $$i $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i; \
-	 chmod 755 $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i ); \
+	 cp $$i $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
+	 chmod 755 $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new; \
+	 mv -f $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i.new $(INSTALL_PREFIX)$(OPENSSLDIR)/misc/$$i ); \
 	 done
-	@cp openssl.cnf $(INSTALL_PREFIX)$(OPENSSLDIR); \
-	chmod 644 $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf
+	@cp openssl.cnf $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \
+	chmod 644 $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new; \
+	mv -f  $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf.new $(INSTALL_PREFIX)$(OPENSSLDIR)/openssl.cnf
 
 tags:
 	ctags $(SRC)
@@ -117,7 +125,7 @@ lint:
 	lint -DLINT $(INCLUDES) $(SRC)>fluff
 
 depend:
-	$(MAKEDEPEND) $(INCLUDES) $(DEPFLAG) $(PROGS) $(SRC)
+	$(MAKEDEPEND) -- $(CFLAG) $(INCLUDES) $(DEPFLAG) -- $(PROGS) $(SRC)
 
 dclean:
 	$(PERL) -pe 'if (/^# DO NOT DELETE THIS LINE/) {print; exit(0);}' $(MAKEFILE) >Makefile.new
@@ -128,15 +136,24 @@ clean:
 	rm -f req
 
 $(DLIBSSL):
-	(cd ../ssl; $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}')
+	(cd ..; $(MAKE) DIRS=ssl all)
 
 $(DLIBCRYPTO):
-	(cd ../crypto; $(MAKE) CC='${CC}' PLATFORM='${PLATFORM}' CFLAG='${CFLAG}' SDIRS='$(SDIRS)' INSTALLTOP='${INSTALLTOP}' PEX_LIBS='${PEX_LIBS}' EX_LIBS='${EX_LIBS}' BN_ASM='${BN_ASM}' DES_ENC='${DES_ENC}' BF_ENC='${BF_ENC}' CAST_ENC='${CAST_ENC}' RC4_ENC='${RC4_ENC}' RC5_ENC='${RC5_ENC}' SHA1_ASM_OBJ='${SHA1_ASM_OBJ}' MD5_ASM_OBJ='${MD5_ASM_OBJ}' RMD160_ASM_OBJ='${RMD160_ASM_OBJ}' AR='${AR}' PROCESSOR='${PROCESSOR}' PERL='${PERL}' RANLIB='${RANLIB}' TESTS='${TESTS}' EXE_EXT='${EXE_EXT}' SHARED_LIBS='${SHARED_LIBS}' SHLIB_EXT='${SHLIB_EXT}' SHLIB_TARGET='${SHLIB_TARGET}')
+	(cd ..; $(MAKE) DIRS=crypto all)
 
 $(PROGRAM): progs.h $(E_OBJ) $(PROGRAM).o $(DLIBCRYPTO) $(DLIBSSL)
 	$(RM) $(PROGRAM)
-	$(CC) -o $(PROGRAM) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(LIBSSL) $(LIBCRYPTO) $(EX_LIBS)
-	-(cd ..; OPENSSL="`pwd`/apps/openssl"; export OPENSSL; $(PERL) tools/c_rehash certs)
+	if [ "$(SHLIB_TARGET)" = "hpux-shared" -o "$(SHLIB_TARGET)" = "darwin-shared" ] ; then \
+	  $(CC) -o $(PROGRAM) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(DLIBSSL) $(LIBKRB5) $(DLIBCRYPTO) $(EX_LIBS) ; \
+	else \
+	  $(CC) -o $(PROGRAM) $(CFLAGS) $(PROGRAM).o $(E_OBJ) $(PEX_LIBS) $(LIBSSL) $(LIBKRB5) $(LIBCRYPTO) $(EX_LIBS) ; \
+	fi
+	-(cd ..; OPENSSL="`pwd`/apps/openssl"; export OPENSSL; \
+		LIBPATH="`pwd`"; LD_LIBRARY_PATH="`pwd`"; DYLD_LIBRARY_PATH="`pwd`"; SHLIB_PATH="`pwd`"; \
+		if [ "$(PLATFORM)" = "DJGPP" ]; then PATH="`pwd`\;$$PATH";  \
+		elif [ "$(PLATFORM)" = "Cygwin" ]; then PATH="`pwd`:$$PATH"; fi; \
+		export LD_LIBRARY_PATH DYLD_LIBRARY_PATH SHLIB_PATH LIBPATH PATH; \
+		$(PERL) tools/c_rehash certs)
 
 progs.h: progs.pl
 	$(PERL) progs.pl $(E_EXE) >progs.h
@@ -144,567 +161,724 @@ progs.h: progs.pl
 
 # DO NOT DELETE THIS LINE -- make depend depends on it.
 
-app_rand.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-app_rand.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-app_rand.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-app_rand.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-app_rand.o: ../include/openssl/des.h ../include/openssl/dh.h
-app_rand.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-app_rand.o: ../include/openssl/e_os2.h ../include/openssl/evp.h
-app_rand.o: ../include/openssl/idea.h ../include/openssl/lhash.h
-app_rand.o: ../include/openssl/md2.h ../include/openssl/md4.h
-app_rand.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-app_rand.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-app_rand.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+app_rand.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+app_rand.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+app_rand.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+app_rand.o: ../include/openssl/cast.h ../include/openssl/conf.h
+app_rand.o: ../include/openssl/crypto.h ../include/openssl/des.h
+app_rand.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+app_rand.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+app_rand.o: ../include/openssl/engine.h ../include/openssl/err.h
+app_rand.o: ../include/openssl/evp.h ../include/openssl/idea.h
+app_rand.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+app_rand.o: ../include/openssl/md4.h ../include/openssl/md5.h
+app_rand.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+app_rand.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+app_rand.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 app_rand.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 app_rand.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 app_rand.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
 app_rand.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 app_rand.o: ../include/openssl/sha.h ../include/openssl/stack.h
-app_rand.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
-app_rand.o: ../include/openssl/x509_vfy.h apps.h
-apps.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-apps.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-apps.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-apps.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-apps.o: ../include/openssl/des.h ../include/openssl/dh.h
-apps.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-apps.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+app_rand.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+app_rand.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+app_rand.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h app_rand.c
+app_rand.o: apps.h
+apps.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+apps.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+apps.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+apps.o: ../include/openssl/cast.h ../include/openssl/conf.h
+apps.o: ../include/openssl/crypto.h ../include/openssl/des.h
+apps.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+apps.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+apps.o: ../include/openssl/engine.h ../include/openssl/err.h
 apps.o: ../include/openssl/evp.h ../include/openssl/idea.h
 apps.o: ../include/openssl/lhash.h ../include/openssl/md2.h
 apps.o: ../include/openssl/md4.h ../include/openssl/md5.h
 apps.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
 apps.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-apps.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-apps.o: ../include/openssl/pem2.h ../include/openssl/pkcs12.h
-apps.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+apps.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+apps.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+apps.o: ../include/openssl/pkcs12.h ../include/openssl/pkcs7.h
+apps.o: ../include/openssl/rand.h ../include/openssl/rc2.h
 apps.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
 apps.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
 apps.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 apps.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-apps.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
-asn1pars.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-asn1pars.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-asn1pars.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-asn1pars.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-asn1pars.o: ../include/openssl/des.h ../include/openssl/dh.h
-asn1pars.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-asn1pars.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+apps.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
+apps.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+apps.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.c apps.h
+asn1pars.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+asn1pars.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+asn1pars.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+asn1pars.o: ../include/openssl/cast.h ../include/openssl/conf.h
+asn1pars.o: ../include/openssl/crypto.h ../include/openssl/des.h
+asn1pars.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+asn1pars.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+asn1pars.o: ../include/openssl/engine.h ../include/openssl/err.h
 asn1pars.o: ../include/openssl/evp.h ../include/openssl/idea.h
 asn1pars.o: ../include/openssl/lhash.h ../include/openssl/md2.h
 asn1pars.o: ../include/openssl/md4.h ../include/openssl/md5.h
 asn1pars.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
 asn1pars.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-asn1pars.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-asn1pars.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+asn1pars.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+asn1pars.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+asn1pars.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 asn1pars.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 asn1pars.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
 asn1pars.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 asn1pars.o: ../include/openssl/sha.h ../include/openssl/stack.h
-asn1pars.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
-asn1pars.o: ../include/openssl/x509_vfy.h apps.h
-ca.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-ca.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-ca.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-ca.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-ca.o: ../include/openssl/des.h ../include/openssl/dh.h ../include/openssl/dsa.h
-ca.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
-ca.o: ../include/openssl/err.h ../include/openssl/evp.h
-ca.o: ../include/openssl/idea.h ../include/openssl/lhash.h
-ca.o: ../include/openssl/md2.h ../include/openssl/md4.h
-ca.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-ca.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+asn1pars.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+asn1pars.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+asn1pars.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+asn1pars.o: asn1pars.c
+ca.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+ca.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+ca.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ca.o: ../include/openssl/cast.h ../include/openssl/conf.h
+ca.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ca.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+ca.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+ca.o: ../include/openssl/engine.h ../include/openssl/err.h
+ca.o: ../include/openssl/evp.h ../include/openssl/idea.h
+ca.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ca.o: ../include/openssl/md4.h ../include/openssl/md5.h
+ca.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+ca.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
 ca.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-ca.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ca.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+ca.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+ca.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ca.o: ../include/openssl/rand.h ../include/openssl/rc2.h
 ca.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
 ca.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
 ca.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 ca.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ca.o: ../include/openssl/txt_db.h ../include/openssl/x509.h
-ca.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-ciphers.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-ciphers.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-ciphers.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-ciphers.o: ../include/openssl/comp.h ../include/openssl/conf.h
-ciphers.o: ../include/openssl/crypto.h ../include/openssl/des.h
+ca.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
+ca.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+ca.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h ca.c
+ciphers.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+ciphers.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+ciphers.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ciphers.o: ../include/openssl/cast.h ../include/openssl/comp.h
+ciphers.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+ciphers.o: ../include/openssl/des.h ../include/openssl/des_old.h
 ciphers.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-ciphers.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+ciphers.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
 ciphers.o: ../include/openssl/err.h ../include/openssl/evp.h
-ciphers.o: ../include/openssl/idea.h ../include/openssl/lhash.h
-ciphers.o: ../include/openssl/md2.h ../include/openssl/md4.h
-ciphers.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-ciphers.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-ciphers.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ciphers.o: ../include/openssl/idea.h ../include/openssl/kssl.h
+ciphers.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ciphers.o: ../include/openssl/md4.h ../include/openssl/md5.h
+ciphers.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+ciphers.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+ciphers.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 ciphers.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-ciphers.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-ciphers.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-ciphers.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-ciphers.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-ciphers.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-ciphers.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-ciphers.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-ciphers.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-ciphers.o: ../include/openssl/x509_vfy.h apps.h
-crl.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-crl.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-crl.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-crl.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-crl.o: ../include/openssl/des.h ../include/openssl/dh.h
-crl.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-crl.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+ciphers.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+ciphers.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+ciphers.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+ciphers.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+ciphers.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+ciphers.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+ciphers.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+ciphers.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+ciphers.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
+ciphers.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+ciphers.o: ../include/openssl/x509_vfy.h apps.h ciphers.c
+crl.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+crl.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+crl.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+crl.o: ../include/openssl/cast.h ../include/openssl/conf.h
+crl.o: ../include/openssl/crypto.h ../include/openssl/des.h
+crl.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+crl.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+crl.o: ../include/openssl/engine.h ../include/openssl/err.h
 crl.o: ../include/openssl/evp.h ../include/openssl/idea.h
 crl.o: ../include/openssl/lhash.h ../include/openssl/md2.h
 crl.o: ../include/openssl/md4.h ../include/openssl/md5.h
 crl.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
 crl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-crl.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-crl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+crl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+crl.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+crl.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 crl.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 crl.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
 crl.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 crl.o: ../include/openssl/sha.h ../include/openssl/stack.h
-crl.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
-crl.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-crl2p7.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-crl2p7.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-crl2p7.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-crl2p7.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-crl2p7.o: ../include/openssl/des.h ../include/openssl/dh.h
-crl2p7.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-crl2p7.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+crl.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+crl.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+crl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+crl.o: ../include/openssl/x509v3.h apps.h crl.c
+crl2p7.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+crl2p7.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+crl2p7.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+crl2p7.o: ../include/openssl/cast.h ../include/openssl/conf.h
+crl2p7.o: ../include/openssl/crypto.h ../include/openssl/des.h
+crl2p7.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+crl2p7.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+crl2p7.o: ../include/openssl/engine.h ../include/openssl/err.h
 crl2p7.o: ../include/openssl/evp.h ../include/openssl/idea.h
 crl2p7.o: ../include/openssl/lhash.h ../include/openssl/md2.h
 crl2p7.o: ../include/openssl/md4.h ../include/openssl/md5.h
 crl2p7.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
 crl2p7.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-crl2p7.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-crl2p7.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+crl2p7.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+crl2p7.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+crl2p7.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 crl2p7.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 crl2p7.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
 crl2p7.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 crl2p7.o: ../include/openssl/sha.h ../include/openssl/stack.h
-crl2p7.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
-crl2p7.o: ../include/openssl/x509_vfy.h apps.h
-dgst.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-dgst.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-dgst.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-dgst.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-dgst.o: ../include/openssl/des.h ../include/openssl/dh.h
-dgst.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-dgst.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+crl2p7.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+crl2p7.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+crl2p7.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+crl2p7.o: crl2p7.c
+dgst.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+dgst.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+dgst.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+dgst.o: ../include/openssl/cast.h ../include/openssl/conf.h
+dgst.o: ../include/openssl/crypto.h ../include/openssl/des.h
+dgst.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+dgst.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+dgst.o: ../include/openssl/engine.h ../include/openssl/err.h
 dgst.o: ../include/openssl/evp.h ../include/openssl/idea.h
 dgst.o: ../include/openssl/lhash.h ../include/openssl/md2.h
 dgst.o: ../include/openssl/md4.h ../include/openssl/md5.h
 dgst.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
 dgst.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-dgst.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-dgst.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+dgst.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+dgst.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+dgst.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 dgst.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 dgst.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
 dgst.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 dgst.o: ../include/openssl/sha.h ../include/openssl/stack.h
-dgst.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
-dgst.o: ../include/openssl/x509_vfy.h apps.h
-dh.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-dh.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-dh.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-dh.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-dh.o: ../include/openssl/des.h ../include/openssl/dh.h ../include/openssl/dsa.h
-dh.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
-dh.o: ../include/openssl/err.h ../include/openssl/evp.h
-dh.o: ../include/openssl/idea.h ../include/openssl/lhash.h
-dh.o: ../include/openssl/md2.h ../include/openssl/md4.h
-dh.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-dh.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-dh.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+dgst.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+dgst.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+dgst.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h dgst.c
+dh.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+dh.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+dh.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+dh.o: ../include/openssl/cast.h ../include/openssl/conf.h
+dh.o: ../include/openssl/crypto.h ../include/openssl/des.h
+dh.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+dh.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+dh.o: ../include/openssl/engine.h ../include/openssl/err.h
+dh.o: ../include/openssl/evp.h ../include/openssl/idea.h
+dh.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+dh.o: ../include/openssl/md4.h ../include/openssl/md5.h
+dh.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+dh.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+dh.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 dh.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-dh.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-dh.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-dh.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-dh.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-dh.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-dh.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
-dsa.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-dsa.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-dsa.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-dsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-dsa.o: ../include/openssl/des.h ../include/openssl/dh.h
-dsa.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-dsa.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+dh.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+dh.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+dh.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+dh.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+dh.o: ../include/openssl/sha.h ../include/openssl/stack.h
+dh.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+dh.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+dh.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h dh.c
+dsa.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+dsa.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+dsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+dsa.o: ../include/openssl/cast.h ../include/openssl/conf.h
+dsa.o: ../include/openssl/crypto.h ../include/openssl/des.h
+dsa.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+dsa.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+dsa.o: ../include/openssl/engine.h ../include/openssl/err.h
 dsa.o: ../include/openssl/evp.h ../include/openssl/idea.h
 dsa.o: ../include/openssl/lhash.h ../include/openssl/md2.h
 dsa.o: ../include/openssl/md4.h ../include/openssl/md5.h
 dsa.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
 dsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-dsa.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-dsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+dsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+dsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+dsa.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 dsa.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 dsa.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
 dsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 dsa.o: ../include/openssl/sha.h ../include/openssl/stack.h
-dsa.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
-dsa.o: ../include/openssl/x509_vfy.h apps.h
-dsaparam.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-dsaparam.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-dsaparam.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-dsaparam.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-dsaparam.o: ../include/openssl/des.h ../include/openssl/dh.h
-dsaparam.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-dsaparam.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+dsa.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+dsa.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+dsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h dsa.c
+dsaparam.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+dsaparam.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+dsaparam.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+dsaparam.o: ../include/openssl/cast.h ../include/openssl/conf.h
+dsaparam.o: ../include/openssl/crypto.h ../include/openssl/des.h
+dsaparam.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+dsaparam.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+dsaparam.o: ../include/openssl/engine.h ../include/openssl/err.h
 dsaparam.o: ../include/openssl/evp.h ../include/openssl/idea.h
 dsaparam.o: ../include/openssl/lhash.h ../include/openssl/md2.h
 dsaparam.o: ../include/openssl/md4.h ../include/openssl/md5.h
 dsaparam.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
 dsaparam.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-dsaparam.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-dsaparam.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+dsaparam.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+dsaparam.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+dsaparam.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 dsaparam.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 dsaparam.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
 dsaparam.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 dsaparam.o: ../include/openssl/sha.h ../include/openssl/stack.h
-dsaparam.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
-dsaparam.o: ../include/openssl/x509_vfy.h apps.h
-enc.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-enc.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-enc.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-enc.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-enc.o: ../include/openssl/des.h ../include/openssl/dh.h
-enc.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-enc.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+dsaparam.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+dsaparam.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+dsaparam.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+dsaparam.o: dsaparam.c
+enc.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+enc.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+enc.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+enc.o: ../include/openssl/cast.h ../include/openssl/conf.h
+enc.o: ../include/openssl/crypto.h ../include/openssl/des.h
+enc.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+enc.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+enc.o: ../include/openssl/engine.h ../include/openssl/err.h
 enc.o: ../include/openssl/evp.h ../include/openssl/idea.h
 enc.o: ../include/openssl/lhash.h ../include/openssl/md2.h
 enc.o: ../include/openssl/md4.h ../include/openssl/md5.h
 enc.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
 enc.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-enc.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-enc.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-enc.o: ../include/openssl/rand.h ../include/openssl/rc2.h
-enc.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-enc.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-enc.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-enc.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
-errstr.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-errstr.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-errstr.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-errstr.o: ../include/openssl/comp.h ../include/openssl/conf.h
-errstr.o: ../include/openssl/crypto.h ../include/openssl/des.h
+enc.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+enc.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+enc.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+enc.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+enc.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+enc.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+enc.o: ../include/openssl/sha.h ../include/openssl/stack.h
+enc.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+enc.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+enc.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h enc.c
+engine.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+engine.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+engine.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+engine.o: ../include/openssl/cast.h ../include/openssl/comp.h
+engine.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+engine.o: ../include/openssl/des.h ../include/openssl/des_old.h
+engine.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+engine.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+engine.o: ../include/openssl/err.h ../include/openssl/evp.h
+engine.o: ../include/openssl/idea.h ../include/openssl/kssl.h
+engine.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+engine.o: ../include/openssl/md4.h ../include/openssl/md5.h
+engine.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+engine.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+engine.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+engine.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+engine.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+engine.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+engine.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+engine.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+engine.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+engine.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+engine.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+engine.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+engine.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
+engine.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+engine.o: ../include/openssl/x509_vfy.h apps.h engine.c
+errstr.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+errstr.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+errstr.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+errstr.o: ../include/openssl/cast.h ../include/openssl/comp.h
+errstr.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+errstr.o: ../include/openssl/des.h ../include/openssl/des_old.h
 errstr.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-errstr.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+errstr.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
 errstr.o: ../include/openssl/err.h ../include/openssl/evp.h
-errstr.o: ../include/openssl/idea.h ../include/openssl/lhash.h
-errstr.o: ../include/openssl/md2.h ../include/openssl/md4.h
-errstr.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-errstr.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-errstr.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+errstr.o: ../include/openssl/idea.h ../include/openssl/kssl.h
+errstr.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+errstr.o: ../include/openssl/md4.h ../include/openssl/md5.h
+errstr.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+errstr.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+errstr.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 errstr.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-errstr.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-errstr.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-errstr.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-errstr.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-errstr.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-errstr.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-errstr.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-errstr.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-errstr.o: ../include/openssl/x509_vfy.h apps.h
-gendh.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-gendh.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-gendh.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-gendh.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-gendh.o: ../include/openssl/des.h ../include/openssl/dh.h
-gendh.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-gendh.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+errstr.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+errstr.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+errstr.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+errstr.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+errstr.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+errstr.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+errstr.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+errstr.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+errstr.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
+errstr.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+errstr.o: ../include/openssl/x509_vfy.h apps.h errstr.c
+gendh.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+gendh.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+gendh.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+gendh.o: ../include/openssl/cast.h ../include/openssl/conf.h
+gendh.o: ../include/openssl/crypto.h ../include/openssl/des.h
+gendh.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+gendh.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+gendh.o: ../include/openssl/engine.h ../include/openssl/err.h
 gendh.o: ../include/openssl/evp.h ../include/openssl/idea.h
 gendh.o: ../include/openssl/lhash.h ../include/openssl/md2.h
 gendh.o: ../include/openssl/md4.h ../include/openssl/md5.h
 gendh.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
 gendh.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-gendh.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-gendh.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-gendh.o: ../include/openssl/rand.h ../include/openssl/rc2.h
-gendh.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-gendh.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-gendh.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-gendh.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-gendh.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
-gendsa.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-gendsa.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-gendsa.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-gendsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-gendsa.o: ../include/openssl/des.h ../include/openssl/dh.h
-gendsa.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-gendsa.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+gendh.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+gendh.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+gendh.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+gendh.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+gendh.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+gendh.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+gendh.o: ../include/openssl/sha.h ../include/openssl/stack.h
+gendh.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+gendh.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+gendh.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h gendh.c
+gendsa.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+gendsa.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+gendsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+gendsa.o: ../include/openssl/cast.h ../include/openssl/conf.h
+gendsa.o: ../include/openssl/crypto.h ../include/openssl/des.h
+gendsa.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+gendsa.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+gendsa.o: ../include/openssl/engine.h ../include/openssl/err.h
 gendsa.o: ../include/openssl/evp.h ../include/openssl/idea.h
 gendsa.o: ../include/openssl/lhash.h ../include/openssl/md2.h
 gendsa.o: ../include/openssl/md4.h ../include/openssl/md5.h
 gendsa.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
 gendsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-gendsa.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-gendsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+gendsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+gendsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+gendsa.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 gendsa.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 gendsa.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
 gendsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 gendsa.o: ../include/openssl/sha.h ../include/openssl/stack.h
-gendsa.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
-gendsa.o: ../include/openssl/x509_vfy.h apps.h
-genrsa.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-genrsa.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-genrsa.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-genrsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-genrsa.o: ../include/openssl/des.h ../include/openssl/dh.h
-genrsa.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-genrsa.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+gendsa.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+gendsa.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+gendsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+gendsa.o: gendsa.c
+genrsa.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+genrsa.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+genrsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+genrsa.o: ../include/openssl/cast.h ../include/openssl/conf.h
+genrsa.o: ../include/openssl/crypto.h ../include/openssl/des.h
+genrsa.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+genrsa.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+genrsa.o: ../include/openssl/engine.h ../include/openssl/err.h
 genrsa.o: ../include/openssl/evp.h ../include/openssl/idea.h
 genrsa.o: ../include/openssl/lhash.h ../include/openssl/md2.h
 genrsa.o: ../include/openssl/md4.h ../include/openssl/md5.h
 genrsa.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
 genrsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-genrsa.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-genrsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+genrsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+genrsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+genrsa.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 genrsa.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 genrsa.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
 genrsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 genrsa.o: ../include/openssl/sha.h ../include/openssl/stack.h
-genrsa.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
-genrsa.o: ../include/openssl/x509_vfy.h apps.h
-nseq.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-nseq.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-nseq.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-nseq.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-nseq.o: ../include/openssl/des.h ../include/openssl/dh.h
-nseq.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-nseq.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+genrsa.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+genrsa.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+genrsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+genrsa.o: genrsa.c
+nseq.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+nseq.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+nseq.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+nseq.o: ../include/openssl/cast.h ../include/openssl/conf.h
+nseq.o: ../include/openssl/crypto.h ../include/openssl/des.h
+nseq.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+nseq.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+nseq.o: ../include/openssl/engine.h ../include/openssl/err.h
 nseq.o: ../include/openssl/evp.h ../include/openssl/idea.h
 nseq.o: ../include/openssl/lhash.h ../include/openssl/md2.h
 nseq.o: ../include/openssl/md4.h ../include/openssl/md5.h
 nseq.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
 nseq.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-nseq.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-nseq.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+nseq.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+nseq.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+nseq.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 nseq.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 nseq.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
 nseq.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 nseq.o: ../include/openssl/sha.h ../include/openssl/stack.h
-nseq.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
-nseq.o: ../include/openssl/x509_vfy.h apps.h
-openssl.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-openssl.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-openssl.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-openssl.o: ../include/openssl/comp.h ../include/openssl/conf.h
-openssl.o: ../include/openssl/crypto.h ../include/openssl/des.h
+nseq.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+nseq.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+nseq.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h nseq.c
+ocsp.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+ocsp.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+ocsp.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+ocsp.o: ../include/openssl/cast.h ../include/openssl/comp.h
+ocsp.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+ocsp.o: ../include/openssl/des.h ../include/openssl/des_old.h
+ocsp.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+ocsp.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+ocsp.o: ../include/openssl/err.h ../include/openssl/evp.h
+ocsp.o: ../include/openssl/idea.h ../include/openssl/kssl.h
+ocsp.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+ocsp.o: ../include/openssl/md4.h ../include/openssl/md5.h
+ocsp.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+ocsp.o: ../include/openssl/objects.h ../include/openssl/ocsp.h
+ocsp.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+ocsp.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
+ocsp.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+ocsp.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+ocsp.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+ocsp.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+ocsp.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+ocsp.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
+ocsp.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
+ocsp.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+ocsp.o: ../include/openssl/tls1.h ../include/openssl/txt_db.h
+ocsp.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+ocsp.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+ocsp.o: ../include/openssl/x509v3.h apps.h ocsp.c
+openssl.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+openssl.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+openssl.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+openssl.o: ../include/openssl/cast.h ../include/openssl/comp.h
+openssl.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+openssl.o: ../include/openssl/des.h ../include/openssl/des_old.h
 openssl.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-openssl.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+openssl.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
 openssl.o: ../include/openssl/err.h ../include/openssl/evp.h
-openssl.o: ../include/openssl/idea.h ../include/openssl/lhash.h
-openssl.o: ../include/openssl/md2.h ../include/openssl/md4.h
-openssl.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-openssl.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-openssl.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+openssl.o: ../include/openssl/idea.h ../include/openssl/kssl.h
+openssl.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+openssl.o: ../include/openssl/md4.h ../include/openssl/md5.h
+openssl.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+openssl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+openssl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 openssl.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-openssl.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-openssl.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-openssl.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-openssl.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-openssl.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-openssl.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-openssl.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-openssl.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-openssl.o: ../include/openssl/x509_vfy.h apps.h progs.h s_apps.h
-passwd.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-passwd.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-passwd.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-passwd.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-passwd.o: ../include/openssl/des.h ../include/openssl/dh.h
-passwd.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-passwd.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+openssl.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+openssl.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+openssl.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+openssl.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+openssl.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+openssl.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+openssl.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+openssl.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+openssl.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
+openssl.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+openssl.o: ../include/openssl/x509_vfy.h apps.h openssl.c progs.h s_apps.h
+passwd.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+passwd.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+passwd.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+passwd.o: ../include/openssl/cast.h ../include/openssl/conf.h
+passwd.o: ../include/openssl/crypto.h ../include/openssl/des.h
+passwd.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+passwd.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+passwd.o: ../include/openssl/engine.h ../include/openssl/err.h
 passwd.o: ../include/openssl/evp.h ../include/openssl/idea.h
 passwd.o: ../include/openssl/lhash.h ../include/openssl/md2.h
 passwd.o: ../include/openssl/md4.h ../include/openssl/md5.h
 passwd.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
 passwd.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-passwd.o: ../include/openssl/opensslv.h ../include/openssl/pkcs7.h
-passwd.o: ../include/openssl/rand.h ../include/openssl/rc2.h
-passwd.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-passwd.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-passwd.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-passwd.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+passwd.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+passwd.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+passwd.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+passwd.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+passwd.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+passwd.o: ../include/openssl/sha.h ../include/openssl/stack.h
+passwd.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+passwd.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
 passwd.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
-pkcs12.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-pkcs12.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-pkcs12.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-pkcs12.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-pkcs12.o: ../include/openssl/des.h ../include/openssl/dh.h
-pkcs12.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-pkcs12.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+passwd.o: passwd.c
+pkcs12.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+pkcs12.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+pkcs12.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+pkcs12.o: ../include/openssl/cast.h ../include/openssl/conf.h
+pkcs12.o: ../include/openssl/crypto.h ../include/openssl/des.h
+pkcs12.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+pkcs12.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+pkcs12.o: ../include/openssl/engine.h ../include/openssl/err.h
 pkcs12.o: ../include/openssl/evp.h ../include/openssl/idea.h
 pkcs12.o: ../include/openssl/lhash.h ../include/openssl/md2.h
 pkcs12.o: ../include/openssl/md4.h ../include/openssl/md5.h
 pkcs12.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
 pkcs12.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-pkcs12.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-pkcs12.o: ../include/openssl/pem2.h ../include/openssl/pkcs12.h
-pkcs12.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+pkcs12.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+pkcs12.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+pkcs12.o: ../include/openssl/pkcs12.h ../include/openssl/pkcs7.h
+pkcs12.o: ../include/openssl/rand.h ../include/openssl/rc2.h
 pkcs12.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
 pkcs12.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
 pkcs12.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 pkcs12.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-pkcs12.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
-pkcs7.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-pkcs7.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-pkcs7.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-pkcs7.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-pkcs7.o: ../include/openssl/des.h ../include/openssl/dh.h
-pkcs7.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-pkcs7.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+pkcs12.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
+pkcs12.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+pkcs12.o: ../include/openssl/x509_vfy.h apps.h pkcs12.c
+pkcs7.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+pkcs7.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+pkcs7.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+pkcs7.o: ../include/openssl/cast.h ../include/openssl/conf.h
+pkcs7.o: ../include/openssl/crypto.h ../include/openssl/des.h
+pkcs7.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+pkcs7.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+pkcs7.o: ../include/openssl/engine.h ../include/openssl/err.h
 pkcs7.o: ../include/openssl/evp.h ../include/openssl/idea.h
 pkcs7.o: ../include/openssl/lhash.h ../include/openssl/md2.h
 pkcs7.o: ../include/openssl/md4.h ../include/openssl/md5.h
 pkcs7.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
 pkcs7.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-pkcs7.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-pkcs7.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+pkcs7.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+pkcs7.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+pkcs7.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 pkcs7.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 pkcs7.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
 pkcs7.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 pkcs7.o: ../include/openssl/sha.h ../include/openssl/stack.h
-pkcs7.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
-pkcs7.o: ../include/openssl/x509_vfy.h apps.h
-pkcs8.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-pkcs8.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-pkcs8.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-pkcs8.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-pkcs8.o: ../include/openssl/des.h ../include/openssl/dh.h
-pkcs8.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-pkcs8.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+pkcs7.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+pkcs7.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+pkcs7.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h pkcs7.c
+pkcs8.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+pkcs8.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+pkcs8.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+pkcs8.o: ../include/openssl/cast.h ../include/openssl/conf.h
+pkcs8.o: ../include/openssl/crypto.h ../include/openssl/des.h
+pkcs8.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+pkcs8.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+pkcs8.o: ../include/openssl/engine.h ../include/openssl/err.h
 pkcs8.o: ../include/openssl/evp.h ../include/openssl/idea.h
 pkcs8.o: ../include/openssl/lhash.h ../include/openssl/md2.h
 pkcs8.o: ../include/openssl/md4.h ../include/openssl/md5.h
 pkcs8.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
 pkcs8.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-pkcs8.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-pkcs8.o: ../include/openssl/pem2.h ../include/openssl/pkcs12.h
-pkcs8.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
+pkcs8.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+pkcs8.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+pkcs8.o: ../include/openssl/pkcs12.h ../include/openssl/pkcs7.h
+pkcs8.o: ../include/openssl/rand.h ../include/openssl/rc2.h
 pkcs8.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
 pkcs8.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
 pkcs8.o: ../include/openssl/safestack.h ../include/openssl/sha.h
 pkcs8.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-pkcs8.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
-rand.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-rand.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-rand.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-rand.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-rand.o: ../include/openssl/des.h ../include/openssl/dh.h
-rand.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-rand.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+pkcs8.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
+pkcs8.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+pkcs8.o: ../include/openssl/x509_vfy.h apps.h pkcs8.c
+rand.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+rand.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+rand.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+rand.o: ../include/openssl/cast.h ../include/openssl/conf.h
+rand.o: ../include/openssl/crypto.h ../include/openssl/des.h
+rand.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+rand.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+rand.o: ../include/openssl/engine.h ../include/openssl/err.h
 rand.o: ../include/openssl/evp.h ../include/openssl/idea.h
 rand.o: ../include/openssl/lhash.h ../include/openssl/md2.h
 rand.o: ../include/openssl/md4.h ../include/openssl/md5.h
 rand.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
 rand.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-rand.o: ../include/openssl/opensslv.h ../include/openssl/pkcs7.h
-rand.o: ../include/openssl/rand.h ../include/openssl/rc2.h
-rand.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-rand.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-rand.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-rand.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-rand.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+rand.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+rand.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+rand.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+rand.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+rand.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+rand.o: ../include/openssl/sha.h ../include/openssl/stack.h
+rand.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+rand.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+rand.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h rand.c
+req.o: ../crypto/cryptlib.h ../e_os.h ../include/openssl/aes.h
 req.o: ../include/openssl/asn1.h ../include/openssl/bio.h
 req.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
 req.o: ../include/openssl/buffer.h ../include/openssl/cast.h
 req.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-req.o: ../include/openssl/des.h ../include/openssl/dh.h
-req.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-req.o: ../include/openssl/e_os2.h ../include/openssl/err.h
-req.o: ../include/openssl/evp.h ../include/openssl/idea.h
-req.o: ../include/openssl/lhash.h ../include/openssl/md2.h
-req.o: ../include/openssl/md4.h ../include/openssl/md5.h
-req.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
-req.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-req.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
+req.o: ../include/openssl/des.h ../include/openssl/des_old.h
+req.o: ../include/openssl/dh.h ../include/openssl/dsa.h
+req.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+req.o: ../include/openssl/err.h ../include/openssl/evp.h
+req.o: ../include/openssl/idea.h ../include/openssl/lhash.h
+req.o: ../include/openssl/md2.h ../include/openssl/md4.h
+req.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
+req.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
+req.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+req.o: ../include/openssl/ossl_typ.h ../include/openssl/pem.h
 req.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
-req.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-req.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-req.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-req.o: ../include/openssl/sha.h ../include/openssl/stack.h
-req.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
-req.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-rsa.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-rsa.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-rsa.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-rsa.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-rsa.o: ../include/openssl/des.h ../include/openssl/dh.h
-rsa.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-rsa.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+req.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+req.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+req.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+req.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+req.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+req.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
+req.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+req.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h req.c
+rsa.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+rsa.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+rsa.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+rsa.o: ../include/openssl/cast.h ../include/openssl/conf.h
+rsa.o: ../include/openssl/crypto.h ../include/openssl/des.h
+rsa.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+rsa.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+rsa.o: ../include/openssl/engine.h ../include/openssl/err.h
 rsa.o: ../include/openssl/evp.h ../include/openssl/idea.h
 rsa.o: ../include/openssl/lhash.h ../include/openssl/md2.h
 rsa.o: ../include/openssl/md4.h ../include/openssl/md5.h
 rsa.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
 rsa.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-rsa.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-rsa.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+rsa.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+rsa.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+rsa.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 rsa.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 rsa.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
 rsa.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 rsa.o: ../include/openssl/sha.h ../include/openssl/stack.h
-rsa.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
-rsa.o: ../include/openssl/x509_vfy.h apps.h
-rsautl.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-rsautl.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-rsautl.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-rsautl.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-rsautl.o: ../include/openssl/des.h ../include/openssl/dh.h
-rsautl.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-rsautl.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+rsa.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+rsa.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+rsa.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h rsa.c
+rsautl.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+rsautl.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+rsautl.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+rsautl.o: ../include/openssl/cast.h ../include/openssl/conf.h
+rsautl.o: ../include/openssl/crypto.h ../include/openssl/des.h
+rsautl.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+rsautl.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+rsautl.o: ../include/openssl/engine.h ../include/openssl/err.h
 rsautl.o: ../include/openssl/evp.h ../include/openssl/idea.h
 rsautl.o: ../include/openssl/lhash.h ../include/openssl/md2.h
 rsautl.o: ../include/openssl/md4.h ../include/openssl/md5.h
 rsautl.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
 rsautl.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-rsautl.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-rsautl.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+rsautl.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+rsautl.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+rsautl.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 rsautl.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 rsautl.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
 rsautl.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 rsautl.o: ../include/openssl/sha.h ../include/openssl/stack.h
-rsautl.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
-rsautl.o: ../include/openssl/x509_vfy.h apps.h
-s_cb.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-s_cb.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-s_cb.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-s_cb.o: ../include/openssl/comp.h ../include/openssl/conf.h
-s_cb.o: ../include/openssl/crypto.h ../include/openssl/des.h
+rsautl.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+rsautl.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+rsautl.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
+rsautl.o: rsautl.c
+s_cb.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+s_cb.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s_cb.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+s_cb.o: ../include/openssl/cast.h ../include/openssl/comp.h
+s_cb.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+s_cb.o: ../include/openssl/des.h ../include/openssl/des_old.h
 s_cb.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-s_cb.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+s_cb.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
 s_cb.o: ../include/openssl/err.h ../include/openssl/evp.h
-s_cb.o: ../include/openssl/idea.h ../include/openssl/lhash.h
-s_cb.o: ../include/openssl/md2.h ../include/openssl/md4.h
-s_cb.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-s_cb.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s_cb.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s_cb.o: ../include/openssl/idea.h ../include/openssl/kssl.h
+s_cb.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s_cb.o: ../include/openssl/md4.h ../include/openssl/md5.h
+s_cb.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+s_cb.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s_cb.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 s_cb.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s_cb.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-s_cb.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-s_cb.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-s_cb.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s_cb.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s_cb.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s_cb.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s_cb.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-s_cb.o: ../include/openssl/x509_vfy.h apps.h s_apps.h
-s_client.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-s_client.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-s_client.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-s_client.o: ../include/openssl/comp.h ../include/openssl/conf.h
-s_client.o: ../include/openssl/crypto.h ../include/openssl/des.h
+s_cb.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+s_cb.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s_cb.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s_cb.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s_cb.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s_cb.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s_cb.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s_cb.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s_cb.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
+s_cb.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+s_cb.o: ../include/openssl/x509_vfy.h apps.h s_apps.h s_cb.c
+s_client.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+s_client.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s_client.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+s_client.o: ../include/openssl/cast.h ../include/openssl/comp.h
+s_client.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+s_client.o: ../include/openssl/des.h ../include/openssl/des_old.h
 s_client.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-s_client.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+s_client.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
 s_client.o: ../include/openssl/err.h ../include/openssl/evp.h
-s_client.o: ../include/openssl/idea.h ../include/openssl/lhash.h
-s_client.o: ../include/openssl/md2.h ../include/openssl/md4.h
-s_client.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-s_client.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s_client.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s_client.o: ../include/openssl/idea.h ../include/openssl/kssl.h
+s_client.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s_client.o: ../include/openssl/md4.h ../include/openssl/md5.h
+s_client.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+s_client.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s_client.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 s_client.o: ../include/openssl/pem.h ../include/openssl/pem2.h
 s_client.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 s_client.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
@@ -714,21 +888,24 @@ s_client.o: ../include/openssl/sha.h ../include/openssl/ssl.h
 s_client.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
 s_client.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
 s_client.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s_client.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
-s_client.o: s_apps.h
-s_server.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-s_server.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-s_server.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-s_server.o: ../include/openssl/comp.h ../include/openssl/conf.h
-s_server.o: ../include/openssl/crypto.h ../include/openssl/des.h
+s_client.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
+s_client.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+s_client.o: ../include/openssl/x509_vfy.h apps.h s_apps.h s_client.c
+s_server.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+s_server.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s_server.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+s_server.o: ../include/openssl/cast.h ../include/openssl/comp.h
+s_server.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+s_server.o: ../include/openssl/des.h ../include/openssl/des_old.h
 s_server.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-s_server.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+s_server.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
 s_server.o: ../include/openssl/err.h ../include/openssl/evp.h
-s_server.o: ../include/openssl/idea.h ../include/openssl/lhash.h
-s_server.o: ../include/openssl/md2.h ../include/openssl/md4.h
-s_server.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-s_server.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s_server.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s_server.o: ../include/openssl/idea.h ../include/openssl/kssl.h
+s_server.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s_server.o: ../include/openssl/md4.h ../include/openssl/md5.h
+s_server.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+s_server.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s_server.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 s_server.o: ../include/openssl/pem.h ../include/openssl/pem2.h
 s_server.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 s_server.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
@@ -738,22 +915,26 @@ s_server.o: ../include/openssl/sha.h ../include/openssl/ssl.h
 s_server.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
 s_server.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
 s_server.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s_server.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
-s_server.o: s_apps.h
-s_socket.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-s_socket.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-s_socket.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-s_socket.o: ../include/openssl/comp.h ../include/openssl/conf.h
-s_socket.o: ../include/openssl/crypto.h ../include/openssl/des.h
+s_server.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
+s_server.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+s_server.o: ../include/openssl/x509_vfy.h apps.h s_apps.h s_server.c
+s_socket.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+s_socket.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s_socket.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+s_socket.o: ../include/openssl/cast.h ../include/openssl/comp.h
+s_socket.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+s_socket.o: ../include/openssl/des.h ../include/openssl/des_old.h
 s_socket.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-s_socket.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
-s_socket.o: ../include/openssl/evp.h ../include/openssl/idea.h
+s_socket.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
+s_socket.o: ../include/openssl/err.h ../include/openssl/evp.h
+s_socket.o: ../include/openssl/idea.h ../include/openssl/kssl.h
 s_socket.o: ../include/openssl/lhash.h ../include/openssl/md2.h
 s_socket.o: ../include/openssl/md4.h ../include/openssl/md5.h
 s_socket.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
 s_socket.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-s_socket.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-s_socket.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+s_socket.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+s_socket.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+s_socket.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 s_socket.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 s_socket.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
 s_socket.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
@@ -761,169 +942,200 @@ s_socket.o: ../include/openssl/sha.h ../include/openssl/ssl.h
 s_socket.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
 s_socket.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
 s_socket.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
-s_socket.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
-s_socket.o: s_apps.h
-s_time.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-s_time.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-s_time.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-s_time.o: ../include/openssl/comp.h ../include/openssl/conf.h
-s_time.o: ../include/openssl/crypto.h ../include/openssl/des.h
+s_socket.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
+s_socket.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+s_socket.o: ../include/openssl/x509_vfy.h apps.h s_apps.h s_socket.c
+s_time.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+s_time.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+s_time.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+s_time.o: ../include/openssl/cast.h ../include/openssl/comp.h
+s_time.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+s_time.o: ../include/openssl/des.h ../include/openssl/des_old.h
 s_time.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-s_time.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+s_time.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
 s_time.o: ../include/openssl/err.h ../include/openssl/evp.h
-s_time.o: ../include/openssl/idea.h ../include/openssl/lhash.h
-s_time.o: ../include/openssl/md2.h ../include/openssl/md4.h
-s_time.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-s_time.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-s_time.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+s_time.o: ../include/openssl/idea.h ../include/openssl/kssl.h
+s_time.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+s_time.o: ../include/openssl/md4.h ../include/openssl/md5.h
+s_time.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+s_time.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+s_time.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 s_time.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-s_time.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-s_time.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-s_time.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-s_time.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-s_time.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-s_time.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-s_time.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-s_time.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-s_time.o: ../include/openssl/x509_vfy.h apps.h s_apps.h
-sess_id.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-sess_id.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-sess_id.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-sess_id.o: ../include/openssl/comp.h ../include/openssl/conf.h
-sess_id.o: ../include/openssl/crypto.h ../include/openssl/des.h
+s_time.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+s_time.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+s_time.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+s_time.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+s_time.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+s_time.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+s_time.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+s_time.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+s_time.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
+s_time.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+s_time.o: ../include/openssl/x509_vfy.h apps.h s_apps.h s_time.c
+sess_id.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+sess_id.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+sess_id.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+sess_id.o: ../include/openssl/cast.h ../include/openssl/comp.h
+sess_id.o: ../include/openssl/conf.h ../include/openssl/crypto.h
+sess_id.o: ../include/openssl/des.h ../include/openssl/des_old.h
 sess_id.o: ../include/openssl/dh.h ../include/openssl/dsa.h
-sess_id.o: ../include/openssl/e_os.h ../include/openssl/e_os2.h
+sess_id.o: ../include/openssl/e_os2.h ../include/openssl/engine.h
 sess_id.o: ../include/openssl/err.h ../include/openssl/evp.h
-sess_id.o: ../include/openssl/idea.h ../include/openssl/lhash.h
-sess_id.o: ../include/openssl/md2.h ../include/openssl/md4.h
-sess_id.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-sess_id.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-sess_id.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
+sess_id.o: ../include/openssl/idea.h ../include/openssl/kssl.h
+sess_id.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+sess_id.o: ../include/openssl/md4.h ../include/openssl/md5.h
+sess_id.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+sess_id.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+sess_id.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
 sess_id.o: ../include/openssl/pem.h ../include/openssl/pem2.h
-sess_id.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-sess_id.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-sess_id.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-sess_id.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-sess_id.o: ../include/openssl/ssl.h ../include/openssl/ssl2.h
-sess_id.o: ../include/openssl/ssl23.h ../include/openssl/ssl3.h
-sess_id.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
-sess_id.o: ../include/openssl/tls1.h ../include/openssl/x509.h
-sess_id.o: ../include/openssl/x509_vfy.h apps.h
-smime.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-smime.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-smime.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-smime.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-smime.o: ../include/openssl/des.h ../include/openssl/dh.h
-smime.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-smime.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+sess_id.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+sess_id.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+sess_id.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+sess_id.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+sess_id.o: ../include/openssl/sha.h ../include/openssl/ssl.h
+sess_id.o: ../include/openssl/ssl2.h ../include/openssl/ssl23.h
+sess_id.o: ../include/openssl/ssl3.h ../include/openssl/stack.h
+sess_id.o: ../include/openssl/symhacks.h ../include/openssl/tls1.h
+sess_id.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
+sess_id.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+sess_id.o: ../include/openssl/x509_vfy.h apps.h sess_id.c
+smime.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+smime.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+smime.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+smime.o: ../include/openssl/cast.h ../include/openssl/conf.h
+smime.o: ../include/openssl/crypto.h ../include/openssl/des.h
+smime.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+smime.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+smime.o: ../include/openssl/engine.h ../include/openssl/err.h
 smime.o: ../include/openssl/evp.h ../include/openssl/idea.h
 smime.o: ../include/openssl/lhash.h ../include/openssl/md2.h
 smime.o: ../include/openssl/md4.h ../include/openssl/md5.h
 smime.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
 smime.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-smime.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-smime.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+smime.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+smime.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+smime.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 smime.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 smime.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
 smime.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 smime.o: ../include/openssl/sha.h ../include/openssl/stack.h
-smime.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
-smime.o: ../include/openssl/x509_vfy.h apps.h
-speed.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-speed.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-speed.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-speed.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-speed.o: ../include/openssl/des.h ../include/openssl/dh.h
-speed.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-speed.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+smime.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+smime.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+smime.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h smime.c
+speed.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+speed.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+speed.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+speed.o: ../include/openssl/cast.h ../include/openssl/conf.h
+speed.o: ../include/openssl/crypto.h ../include/openssl/des.h
+speed.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+speed.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+speed.o: ../include/openssl/engine.h ../include/openssl/err.h
 speed.o: ../include/openssl/evp.h ../include/openssl/hmac.h
 speed.o: ../include/openssl/idea.h ../include/openssl/lhash.h
 speed.o: ../include/openssl/md2.h ../include/openssl/md4.h
 speed.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
 speed.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
 speed.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-speed.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
-speed.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
-speed.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
-speed.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
-speed.o: ../include/openssl/sha.h ../include/openssl/stack.h
-speed.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
-speed.o: ../include/openssl/x509_vfy.h ./testdsa.h ./testrsa.h apps.h
-spkac.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-spkac.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-spkac.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-spkac.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-spkac.o: ../include/openssl/des.h ../include/openssl/dh.h
-spkac.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-spkac.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+speed.o: ../include/openssl/ossl_typ.h ../include/openssl/pkcs7.h
+speed.o: ../include/openssl/rand.h ../include/openssl/rc2.h
+speed.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
+speed.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
+speed.o: ../include/openssl/safestack.h ../include/openssl/sha.h
+speed.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+speed.o: ../include/openssl/txt_db.h ../include/openssl/ui.h
+speed.o: ../include/openssl/ui_compat.h ../include/openssl/x509.h
+speed.o: ../include/openssl/x509_vfy.h apps.h speed.c testdsa.h testrsa.h
+spkac.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+spkac.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+spkac.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+spkac.o: ../include/openssl/cast.h ../include/openssl/conf.h
+spkac.o: ../include/openssl/crypto.h ../include/openssl/des.h
+spkac.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+spkac.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+spkac.o: ../include/openssl/engine.h ../include/openssl/err.h
 spkac.o: ../include/openssl/evp.h ../include/openssl/idea.h
 spkac.o: ../include/openssl/lhash.h ../include/openssl/md2.h
 spkac.o: ../include/openssl/md4.h ../include/openssl/md5.h
 spkac.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
 spkac.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-spkac.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-spkac.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+spkac.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+spkac.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+spkac.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 spkac.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 spkac.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
 spkac.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 spkac.o: ../include/openssl/sha.h ../include/openssl/stack.h
-spkac.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
-spkac.o: ../include/openssl/x509_vfy.h apps.h
-verify.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-verify.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-verify.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-verify.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-verify.o: ../include/openssl/des.h ../include/openssl/dh.h
-verify.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-verify.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+spkac.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+spkac.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+spkac.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h spkac.c
+verify.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+verify.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+verify.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+verify.o: ../include/openssl/cast.h ../include/openssl/conf.h
+verify.o: ../include/openssl/crypto.h ../include/openssl/des.h
+verify.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+verify.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+verify.o: ../include/openssl/engine.h ../include/openssl/err.h
 verify.o: ../include/openssl/evp.h ../include/openssl/idea.h
 verify.o: ../include/openssl/lhash.h ../include/openssl/md2.h
 verify.o: ../include/openssl/md4.h ../include/openssl/md5.h
 verify.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
 verify.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-verify.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-verify.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+verify.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+verify.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+verify.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 verify.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 verify.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
 verify.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 verify.o: ../include/openssl/sha.h ../include/openssl/stack.h
-verify.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
-verify.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
-version.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-version.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-version.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-version.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-version.o: ../include/openssl/des.h ../include/openssl/dh.h
-version.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-version.o: ../include/openssl/e_os2.h ../include/openssl/evp.h
-version.o: ../include/openssl/idea.h ../include/openssl/lhash.h
-version.o: ../include/openssl/md2.h ../include/openssl/md4.h
-version.o: ../include/openssl/md5.h ../include/openssl/mdc2.h
-version.o: ../include/openssl/obj_mac.h ../include/openssl/objects.h
-version.o: ../include/openssl/opensslconf.h ../include/openssl/opensslv.h
-version.o: ../include/openssl/pkcs7.h ../include/openssl/rc2.h
-version.o: ../include/openssl/rc4.h ../include/openssl/rc5.h
-version.o: ../include/openssl/ripemd.h ../include/openssl/rsa.h
-version.o: ../include/openssl/safestack.h ../include/openssl/sha.h
-version.o: ../include/openssl/stack.h ../include/openssl/symhacks.h
+verify.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+verify.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+verify.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+verify.o: ../include/openssl/x509v3.h apps.h verify.c
+version.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+version.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+version.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+version.o: ../include/openssl/cast.h ../include/openssl/conf.h
+version.o: ../include/openssl/crypto.h ../include/openssl/des.h
+version.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+version.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+version.o: ../include/openssl/engine.h ../include/openssl/err.h
+version.o: ../include/openssl/evp.h ../include/openssl/idea.h
+version.o: ../include/openssl/lhash.h ../include/openssl/md2.h
+version.o: ../include/openssl/md4.h ../include/openssl/md5.h
+version.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
+version.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
+version.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+version.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
+version.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
+version.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
+version.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
+version.o: ../include/openssl/sha.h ../include/openssl/stack.h
+version.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+version.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
 version.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h apps.h
-x509.o: ../include/openssl/asn1.h ../include/openssl/bio.h
-x509.o: ../include/openssl/blowfish.h ../include/openssl/bn.h
-x509.o: ../include/openssl/buffer.h ../include/openssl/cast.h
-x509.o: ../include/openssl/conf.h ../include/openssl/crypto.h
-x509.o: ../include/openssl/des.h ../include/openssl/dh.h
-x509.o: ../include/openssl/dsa.h ../include/openssl/e_os.h
-x509.o: ../include/openssl/e_os2.h ../include/openssl/err.h
+version.o: version.c
+x509.o: ../e_os.h ../include/openssl/aes.h ../include/openssl/asn1.h
+x509.o: ../include/openssl/bio.h ../include/openssl/blowfish.h
+x509.o: ../include/openssl/bn.h ../include/openssl/buffer.h
+x509.o: ../include/openssl/cast.h ../include/openssl/conf.h
+x509.o: ../include/openssl/crypto.h ../include/openssl/des.h
+x509.o: ../include/openssl/des_old.h ../include/openssl/dh.h
+x509.o: ../include/openssl/dsa.h ../include/openssl/e_os2.h
+x509.o: ../include/openssl/engine.h ../include/openssl/err.h
 x509.o: ../include/openssl/evp.h ../include/openssl/idea.h
 x509.o: ../include/openssl/lhash.h ../include/openssl/md2.h
 x509.o: ../include/openssl/md4.h ../include/openssl/md5.h
 x509.o: ../include/openssl/mdc2.h ../include/openssl/obj_mac.h
 x509.o: ../include/openssl/objects.h ../include/openssl/opensslconf.h
-x509.o: ../include/openssl/opensslv.h ../include/openssl/pem.h
-x509.o: ../include/openssl/pem2.h ../include/openssl/pkcs7.h
+x509.o: ../include/openssl/opensslv.h ../include/openssl/ossl_typ.h
+x509.o: ../include/openssl/pem.h ../include/openssl/pem2.h
+x509.o: ../include/openssl/pkcs7.h ../include/openssl/rand.h
 x509.o: ../include/openssl/rc2.h ../include/openssl/rc4.h
 x509.o: ../include/openssl/rc5.h ../include/openssl/ripemd.h
 x509.o: ../include/openssl/rsa.h ../include/openssl/safestack.h
 x509.o: ../include/openssl/sha.h ../include/openssl/stack.h
-x509.o: ../include/openssl/symhacks.h ../include/openssl/x509.h
-x509.o: ../include/openssl/x509_vfy.h ../include/openssl/x509v3.h apps.h
+x509.o: ../include/openssl/symhacks.h ../include/openssl/txt_db.h
+x509.o: ../include/openssl/ui.h ../include/openssl/ui_compat.h
+x509.o: ../include/openssl/x509.h ../include/openssl/x509_vfy.h
+x509.o: ../include/openssl/x509v3.h apps.h x509.c
diff --git a/crypto/openssl/apps/app_rand.c b/crypto/openssl/apps/app_rand.c
index 8a78e12eb732..b7b6128c1eb9 100644
--- a/crypto/openssl/apps/app_rand.c
+++ b/crypto/openssl/apps/app_rand.c
@@ -124,7 +124,7 @@ int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn)
 	int consider_randfile = (file == NULL);
 	char buffer[200];
 	
-#ifdef WINDOWS
+#ifdef OPENSSL_SYS_WINDOWS
 	BIO_printf(bio_e,"Loading 'screen' into random state -");
 	BIO_flush(bio_e);
 	RAND_screen();
@@ -142,18 +142,21 @@ int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn)
 		}
 	if (file == NULL || !RAND_load_file(file, -1))
 		{
-		if (RAND_status() == 0 && !dont_warn)
+		if (RAND_status() == 0)
 			{
-			BIO_printf(bio_e,"unable to load 'random state'\n");
-			BIO_printf(bio_e,"This means that the random number generator has not been seeded\n");
-			BIO_printf(bio_e,"with much random data.\n");
-			if (consider_randfile) /* explanation does not apply when a file is explicitly named */
+			if (!dont_warn)
 				{
-				BIO_printf(bio_e,"Consider setting the RANDFILE environment variable to point at a file that\n");
-				BIO_printf(bio_e,"'random' data can be kept in (the file will be overwritten).\n");
+				BIO_printf(bio_e,"unable to load 'random state'\n");
+				BIO_printf(bio_e,"This means that the random number generator has not been seeded\n");
+				BIO_printf(bio_e,"with much random data.\n");
+				if (consider_randfile) /* explanation does not apply when a file is explicitly named */
+					{
+					BIO_printf(bio_e,"Consider setting the RANDFILE environment variable to point at a file that\n");
+					BIO_printf(bio_e,"'random' data can be kept in (the file will be overwritten).\n");
+					}
 				}
+			return 0;
 			}
-		return 0;
 		}
 	seeded = 1;
 	return 1;
diff --git a/crypto/openssl/apps/apps.c b/crypto/openssl/apps/apps.c
index 618e34c084e0..4a8c9263a7cc 100644
--- a/crypto/openssl/apps/apps.c
+++ b/crypto/openssl/apps/apps.c
@@ -55,25 +55,111 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
 
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <sys/types.h>
 #include <sys/stat.h>
-#define NON_MAIN
-#include "apps.h"
-#undef NON_MAIN
+#include <ctype.h>
 #include <openssl/err.h>
 #include <openssl/x509.h>
+#include <openssl/x509v3.h>
 #include <openssl/pem.h>
 #include <openssl/pkcs12.h>
+#include <openssl/ui.h>
 #include <openssl/safestack.h>
+#include <openssl/engine.h>
+
+#ifdef OPENSSL_SYS_WINDOWS
+#define strcasecmp _stricmp
+#else
+#  ifdef NO_STRINGS_H
+    int	strcasecmp();
+#  else
+#    include <strings.h>
+#  endif /* NO_STRINGS_H */
+#endif
 
-#ifdef WINDOWS
+#define NON_MAIN
+#include "apps.h"
+#undef NON_MAIN
+
+#ifdef OPENSSL_SYS_WINDOWS
 #  include "bss_file.c"
 #endif
 
+typedef struct {
+	char *name;
+	unsigned long flag;
+	unsigned long mask;
+} NAME_EX_TBL;
+
+static UI_METHOD *ui_method = NULL;
+
+static int set_table_opts(unsigned long *flags, const char *arg, const NAME_EX_TBL *in_tbl);
+static int set_multi_opts(unsigned long *flags, const char *arg, const NAME_EX_TBL *in_tbl);
+
+#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
+/* Looks like this stuff is worth moving into separate function */
+static EVP_PKEY *
+load_netscape_key(BIO *err, BIO *key, const char *file,
+		const char *key_descrip, int format);
+#endif
+
 int app_init(long mesgwin);
 #ifdef undef /* never finished - probably never will be :-) */
 int args_from_file(char *file, int *argc, char **argv[])
@@ -170,11 +256,13 @@ int str2fmt(char *s)
 		|| (strcmp(s,"PKCS12") == 0) || (strcmp(s,"pkcs12") == 0)
 		|| (strcmp(s,"P12") == 0) || (strcmp(s,"p12") == 0))
 		return(FORMAT_PKCS12);
+	else if ((*s == 'E') || (*s == 'e'))
+		return(FORMAT_ENGINE);
 	else
 		return(FORMAT_UNDEF);
 	}
 
-#if defined(MSDOS) || defined(WIN32) || defined(WIN16)
+#if defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_WIN16)
 void program_name(char *in, char *out, int size)
 	{
 	int i,n;
@@ -212,7 +300,7 @@ void program_name(char *in, char *out, int size)
 	out[n]='\0';
 	}
 #else
-#ifdef VMS
+#ifdef OPENSSL_SYS_VMS
 void program_name(char *in, char *out, int size)
 	{
 	char *p=in, *q;
@@ -249,28 +337,65 @@ void program_name(char *in, char *out, int size)
 		p++;
 	else
 		p=in;
-	strncpy(out,p,size-1);
-	out[size-1]='\0';
+	BUF_strlcpy(out,p,size);
 	}
 #endif
 #endif
 
-#ifdef WIN32
+#ifdef OPENSSL_SYS_WIN32
 int WIN32_rename(char *from, char *to)
 	{
-#ifdef WINNT
-	int ret;
-/* Note: MoveFileEx() doesn't work under Win95, Win98 */
-
-	ret=MoveFileEx(from,to,MOVEFILE_REPLACE_EXISTING|MOVEFILE_COPY_ALLOWED);
-	return(ret?0:-1);
+#ifndef OPENSSL_SYS_WINCE
+	/* Windows rename gives an error if 'to' exists, so delete it
+	 * first and ignore file not found errror
+	 */
+	if((remove(to) != 0) && (errno != ENOENT))
+		return -1;
+#undef rename
+	return rename(from, to);
 #else
-	unlink(to);
-	return MoveFile(from, to);
+	/* convert strings to UNICODE */
+	{
+	BOOL result = FALSE;
+	WCHAR* wfrom;
+	WCHAR* wto;
+	int i;
+	wfrom = malloc((strlen(from)+1)*2);
+	wto = malloc((strlen(to)+1)*2);
+	if (wfrom != NULL && wto != NULL)
+		{
+		for (i=0; i<(int)strlen(from)+1; i++)
+			wfrom[i] = (short)from[i];
+		for (i=0; i<(int)strlen(to)+1; i++)
+			wto[i] = (short)to[i];
+		result = MoveFile(wfrom, wto);
+		}
+	if (wfrom != NULL)
+		free(wfrom);
+	if (wto != NULL)
+		free(wto);
+	return result;
+	}
 #endif
 	}
 #endif
 
+#ifdef OPENSSL_SYS_VMS
+int VMS_strcasecmp(const char *str1, const char *str2)
+	{
+	while (*str1 && *str2)
+		{
+		int res = toupper(*str1) - toupper(*str2);
+		if (res) return res < 0 ? -1 : 1;
+		}
+	if (*str1)
+		return 1;
+	if (*str2)
+		return -1;
+	return 0;
+	}
+#endif
+
 int chopup_args(ARGS *arg, char *buf, int *argc, char **argv[])
 	{
 	int num,len,i;
@@ -346,18 +471,175 @@ int app_init(long mesgwin)
 
 int dump_cert_text (BIO *out, X509 *x)
 {
-	char buf[256];
-	X509_NAME_oneline(X509_get_subject_name(x),buf,256);
+	char *p;
+
+	p=X509_NAME_oneline(X509_get_subject_name(x),NULL,0);
 	BIO_puts(out,"subject=");
-	BIO_puts(out,buf);
+	BIO_puts(out,p);
+	OPENSSL_free(p);
 
-	X509_NAME_oneline(X509_get_issuer_name(x),buf,256);
-	BIO_puts(out,"\nissuer= ");
-	BIO_puts(out,buf);
+	p=X509_NAME_oneline(X509_get_issuer_name(x),NULL,0);
+	BIO_puts(out,"\nissuer=");
+	BIO_puts(out,p);
 	BIO_puts(out,"\n");
-        return 0;
+	OPENSSL_free(p);
+
+	return 0;
 }
 
+static int ui_open(UI *ui)
+	{
+	return UI_method_get_opener(UI_OpenSSL())(ui);
+	}
+static int ui_read(UI *ui, UI_STRING *uis)
+	{
+	if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD
+		&& UI_get0_user_data(ui))
+		{
+		switch(UI_get_string_type(uis))
+			{
+		case UIT_PROMPT:
+		case UIT_VERIFY:
+			{
+			const char *password =
+				((PW_CB_DATA *)UI_get0_user_data(ui))->password;
+			if (password[0] != '\0')
+				{
+				UI_set_result(ui, uis, password);
+				return 1;
+				}
+			}
+		default:
+			break;
+			}
+		}
+	return UI_method_get_reader(UI_OpenSSL())(ui, uis);
+	}
+static int ui_write(UI *ui, UI_STRING *uis)
+	{
+	if (UI_get_input_flags(uis) & UI_INPUT_FLAG_DEFAULT_PWD
+		&& UI_get0_user_data(ui))
+		{
+		switch(UI_get_string_type(uis))
+			{
+		case UIT_PROMPT:
+		case UIT_VERIFY:
+			{
+			const char *password =
+				((PW_CB_DATA *)UI_get0_user_data(ui))->password;
+			if (password[0] != '\0')
+				return 1;
+			}
+		default:
+			break;
+			}
+		}
+	return UI_method_get_writer(UI_OpenSSL())(ui, uis);
+	}
+static int ui_close(UI *ui)
+	{
+	return UI_method_get_closer(UI_OpenSSL())(ui);
+	}
+int setup_ui_method(void)
+	{
+	ui_method = UI_create_method("OpenSSL application user interface");
+	UI_method_set_opener(ui_method, ui_open);
+	UI_method_set_reader(ui_method, ui_read);
+	UI_method_set_writer(ui_method, ui_write);
+	UI_method_set_closer(ui_method, ui_close);
+	return 0;
+	}
+void destroy_ui_method(void)
+	{
+	if(ui_method)
+		{
+		UI_destroy_method(ui_method);
+		ui_method = NULL;
+		}
+	}
+int password_callback(char *buf, int bufsiz, int verify,
+	PW_CB_DATA *cb_tmp)
+	{
+	UI *ui = NULL;
+	int res = 0;
+	const char *prompt_info = NULL;
+	const char *password = NULL;
+	PW_CB_DATA *cb_data = (PW_CB_DATA *)cb_tmp;
+
+	if (cb_data)
+		{
+		if (cb_data->password)
+			password = cb_data->password;
+		if (cb_data->prompt_info)
+			prompt_info = cb_data->prompt_info;
+		}
+
+	if (password)
+		{
+		res = strlen(password);
+		if (res > bufsiz)
+			res = bufsiz;
+		memcpy(buf, password, res);
+		return res;
+		}
+
+	ui = UI_new_method(ui_method);
+	if (ui)
+		{
+		int ok = 0;
+		char *buff = NULL;
+		int ui_flags = 0;
+		char *prompt = NULL;
+
+		prompt = UI_construct_prompt(ui, "pass phrase",
+			cb_data->prompt_info);
+
+		ui_flags |= UI_INPUT_FLAG_DEFAULT_PWD;
+		UI_ctrl(ui, UI_CTRL_PRINT_ERRORS, 1, 0, 0);
+
+		if (ok >= 0)
+			ok = UI_add_input_string(ui,prompt,ui_flags,buf,
+				PW_MIN_LENGTH,BUFSIZ-1);
+		if (ok >= 0 && verify)
+			{
+			buff = (char *)OPENSSL_malloc(bufsiz);
+			ok = UI_add_verify_string(ui,prompt,ui_flags,buff,
+				PW_MIN_LENGTH,BUFSIZ-1, buf);
+			}
+		if (ok >= 0)
+			do
+				{
+				ok = UI_process(ui);
+				}
+			while (ok < 0 && UI_ctrl(ui, UI_CTRL_IS_REDOABLE, 0, 0, 0));
+
+		if (buff)
+			{
+			OPENSSL_cleanse(buff,(unsigned int)bufsiz);
+			OPENSSL_free(buff);
+			}
+
+		if (ok >= 0)
+			res = strlen(buf);
+		if (ok == -1)
+			{
+			BIO_printf(bio_err, "User interface error\n");
+			ERR_print_errors(bio_err);
+			OPENSSL_cleanse(buf,(unsigned int)bufsiz);
+			res = 0;
+			}
+		if (ok == -2)
+			{
+			BIO_printf(bio_err,"aborted!\n");
+			OPENSSL_cleanse(buf,(unsigned int)bufsiz);
+			res = 0;
+			}
+		UI_free(ui);
+		OPENSSL_free(prompt);
+		}
+	return res;
+	}
+
 static char *app_get_pass(BIO *err, char *arg, int keepbio);
 
 int app_passwd(BIO *err, char *arg1, char *arg2, char **pass1, char **pass2)
@@ -433,14 +715,18 @@ static char *app_get_pass(BIO *err, char *arg, int keepbio)
 	return BUF_strdup(tpass);
 }
 
-int add_oid_section(BIO *err, LHASH *conf)
+int add_oid_section(BIO *err, CONF *conf)
 {	
 	char *p;
 	STACK_OF(CONF_VALUE) *sktmp;
 	CONF_VALUE *cnf;
 	int i;
-	if(!(p=CONF_get_string(conf,NULL,"oid_section"))) return 1;
-	if(!(sktmp = CONF_get_section(conf, p))) {
+	if(!(p=NCONF_get_string(conf,NULL,"oid_section")))
+		{
+		ERR_clear_error();
+		return 1;
+		}
+	if(!(sktmp = NCONF_get_section(conf, p))) {
 		BIO_printf(err, "problem loading oid section %s\n", p);
 		return 0;
 	}
@@ -455,7 +741,8 @@ int add_oid_section(BIO *err, LHASH *conf)
 	return 1;
 }
 
-X509 *load_cert(BIO *err, char *file, int format)
+X509 *load_cert(BIO *err, const char *file, int format,
+	const char *pass, ENGINE *e, const char *cert_descrip)
 	{
 	ASN1_HEADER *ah=NULL;
 	BUF_MEM *buf=NULL;
@@ -469,12 +756,17 @@ X509 *load_cert(BIO *err, char *file, int format)
 		}
 
 	if (file == NULL)
+		{
+		setvbuf(stdin, NULL, _IONBF, 0);
 		BIO_set_fp(cert,stdin,BIO_NOCLOSE);
+		}
 	else
 		{
 		if (BIO_read_filename(cert,file) <= 0)
 			{
-			perror(file);
+			BIO_printf(err, "Error opening %s %s\n",
+				cert_descrip, file);
+			ERR_print_errors(err);
 			goto end;
 			}
 		}
@@ -525,7 +817,8 @@ X509 *load_cert(BIO *err, char *file, int format)
 		ah->data=NULL;
 		}
 	else if (format == FORMAT_PEM)
-		x=PEM_read_bio_X509_AUX(cert,NULL,NULL,NULL);
+		x=PEM_read_bio_X509_AUX(cert,NULL,
+			(pem_password_cb *)password_callback, NULL);
 	else if (format == FORMAT_PKCS12)
 		{
 		PKCS12 *p12 = d2i_PKCS12_bio(cert, NULL);
@@ -535,7 +828,8 @@ X509 *load_cert(BIO *err, char *file, int format)
 		p12 = NULL;
 		}
 	else	{
-		BIO_printf(err,"bad input format specified for input cert\n");
+		BIO_printf(err,"bad input format specified for %s\n",
+			cert_descrip);
 		goto end;
 		}
 end:
@@ -550,35 +844,62 @@ end:
 	return(x);
 	}
 
-EVP_PKEY *load_key(BIO *err, char *file, int format, char *pass)
+EVP_PKEY *load_key(BIO *err, const char *file, int format, int maybe_stdin,
+	const char *pass, ENGINE *e, const char *key_descrip)
 	{
 	BIO *key=NULL;
 	EVP_PKEY *pkey=NULL;
+	PW_CB_DATA cb_data;
 
-	if (file == NULL)
+	cb_data.password = pass;
+	cb_data.prompt_info = file;
+
+	if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE))
 		{
 		BIO_printf(err,"no keyfile specified\n");
 		goto end;
 		}
+	if (format == FORMAT_ENGINE)
+		{
+		if (!e)
+			BIO_printf(bio_err,"no engine specified\n");
+		else
+			pkey = ENGINE_load_private_key(e, file,
+				ui_method, &cb_data);
+		goto end;
+		}
 	key=BIO_new(BIO_s_file());
 	if (key == NULL)
 		{
 		ERR_print_errors(err);
 		goto end;
 		}
-	if (BIO_read_filename(key,file) <= 0)
+	if (file == NULL && maybe_stdin)
 		{
-		perror(file);
-		goto end;
+		setvbuf(stdin, NULL, _IONBF, 0);
+		BIO_set_fp(key,stdin,BIO_NOCLOSE);
 		}
+	else
+		if (BIO_read_filename(key,file) <= 0)
+			{
+			BIO_printf(err, "Error opening %s %s\n",
+				key_descrip, file);
+			ERR_print_errors(err);
+			goto end;
+			}
 	if (format == FORMAT_ASN1)
 		{
 		pkey=d2i_PrivateKey_bio(key, NULL);
 		}
 	else if (format == FORMAT_PEM)
 		{
-		pkey=PEM_read_bio_PrivateKey(key,NULL,NULL,pass);
+		pkey=PEM_read_bio_PrivateKey(key,NULL,
+			(pem_password_cb *)password_callback, &cb_data);
 		}
+#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
+	else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC)
+		pkey = load_netscape_key(err, key, file, key_descrip, format);
+#endif
 	else if (format == FORMAT_PKCS12)
 		{
 		PKCS12 *p12 = d2i_PKCS12_bio(key, NULL);
@@ -589,36 +910,58 @@ EVP_PKEY *load_key(BIO *err, char *file, int format, char *pass)
 		}
 	else
 		{
-		BIO_printf(err,"bad input format specified for key\n");
+		BIO_printf(err,"bad input format specified for key file\n");
 		goto end;
 		}
  end:
 	if (key != NULL) BIO_free(key);
 	if (pkey == NULL)
-		BIO_printf(err,"unable to load Private Key\n");
+		BIO_printf(err,"unable to load %s\n", key_descrip);
 	return(pkey);
 	}
 
-EVP_PKEY *load_pubkey(BIO *err, char *file, int format)
+EVP_PKEY *load_pubkey(BIO *err, const char *file, int format, int maybe_stdin,
+	const char *pass, ENGINE *e, const char *key_descrip)
 	{
 	BIO *key=NULL;
 	EVP_PKEY *pkey=NULL;
+	PW_CB_DATA cb_data;
 
-	if (file == NULL)
+	cb_data.password = pass;
+	cb_data.prompt_info = file;
+
+	if (file == NULL && (!maybe_stdin || format == FORMAT_ENGINE))
 		{
 		BIO_printf(err,"no keyfile specified\n");
 		goto end;
 		}
+	if (format == FORMAT_ENGINE)
+		{
+		if (!e)
+			BIO_printf(bio_err,"no engine specified\n");
+		else
+			pkey = ENGINE_load_public_key(e, file,
+				ui_method, &cb_data);
+		goto end;
+		}
 	key=BIO_new(BIO_s_file());
 	if (key == NULL)
 		{
 		ERR_print_errors(err);
 		goto end;
 		}
-	if (BIO_read_filename(key,file) <= 0)
+	if (file == NULL && maybe_stdin)
 		{
-		perror(file);
-		goto end;
+		setvbuf(stdin, NULL, _IONBF, 0);
+		BIO_set_fp(key,stdin,BIO_NOCLOSE);
+		}
+	else
+		if (BIO_read_filename(key,file) <= 0)
+			{
+			BIO_printf(err, "Error opening %s %s\n",
+				key_descrip, file);
+			ERR_print_errors(err);
+			goto end;
 		}
 	if (format == FORMAT_ASN1)
 		{
@@ -626,27 +969,83 @@ EVP_PKEY *load_pubkey(BIO *err, char *file, int format)
 		}
 	else if (format == FORMAT_PEM)
 		{
-		pkey=PEM_read_bio_PUBKEY(key,NULL,NULL,NULL);
+		pkey=PEM_read_bio_PUBKEY(key,NULL,
+			(pem_password_cb *)password_callback, &cb_data);
 		}
+#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
+	else if (format == FORMAT_NETSCAPE || format == FORMAT_IISSGC)
+		pkey = load_netscape_key(err, key, file, key_descrip, format);
+#endif
 	else
 		{
-		BIO_printf(err,"bad input format specified for key\n");
+		BIO_printf(err,"bad input format specified for key file\n");
 		goto end;
 		}
  end:
 	if (key != NULL) BIO_free(key);
 	if (pkey == NULL)
-		BIO_printf(err,"unable to load Public Key\n");
+		BIO_printf(err,"unable to load %s\n", key_descrip);
 	return(pkey);
 	}
 
-STACK_OF(X509) *load_certs(BIO *err, char *file, int format)
+#if !defined(OPENSSL_NO_RC4) && !defined(OPENSSL_NO_RSA)
+static EVP_PKEY *
+load_netscape_key(BIO *err, BIO *key, const char *file,
+		const char *key_descrip, int format)
+	{
+	EVP_PKEY *pkey;
+	BUF_MEM *buf;
+	RSA	*rsa;
+	const unsigned char *p;
+	int size, i;
+
+	buf=BUF_MEM_new();
+	pkey = EVP_PKEY_new();
+	size = 0;
+	if (buf == NULL || pkey == NULL)
+		goto error;
+	for (;;)
+		{
+		if (!BUF_MEM_grow_clean(buf,size+1024*10))
+			goto error;
+		i = BIO_read(key, &(buf->data[size]), 1024*10);
+		size += i;
+		if (i == 0)
+			break;
+		if (i < 0)
+			{
+				BIO_printf(err, "Error reading %s %s",
+					key_descrip, file);
+				goto error;
+			}
+		}
+	p=(unsigned char *)buf->data;
+	rsa = d2i_RSA_NET(NULL,&p,(long)size,NULL,
+		(format == FORMAT_IISSGC ? 1 : 0));
+	if (rsa == NULL)
+		goto error;
+	BUF_MEM_free(buf);
+	EVP_PKEY_set1_RSA(pkey, rsa);
+	return pkey;
+error:
+	BUF_MEM_free(buf);
+	EVP_PKEY_free(pkey);
+	return NULL;
+	}
+#endif /* ndef OPENSSL_NO_RC4 */
+
+STACK_OF(X509) *load_certs(BIO *err, const char *file, int format,
+	const char *pass, ENGINE *e, const char *cert_descrip)
 	{
 	BIO *certs;
 	int i;
 	STACK_OF(X509) *othercerts = NULL;
 	STACK_OF(X509_INFO) *allcerts = NULL;
 	X509_INFO *xi;
+	PW_CB_DATA cb_data;
+
+	cb_data.password = pass;
+	cb_data.prompt_info = file;
 
 	if((certs = BIO_new(BIO_s_file())) == NULL)
 		{
@@ -660,7 +1059,9 @@ STACK_OF(X509) *load_certs(BIO *err, char *file, int format)
 		{
 		if (BIO_read_filename(certs,file) <= 0)
 			{
-			perror(file);
+			BIO_printf(err, "Error opening %s %s\n",
+				cert_descrip, file);
+			ERR_print_errors(err);
 			goto end;
 			}
 		}
@@ -674,7 +1075,8 @@ STACK_OF(X509) *load_certs(BIO *err, char *file, int format)
 			othercerts = NULL;
 			goto end;
 			}
-		allcerts = PEM_X509_INFO_read_bio(certs, NULL, NULL, NULL);
+		allcerts = PEM_X509_INFO_read_bio(certs, NULL,
+				(pem_password_cb *)password_callback, &cb_data);
 		for(i = 0; i < sk_X509_INFO_num(allcerts); i++)
 			{
 			xi = sk_X509_INFO_value (allcerts, i);
@@ -687,7 +1089,8 @@ STACK_OF(X509) *load_certs(BIO *err, char *file, int format)
 		goto end;
 		}
 	else	{
-		BIO_printf(err,"bad input format specified for input cert\n");
+		BIO_printf(err,"bad input format specified for %s\n",
+			cert_descrip);
 		goto end;
 		}
 end:
@@ -701,16 +1104,49 @@ end:
 	return(othercerts);
 	}
 
-typedef struct {
-	char *name;
-	unsigned long flag;
-	unsigned long mask;
-} NAME_EX_TBL;
+
+#define X509V3_EXT_UNKNOWN_MASK		(0xfL << 16)
+/* Return error for unknown extensions */
+#define X509V3_EXT_DEFAULT		0
+/* Print error for unknown extensions */
+#define X509V3_EXT_ERROR_UNKNOWN	(1L << 16)
+/* ASN1 parse unknown extensions */
+#define X509V3_EXT_PARSE_UNKNOWN	(2L << 16)
+/* BIO_dump unknown extensions */
+#define X509V3_EXT_DUMP_UNKNOWN		(3L << 16)
+
+#define X509_FLAG_CA (X509_FLAG_NO_ISSUER | X509_FLAG_NO_PUBKEY | \
+			 X509_FLAG_NO_HEADER | X509_FLAG_NO_VERSION)
+
+int set_cert_ex(unsigned long *flags, const char *arg)
+{
+	static const NAME_EX_TBL cert_tbl[] = {
+		{ "compatible", X509_FLAG_COMPAT, 0xffffffffl},
+		{ "ca_default", X509_FLAG_CA, 0xffffffffl},
+		{ "no_header", X509_FLAG_NO_HEADER, 0},
+		{ "no_version", X509_FLAG_NO_VERSION, 0},
+		{ "no_serial", X509_FLAG_NO_SERIAL, 0},
+		{ "no_signame", X509_FLAG_NO_SIGNAME, 0},
+		{ "no_validity", X509_FLAG_NO_VALIDITY, 0},
+		{ "no_subject", X509_FLAG_NO_SUBJECT, 0},
+		{ "no_issuer", X509_FLAG_NO_ISSUER, 0},
+		{ "no_pubkey", X509_FLAG_NO_PUBKEY, 0},
+		{ "no_extensions", X509_FLAG_NO_EXTENSIONS, 0},
+		{ "no_sigdump", X509_FLAG_NO_SIGDUMP, 0},
+		{ "no_aux", X509_FLAG_NO_AUX, 0},
+		{ "no_attributes", X509_FLAG_NO_ATTRIBUTES, 0},
+		{ "ext_default", X509V3_EXT_DEFAULT, X509V3_EXT_UNKNOWN_MASK},
+		{ "ext_error", X509V3_EXT_ERROR_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
+		{ "ext_parse", X509V3_EXT_PARSE_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
+		{ "ext_dump", X509V3_EXT_DUMP_UNKNOWN, X509V3_EXT_UNKNOWN_MASK},
+		{ NULL, 0, 0}
+	};
+	return set_multi_opts(flags, arg, cert_tbl);
+}
 
 int set_name_ex(unsigned long *flags, const char *arg)
 {
-	char c;
-	const NAME_EX_TBL *ptbl, ex_tbl[] = {
+	static const NAME_EX_TBL ex_tbl[] = {
 		{ "esc_2253", ASN1_STRFLGS_ESC_2253, 0},
 		{ "esc_ctrl", ASN1_STRFLGS_ESC_CTRL, 0},
 		{ "esc_msb", ASN1_STRFLGS_ESC_MSB, 0},
@@ -730,15 +1166,95 @@ int set_name_ex(unsigned long *flags, const char *arg)
 		{ "nofname", XN_FLAG_FN_NONE, XN_FLAG_FN_MASK},
 		{ "sname", XN_FLAG_FN_SN, XN_FLAG_FN_MASK},
 		{ "lname", XN_FLAG_FN_LN, XN_FLAG_FN_MASK},
+		{ "align", XN_FLAG_FN_ALIGN, 0},
 		{ "oid", XN_FLAG_FN_OID, XN_FLAG_FN_MASK},
 		{ "space_eq", XN_FLAG_SPC_EQ, 0},
 		{ "dump_unknown", XN_FLAG_DUMP_UNKNOWN_FIELDS, 0},
 		{ "RFC2253", XN_FLAG_RFC2253, 0xffffffffL},
 		{ "oneline", XN_FLAG_ONELINE, 0xffffffffL},
 		{ "multiline", XN_FLAG_MULTILINE, 0xffffffffL},
+		{ "ca_default", XN_FLAG_MULTILINE, 0xffffffffL},
 		{ NULL, 0, 0}
 	};
+	return set_multi_opts(flags, arg, ex_tbl);
+}
+
+int set_ext_copy(int *copy_type, const char *arg)
+{
+	if (!strcasecmp(arg, "none"))
+		*copy_type = EXT_COPY_NONE;
+	else if (!strcasecmp(arg, "copy"))
+		*copy_type = EXT_COPY_ADD;
+	else if (!strcasecmp(arg, "copyall"))
+		*copy_type = EXT_COPY_ALL;
+	else
+		return 0;
+	return 1;
+}
+
+int copy_extensions(X509 *x, X509_REQ *req, int copy_type)
+{
+	STACK_OF(X509_EXTENSION) *exts = NULL;
+	X509_EXTENSION *ext, *tmpext;
+	ASN1_OBJECT *obj;
+	int i, idx, ret = 0;
+	if (!x || !req || (copy_type == EXT_COPY_NONE))
+		return 1;
+	exts = X509_REQ_get_extensions(req);
+
+	for(i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
+		ext = sk_X509_EXTENSION_value(exts, i);
+		obj = X509_EXTENSION_get_object(ext);
+		idx = X509_get_ext_by_OBJ(x, obj, -1);
+		/* Does extension exist? */
+		if (idx != -1) {
+			/* If normal copy don't override existing extension */
+			if (copy_type == EXT_COPY_ADD)
+				continue;
+			/* Delete all extensions of same type */
+			do {
+				tmpext = X509_get_ext(x, idx);
+				X509_delete_ext(x, idx);
+				X509_EXTENSION_free(tmpext);
+				idx = X509_get_ext_by_OBJ(x, obj, -1);
+			} while (idx != -1);
+		}
+		if (!X509_add_ext(x, ext, -1))
+			goto end;
+	}
+
+	ret = 1;
 
+	end:
+
+	sk_X509_EXTENSION_pop_free(exts, X509_EXTENSION_free);
+
+	return ret;
+}
+		
+		
+			
+
+static int set_multi_opts(unsigned long *flags, const char *arg, const NAME_EX_TBL *in_tbl)
+{
+	STACK_OF(CONF_VALUE) *vals;
+	CONF_VALUE *val;
+	int i, ret = 1;
+	if(!arg) return 0;
+	vals = X509V3_parse_list(arg);
+	for (i = 0; i < sk_CONF_VALUE_num(vals); i++) {
+		val = sk_CONF_VALUE_value(vals, i);
+		if (!set_table_opts(flags, val->name, in_tbl))
+			ret = 0;
+	}
+	sk_CONF_VALUE_pop_free(vals, X509V3_conf_free);
+	return ret;
+}
+
+static int set_table_opts(unsigned long *flags, const char *arg, const NAME_EX_TBL *in_tbl)
+{
+	char c;
+	const NAME_EX_TBL *ptbl;
 	c = arg[0];
 
 	if(c == '-') {
@@ -749,8 +1265,8 @@ int set_name_ex(unsigned long *flags, const char *arg)
 		arg++;
 	} else c = 1;
 
-	for(ptbl = ex_tbl; ptbl->name; ptbl++) {
-		if(!strcmp(arg, ptbl->name)) {
+	for(ptbl = in_tbl; ptbl->name; ptbl++) {
+		if(!strcasecmp(arg, ptbl->name)) {
 			*flags &= ~ptbl->mask;
 			if(c) *flags |= ptbl->flag;
 			else *flags &= ~ptbl->flag;
@@ -765,6 +1281,7 @@ void print_name(BIO *out, char *title, X509_NAME *nm, unsigned long lflags)
 	char *buf;
 	char mline = 0;
 	int indent = 0;
+
 	if(title) BIO_puts(out, title);
 	if((lflags & XN_FLAG_SEP_MASK) == XN_FLAG_SEP_MULTILINE) {
 		mline = 1;
@@ -782,3 +1299,122 @@ void print_name(BIO *out, char *title, X509_NAME *nm, unsigned long lflags)
 	}
 }
 
+X509_STORE *setup_verify(BIO *bp, char *CAfile, char *CApath)
+{
+	X509_STORE *store;
+	X509_LOOKUP *lookup;
+	if(!(store = X509_STORE_new())) goto end;
+	lookup=X509_STORE_add_lookup(store,X509_LOOKUP_file());
+	if (lookup == NULL) goto end;
+	if (CAfile) {
+		if(!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM)) {
+			BIO_printf(bp, "Error loading file %s\n", CAfile);
+			goto end;
+		}
+	} else X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT);
+		
+	lookup=X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir());
+	if (lookup == NULL) goto end;
+	if (CApath) {
+		if(!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM)) {
+			BIO_printf(bp, "Error loading directory %s\n", CApath);
+			goto end;
+		}
+	} else X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT);
+
+	ERR_clear_error();
+	return store;
+	end:
+	X509_STORE_free(store);
+	return NULL;
+}
+
+/* Try to load an engine in a shareable library */
+static ENGINE *try_load_engine(BIO *err, const char *engine, int debug)
+	{
+	ENGINE *e = ENGINE_by_id("dynamic");
+	if (e)
+		{
+		if (!ENGINE_ctrl_cmd_string(e, "SO_PATH", engine, 0)
+			|| !ENGINE_ctrl_cmd_string(e, "LOAD", NULL, 0))
+			{
+			ENGINE_free(e);
+			e = NULL;
+			}
+		}
+	return e;
+	}
+
+ENGINE *setup_engine(BIO *err, const char *engine, int debug)
+        {
+        ENGINE *e = NULL;
+
+        if (engine)
+                {
+		if(strcmp(engine, "auto") == 0)
+			{
+			BIO_printf(err,"enabling auto ENGINE support\n");
+			ENGINE_register_all_complete();
+			return NULL;
+			}
+		if((e = ENGINE_by_id(engine)) == NULL
+			&& (e = try_load_engine(err, engine, debug)) == NULL)
+			{
+			BIO_printf(err,"invalid engine \"%s\"\n", engine);
+			ERR_print_errors(err);
+			return NULL;
+			}
+		if (debug)
+			{
+			ENGINE_ctrl(e, ENGINE_CTRL_SET_LOGSTREAM,
+				0, err, 0);
+			}
+                ENGINE_ctrl_cmd(e, "SET_USER_INTERFACE", 0, ui_method, 0, 1);
+		if(!ENGINE_set_default(e, ENGINE_METHOD_ALL))
+			{
+			BIO_printf(err,"can't use that engine\n");
+			ERR_print_errors(err);
+			ENGINE_free(e);
+			return NULL;
+			}
+
+		BIO_printf(err,"engine \"%s\" set.\n", ENGINE_get_id(e));
+
+		/* Free our "structural" reference. */
+		ENGINE_free(e);
+		}
+        return e;
+        }
+
+int load_config(BIO *err, CONF *cnf)
+	{
+	if (!cnf)
+		cnf = config;
+	if (!cnf)
+		return 1;
+
+	OPENSSL_load_builtin_modules();
+
+	if (CONF_modules_load(cnf, NULL, 0) <= 0)
+		{
+		BIO_printf(err, "Error configuring OpenSSL\n");
+		ERR_print_errors(err);
+		return 0;
+		}
+	return 1;
+	}
+
+char *make_config_name()
+	{
+	const char *t=X509_get_default_cert_area();
+	char *p;
+
+	p=OPENSSL_malloc(strlen(t)+strlen(OPENSSL_CONF)+2);
+	strcpy(p,t);
+#ifndef OPENSSL_SYS_VMS
+	strcat(p,"/");
+#endif
+	strcat(p,OPENSSL_CONF);
+
+	return p;
+	}
diff --git a/crypto/openssl/apps/apps.h b/crypto/openssl/apps/apps.h
index 82587b977056..7b1f8ded787d 100644
--- a/crypto/openssl/apps/apps.h
+++ b/crypto/openssl/apps/apps.h
@@ -55,11 +55,64 @@
  * copied and put under another distribution licence
  * [including the GNU Public Licence.]
  */
+/* ====================================================================
+ * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ *
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer. 
+ *
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in
+ *    the documentation and/or other materials provided with the
+ *    distribution.
+ *
+ * 3. All advertising materials mentioning features or use of this
+ *    software must display the following acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
+ *
+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
+ *    endorse or promote products derived from this software without
+ *    prior written permission. For written permission, please contact
+ *    openssl-core@openssl.org.
+ *
+ * 5. Products derived from this software may not be called "OpenSSL"
+ *    nor may "OpenSSL" appear in their names without prior written
+ *    permission of the OpenSSL Project.
+ *
+ * 6. Redistributions of any form whatsoever must retain the following
+ *    acknowledgment:
+ *    "This product includes software developed by the OpenSSL Project
+ *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
+ * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
+ * OF THE POSSIBILITY OF SUCH DAMAGE.
+ * ====================================================================
+ *
+ * This product includes cryptographic software written by Eric Young
+ * (eay@cryptsoft.com).  This product includes software written by Tim
+ * Hudson (tjh@cryptsoft.com).
+ *
+ */
 
 #ifndef HEADER_APPS_H
 #define HEADER_APPS_H
 
-#include "openssl/e_os.h"
+#include "e_os.h"
 
 #include <openssl/buffer.h>
 #include <openssl/bio.h>
@@ -67,6 +120,9 @@
 #include <openssl/x509.h>
 #include <openssl/lhash.h>
 #include <openssl/conf.h>
+#include <openssl/txt_db.h>
+#include <openssl/engine.h>
+#include <openssl/ossl_typ.h>
 
 int app_RAND_load_file(const char *file, BIO *bio_e, int dont_warn);
 int app_RAND_write_file(const char *file, BIO *bio_e);
@@ -78,29 +134,33 @@ long app_RAND_load_files(char *file); /* `file' is a list of files to read,
                                        * (see e_os.h).  The string is
                                        * destroyed! */
 
-#ifdef NO_STDIO
-BIO_METHOD *BIO_s_file();
-#endif
-
-#ifdef WIN32
+#ifdef OPENSSL_SYS_WIN32
 #define rename(from,to) WIN32_rename((from),(to))
 int WIN32_rename(char *oldname,char *newname);
 #endif
 
+/* VMS below version 7.0 doesn't have strcasecmp() */
+#ifdef OPENSSL_SYS_VMS
+#define strcasecmp(str1,str2) VMS_strcasecmp((str1),(str2))
+int VMS_strcasecmp(const char *str1, const char *str2);
+#endif
+
 #ifndef MONOLITH
 
 #define MAIN(a,v)	main(a,v)
 
 #ifndef NON_MAIN
+CONF *config=NULL;
 BIO *bio_err=NULL;
 #else
+extern CONF *config;
 extern BIO *bio_err;
 #endif
 
 #else
 
 #define MAIN(a,v)	PROG(a,v)
-extern LHASH *config;
+extern CONF *config;
 extern char *default_config_file;
 extern BIO *bio_err;
 
@@ -115,21 +175,34 @@ extern BIO *bio_err;
 #endif
 
 #if defined(MONOLITH) && !defined(OPENSSL_C)
-#  define apps_startup()	do_pipe_sig()
+#  define apps_startup() \
+		do_pipe_sig()
+#  define apps_shutdown()
 #else